[jira] [Commented] (RANGER-1102) Conflict between internal and external users with same username

Sun, 17 Jul 2016 02:06:49 -0700 

    [ 
https://issues.apache.org/jira/browse/RANGER-1102?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15381246#comment-15381246
 ] 

Don Bosco Durai commented on RANGER-1102:
-----------------------------------------

[~yujie.li], currently the user is expected to be used for login into Ranger 
Admin and also within the Hadoop ecosystem.  

Since we don't differentiate, it is difficult to have two users with the name 
username. I personally feel, external users trumps internal users. However, for 
certain users like "admin", you want to use the internal users, because these 
are not Hadoop users.

My preference would be to use non-standard username for Ranger Admin, e.g. 
rangeradmin. This could be made configurable during initial DB seeding or 
should be created immediately after Ranger is installed.

Other option is to put an filter to exclude "admin" users from AD/LDAP.

Let me know if you have any other suggestions.

Thanks



> Conflict between internal and external users with same username
> ---------------------------------------------------------------
>
>                 Key: RANGER-1102
>                 URL: https://issues.apache.org/jira/browse/RANGER-1102
>             Project: Ranger
>          Issue Type: Bug
>          Components: usersync
>    Affects Versions: 0.5.2, 0.6.0
>            Reporter: Yujie Li
>
> When Ranger syncs user data from external source, if external users share the 
> same username with existing internal users, those internal users will be 
> updated with external users' group information. 
> For example, we have an internal user "admin" in "admin" group. If we sync 
> from UNIX and there is also a user named "admin" in group "test", eventually 
> the internal "admin" will still be internal but its group will be updated to 
> "test". There won't be another external "admin" user.
> This should not be allowed as they should be separated as two different users.
> But on the other hand, if we create an internal user from the web UI while we 
> already have an external user with that username, there will be an warning 
> saying "user already exists" and the action will abort. This will not cause 
> any issues.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to