[ https://issues.apache.org/jira/browse/RANGER-1102?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15384932#comment-15384932 ]

Don Bosco Durai commented on RANGER-1102:
-----------------------------------------

[~yujie.li], it might be good to know your use cases. Ideally, if you are using 
LDAP/AD, then LDAP/AD should be your sole source of truth. Even though not 
recommended, you might have an exception for the "admin" user. If the "admin" user is 
the only user you are concerned about, then we could rename it "ranger_admin" or 
something like that to avoid username conflict.

I personally feel "internal" users shouldn't have preference over "external" 
users. The most important reason is that you don't want to override your corporate 
policies by reusing the same username as internal. Second, during initial 
install or PoC, you might not sync with LDAP/AD, but just create the Hadoop 
users as internal users and try out Ranger. So in this case, when you set up the 
LDAP/AD synchronization, the users you manually created will never be 
overwritten, which is not the desired feature.

I feel we should do either or both of the below:
1. Have an option to rename "admin" to "ranger_admin" during install.
2. Have an option to disable creating internal users, except those created during 
install. But have the option to delete internal users.



> Conflict between internal and external users with same username
> ---------------------------------------------------------------
>
>                 Key: RANGER-1102
>                 URL: https://issues.apache.org/jira/browse/RANGER-1102
>             Project: Ranger
>          Issue Type: Bug
>          Components: usersync
>    Affects Versions: 0.5.2, 0.6.0
>            Reporter: Yujie Li
>
> When Ranger syncs user data from external source, if external users share the 
> same username with existing internal users, those internal users will be 
> updated with external users' group information. 
> For example, we have an internal user "admin" in "admin" group. If we sync 
> from UNIX and there is also a user named "admin" in group "test", eventually 
> the internal "admin" will still be internal but its group will be updated to 
> "test". There won't be another external "admin" user.
> This should not be allowed as they should be separated as two different users.
> But on the other hand, if we create an internal user from the web UI while we 
> already have an external user with that username, there will be a warning 
> saying "user already exists" and the action will abort. This will not cause 
> any issues.
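The sync collision the issue describes, and the separation rule the comment argues for, side by side as an added Python model (not Ranger's usersync code; the `User` record, the merge functions and the sample users are constructed for illustration):

```python
# Added example, not Ranger code: models the usersync merge step from RANGER-1102,
# with the reported behaviour beside a variant that keeps internal users separate.
from dataclasses import dataclass, field

INTERNAL, EXTERNAL = "internal", "external"

@dataclass
class User:
    name: str
    source: str
    groups: set = field(default_factory=set)

def merge_reported(store, synced):
    """Behaviour the issue reports: a synced user whose name matches an
    internal user silently replaces that user's groups (source stays internal)."""
    for name, groups in synced.items():
        if name in store:
            store[name].groups = set(groups)
        else:
            store[name] = User(name, EXTERNAL, set(groups))
    return store, []

def merge_separated(store, synced):
    """Separation rule: sync never touches internal users; collisions are
    returned so an admin can act on them (rename "admin" to "ranger_admin",
    or stop creating internal users, as the comment suggests)."""
    conflicts = []
    for name, groups in synced.items():
        existing = store.get(name)
        if existing is None:
            store[name] = User(name, EXTERNAL, set(groups))
        elif existing.source == EXTERNAL:
            existing.groups = set(groups)  # refresh an already-synced user
        else:
            conflicts.append((name, sorted(groups)))  # internal user untouched
    return store, conflicts

def create_internal(store, name, groups=()):
    """The web UI path the issue calls safe: a duplicate name is refused."""
    if name in store:
        raise ValueError(f"user already exists: {name}")
    store[name] = User(name, INTERNAL, set(groups))
    return store[name]

def demo(merge):
    # Constructed sample: the issue's own scenario, internal "admin" in group
    # "admin", then a UNIX sync carrying "admin" in group "test".
    store = {"admin": User("admin", INTERNAL, {"admin"})}
    synced = {"admin": {"test"}, "hdfs": {"hadoop"}}
    return merge(store, synced)
```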



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
