"If a user/group is deleted from Ranger UI, once ranger is restarted, these users/groups are sync'd to Ranger DB based on the sync configuration."

I have UNIX users that were added by default during cluster creation (via Ambari in HDP 3.1.0), i.e. "hdfs", "livy", "yarn", etc. Would these users still be added to Ranger as well if manually deleted from the Ranger UI (even though user sync is set to use AD/LDAP), since they exist across all nodes of the cluster, just as unix local users rather than AD users?

On Mon, Dec 9, 2019 at 3:08 PM Sailaja Polavarapu <spolavar...@cloudera.com> wrote:
> Hi Reed Villanueva,
>
>> 1. If I were to go into the Ranger UI and go to the users and groups menu and manually delete all of the AD users and groups, then add the user search filter to the Ranger configs, and restart Ranger, would that wipe the rest of the users from Ranger's user DB and leave only the AD users from the search filter once Ranger was restarted? Any other way to get this desired result?
>
> [Sailaja] Once users and groups are sync'd to Ranger DB, deleting them is an admin-only manual operation. Ranger doesn't delete users and groups automatically based on the search filter changes. But once you clean up the users and groups and restart ranger, usersync should pull in only the users and groups based on the configured filter.
> Just an FYI - For testing purposes, ranger usersync supports one config "ranger.usersync.policymanager.mockrun" which can be set to true so that the sync'd users and groups are not updated to ranger DB.
> https://docs.cloudera.com/HDPDocuments/HDP3/HDP-3.1.4/installing-ranger/content/ranger_install_configure_ranger_user_sync.html
>
>> 2. What would happen if I accidentally manually deleted a unix user from the users and groups menu in the Ranger UI? Would they repopulate once I restarted Ranger or would I need to do something else to fix the mistake?
>
> [Sailaja] If a user/group is deleted from Ranger UI, once ranger is restarted, these users/groups are sync'd to Ranger DB based on the sync configuration.
>
> Hope this helps,
> Sailaja.
>
> On Mon, Dec 9, 2019 at 3:23 PM Reed Villanueva <rvillanu...@ucera.org> wrote:
>
>> Looking for some clarification on how incremental sync works / does. I have recently configured Ranger/AD sync with incremental sync off and the user search filter blank. This resulted in all users from AD being added to Ranger.
>>
>> This was just intended as a base-case test, but when adding a new user search filter for the Ranger AD configs in Ambari and restarting the Ranger service, no changes appear to have been made (which is what I had expected when setting incremental sync to off) and ALL of the AD users are still visible, not just the ones specified by the filter. At this point I have some questions:
>>
>> 1. If I were to go into the Ranger UI and go to the users and groups menu and manually delete all of the AD users and groups, then add the user search filter to the Ranger configs, and restart Ranger, would that wipe the rest of the users from Ranger's user DB and leave only the AD users from the search filter once Ranger was restarted? Any other way to get this desired result?
>>
>> 2. What would happen if I accidentally manually deleted a unix user from the users and groups menu in the Ranger UI? Would they repopulate once I restarted Ranger or would I need to do something else to fix the mistake?