No. Since these users (hdfs, yarn, etc...) are not part of your AD, they are not sync'd once deleted.
On Tue, Dec 10, 2019 at 11:47 AM Reed Villanueva <rvillanu...@ucera.org> wrote:

> "If a user/group is deleted from Ranger UI, once ranger is restarted,
> these users/groups are sync'd to Ranger DB based on the sync configuration."
>
> I have UNIX users that were added by default during cluster creation (via
> Ambari in HDP 3.1.0), i.e. "hdfs", "livy", "yarn", etc. Would these users
> still be added to Ranger as well if manually deleted from the Ranger UI
> (even though user sync is set to use AD/LDAP), since they exist across all
> nodes of the cluster, just as unix local users rather than AD users?
>
> On Mon, Dec 9, 2019 at 3:08 PM Sailaja Polavarapu <spolavar...@cloudera.com> wrote:
>
>> Hi Reed Villanueva,
>>
>> 1. If I were to go into the Ranger UI and go to the users and groups
>> menu and manually delete all of the AD users and groups, then add the user
>> search filter to the Ranger configs, and restart Ranger, would that wipe the
>> rest of the users from Ranger's user DB and leave only the AD users from
>> the search filter once Ranger was restarted? Any other way to get this
>> desired result?
>> [Sailaja] Once users and groups are sync'd to Ranger DB, deleting them is
>> an admin-only manual operation. Ranger doesn't delete users and groups
>> automatically based on the search filter changes. But once you clean up the
>> users and groups and restart ranger, usersync should pull in only the
>> users and groups based on the configured filter.
>> Just an FYI - for testing purposes, ranger usersync supports one config,
>> "ranger.usersync.policymanager.mockrun",
>> which can be set to true so that the sync'd users and groups are not
>> updated to ranger DB.
>> https://docs.cloudera.com/HDPDocuments/HDP3/HDP-3.1.4/installing-ranger/content/ranger_install_configure_ranger_user_sync.html
>>
>> 2. What would happen if I accidentally manually deleted a unix user from
>> the users and groups menu in the Ranger UI? Would they repopulate once I
>> restarted Ranger or would I need to do something else to fix the mistake?
>> [Sailaja] If a user/group is deleted from Ranger UI, once ranger is
>> restarted, these users/groups are sync'd to Ranger DB based on the sync
>> configuration.
>>
>> Hope this helps,
>> Sailaja.
>>
>> On Mon, Dec 9, 2019 at 3:23 PM Reed Villanueva <rvillanu...@ucera.org> wrote:
>>
>>> Looking for some clarification on how incremental sync works / does. I
>>> have recently configured Ranger/AD sync with incremental sync off and the
>>> user search filter blank. This resulted in all users from AD being added to
>>> Ranger.
>>>
>>> This was just intended as a base-case test, but when adding a new user
>>> search filter for the Ranger AD configs in Ambari and restarting the Ranger
>>> service, no changes appear to have been made (which is what I had expected
>>> when setting incremental sync to off) and ALL of the AD users are still
>>> visible, not just the ones specified by the filter. At this point I have
>>> some questions:
>>>
>>> 1. If I were to go into the Ranger UI and go to the users and groups
>>> menu and manually delete all of the AD users and groups, then add the user
>>> search filter to the Ranger configs, and restart Ranger, would that wipe the
>>> rest of the users from Ranger's user DB and leave only the AD users from
>>> the search filter once Ranger was restarted? Any other way to get this
>>> desired result?
>>>
>>> 2. What would happen if I accidentally manually deleted a unix user from
>>> the users and groups menu in the Ranger UI? Would they repopulate once I
>>> restarted Ranger or would I need to do something else to fix the mistake?
>>>
>>> This electronic message is intended only for the named
>>> recipient, and may contain information that is confidential or
>>> privileged. If you are not the intended recipient, you are
>>> hereby notified that any disclosure, copying, distribution or
>>> use of the contents of this message is strictly prohibited. If
>>> you have received this message in error or are not the named
>>> recipient, please notify us immediately by contacting the
>>> sender at the electronic mail address noted above, and delete
>>> and destroy all copies of this message. Thank you.