Hi Elliot,

If I make an access request to a Ranger plugin with a user specified in the
request, but no groups, can the plugin lookup the groups for said user?
- yes, user group mapping computation happens at the plugin/service end and
is completely taken care of by the service

This assumes that an identity service is syncing users and group membership
to Ranger (we do this with AD) and that users and groups are synced from
Ranger to the service plugin (I'm not sure if this happens).
- NO, users and groups just sync to Ranger; they are not passed on to the
service plugin. User group mapping happens locally at the service end

Is this a supported capability, and what if anything must I do to enable it?
- yes, this is supported. AFAIK most of the Hadoop services rely on
core-site.xml for fetching the user group mapping; the following documentation
may be helpful:
https://docs.cloudera.com/HDPDocuments/HDP3/HDP-3.1.0/installing-ranger/content/set_up_hadoop_group_mapping_for_ldap_ad.html

-Deepak
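To make the core-site.xml point above concrete, here is an added example of the Hadoop group-mapping properties a service host would carry so that the plugin can resolve a user's groups locally via LDAP/AD. This is not Deepak's configuration or anything from the Ranger project; the LDAP URL, bind DN, base DN and password-file path are placeholders, and the search filters shown are the AD-style defaults Hadoop's LdapGroupsMapping uses.

```xml
<!-- Added example, not from the thread. Placeholder values are marked. -->
<configuration>

  <!-- Resolve groups directly from LDAP/AD instead of the local OS (the
       default JniBasedUnixGroupsMappingWithFallback only sees OS groups). -->
  <property>
    <name>hadoop.security.group.mapping</name>
    <value>org.apache.hadoop.security.LdapGroupsMapping</value>
  </property>

  <!-- PLACEHOLDER: directory endpoint; ldaps:// keeps bind credentials and
       group data off the wire in clear text. -->
  <property>
    <name>hadoop.security.group.mapping.ldap.url</name>
    <value>ldaps://ldap.example.internal:636</value>
  </property>

  <!-- PLACEHOLDER: a read-only service account, not an admin DN. -->
  <property>
    <name>hadoop.security.group.mapping.ldap.bind.user</name>
    <value>CN=hadoop-groups-ro,OU=ServiceAccounts,DC=example,DC=internal</value>
  </property>

  <!-- PLACEHOLDER: keep the bind password out of core-site.xml itself;
       the file should be readable only by the service account. -->
  <property>
    <name>hadoop.security.group.mapping.ldap.bind.password.file</name>
    <value>/etc/hadoop/conf/ldap-bind.password</value>
  </property>

  <!-- PLACEHOLDER: search base for both user and group lookups. -->
  <property>
    <name>hadoop.security.group.mapping.ldap.base</name>
    <value>DC=example,DC=internal</value>
  </property>

  <!-- {0} is replaced with the user name from the access request. -->
  <property>
    <name>hadoop.security.group.mapping.ldap.search.filter.user</name>
    <value>(&amp;(objectClass=user)(sAMAccountName={0}))</value>
  </property>

  <property>
    <name>hadoop.security.group.mapping.ldap.search.filter.group</name>
    <value>(objectClass=group)</value>
  </property>

  <!-- Attribute on the group entry that lists members, and the attribute
       whose value becomes the group name the Ranger policy is written against. -->
  <property>
    <name>hadoop.security.group.mapping.ldap.search.attr.member</name>
    <value>member</value>
  </property>

  <property>
    <name>hadoop.security.group.mapping.ldap.search.attr.group.name</name>
    <value>cn</value>
  </property>

</configuration>
```

Two practical checks follow from this. First, the mapping is resolved by the service hosting the plugin, so this core-site.xml has to be on that service's classpath, not just on the Ranger Admin host. Second, the group names returned here (the `cn` values above) must match the group names Ranger usersync imported from AD, or group-based policies will silently not apply; `hdfs groups <user>` on a cluster node shows what the NameNode resolves for a user and is a quick way to compare the two.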


On Wed, May 12, 2021 at 1:19 PM Elliot West <tea...@gmail.com> wrote:

> Hello, can anyone give me any insights on this?
>
> On Wed, 5 May 2021 at 10:30, Elliot West <tea...@gmail.com> wrote:
>
>> Hello,
>>
>> If I make an access request to a Ranger plugin with a user specified in
>> the request, but no groups, can the plugin lookup the groups for said user?
>> This assumes that an identity service is syncing users and group membership
>> to Ranger (we do this with AD) and that users and groups are synced from
>> Ranger to the service plugin (I'm not sure if this happens). Is this a
>> supported capability, and what if anything must I do to enable it?
>>
>> The problem I am trying to solve is that I have group based policies, but
>> the origin service does not currently have any group information in the
>> request principal, only a user id. I could of course build functionality to
>> look this up but it feels like something that Ranger is probably doing
>> anyway.
>>
>> Thanks,
>>
>> Elliot.
>>
>>
>>
