Hello,
We are going to synchronize our Ranger installation with the corporate
Active Directory, which contains users and groups. The issue we are
facing is:
- The number of users is high (around 100,000) but only a small
fraction of these users will get Hadoop access rights
- We want to synchronize only Hadoop authorized users, to reduce both
AD server load and network load
- For policy reasons, we cannot create an extra OU to hold just the
Hadoop users
- Filtering users by an attribute would cut down on network use but
would still scan all users in AD
The best workaround for our situation would be to create one group
that contains all Hadoop users, and query that group entry instead of
individual user entries. The user names can then be obtained from the
member attribute list of the group entry.
Is such an approach possible in Ranger, and/or could it be made a
feature request for a future version?
Kind regards,
Hellmar
========================================
Hellmar Becker
Edmond Audranstraat 55
NL-3543BG Utrecht
mobile: +31 6 29986670
========================================
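
The group-first lookup described in the message, as an added example that is not part of the original post and is not Ranger's code. Assumptions: `fake_base_read` stands in for a single LDAP base-scope search, the DNs and account names are constructed, and the directory follows AD's default of returning at most 1500 `member` values per read, so larger groups need ranged retrieval. Because `member` holds DNs rather than login names, each DN is resolved with its own base read.

```python
import re

PAGE = 1500  # AD default: at most 1500 values of a multi-valued attribute per read
GROUP_DN = "CN=hadoop-users,OU=Groups,DC=corp,DC=example"  # hypothetical name
# Constructed directory: 3200 group members out of a much larger user population.
USERS = {f"CN=User {i},OU=Staff,DC=corp,DC=example": f"u{i:04d}" for i in range(3200)}
MEMBERS = list(USERS)
READS = []  # every (dn, attribute) requested, to show what reaches the server


def fake_base_read(dn, attr):
    """Stand-in for one LDAP base-scope search; returns {attribute description: values}."""
    READS.append((dn, attr))
    if dn != GROUP_DN:
        return {attr: [USERS[dn]]}
    lo = int(re.fullmatch(r"member;range=(\d+)-\*", attr).group(1))
    chunk = MEMBERS[lo:lo + PAGE]
    last = lo + PAGE >= len(MEMBERS)
    hi = "*" if last else str(lo + len(chunk) - 1)
    return {f"member;range={lo}-{hi}": chunk}


def group_member_dns(read, group_dn):
    """Collect all member DNs, following ranged retrieval until the final slice."""
    dns, lo = [], 0
    while True:
        (desc, values), = read(group_dn, f"member;range={lo}-*").items()
        dns.extend(values)
        hi = desc.rsplit("-", 1)[1]
        if hi == "*" or not values:  # the server marks the last slice with '*'
            return dns
        lo = int(hi) + 1


def hadoop_usernames(read, group_dn):
    """member holds DNs, not login names: resolve each DN with its own base read."""
    return [read(dn, "sAMAccountName")["sAMAccountName"][0]
            for dn in group_member_dns(read, group_dn)]


if __name__ == "__main__":
    names = hadoop_usernames(fake_base_read, GROUP_DN)
    group_reads = [r for r in READS if r[0] == GROUP_DN]
    print(len(names), "users via", len(group_reads), "group reads, no subtree scan")
```

The directory is touched only for the group entry and the entries it lists, so the cost scales with the size of the group rather than with the full user population.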