Hellmar

>The best workaround for our situation would be to create one group that
>contains all Hadoop users, and query that group entry instead of
>individual user entries. The user names can then be obtained from the
>member attribute list of the group entry.

The UserSync design should support it, but would need some updates. There were few other enhancement requests around UserSync. It might be good if you can create a JIRA for this issue.

Another option is, if you have an IdM provisioning system, it can be used to provision Ranger user database also. Let me know if that is an option you want to pursue?

Thanks

Bosco

On 3/18/15, 12:52 AM, "Hellmar Becker" <[email protected]> wrote:

>Hello,
>
>We are going to synchronize our Ranger installation with the corporate
>Active Directory, which contains users and groups. The issue we are
>facing is:
>
>- The number of users is high (around 100,000) but only a small
>fraction of these users will get Hadoop access rights
>- We want to synchronize only Hadoop authorized users, to reduce both
>AD server load and network load
>- For policy reasons, we cannot create an extra OU to hold just the
>Hadoop users
>- Filtering users by an attribute would cut down on network use but
>would still scan all users in AD
>
>The best workaround for our situation would be to create one group
>that contains all Hadoop users, and query that group entry instead of
>individual user entries. The user names can then be obtained from the
>member attribute list of the group entry.
>
>Is such an approach possible in Ranger, and/or could it be made a
>feature request for a future version?
>
>Kind regards,
>Hellmar
>
>
>========================================
>Hellmar Becker
>Edmond Audranstraat 55
>NL-3543BG Utrecht
>mail: [email protected]
>mobile: +31 6 29986670
>========================================
>
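The group-entry approach discussed in this thread, as an added example that is not part of the original messages and is not Ranger UserSync code: it merges the `member` values of one group entry, including the ranged chunks (`member;range=0-1499`) in which Active Directory returns large groups, and refuses to sync from a truncated list. The DNs, group contents and function names are constructed for illustration; the value extracted is the leftmost RDN of each member DN, which is an assumption about what the sync needs, and resolving a login attribute would take a further lookup per DN.

```python
import re

# Constructed sample: chunks of one AD group entry. Large groups are returned
# in ranged pieces ("member;range=0-1499"); a "*" upper bound marks the last.
PAGES = [
    {"member": [],  # empty plain attribute that can accompany a ranged one
     "member;range=0-1": ["CN=Alice Smith,OU=Staff,DC=corp,DC=example",
                          "CN=Doe\\, John,OU=Staff,DC=corp,DC=example"]},
    {"member;range=2-*": ["CN=svc-hadoop,OU=Service,DC=corp,DC=example"]},
]
RANGE_RE = re.compile(r"^member(?:;range=(\d+)-(\d+|\*))?$", re.IGNORECASE)

def collect_members(pages):
    """Merge member values from all chunks; return (dns, complete)."""
    dns, complete = [], False
    for entry in pages:
        for attr, values in entry.items():
            m = RANGE_RE.match(attr)
            if not m:
                continue
            dns.extend(values)
            # Complete if the final range was seen, or the list came unranged.
            if m.group(2) == "*" or (m.group(1) is None and values):
                complete = True
    return dns, complete

def first_rdn_value(dn):
    """Unescape the leftmost RDN value (RFC 4514 '\\,' and '\\2C' forms)."""
    buf, i = bytearray(), dn.index("=") + 1
    while i < len(dn) and dn[i] != ",":
        if dn[i] == "\\":
            pair = dn[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", pair):
                buf.append(int(pair, 16))
                i += 3
                continue
            i += 1  # next character is an escaped literal
        buf += dn[i].encode("utf-8")
        i += 1
    return buf.decode("utf-8")

def hadoop_users(pages):
    """Names to sync; refuse a truncated list rather than drop users."""
    dns, complete = collect_members(pages)
    if not complete:
        raise ValueError("member list truncated: final range not retrieved")
    return [first_rdn_value(dn) for dn in dns]

if __name__ == "__main__":
    print(hadoop_users(PAGES))
```

Failing on an incomplete range matters when the synced list drives authorization: a truncated read would otherwise look like a group whose remaining members had been removed.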
