bigtop-user mailing list archives

From Nigel Jones <jon...@uk.ibm.com>
Subject Re: Scalability - large numbers of users/groups in LDAP
Date Fri, 10 Feb 2017 17:26:16 GMT
On 10/02/2017 17:07, Don Bosco Durai wrote:

> 1. Ranger should have an option just to sync Group (without
> users). We should be already supporting it or there was an intention to
> support. If we are not doing it for any reason, I am a strong +1 for
> doing it.

I'll experiment with this - only working off the docs so far, trying it 
out is next :-)

> 2. Direct LDAP would have been ideal, but we were worried about
> the load we might put on LDAP for real-time queries. Just FYI, Ranger
> uses LDAP/AD for authentication and easy selection of users/groups
> during policy create. For authentication, it is already real-time (even
> though I would have preferred to get the roles also in real-time).

A fair concern, though at least it's only at connect time. The 
enterprise I spoke to didn't seem to think it was a concern. I'll start 
with option #1 though.

> If you have a very high number of users/groups, then the short-term
> recommendation is to apply LDAP filters and limit syncing users only
> to those using Hadoop.

This will be extending outside Hadoop - I'm trying to determine how to 
constrain the LDAP query to the users using the relevant systems. I can 
potentially obtain a list of groups from elsewhere via a new usersync 
process, and then go back into LDAP to query membership, which would look 
the same to Ranger, just modify that sync.

Thanks for the info!

Nigel.
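
The approach discussed above (take a group list from an external source, then constrain the LDAP user query to members of those groups), as an added example that is not part of the original message and is not Ranger's own code. The `memberOf` attribute, the base filter, the batch size and every DN are assumptions; the escaping follows RFC 4515 so that a group name from the external feed cannot alter the filter's structure.

```python
# Added example: DNs, the memberOf attribute and the base filter are assumptions.

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot change the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def membership_filters(group_dns, base_filter="(objectClass=person)", batch_size=50):
    """Return LDAP filters matching users that belong to any of group_dns.

    Groups are split into batches so that no single filter grows without
    bound when the external group list is large.
    """
    if batch_size < 1:
        raise ValueError("batch_size must be at least 1")
    # De-duplicate case-insensitively, keep order, skip blank feed entries.
    seen, cleaned = set(), []
    for dn in group_dns:
        dn = dn.strip()
        if dn and dn.lower() not in seen:
            seen.add(dn.lower())
            cleaned.append(dn)
    filters = []
    for start in range(0, len(cleaned), batch_size):
        batch = cleaned[start:start + batch_size]
        terms = "".join(f"(memberOf={escape_filter_value(dn)})" for dn in batch)
        filters.append(f"(&{base_filter}(|{terms}))")
    return filters


# Constructed sample input: group DNs as an external inventory might supply them.
SAMPLE_GROUPS = [
    "cn=hadoop-analysts,ou=groups,dc=example,dc=com",
    "cn=etl (prod),ou=groups,dc=example,dc=com",
    "CN=Hadoop-Analysts,ou=groups,dc=example,dc=com",  # duplicate, different case
    "cn=x)(uid=*,ou=groups,dc=example,dc=com",  # metacharacters must stay one value
]

if __name__ == "__main__":
    for ldap_filter in membership_filters(SAMPLE_GROUPS, batch_size=2):
        print(ldap_filter)
```
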

