From v..@apache.org
Subject incubator-ranger git commit: Ranger-869: Including review comments for Group based search
Date Sat, 02 Apr 2016 14:09:41 GMT
Repository: incubator-ranger
Updated Branches:
  refs/heads/master 47c035603 -> 1d5471ae3


Ranger-869: Including review comments for Group based search

Signed-off-by: Velmurugan Periasamy <vel@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/1d5471ae
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/1d5471ae
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/1d5471ae

Branch: refs/heads/master
Commit: 1d5471ae30e6231e9475f447ded24033efe3547d
Parents: 47c0356
Author: Sailaja Polavarapu <spolavarapu@hortonworks.com>
Authored: Thu Mar 31 14:09:37 2016 -0700
Committer: Velmurugan Periasamy <vel@apache.org>
Committed: Sat Apr 2 10:09:17 2016 -0400

----------------------------------------------------------------------
 .../process/LdapUserGroupBuilder.java           | 456 ++++++++++++++-----
 .../config/UserGroupSyncConfig.java             |  42 ++
 .../process/PolicyMgrUserGroupBuilder.java      |  45 ++
 .../ranger/usergroupsync/UserGroupSink.java     |   2 +
 .../ranger/usergroupsync/LdapUserGroupTest.java | 152 ++++++-
 .../PolicyMgrUserGroupBuilderTest.java          |   7 +
 ugsync/src/test/resources/ADSchema.ldif         |  24 +
 .../src/test/resources/ranger-ugsync-site.xml   |  10 +
 8 files changed, 609 insertions(+), 129 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1d5471ae/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java
----------------------------------------------------------------------
diff --git a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java
index 670d8c5..e68a52f 100644
--- a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java
+++ b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java
@@ -21,6 +21,7 @@
 
 
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
@@ -77,6 +78,8 @@ public class LdapUserGroupBuilder implements UserGroupSource {
   private boolean pagedResultsEnabled = true;
   private int pagedResultsSize = 500;
 
+  private boolean groupSearchFirstEnabled = false;
+  private boolean userSearchEnabled = false;
   private boolean groupSearchEnabled = true;
   private String[] groupSearchBase;
   private int    groupSearchScope;
@@ -101,6 +104,7 @@ public class LdapUserGroupBuilder implements UserGroupSource {
   Mapper userNameRegExInst = null;
   Mapper groupNameRegExInst = null;
   private Map<String, UserInfo> userGroupMap;
+  private Set<String> usersList;
 
 	public static void main(String[] args) throws Throwable {
 		LdapUserGroupBuilder  ugBuilder = new LdapUserGroupBuilder();
@@ -162,31 +166,24 @@ public class LdapUserGroupBuilder implements UserGroupSource {
 			LOG.error("Failed to load " + mappingGroupNameHandler + " " + cne);
 		} catch (Throwable te) {
 			LOG.error("Failed to instantiate " + mappingGroupNameHandler + " " + te);
-		}		
+		}
+		
 	}
 
 	@Override
-	public void init() {
-		// do nothing
+	public void init() throws Throwable{		
+		setConfig();
 	}
 	
 	private void createLdapContext() throws Throwable {
-		LOG.info("LdapUserGroupBuilder initialization started");
-
-    ldapUrl = config.getLdapUrl();
-    ldapBindDn = config.getLdapBindDn();
-    ldapBindPassword = config.getLdapBindPassword();
-    //ldapBindPassword = "admin-password";
-    ldapAuthenticationMechanism = config.getLdapAuthenticationMechanism();
-    ldapReferral = config.getContextReferral();
 		Properties env = new Properties();
 		env.put(Context.INITIAL_CONTEXT_FACTORY, 
-		    "com.sun.jndi.ldap.LdapCtxFactory");
+				"com.sun.jndi.ldap.LdapCtxFactory");
 		env.put(Context.PROVIDER_URL, ldapUrl);
 		if (ldapUrl.startsWith("ldaps") && (config.getSSLTrustStorePath() != null && !config.getSSLTrustStorePath().trim().isEmpty())) {
 			env.put("java.naming.ldap.factory.socket", "org.apache.ranger.ldapusersync.process.CustomSSLSocketFactory");
-		}	
-		
+		}
+
 		ldapContext = new InitialLdapContext(env, null);
 		if (!ldapUrl.startsWith("ldaps")) {
 			if (config.isStartTlsEnabled()) {
@@ -199,14 +196,26 @@ public class LdapUserGroupBuilder implements UserGroupSource {
 				LOG.info("Starting TLS session...");
 			}
 		}
-		
+
 		ldapContext.addToEnvironment(Context.SECURITY_PRINCIPAL, ldapBindDn);
 		ldapContext.addToEnvironment(Context.SECURITY_CREDENTIALS, ldapBindPassword);
 		ldapContext.addToEnvironment(Context.SECURITY_AUTHENTICATION, ldapAuthenticationMechanism);
 		ldapContext.addToEnvironment(Context.REFERRAL, ldapReferral) ;
-		
-		searchBase = config.getSearchBase();
+	}
+	
+	private void setConfig() throws Throwable {
+		LOG.info("LdapUserGroupBuilder initialization started");
 
+		groupSearchFirstEnabled =   config.isGroupSearchFirstEnabled();
+		userSearchEnabled =   config.isUserSearchEnabled();
+    ldapUrl = config.getLdapUrl();
+    ldapBindDn = config.getLdapBindDn();
+    ldapBindPassword = config.getLdapBindPassword();
+    //ldapBindPassword = "admin-password";
+    ldapAuthenticationMechanism = config.getLdapAuthenticationMechanism();
+    ldapReferral = config.getContextReferral();
+		searchBase = config.getSearchBase();
+		
 		userSearchBase = config.getUserSearchBase().split(";");
 		userSearchScope = config.getUserSearchScope();
 		userObjectClass = config.getUserObjectClass();
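Review bot: The commented-out `//ldapBindPassword = "admin-password";` line is moved into setConfig() along with the live assignments; it is dead code that reads like a credential and should be dropped rather than carried forward. Separately, the bind DN, password and URL are now read once from init() instead of on every createLdapContext() call. If `config` can be reloaded at runtime (not visible here), a rotated bind password would no longer be picked up without a restart. A short comment on setConfig() such as `// Reads connection and search settings once at init(); changes need a restart` would make that explicit. setConfig() continues past the end of this hunk.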
@@ -217,6 +226,7 @@ public class LdapUserGroupBuilder implements UserGroupSource {
 			if (!customFilter.startsWith("(")) {
 				customFilter = "(" + customFilter + ")";
 			}
+			
 			extendedUserSearchFilter = "(&" + extendedUserSearchFilter + customFilter + ")";
 		}
 		
@@ -256,14 +266,22 @@ public class LdapUserGroupBuilder implements UserGroupSource {
       extendedGroupSearchFilter = extendedGroupSearchFilter + customFilter;
     }
     extendedAllGroupsSearchFilter = "(&"  + extendedGroupSearchFilter + ")";
-    extendedGroupSearchFilter =  "(&"  + extendedGroupSearchFilter + "(" + groupMemberAttributeName + "={0})"  + ")";
-
+    if (!groupSearchFirstEnabled) {
+      extendedGroupSearchFilter =  "(&"  + extendedGroupSearchFilter + "(" + groupMemberAttributeName + "={0})"  + ")";
+    }
     groupUserMapSyncEnabled = config.isGroupUserMapSyncEnabled();
 
     groupSearchControls = new SearchControls();
     groupSearchControls.setSearchScope(groupSearchScope);
-    String[] groupSearchAttributes = new String[]{groupNameAttribute};
-    groupSearchControls.setReturningAttributes(groupSearchAttributes);
+    //String[] groupSearchAttributes = new String[]{groupNameAttribute};
+    //groupSearchControls.setReturningAttributes(groupSearchAttributes);
+    
+    Set<String> groupSearchAttributes = new HashSet<String>();
+    groupSearchAttributes.add(groupNameAttribute);
+    groupSearchAttributes.add(groupMemberAttributeName);
+	
+    groupSearchControls.setReturningAttributes(groupSearchAttributes.toArray(
+			new String[groupSearchAttributes.size()]));
 
 		if (LOG.isInfoEnabled()) {
 			LOG.info("LdapUserGroupBuilder initialization completed with --  "
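Review bot: `groupMemberAttributeName` is added to the returned attributes unconditionally, but in user-first mode getGroups() reads only the group name from each entry. Every per-user group search therefore pulls the full member list of every matching group back from the directory for no use. Adding it only when needed keeps the result set minimal: `if (groupSearchFirstEnabled) { groupSearchAttributes.add(groupMemberAttributeName); }`. The two commented-out `groupSearchAttributes` lines above the new set can be deleted rather than kept as comments. The enclosing setConfig() starts and ends outside this hunk.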
@@ -272,7 +290,7 @@ public class LdapUserGroupBuilder implements UserGroupSource {
 					+ ",  ldapBindPassword: ***** " 
 					+ ",  ldapAuthenticationMechanism: " + ldapAuthenticationMechanism
           + ",  searchBase: " + searchBase
-          + ",  userSearchBase: " + userSearchBase
+          + ",  userSearchBase: " + Arrays.toString(userSearchBase)
           + ",  userSearchScope: " + userSearchScope
 					+ ",  userObjectClass: " + userObjectClass
 					+ ",  userSearchFilter: " + userSearchFilter
@@ -283,7 +301,7 @@ public class LdapUserGroupBuilder implements UserGroupSource {
           + ",  pagedResultsEnabled: " + pagedResultsEnabled
           + ",  pagedResultsSize: " + pagedResultsSize
           + ",  groupSearchEnabled: " + groupSearchEnabled
-          + ",  groupSearchBase: " + groupSearchBase
+          + ",  groupSearchBase: " + Arrays.toString(groupSearchBase)
           + ",  groupSearchScope: " + groupSearchScope
           + ",  groupObjectClass: " + groupObjectClass
           + ",  groupSearchFilter: " + groupSearchFilter
@@ -291,7 +309,10 @@ public class LdapUserGroupBuilder implements UserGroupSource {
           + ",  extendedAllGroupsSearchFilter: " + extendedAllGroupsSearchFilter
           + ",  groupMemberAttributeName: " + groupMemberAttributeName
           + ",  groupNameAttribute: " + groupNameAttribute
+          + ", groupSearchAttributes: " + groupSearchAttributes
           + ",  groupUserMapSyncEnabled: " + groupUserMapSyncEnabled
+          + ", groupSearchFirstEnabled: " + groupSearchFirstEnabled
+          + ", userSearchEnabled: " + userSearchEnabled
           + ",  ldapReferral: " + ldapReferral
       );
 		}
@@ -302,7 +323,6 @@ public class LdapUserGroupBuilder implements UserGroupSource {
 		if (tls != null) {
 			tls.close();
 		}
-
 		if (ldapContext != null) {
 			ldapContext.close();
 		}
@@ -318,9 +338,71 @@ public class LdapUserGroupBuilder implements UserGroupSource {
 	public void updateSink(UserGroupSink sink) throws Throwable {
 		LOG.info("LDAPUserGroupBuilder updateSink started");
 		userGroupMap = new HashMap<String, UserInfo>();
+		if (!groupSearchFirstEnabled) {
+			LOG.info("Performing user search first");
+			getUsers(sink);
+			
+			LOG.debug("Total No. of users saved = " + userGroupMap.size());
+			//Iterator<UserInfo> userInfoIterator = userGroupMap.
+			for (UserInfo userInfo : userGroupMap.values()) {
+				String userName = userInfo.getUserName();
+				if (groupSearchEnabled) {
+					// Perform group search
+					LOG.info("groupSearch is enabled, would search for groups and compute memberships");
+					getGroups(sink, userInfo);
+				}
+				List<String> groupList = userInfo.getGroups();
+				try {
+					sink.addOrUpdateUser(userName, groupList);
+				} catch (Throwable t) {
+					LOG.error("sink.addOrUpdateUser failed with exception: " + t.getMessage()
+					+ ", for user: " + userName
+					+ ", groups: " + groupList);
+				}
+			}
+			
+		} else {
+			LOG.info("Performing Group search first");
+			getGroups(sink, null);
+			if (userSearchEnabled) {
+				LOG.info("User search is enabled and hence computing user membership.");
+				getUsers(sink);
+			} else {
+				LOG.info("User search is disabled and hence using the group member attribute for username.");
+				// Go through the userInfo map and update ranger admin.
+				for (UserInfo userInfo : userGroupMap.values()) {
+					String userName = userInfo.getUserName();
+					if (userNameCaseConversionFlag) {
+						if (userNameLowerCaseFlag) {
+							userName = userName.toLowerCase() ;
+						}
+						else {
+							userName = userName.toUpperCase() ;
+						}
+					}
+
+					if (userNameRegExInst != null) {
+						userName = userNameRegExInst.transform(userName);
+					}
+					List<String> groupList = userInfo.getGroups();
+					try {
+						sink.addOrUpdateUser(userName, groupList);
+					} catch (Throwable t) {
+						LOG.error("sink.addOrUpdateUser failed with exception: " + t.getMessage()
+						+ ", for user: " + userName
+						+ ", groups: " + groupList);
+					}
+				}
+			}
+		}
+	}
+	
+	private void getUsers(UserGroupSink sink) throws Throwable {
+		UserInfo userInfo;
 		NamingEnumeration<SearchResult> userSearchResultEnum = null;
 		NamingEnumeration<SearchResult> groupSearchResultEnum = null;
 		try {
+			//setConfig();
 			createLdapContext();
 			int total;
 			// Activate paged results
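Review bot: In the user-first branch of updateSink(), `getGroups(sink, userInfo)` runs once per entry in `userGroupMap`, and getGroups() (a later hunk) calls `createLdapContext()` at its start and `closeLdapContext()` in its finally block. Each user therefore costs a new connection, an optional StartTLS handshake and a bind, where the removed getUserGroups() opened one context for the whole loop. On a large directory that is a heavy authentication load on the LDAP server and slows the sync considerably. I would open the context once around the loop and have getGroups() reuse it, and move the per-user `LOG.info("groupSearch is enabled, ...")` out of the loop. getUsers() begins in this hunk and continues beyond it.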
@@ -337,6 +419,7 @@ public class LdapUserGroupBuilder implements UserGroupSource {
 					userSearchResultEnum = ldapContext
 							.search(userSearchBase[ou], extendedUserSearchFilter,
 									userSearchControls);
+					
 					while (userSearchResultEnum.hasMore()) {
 						// searchResults contains all the user entries
 						final SearchResult userEntry = userSearchResultEnum.next();
@@ -389,63 +472,85 @@ public class LdapUserGroupBuilder implements UserGroupSource {
 							userName = userNameRegExInst.transform(userName);
 						}
 
-						UserInfo userInfo = new UserInfo(userName, userEntry.getNameInNamespace());
-						Set<String> groups = new HashSet<String>();
-
-						// Get all the groups from the group name attribute of the user only when group search is not enabled.
-						if (!groupSearchEnabled) {
-							for (String useGroupNameAttribute : userGroupNameAttributeSet) {
-								Attribute userGroupfAttribute = userEntry.getAttributes().get(useGroupNameAttribute);
-								if (userGroupfAttribute != null) {
-									NamingEnumeration<?> groupEnum = userGroupfAttribute.getAll();
-									while (groupEnum.hasMore()) {
-										String gName = getShortGroupName((String) groupEnum
-												.next());
-										if (groupNameCaseConversionFlag) {
-											if (groupNameLowerCaseFlag) {
-												gName = gName.toLowerCase();
-											} else {
-												gName = gName.toUpperCase();
+						if (!groupSearchFirstEnabled) {
+							userInfo = new UserInfo(userName, userEntry.getNameInNamespace());
+							Set<String> groups = new HashSet<String>();
+
+							// Get all the groups from the group name attribute of the user only when group search is not enabled.
+							if (!groupSearchEnabled) {
+								for (String useGroupNameAttribute : userGroupNameAttributeSet) {
+									Attribute userGroupfAttribute = userEntry.getAttributes().get(useGroupNameAttribute);
+									if (userGroupfAttribute != null) {
+										NamingEnumeration<?> groupEnum = userGroupfAttribute.getAll();
+										while (groupEnum.hasMore()) {
+											String gName = getShortGroupName((String) groupEnum
+													.next());
+											if (groupNameCaseConversionFlag) {
+												if (groupNameLowerCaseFlag) {
+													gName = gName.toLowerCase();
+												} else {
+													gName = gName.toUpperCase();
+												}
 											}
+											if (groupNameRegExInst != null) {
+												gName = groupNameRegExInst.transform(gName);
+											}
+											groups.add(gName);
 										}
-										if (groupNameRegExInst != null) {
-											gName = groupNameRegExInst.transform(gName);
-										}
-										groups.add(gName);
 									}
 								}
 							}
-						}
 
-						userInfo.addGroups(groups);
-						//populate the userGroupMap with username, userInfo. 
-						//userInfo contains details of user that will be later used for
-						//group search to compute group membership as well as to call sink.addOrUpdateUser()
-						if (userGroupMap.containsKey(userName)) {
-							LOG.warn("user object with username " + userName + " already exists and is replaced with the latest user object." );
-						}
-						userGroupMap.put(userName, userInfo);
-
-						//List<String> groupList = new ArrayList<String>(groups);
-						List<String> groupList = userInfo.getGroups();
-						counter++;
-						if (counter <= 2000) { 
-							if (LOG.isInfoEnabled()) {
-								LOG.info("Updating user count: " + counter
-										+ ", userName: " + userName + ", groupList: "
-										+ groupList);
+							userInfo.addGroups(groups);
+							//populate the userGroupMap with username, userInfo. 
+							//userInfo contains details of user that will be later used for
+							//group search to compute group membership as well as to call sink.addOrUpdateUser()
+							if (userGroupMap.containsKey(userName)) {
+								LOG.warn("user object with username " + userName + " already exists and is replaced with the latest user object." );
 							}
-							if ( counter == 2000 ) {
-								LOG.info("===> 2000 user records have been synchronized so far. From now on, only a summary progress log will be written for every 100 users. To continue to see detailed log for every user, please enable Trace level logging. <===");
+							userGroupMap.put(userName, userInfo);
+
+							//List<String> groupList = new ArrayList<String>(groups);
+							List<String> groupList = userInfo.getGroups();
+							counter++;
+							if (counter <= 2000) { 
+								if (LOG.isInfoEnabled()) {
+									LOG.info("Updating user count: " + counter
+											+ ", userName: " + userName + ", groupList: "
+											+ groupList);
+								}
+								if ( counter == 2000 ) {
+									LOG.info("===> 2000 user records have been synchronized so far. From now on, only a summary progress log will be written for every 100 users. To continue to see detailed log for every user, please enable Trace level logging. <===");
+								}
+							} else {
+								if (LOG.isTraceEnabled()) {
+									LOG.trace("Updating user count: " + counter
+											+ ", userName: " + userName + ", groupList: "
+											+ groupList);
+								} else  {
+									if ( counter % 100 == 0) {
+										LOG.info("Synced " + counter + " users till now");
+									}
+								}
 							}
 						} else {
-							if (LOG.isTraceEnabled()) {
-								LOG.trace("Updating user count: " + counter
-										+ ", userName: " + userName + ", groupList: "
-										+ groupList);
-							} else  {
-								if ( counter % 100 == 0) {
-									LOG.info("Synced " + counter + " users till now");
+							// If the user from the search result is present in the usersList, 
+							// then update user name in the userInfo map with the value from the search result
+							// and update ranger admin.
+							String userFullName = (userEntry.getNameInNamespace()).toLowerCase();
+							LOG.info("Chekcing if the user " + userFullName + " is part of the retrieved groups");
+							if (usersList != null && usersList.contains(userFullName)) {
+								counter++;
+								userInfo = userGroupMap.get(userFullName);
+								LOG.info("Updating username for " + userFullName + " with " + userName);
+								userInfo.updateUserName(userName);
+								List<String> groupList = userInfo.getGroups();
+								try {
+									sink.addOrUpdateUser(userName, groupList);
+								} catch (Throwable t) {
+									LOG.error("sink.addOrUpdateUser failed with exception: " + t.getMessage()
+									+ ", for user: " + userName
+									+ ", groups: " + groupList);
 								}
 							}
 						}
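Review bot: The group-first branch matches users to group members with `usersList.contains(userFullName)`, comparing the lower-cased `getNameInNamespace()` string against the lower-cased raw member attribute value collected in getGroups(). The two strings come from different places, and equivalent DNs can differ in spacing or escaping, so a member can fail to match and is then skipped without any log line and never passed to `sink.addOrUpdateUser`. Since the synced memberships presumably feed authorization decisions, I would compare parsed names (`javax.naming.ldap.LdapName` equality is normalized) instead of lower-cased strings, and log at warn level the members collected from groups that no user entry matched. The "Chekcing" message is also emitted at INFO for every user entry in the directory, bypassing the 2000-record cap used in the other branch; `LOG.debug` with the spelling fixed would be enough.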
@@ -477,7 +582,7 @@ public class LdapUserGroupBuilder implements UserGroupSource {
 								new PagedResultsControl(PAGE_SIZE, cookie, Control.CRITICAL) });
 					}
 				} while (cookie != null);
-				LOG.info("LDAPUserGroupBuilder.updateSink() completed with user count: "
+				LOG.info("LDAPUserGroupBuilder.getUsers() completed with user count: "
 						+ counter);
 
 			}
@@ -491,80 +596,158 @@ public class LdapUserGroupBuilder implements UserGroupSource {
 			}
 			closeLdapContext();
 		}
-		// Perform group search
-		getUserGroups(sink);
 	}
 	
-	private void getUserGroups(UserGroupSink sink) throws Throwable {
+	private void getGroups(UserGroupSink sink, UserInfo userInfo) throws Throwable {
 		NamingEnumeration<SearchResult> groupSearchResultEnum = null;
-		LOG.debug("Total No. of users saved = " + userGroupMap.size());
-		if (groupSearchEnabled) {
-			LOG.info("groupSearch is enabled, would search for groups and compute memberships");
+		usersList = new HashSet<String>();
+		try {
+			//setConfig();
 			createLdapContext();
-		}
-		
-		//java.util.Iterator<UserInfo> userInfoIterator = userGroupMap.
-		for (UserInfo userInfo : userGroupMap.values()) {
-			//UserInfo userInfo = userInfoIterator.next();
-			String userName = userInfo.getUserName();
-			if (groupSearchEnabled) {
-				for (int ou=0; ou<groupSearchBase.length; ou++) {
-					try {
+			int total;
+			// Activate paged results
+			if (pagedResultsEnabled)   {
+				ldapContext.setRequestControls(new Control[]{
+						new PagedResultsControl(pagedResultsSize, Control.NONCRITICAL) });
+			}
+			for (int ou=0; ou<groupSearchBase.length; ou++) {
+				byte[] cookie = null;
+				int counter = 0;
+				do {
+					if (!groupSearchFirstEnabled) {
+						if (userInfo == null) {
+							// Should never reach this.
+							LOG.error("No user information provided for group search!");
+							return;
+						}
 						groupSearchResultEnum = ldapContext
 								.search(groupSearchBase[ou], extendedGroupSearchFilter,
 										new Object[]{userInfo.getUserFullName()},
 										groupSearchControls);
-						Set<String> computedGroups = new HashSet<String>();
-						while (groupSearchResultEnum.hasMore()) {
-							final SearchResult groupEntry = groupSearchResultEnum.next();
-							if (groupEntry != null) {
-								Attribute groupNameAttr = groupEntry.getAttributes().get(groupNameAttribute);
-								if (groupNameAttr == null) {
-									if (LOG.isInfoEnabled())  {
-										LOG.info(groupNameAttribute + " empty for entry " + groupEntry.getNameInNamespace() +
-												", skipping sync");
-									}
+					} else {
+						// If group based search is enabled, then first retrieve all the groups based on the group configuration. 
+						groupSearchResultEnum = ldapContext
+								.search(groupSearchBase[ou], extendedAllGroupsSearchFilter,
+										groupSearchControls);
+					}
+					//Set<String> computedGroups = new HashSet<String>();
+					while (groupSearchResultEnum.hasMore()) {
+						final SearchResult groupEntry = groupSearchResultEnum.next();
+						if (groupEntry != null) {
+							counter++;
+							Attribute groupNameAttr = groupEntry.getAttributes().get(groupNameAttribute);
+							if (groupNameAttr == null) {
+								if (LOG.isInfoEnabled())  {
+									LOG.info(groupNameAttribute + " empty for entry " + groupEntry.getNameInNamespace() +
+											", skipping sync");
+								}
+								continue;
+							}
+							String gName = (String) groupNameAttr.get();
+							if (groupNameCaseConversionFlag) {
+								if (groupNameLowerCaseFlag) {
+									gName = gName.toLowerCase();
+								} else {
+									gName = gName.toUpperCase();
+								}
+							}
+							if (groupNameRegExInst != null) {
+								gName = groupNameRegExInst.transform(gName);
+							}
+							if (!groupSearchFirstEnabled) {
+								//computedGroups.add(gName);
+								if (LOG.isInfoEnabled())  {
+									LOG.info("computed groups for user: " + userInfo.getUserName() +", groups: " + gName);
+								}
+								userInfo.addGroup(gName);
+							} else {
+								// If group based search is enabled, then
+								// update the group name to ranger admin
+								// check for group members and populate userInfo object with user's full name and group mapping
+								Attribute groupMemberAttr = groupEntry.getAttributes().get(groupMemberAttributeName);
+								LOG.debug("Update Ranger admin with " + gName);
+								sink.addOrUpdateGroup(gName);
+								int userCount = 0;
+								if (groupMemberAttr == null || groupMemberAttr.size() <= 0) {
+									LOG.info("No members available for " + gName);
 									continue;
 								}
-								String gName = (String) groupNameAttr.get();
-								if (groupNameCaseConversionFlag) {
-									if (groupNameLowerCaseFlag) {
-										gName = gName.toLowerCase();
+								NamingEnumeration<?> userEnum = groupMemberAttr.getAll();
+								while (userEnum.hasMore()) {
+									String userFullName = (String) userEnum.next();
+									if (userFullName == null || userFullName.trim().isEmpty()) {
+										continue;
+									}
+									userFullName = userFullName.toLowerCase();
+									userCount++;
+									/* If user search is enabled, then the username is updated later 
+									 * based on the user search config (in getUsers() method) else 
+									 * use user's short name as the username and use that in the map. 
+									 */
+									if (userSearchEnabled) {
+										if (!userGroupMap.containsKey(userFullName)) {
+											userInfo = new UserInfo(userFullName, userFullName);
+											userGroupMap.put(userFullName, userInfo);
+										} else {
+											userInfo = userGroupMap.get(userFullName);
+										}
+										LOG.info("Adding " + gName + " to user " + userInfo.getUserFullName());
+										userInfo.addGroup(gName);
+										usersList.add(userFullName);
 									} else {
-										gName = gName.toUpperCase();
+										String userShortName = getShortUserName(userFullName);
+										if (!userGroupMap.containsKey(userShortName)) {
+											userInfo = new UserInfo(userShortName, userFullName);
+											userGroupMap.put(userShortName, userInfo);
+										} else {
+											userInfo = userGroupMap.get(userShortName);
+										}
+										LOG.debug("Adding " + gName + " to user " + userInfo.getUserName());
+										userInfo.addGroup(gName);
 									}
 								}
-								if (groupNameRegExInst != null) {
-									gName = groupNameRegExInst.transform(gName);
-								}
-								computedGroups.add(gName);
+								LOG.info("No. of members in the group " + gName + " = " + userCount);
 							}
 						}
-						if (LOG.isInfoEnabled())  {
-							LOG.info("computed groups for user: " + userName +", groups: " + computedGroups);
-						}
-						userInfo.addGroups(computedGroups);
-
-					} finally {
-						if (groupSearchResultEnum != null) {
-							groupSearchResultEnum.close();
+					}
+					// Examine the paged results control response
+					Control[] controls = ldapContext.getResponseControls();
+					if (controls != null) {
+						for (int i = 0; i < controls.length; i++) {
+							if (controls[i] instanceof PagedResultsResponseControl) {
+								PagedResultsResponseControl prrc =
+										(PagedResultsResponseControl)controls[i];
+								total = prrc.getResultSize();
+								if (total != 0) {
+									LOG.debug("END-OF-PAGE total : " + total);
+								} else {
+									LOG.debug("END-OF-PAGE total : unknown");
+								}
+								cookie = prrc.getCookie();
+							}
 						}
+					} else {
+						LOG.debug("No controls were sent from the server");
 					}
-				}
+					// Re-activate paged results
+					if (pagedResultsEnabled)   {
+						ldapContext.setRequestControls(new Control[]{
+								new PagedResultsControl(PAGE_SIZE, cookie, Control.CRITICAL) });
+					}
+				} while (cookie != null);
+				LOG.info("LDAPUserGroupBuilder.getGroups() completed with group count: "
+						+ counter);
 			}
-			List<String> groupList = userInfo.getGroups();
-			try {
-				sink.addOrUpdateUser(userName, groupList);
-			} catch (Throwable t) {
-				LOG.error("sink.addOrUpdateUser failed with exception: " + t.getMessage()
-				+ ", for user: " + userName
-				+ ", groups: " + groupList);
+
+
+		} finally {
+			if (groupSearchResultEnum != null) {
+				groupSearchResultEnum.close();
 			}
-		}
-		if (groupSearchEnabled) {
 			closeLdapContext();
 		}
 	}
+
 	
 	private static String getShortGroupName(String longGroupName) throws InvalidNameException {
 		if (longGroupName == null) {
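Review bot: When `userSearchEnabled` is false, getGroups() keys `userGroupMap` by `getShortUserName(userFullName)`, so two different member DNs whose first RDN value is the same (for example the same cn under two OUs) collapse into one `UserInfo` and their groups are merged under one username. That silently gives one account the other's group memberships in whatever consumes the sync. The branch should at least detect the collision by comparing the stored full name before calling `addGroup`; the sketch below warns and skips, assuming `getUserFullName()` returns the second constructor argument, and whether to skip or only warn is a policy choice for the maintainers. Note also that the first page is requested with `pagedResultsSize` and `Control.NONCRITICAL` but later pages with `PAGE_SIZE` and `Control.CRITICAL`.
```java
									} else {
										String userShortName = getShortUserName(userFullName);
										userInfo = userGroupMap.get(userShortName);
										if (userInfo == null) {
											userInfo = new UserInfo(userShortName, userFullName);
											userGroupMap.put(userShortName, userInfo);
										} else if (!userFullName.equals(userInfo.getUserFullName())) {
											// Two distinct member DNs reduce to the same short name: do not merge their groups.
											LOG.warn("Skipping member " + userFullName + " of group " + gName
													+ ": short name " + userShortName + " is already mapped to "
													+ userInfo.getUserFullName());
											continue;
										}
										// … unchanged: LOG.debug and userInfo.addGroup(gName) …
									}
```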
@@ -582,6 +765,22 @@ public class LdapUserGroupBuilder implements UserGroupSource {
 		return groupName;
 	}
 	
+	private static String getShortUserName(String longUserName) throws InvalidNameException {
+		if (longUserName == null) {
+			return null;
+		}
+		StringTokenizer stc = new StringTokenizer(longUserName, ",");
+		String firstToken = stc.nextToken();
+		StringTokenizer ste = new StringTokenizer(firstToken, "=");
+		String userName =  ste.nextToken();
+		if (ste.hasMoreTokens()) {
+			userName = ste.nextToken();
+		}
+		userName = userName.trim();
+		LOG.info("longUserName: " + longUserName + ", userName: " + userName);
+		return userName;
+	}
+	
 }
 
 class UserInfo {
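Review bot: `getShortUserName()` splits on `,` and `=` with StringTokenizer, so a member DN whose first RDN value contains an escaped comma or an equals sign yields a truncated username. `nextToken()` also throws NoSuchElementException for a value with no tokens, while the declared `InvalidNameException` is never thrown. Because this short name becomes the synced username when user search is disabled, a mis-parse maps group memberships onto the wrong name. Parsing the value as a DN and falling back to the raw value for non-DN members avoids both problems; the sketch below also demotes the per-member log line from INFO to debug.
```java
	private static String getShortUserName(String longUserName) throws InvalidNameException {
		if (longUserName == null) {
			return null;
		}
		String userName = longUserName;
		try {
			// Parse as a DN so escaped separators inside the first RDN value are handled.
			javax.naming.ldap.LdapName dn = new javax.naming.ldap.LdapName(longUserName);
			if (dn.size() > 0) {
				// The left-most RDN is at the highest index.
				userName = String.valueOf(dn.getRdn(dn.size() - 1).getValue());
			}
		} catch (InvalidNameException e) {
			// Not a DN (for example a plain uid in the member attribute): keep the value as is.
		}
		userName = userName.trim();
		LOG.debug("longUserName: " + longUserName + ", userName: " + userName);
		return userName;
	}
```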
@@ -595,6 +794,10 @@ class UserInfo {
 		this.groupList = new HashSet<String>();
 	}
 	
+	public void updateUserName(String userName) {
+		this.userName = userName;
+	}
+	
 	public String getUserName() {
 		return userName;
 	}
@@ -604,6 +807,9 @@ class UserInfo {
 	public void addGroups(Set<String> groups) {
 		groupList.addAll(groups);
 	}
+	public void addGroup(String group) {
+		groupList.add(group);
+	}
 	public List<String> getGroups() {
 		return (new ArrayList<String>(groupList));
 	}

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1d5471ae/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
----------------------------------------------------------------------
diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java b/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
index e7b00ca..6cfb394 100644
--- a/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
+++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
@@ -149,6 +149,16 @@ public class UserGroupSyncConfig  {
 
   private static final String LGSYNC_GROUP_SEARCH_ENABLED = "ranger.usersync.group.searchenabled";
   private static final boolean DEFAULT_LGSYNC_GROUP_SEARCH_ENABLED = false;
+  
+  private static final String LGSYNC_GROUP_SEARCH_FIRST_ENABLED = "ranger.usersync.group.search.first.enabled";
+  private static final boolean DEFAULT_LGSYNC_GROUP_SEARCH_FIRST_ENABLED = false;
+  
+/*This flag (ranger.usersync.user.searchenabled) is used only when group search first is enabled to get username either -
+  	* from the group member attribute of the group or 
+  	* from the additional user search based on the user attribute configuration
+  */
+ private static final String LGSYNC_USER_SEARCH_ENABLED = "ranger.usersync.user.searchenabled";
+ private static final boolean DEFAULT_LGSYNC_USER_SEARCH_ENABLED = false;
 
   private static final String LGSYNC_GROUP_USER_MAP_SYNC_ENABLED = "ranger.usersync.group.usermapsyncenabled";
   private static final boolean DEFAULT_LGSYNC_GROUP_USER_MAP_SYNC_ENABLED = false;
@@ -657,6 +667,28 @@ public class UserGroupSyncConfig  {
     }
     return groupSearchEnabled;
   }
+  
+  public boolean isGroupSearchFirstEnabled() {
+	boolean groupSearchFirstEnabled;
+	String val = prop.getProperty(LGSYNC_GROUP_SEARCH_FIRST_ENABLED);
+	if(val == null || val.trim().isEmpty()) {
+	   groupSearchFirstEnabled = DEFAULT_LGSYNC_GROUP_SEARCH_FIRST_ENABLED;
+	} else {
+	   groupSearchFirstEnabled  = Boolean.valueOf(val);
+	}
+	return groupSearchFirstEnabled;
+  }
+  
+  public boolean isUserSearchEnabled() {
+	    boolean userSearchEnabled;
+	    String val = prop.getProperty(LGSYNC_USER_SEARCH_ENABLED);
+	    if(val == null || val.trim().isEmpty()) {
+	       userSearchEnabled = DEFAULT_LGSYNC_USER_SEARCH_ENABLED;
+	    } else {
+	       userSearchEnabled  = Boolean.valueOf(val);
+	    }
+	    return userSearchEnabled;
+	  }
 
   public boolean isGroupUserMapSyncEnabled() {
     boolean groupUserMapSyncEnabled;
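Review bot: Both new getters test `val.trim().isEmpty()` but then parse the untrimmed string with `Boolean.valueOf(val)`, so a property value such as `true` followed by a space silently evaluates to false. For `ranger.usersync.group.search.first.enabled` that flips the whole sync strategy without any log line. Use `Boolean.valueOf(val.trim())` in `isGroupSearchFirstEnabled()` and `isUserSearchEnabled()`, and consider warning when the value is neither `true` nor `false`. The two methods are also indented differently from each other and from the rest of the class.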
@@ -887,4 +919,14 @@ public class UserGroupSyncConfig  {
     public void setGroupSearchBase(String groupSearchBase)  throws Throwable {
 	prop.setProperty(LGSYNC_GROUP_SEARCH_BASE, groupSearchBase);
     }
+    
+    /* Used only for unit testing */
+    public void setGroupSearchFirstEnabled(boolean groupSearchFirstEnabled) {
+        prop.setProperty(LGSYNC_GROUP_SEARCH_FIRST_ENABLED, String.valueOf(groupSearchFirstEnabled));
+    }
+    
+    /* Used only for unit testing */
+    public void setUserSearchEnabled(boolean userSearchEnabled) {
+        prop.setProperty(LGSYNC_USER_SEARCH_ENABLED, String.valueOf(userSearchEnabled));
+    }
 }

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1d5471ae/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java
----------------------------------------------------------------------
diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java
index 67379d5..20466ab 100644
--- a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java
+++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java
@@ -815,5 +815,50 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
 		return ret;
 	}
 
+
+	@Override
+	public void addOrUpdateGroup(String groupName) {
+		XGroupInfo group = groupName2XGroupInfoMap.get(groupName) ;
+		
+		if (group == null) {    // Does not exists
+			
+			//* Build the group info object and do the rest call
+ 			if ( ! isMockRun ) {
+ 				group = addGroupInfo(groupName);
+ 				if ( group != null) {
+ 					addGroupToList(group);
+ 				}
+ 			}
+		}
+	}
+	
+	private XGroupInfo addGroupInfo(String groupName){
+		XGroupInfo ret = null;
+		XGroupInfo group = null;
+		
+		LOG.debug("INFO: addPMXAGroup(" + groupName + ")" ) ;
+		if (! isMockRun) {
+			group = addXGroupInfo(groupName) ;
+		}
+		
+		Client c = getClient();
+		
+		WebResource r = c.resource(getURL(PM_ADD_GROUP_URI));
+		
+		Gson gson = new GsonBuilder().create();
+		
+		String jsonString = gson.toJson(group);
+		
+		LOG.debug("Group" + jsonString);
+		
+		String response = r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).post(String.class, jsonString) ;
+		
+		LOG.debug("RESPONSE: [" + response + "]") ;
+		
+		ret = gson.fromJson(response, XGroupInfo.class);
+		
+		return ret;	
+	}
+
 	
 }
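Review bot: In `addGroupInfo` the `if (! isMockRun)` check guards only the call to `addXGroupInfo`, while the client lookup and the POST to `PM_ADD_GROUP_URI` run unconditionally. With `isMockRun` set, `group` stays null, so a mock run would still send a request, with a serialised null as the body. The only caller visible here, `addOrUpdateGroup`, already checks the flag, so this is currently latent, but the helper should return early on its own: `if (isMockRun) { return null; }` as the first statement. The POST and `gson.fromJson` are also not wrapped in any error handling, so a failed or non-JSON response propagates out of `addOrUpdateGroup`. The debug label `addPMXAGroup` does not match the method name.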

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1d5471ae/ugsync/src/main/java/org/apache/ranger/usergroupsync/UserGroupSink.java
----------------------------------------------------------------------
diff --git a/ugsync/src/main/java/org/apache/ranger/usergroupsync/UserGroupSink.java b/ugsync/src/main/java/org/apache/ranger/usergroupsync/UserGroupSink.java
index 0443185..c9b5f1a 100644
--- a/ugsync/src/main/java/org/apache/ranger/usergroupsync/UserGroupSink.java
+++ b/ugsync/src/main/java/org/apache/ranger/usergroupsync/UserGroupSink.java
@@ -25,4 +25,6 @@ public interface UserGroupSink {
 	public void init() throws Throwable;
 
 	public void addOrUpdateUser(String user, List<String> groups);
+	
+	public void addOrUpdateGroup(String group);
 }
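Review bot: `addOrUpdateGroup` joins the interface with no statement of its contract, and the name promises more than the implementation in this commit delivers: `PolicyMgrUserGroupBuilder.addOrUpdateGroup` creates a group that is missing from its map and does nothing for one that already exists. A Javadoc line such as `/** Ensures the named group exists in the sink; an existing group is left unchanged. */` would make that explicit. Any other `UserGroupSink` implementation outside this commit, if one exists, will not compile until it implements the method.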

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1d5471ae/ugsync/src/test/java/org/apache/ranger/usergroupsync/LdapUserGroupTest.java
----------------------------------------------------------------------
diff --git a/ugsync/src/test/java/org/apache/ranger/usergroupsync/LdapUserGroupTest.java b/ugsync/src/test/java/org/apache/ranger/usergroupsync/LdapUserGroupTest.java
index 8d75e10..df8adf3 100644
--- a/ugsync/src/test/java/org/apache/ranger/usergroupsync/LdapUserGroupTest.java
+++ b/ugsync/src/test/java/org/apache/ranger/usergroupsync/LdapUserGroupTest.java
@@ -22,8 +22,6 @@ package org.apache.ranger.usergroupsync;
 import static org.junit.Assert.assertEquals;
 
 import org.apache.directory.server.annotations.CreateLdapConnectionPool;
-import org.apache.directory.server.annotations.CreateLdapServer;
-import org.apache.directory.server.annotations.CreateTransport;
 import org.apache.directory.server.core.annotations.ApplyLdifFiles;
 import org.apache.directory.server.core.annotations.ContextEntry;
 import org.apache.directory.server.core.annotations.CreateDS;
@@ -37,7 +35,6 @@ import org.apache.ranger.unixusersync.config.UserGroupSyncConfig;
 import org.junit.After;
 import org.junit.Assert;
 import org.junit.Before;
-import org.junit.BeforeClass;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 
@@ -93,7 +90,6 @@ public class LdapUserGroupTest extends AbstractLdapTestUnit{
 	    getLdapServer().start();
 		config = UserGroupSyncConfig.getInstance();	
 		ldapBuilder = new LdapUserGroupBuilder();
-        ldapBuilder.init();
 	}
 	
 	@Test
@@ -103,6 +99,8 @@ public class LdapUserGroupTest extends AbstractLdapTestUnit{
 		config.setGroupSearchBase("OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com");
         config.setGroupSearchEnabled(false);
         config.setPagedResultsEnabled(true);
+        config.setGroupSearchFirstEnabled(false);
+        ldapBuilder.init();
 		PolicyMgrUserGroupBuilderTest sink = new PolicyMgrUserGroupBuilderTest();
 		sink.init();
 		ldapBuilder.updateSink(sink);
@@ -116,6 +114,8 @@ public class LdapUserGroupTest extends AbstractLdapTestUnit{
 		config.setGroupSearchBase("OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com");
         config.setGroupSearchEnabled(false);
         config.setPagedResultsEnabled(false);
+        config.setGroupSearchFirstEnabled(false);
+        ldapBuilder.init();
 		PolicyMgrUserGroupBuilderTest sink = new PolicyMgrUserGroupBuilderTest();
 		sink.init();
 		ldapBuilder.updateSink(sink);
@@ -129,6 +129,8 @@ public class LdapUserGroupTest extends AbstractLdapTestUnit{
             config.setUserSearchFilter("(|(memberof=CN=Group10,OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com)(memberof=CN=Group11,OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com))");
             config.setGroupSearchBase("OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com");
             config.setGroupSearchEnabled(false);
+            config.setGroupSearchFirstEnabled(false);
+            ldapBuilder.init();
             PolicyMgrUserGroupBuilderTest sink = new PolicyMgrUserGroupBuilderTest();
             sink.init();
             ldapBuilder.updateSink(sink);
@@ -142,6 +144,8 @@ public class LdapUserGroupTest extends AbstractLdapTestUnit{
             config.setGroupSearchBase("OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com");
             config.setGroupSearchFilter("");
             config.setGroupSearchEnabled(true);
+            config.setGroupSearchFirstEnabled(false);
+            ldapBuilder.init();
             PolicyMgrUserGroupBuilderTest sink = new PolicyMgrUserGroupBuilderTest();
             sink.init();
             ldapBuilder.updateSink(sink);
@@ -155,6 +159,8 @@ public class LdapUserGroupTest extends AbstractLdapTestUnit{
             config.setGroupSearchBase("OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com");
             config.setGroupSearchFilter("cn=Group19");
             config.setGroupSearchEnabled(true);
+            config.setGroupSearchFirstEnabled(false);
+            ldapBuilder.init();
             PolicyMgrUserGroupBuilderTest sink = new PolicyMgrUserGroupBuilderTest();
             sink.init();
             ldapBuilder.updateSink(sink);
@@ -168,6 +174,8 @@ public class LdapUserGroupTest extends AbstractLdapTestUnit{
             config.setGroupSearchBase("OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com");
             config.setGroupSearchFilter("cn=Group19");
             config.setGroupSearchEnabled(false);
+            config.setGroupSearchFirstEnabled(false);
+            ldapBuilder.init();
             PolicyMgrUserGroupBuilderTest sink = new PolicyMgrUserGroupBuilderTest();
             sink.init();
             ldapBuilder.updateSink(sink);
@@ -181,6 +189,8 @@ public class LdapUserGroupTest extends AbstractLdapTestUnit{
             config.setGroupSearchBase("OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com");
             config.setGroupSearchFilter("cn=*Group10");
             config.setGroupSearchEnabled(true);
+            config.setGroupSearchFirstEnabled(false);
+            ldapBuilder.init();
             PolicyMgrUserGroupBuilderTest sink = new PolicyMgrUserGroupBuilderTest();
             sink.init();
             ldapBuilder.updateSink(sink);
@@ -195,6 +205,8 @@ public class LdapUserGroupTest extends AbstractLdapTestUnit{
             config.setGroupSearchBase("OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com");
             config.setGroupSearchFilter("cn=*Group10");
             config.setGroupSearchEnabled(false);
+            config.setGroupSearchFirstEnabled(false);
+            ldapBuilder.init();
             PolicyMgrUserGroupBuilderTest sink = new PolicyMgrUserGroupBuilderTest();
             sink.init();
             ldapBuilder.updateSink(sink);
@@ -209,6 +221,8 @@ public class LdapUserGroupTest extends AbstractLdapTestUnit{
             config.setGroupSearchBase("OU=HdpGroups,OU=HadoopUsers,DC=ranger,DC=qe,DC=hortonworks,DC=com;OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com");
             config.setGroupSearchFilter("cn=*Group10");
             config.setGroupSearchEnabled(false);
+            config.setGroupSearchFirstEnabled(false);
+            ldapBuilder.init();
             PolicyMgrUserGroupBuilderTest sink = new PolicyMgrUserGroupBuilderTest();
             sink.init();
             ldapBuilder.updateSink(sink);
@@ -223,6 +237,8 @@ public class LdapUserGroupTest extends AbstractLdapTestUnit{
             config.setGroupSearchBase("OU=HdpGroups,OU=HadoopUsers,DC=ranger,DC=qe,DC=hortonworks,DC=com;OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com");
             config.setGroupSearchFilter("cn=*");
             config.setGroupSearchEnabled(true);
+            config.setGroupSearchFirstEnabled(false);
+            ldapBuilder.init();
             PolicyMgrUserGroupBuilderTest sink = new PolicyMgrUserGroupBuilderTest();
             sink.init();
             ldapBuilder.updateSink(sink);
@@ -237,6 +253,8 @@ public class LdapUserGroupTest extends AbstractLdapTestUnit{
             config.setGroupSearchBase("OU=HdpGroups,OU=HadoopUsers,DC=ranger,DC=qe,DC=hortonworks,DC=com;OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com");
             config.setGroupSearchFilter("cn=*Group10");
             config.setGroupSearchEnabled(true);
+            config.setGroupSearchFirstEnabled(false);
+            ldapBuilder.init();
             PolicyMgrUserGroupBuilderTest sink = new PolicyMgrUserGroupBuilderTest();
             sink.init();
             ldapBuilder.updateSink(sink);
@@ -244,6 +262,132 @@ public class LdapUserGroupTest extends AbstractLdapTestUnit{
             assertEquals(2, sink.getTotalGroups());
     }
     
+    @Test
+    public void testGroupBasedAllUsers() throws Throwable {
+    		config.setUserSearchBase("DC=ranger,DC=qe,DC=hortonworks,DC=com;");
+            config.setUserSearchFilter("cn=*");
+            config.setGroupSearchBase("OU=HdpGroups,OU=HadoopUsers,DC=ranger,DC=qe,DC=hortonworks,DC=com;OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com");
+            config.setGroupSearchFilter("cn=*Group10");
+            config.setGroupSearchFirstEnabled(true);
+            ldapBuilder.init();
+            PolicyMgrUserGroupBuilderTest sink = new PolicyMgrUserGroupBuilderTest();
+            sink.init();
+            ldapBuilder.updateSink(sink);
+            assertEquals(2, sink.getTotalUsers());
+            assertEquals(2, sink.getTotalGroups());
+    }
+    
+    @Test
+    public void testGroupBasedWithUserFilter() throws Throwable {
+    		config.setUserSearchBase("DC=ranger,DC=qe,DC=hortonworks,DC=com;");
+            config.setUserSearchFilter("cn=User*");
+            config.setGroupSearchBase("OU=HdpGroups,OU=HadoopUsers,DC=ranger,DC=qe,DC=hortonworks,DC=com;OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com");
+            config.setGroupSearchFilter("cn=*Group10");
+            config.setGroupSearchFirstEnabled(true);
+            config.setUserSearchEnabled(true);
+            ldapBuilder.init();
+            PolicyMgrUserGroupBuilderTest sink = new PolicyMgrUserGroupBuilderTest();
+            sink.init();
+            ldapBuilder.updateSink(sink);
+            assertEquals(1, sink.getTotalUsers());
+            assertEquals(2, sink.getTotalGroups());
+    }
+    
+    @Test
+    public void testGroupBasedWithNoUsers() throws Throwable {
+    		config.setUserSearchBase("DC=ranger,DC=qe,DC=hortonworks,DC=com;");
+            config.setUserSearchFilter("cn=*");
+            config.setGroupSearchBase("OU=HdpGroups,OU=HadoopUsers,DC=ranger,DC=qe,DC=hortonworks,DC=com;OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com");
+            config.setGroupSearchFilter("cn=Group2*");
+            config.setGroupSearchFirstEnabled(true);
+            config.setUserSearchEnabled(true);
+            ldapBuilder.init();
+            PolicyMgrUserGroupBuilderTest sink = new PolicyMgrUserGroupBuilderTest();
+            sink.init();
+            ldapBuilder.updateSink(sink);
+            assertEquals(0, sink.getTotalUsers());
+            assertEquals(2, sink.getTotalGroups());
+    }
+    
+    @Test
+    public void testGroupBasedWithAllUsersAndGroups() throws Throwable {
+		config.setUserSearchBase("DC=ranger,DC=qe,DC=hortonworks,DC=com;");
+        config.setUserSearchFilter("cn=*");
+        config.setGroupSearchBase("OU=HdpGroups,OU=HadoopUsers,DC=ranger,DC=qe,DC=hortonworks,DC=com;OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com");
+        config.setGroupSearchFilter("cn=*");
+        config.setGroupSearchFirstEnabled(true);
+        config.setUserSearchEnabled(true);
+        ldapBuilder.init();
+        PolicyMgrUserGroupBuilderTest sink = new PolicyMgrUserGroupBuilderTest();
+        sink.init();
+        ldapBuilder.updateSink(sink);
+        assertEquals(100, sink.getTotalUsers());
+        assertEquals(13, sink.getTotalGroups());
+    }
+    
+    @Test
+    public void testGroupBasedWithSingleOU() throws Throwable {
+		config.setUserSearchBase("DC=ranger,DC=qe,DC=hortonworks,DC=com;");
+        config.setUserSearchFilter("cn=*");
+        config.setGroupSearchBase("OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com");
+        config.setGroupSearchFilter("cn=*");
+        config.setGroupSearchFirstEnabled(true);
+        config.setUserSearchEnabled(true);
+        ldapBuilder.init();
+        PolicyMgrUserGroupBuilderTest sink = new PolicyMgrUserGroupBuilderTest();
+        sink.init();
+        ldapBuilder.updateSink(sink);
+        assertEquals(99, sink.getTotalUsers());
+        assertEquals(12, sink.getTotalGroups());
+    }
+    
+    @Test
+    public void testUpdateSinkWithEmptyUserSearchBase() throws Throwable {
+		config.setUserSearchBase("");
+		config.setUserSearchFilter("");
+		config.setGroupSearchBase("OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com");
+        config.setGroupSearchEnabled(false);
+        config.setPagedResultsEnabled(true);
+        config.setGroupSearchFirstEnabled(false);
+        ldapBuilder.init();
+		PolicyMgrUserGroupBuilderTest sink = new PolicyMgrUserGroupBuilderTest();
+		sink.init();
+		ldapBuilder.updateSink(sink);
+		assertEquals(111, sink.getTotalUsers());
+    }
+    
+    @Test
+    public void testGBWithUserSearchDisabled() throws Throwable {
+    		config.setUserSearchBase("DC=ranger,DC=qe,DC=hortonworks,DC=com;");
+            config.setUserSearchFilter("cn=User*");
+            config.setGroupSearchBase("OU=HdpGroups,OU=HadoopUsers,DC=ranger,DC=qe,DC=hortonworks,DC=com;OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com");
+            config.setGroupSearchFilter("cn=*Group10");
+            config.setGroupSearchFirstEnabled(true);
+            config.setUserSearchEnabled(false);
+            ldapBuilder.init();
+            PolicyMgrUserGroupBuilderTest sink = new PolicyMgrUserGroupBuilderTest();
+            sink.init();
+            ldapBuilder.updateSink(sink);
+            assertEquals(2, sink.getTotalUsers());
+            assertEquals(2, sink.getTotalGroups());
+    }
+    
+    @Test
+    public void testGBWithNoUsersAndUserSearchDisabled() throws Throwable {
+    		config.setUserSearchBase("DC=ranger,DC=qe,DC=hortonworks,DC=com;");
+            config.setUserSearchFilter("cn=*");
+            config.setGroupSearchBase("OU=HdpGroups,OU=HadoopUsers,DC=ranger,DC=qe,DC=hortonworks,DC=com;OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com");
+            config.setGroupSearchFilter("cn=Group2*");
+            config.setGroupSearchFirstEnabled(true);
+            config.setUserSearchEnabled(false);
+            ldapBuilder.init();
+            PolicyMgrUserGroupBuilderTest sink = new PolicyMgrUserGroupBuilderTest();
+            sink.init();
+            ldapBuilder.updateSink(sink);
+            assertEquals(0, sink.getTotalUsers());
+            assertEquals(2, sink.getTotalGroups());
+    }
+    
     @After
     public void shutdown() throws Exception {
     	if (getService().isStarted()) {
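Review bot: Several of the added tests do not set every flag they depend on, although `config` comes from `UserGroupSyncConfig.getInstance()` and so appears to be shared across tests. `testGroupBasedAllUsers` never calls `setUserSearchEnabled` or `setGroupSearchEnabled`, and `testUpdateSinkWithEmptyUserSearchBase` never calls `setUserSearchEnabled`. Whatever an earlier test wrote stays in effect, and JUnit does not guarantee method order, so the expected counts can depend on which test ran first. Each test should set the flags it relies on before `ldapBuilder.init();`, for example `config.setUserSearchEnabled(true);`, or the `@Before` method (outside this hunk) should reset them to known values.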

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1d5471ae/ugsync/src/test/java/org/apache/ranger/usergroupsync/PolicyMgrUserGroupBuilderTest.java
----------------------------------------------------------------------
diff --git a/ugsync/src/test/java/org/apache/ranger/usergroupsync/PolicyMgrUserGroupBuilderTest.java b/ugsync/src/test/java/org/apache/ranger/usergroupsync/PolicyMgrUserGroupBuilderTest.java
index e106e9c..0d817f6 100644
--- a/ugsync/src/test/java/org/apache/ranger/usergroupsync/PolicyMgrUserGroupBuilderTest.java
+++ b/ugsync/src/test/java/org/apache/ranger/usergroupsync/PolicyMgrUserGroupBuilderTest.java
@@ -27,6 +27,7 @@ import org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder;
 
 public class PolicyMgrUserGroupBuilderTest extends PolicyMgrUserGroupBuilder {
         private static int totalUsers = 0;
+        //private static int totalGroups = 0;
         private Set<String> allGroups;
 
         @Override
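Review bot: The commit adds commented-out code to the test sink: `//private static int totalGroups = 0;` in this hunk and `//totalGroups++;` inside the new `addOrUpdateGroup` in the next one. Since the group count is evidently taken from `allGroups`, both lines can simply be deleted. `addOrUpdateGroup` also calls `allGroups.add(group)` without a null check, so it depends on `allGroups` having been created first (presumably in `init()`, which is not visible here). A one-line comment stating that `init()` must be called before the sink is used would document that.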
@@ -42,6 +43,12 @@ public class PolicyMgrUserGroupBuilderTest extends PolicyMgrUserGroupBuilder {
                 allGroups.addAll(groups);
                 //System.out.println("Username: " + user + " and associated groups: " + groups);
         }
+        
+        @Override
+        public void addOrUpdateGroup(String group) {
+                //totalGroups++;
+                allGroups.add(group);
+        }
 
         public int getTotalUsers() {
                 return totalUsers;

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1d5471ae/ugsync/src/test/resources/ADSchema.ldif
----------------------------------------------------------------------
diff --git a/ugsync/src/test/resources/ADSchema.ldif b/ugsync/src/test/resources/ADSchema.ldif
index 9d5a4c2..59402f1 100644
--- a/ugsync/src/test/resources/ADSchema.ldif
+++ b/ugsync/src/test/resources/ADSchema.ldif
@@ -2473,4 +2473,28 @@ member: CN=User1801,CN=Users,DC=ranger,DC=qe,DC=hortonworks,DC=com
 distinguishedName: CN=Group19,OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com
 sAMAccountName: Group19
 sn: Group19
+#groupType: -2147483644
+
+dn: CN=Group20,OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com
+changetype: add
+objectClass: extensibleObject
+objectClass: top
+objectClass: groupOfNames
+cn: Group20
+member:
+distinguishedName: CN=Group20,OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com
+sAMAccountName: Group20
+sn: Group20
+#groupType: -2147483644
+
+dn: CN=Group21,OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com
+changetype: add
+objectClass: extensibleObject
+objectClass: top
+objectClass: groupOfNames
+cn: Group21
+member:
+distinguishedName: CN=Group21,OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com
+sAMAccountName: Group21
+sn: Group21
 #groupType: -2147483644
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1d5471ae/ugsync/src/test/resources/ranger-ugsync-site.xml
----------------------------------------------------------------------
diff --git a/ugsync/src/test/resources/ranger-ugsync-site.xml b/ugsync/src/test/resources/ranger-ugsync-site.xml
index 9ae522b..f1232de 100644
--- a/ugsync/src/test/resources/ranger-ugsync-site.xml
+++ b/ugsync/src/test/resources/ranger-ugsync-site.xml
@@ -64,6 +64,16 @@
     </property>
     
     <property>
+      <name>ranger.usersync.group.search.first.enabled</name>
+      <value>false</value>
+    </property>
+    
+    <property>
+      <name>ranger.usersync.user.searchenabled</name>
+      <value>true</value>
+    </property>
+    
+    <property>
       <name>ranger.usersync.keystore.file</name>
       <value>/usr/hdp/current/ranger-usersync/conf/unixauthservice.jks</value>
     </property>

