Configuring Ranger Usersync for Deleted Users and Groups

How to configure Ranger Usersync for users and groups that have been deleted from the sync source.

You can configure Ranger Usersync to update Ranger when users and groups have been deleted from the sync source (UNIX, LDAP, AD or PAM). This ensures that users and groups – and their associated access permissions – do not remain in Ranger after they are deleted from the sync source.

  1. In Cloudera Manager, select Ranger > Configuration, then use the Search box to search for Ranger Usersync Advanced Configuration Snippet (Safety Valve) for conf/ranger-ugsync-site.xml. Use the Add (+) icons to add the following properties, then click Save Changes.
    Name: ranger.usersync.deletes.enabled
    Value: true
    Description: Enables deleted users and groups synchronization. The default setting is false (disabled).

    Name: ranger.usersync.deletes.frequency
    Value: 10
    Description: Sets the frequency of delete synchronization. The default setting is 10, or once every 10 Usersync cycles. Delete synchronization consumes cluster resources, so a lower (more frequent) setting may affect performance.
  2. Click the Ranger Restart icon.
  3. On the Stale Configurations page, click Restart Stale Services.
  4. On the Restart Stale Services page, select the Re-deploy client configuration check box, then click Restart Now.
  5. A progress indicator page appears while the services are being restarted. When the services have restarted, click Continue.
  6. Users that have been deleted in the sync source are not automatically deleted in Ranger – they are marked as Hidden and must be manually deleted by the Ranger Admin user, after which Ranger Usersync must be restarted.
    In the Ranger Admin Web UI, select Settings > Users/Groups/Roles. Click in the User List text box, then select Visibility > Hidden.
  7. To delete a hidden user or group manually, select the applicable check boxes, then click the red Delete icon.

    You can delete multiple users or groups by running a "delete" script on the command line interface.

    For example:
    Sample command to delete users:
    python deleteUserGroupUtil.py -users <user file path> -admin <ranger admin user> -url <rangerhosturl> [-force] [-sslCertPath <cert path>] [-debug]
    
    Sample command to delete groups:
    python deleteUserGroupUtil.py -groups <group file path> -admin <ranger admin user> -url <rangerhosturl> [-force] [-sslCertPath <cert path>] [-debug]
  8. In Cloudera Manager, select Ranger > Ranger Usersync, then select Actions > Restart this Ranger Usersync.
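
A pre-deletion check for steps 6 and 7, added here as an example and not part of the original page or of Ranger's own tooling: it splits Ranger's hidden users into those absent from the sync source and those that still exist there and should be reviewed before a bulk delete. The JSON field names (vXUsers, name, isVisible with 0 meaning hidden), the one-name-per-line user file format, and all sample data are assumptions.

```python
import json

# Constructed sample of a Ranger user listing. The "vXUsers" / "name" /
# "isVisible" field names and 0 = hidden are assumptions about the export.
SAMPLE_RANGER_USERS = json.dumps({"vXUsers": [
    {"name": "alice", "isVisible": 1},
    {"name": "bob", "isVisible": 0},
    {"name": "carol", "isVisible": 0},
    {"name": "svc_etl", "isVisible": 1},
]})

# Constructed sample of account names currently present in the sync source.
SAMPLE_SOURCE_USERS = ["alice", "Carol", "svc_etl"]


def classify_hidden_users(ranger_json, source_users):
    """Split Ranger's hidden users into (safe_to_delete, needs_review)."""
    # Compare case-insensitively so a case-only mismatch lands in review
    # instead of being queued for deletion.
    source = {u.strip().lower() for u in source_users if u.strip()}
    to_delete, review = [], []
    for user in json.loads(ranger_json).get("vXUsers", []):
        if user.get("isVisible", 1) != 0:
            continue  # still visible: not flagged as deleted by Usersync
        name = user["name"]
        # Hidden but still present in the source: investigate, do not delete.
        (review if name.lower() in source else to_delete).append(name)
    return sorted(to_delete), sorted(review)


def write_user_file(names, path):
    """Write one name per line (assumed format of the -users input file)."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("".join(f"{n}\n" for n in names))
    return len(names)


if __name__ == "__main__":
    delete, review = classify_hidden_users(SAMPLE_RANGER_USERS,
                                           SAMPLE_SOURCE_USERS)
    print("delete:", delete)
    print("review before deleting:", review)
    print("wrote", write_user_file(delete, "users_to_delete.txt"), "names")
```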