Configuring nested group hierarchies

Ranger Usersync only evaluates nested group membership when ranger.usersync.ldap.grouphierarchylevels is set to a non-zero value. Until you do so, a user who belongs to a group that is itself a member of another group is synced into Ranger with only the immediate group, not the parent groups.

"Nesting" groups means adding a group as a member to another group. If a group (groupA) is a member of another group (groupB), then the users belonging to the member group (groupA) are part of the parent group (groupB) as well. Nesting is very useful when delegating access through inheritance. Many large enterprises have their LDAP/AD groups nested within other groups. Security admins want the users in those nested groups to be associated with the parent groups in Ranger so that the parent groups are available for policy authoring in Ranger Admin. CDP Ranger Usersync supports nested group membership representation for policy authoring.

In the following example directory structure, all the marketing users are under one OU, "Marketing Users". These users are members of different groups based on location, such as US, Canada, and London. For example, user "Adam Will" from the "Marketing Users" OU is a member of "Canada Marketing Group". The example directory structure also contains multiple nested group levels; for example, "US Marketing Group" is a member of "AMER Marketing Group", which in turn is a member of "Marketing Group".

Figure 1. Example Active Directory structure with Nested Groups

Ranger Usersync, by default, computes only the immediate groups for each user. For example, user "Adam Will" is a member of "Canada Marketing Group", and without nested group sync configuration only that membership is available in Ranger. With this information, if an admin wants to grant access to all the users under "AMER Marketing Group", then every sub group ("US Marketing Group" and "Canada Marketing Group") must be added to the policy individually in Ranger Admin, and the policy must be updated whenever a sub group is added to or removed from "AMER Marketing Group" in the directory.

To simplify policy configuration at parent-level groups, Ranger supports evaluating nested group memberships through the "ranger.usersync.ldap.grouphierarchylevels" property. If ranger.usersync.ldap.grouphierarchylevels is set to "3", Ranger Usersync computes the group memberships for user "Adam Will" as "Canada Marketing Group", "AMER Marketing Group", and "Marketing Group". This way, an admin can configure a Ranger policy at the parent group level ("AMER Marketing Group") and it applies to all the users (Mary Sam, John Doe, and Adam Will) under each sub group (US Marketing Group and Canada Marketing Group). Note that this also widens the effective scope of any existing policy that already names a parent group: after the next sync, such a policy matches every user in every nested sub group, so review parent-level policies before enabling nesting and set the level to the actual depth of your group hierarchy rather than an arbitrarily large number.
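The following Python model is an added illustration of how the hierarchy level bounds the group expansion described above. It is not Ranger's code; it does not talk to LDAP, and the directory contents (USER_GROUPS and GROUP_PARENTS) are constructed to match the page's example, with the group names taken from the page and the individual user memberships assumed. The level semantics are also an assumption modelled on the page's description: direct groups are always included, and a level of N climbs at most N parent levels above them.

```python
from collections import deque

# Constructed sample directory (group names from the page; memberships assumed).
# user -> groups the user is a direct member of (what AD "memberOf" would return)
USER_GROUPS = {
    "Adam Will": {"Canada Marketing Group"},
    "Mary Sam": {"US Marketing Group"},
    "John Doe": {"US Marketing Group"},
}
# group -> groups that this group is itself a direct member of (its parents)
GROUP_PARENTS = {
    "US Marketing Group": {"AMER Marketing Group"},
    "Canada Marketing Group": {"AMER Marketing Group"},
    "AMER Marketing Group": {"Marketing Group"},
    "Marketing Group": set(),
}


def effective_groups(user, hierarchy_levels, user_groups=USER_GROUPS,
                     group_parents=GROUP_PARENTS):
    """Groups a usersync-style walk would associate with `user`.

    Assumed semantics (a model of the page's description, not Ranger's
    source): direct groups are always included; with hierarchy_levels == 0
    (the default) nothing else is, and with N > 0 the walk climbs at most
    N parent levels above the direct groups. The `result` set doubles as a
    visited set, so cyclic nesting in the directory cannot loop forever.
    """
    direct = set(user_groups.get(user, ()))
    result = set(direct)
    frontier = deque((group, 0) for group in direct)
    while frontier:
        group, depth = frontier.popleft()
        if depth >= hierarchy_levels:
            continue  # level budget exhausted on this branch
        for parent in group_parents.get(group, ()):
            if parent not in result:
                result.add(parent)
                frontier.append((parent, depth + 1))
    return result


def users_covered_by(group, hierarchy_levels, user_groups=USER_GROUPS,
                     group_parents=GROUP_PARENTS):
    """Users that a policy granting access to `group` would effectively match."""
    return {
        user for user in user_groups
        if group in effective_groups(user, hierarchy_levels,
                                     user_groups, group_parents)
    }


if __name__ == "__main__":
    for levels in (0, 1, 3):
        print(f"levels={levels} Adam Will ->",
              sorted(effective_groups("Adam Will", levels)))
        print(f"levels={levels} policy on AMER Marketing Group covers ->",
              sorted(users_covered_by("AMER Marketing Group", levels)))
```

Running the script shows the effect the page describes: at level 0 a policy on "AMER Marketing Group" matches nobody, because no user is synced with that group, while at level 3 it matches Adam Will, Mary Sam, and John Doe. The users_covered_by helper is the check worth running (against your real directory data) before enabling nesting, since it answers the question "who will this parent-level policy actually grant access to?"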

  1. In Cloudera Manager > Ranger > Configuration, type hierarchy in Search.
  2. In Usersync Group Hierarchy Levels (ranger.usersync.ldap.grouphierarchylevels) configuration, set:
    • In Ranger Usersync Default Group, type: 3
  3. Click Save Changes.
  4. Restart Ranger.