RANGER-5427 : AD Groups with 1500+ Users Fail to Sync into Ranger Admin via RangerUserSync#966
Draft
dhavalshah9131 wants to merge 1 commit into
…in via RangerUserSync
What changes were proposed in this pull request?
RANGER-5427 : AD Groups with 1500+ Users Fail to Sync into Ranger Admin via RangerUserSync
Problem Description
Active Directory (AD) groups containing more than 1500 users are not fully synchronized into Ranger Admin when using the RangerUserSync service.
During LDAP sync, RangerUserSync retrieves only the first 1500 members of such groups, resulting in missing users in Ranger admin.
Root Cause
Active Directory enforces a hard limit (MaxValRange = 1500) on multi-valued attributes such as member.
For groups with more than 1500 users, AD returns group members using range-based attributes, for example:
member;range=0-1499
RangerUserSync currently expects the standard member attribute and does not handle range-based member retrieval, which causes incomplete group membership resolution.
Example
Non-working (Large AD group):
member;range=0-1499: CN=1624070,OU=User,OU=Accounts,OU=people,DC=zone1,DC=scb,DC=net
Working (Group with <1500 users):
member: CN=<cn>,OU=Generic,OU=Accounts,OU=people,DC=zone1,DC=scb,DC=net
Solution / Fix
A new configuration property has been introduced to support large AD group synchronization using range retrieval.
Property Name:
ranger.usersync.ldap.largegroupsync
Default Value: false
Required Value to Fix the Issue: true
This property must be enabled and added in the following file: ranger-ugsync-site.xml
When ranger.usersync.ldap.largegroupsync is set to true:
RangerUserSync fetches group members in batches of 1500
LDAP queries use range-based attributes:
member;range=0-1499
member;range=1500-2999
...
Sync continues until AD returns member;range=-, indicating the final batch
All users in large AD groups are successfully synced into Ranger Admin
How was this patch tested?
=> Builds successfully with unit tests
=> Manual testing
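The range-retrieval loop the description sketches, as an added example that is not Ranger's code (Ranger's own usersync is Java and the PR's diff is not shown on this page). It is written in Python against a constructed in-memory stand-in for an AD server, so it runs offline; `SimulatedAD`, `fetch_members_naive`, `fetch_members_ranged`, `demo` and the example DNs are all assumptions for illustration. Two facts about AD it relies on: a group whose `member` list exceeds MaxValRange comes back under a range-qualified attribute name such as `member;range=0-1499` instead of `member`, and the final batch is marked by an upper bound of `*` (for example `member;range=3000-*`). The pre-fix behaviour (read `member` once, keep whatever single attribute comes back) is shown beside the fixed loop so the 1500-member truncation is visible.

```python
import re

# Active Directory's default MaxValRange: the most values of a multi-valued
# attribute (such as member) returned in one search response.
MAX_VAL_RANGE = 1500

# Matches the range-qualified attribute name AD returns, e.g.
# "member;range=0-1499", or "member;range=3000-*" for the final batch.
RANGE_RE = re.compile(r"^member;range=(\d+)-(\d+|\*)$", re.IGNORECASE)


class SimulatedAD:
    """Constructed stand-in for an AD server enforcing MaxValRange (assumption:
    not a real LDAP client). search() mimics only the attribute naming AD
    uses for range retrieval of the member attribute."""

    def __init__(self, groups, max_val_range=MAX_VAL_RANGE):
        self.groups = groups            # {group_dn: [member DN, ...]}
        self.max_val_range = max_val_range
        self.requests = []              # attribute names asked for, in order

    def search(self, group_dn, attr):
        """Return one LDAP entry as {attribute_name: [values]}."""
        self.requests.append(attr)
        members = self.groups[group_dn]
        m = RANGE_RE.match(attr)
        if m is None:
            if attr.lower() != "member":
                raise ValueError(f"unsupported attribute {attr!r}")
            if len(members) <= self.max_val_range:
                return {"member": list(members)}
            # Group too large: AD silently switches to a ranged attribute.
            end = self.max_val_range - 1
            return {f"member;range=0-{end}": members[: end + 1]}
        start = int(m.group(1))
        # AD never returns more than MaxValRange values, whatever was asked.
        end = start + self.max_val_range - 1
        if m.group(2) != "*":
            end = min(end, int(m.group(2)))
        chunk = members[start : end + 1]
        if start + len(chunk) >= len(members):
            return {f"member;range={start}-*": chunk}   # final batch marker
        return {f"member;range={start}-{end}": chunk}


def fetch_members_naive(ldap_search, group_dn):
    """Pre-fix behaviour: read member once and take whichever single attribute
    comes back, so a large group yields at most the first MaxValRange DNs."""
    entry = ldap_search(group_dn, "member")
    (_, values), = entry.items()
    return list(values)


def fetch_members_ranged(ldap_search, group_dn, batch=MAX_VAL_RANGE, max_rounds=10000):
    """Range retrieval: keep requesting member;range=<start>-<end> until AD
    answers with an attribute whose upper bound is '*'."""
    entry = ldap_search(group_dn, "member")
    if "member" in entry:
        return list(entry["member"])            # small group, no ranges used
    members = []
    for _ in range(max_rounds):                 # bound the loop for a misbehaving server
        name, values = next((k, v) for k, v in entry.items() if RANGE_RE.match(k))
        m = RANGE_RE.match(name)
        if int(m.group(1)) != len(members):     # sanity check: contiguous ranges only
            raise RuntimeError(f"unexpected range start in {name}")
        members.extend(values)
        if m.group(2) == "*":
            return members                      # final batch delivered
        start = int(m.group(2)) + 1
        entry = ldap_search(group_dn, f"member;range={start}-{start + batch - 1}")
    raise RuntimeError("range retrieval did not terminate")


def demo(group_size=3700):
    """Build a constructed group of group_size members and compare both
    strategies; returns (naive count, ranged count, attributes requested)."""
    group_dn = "CN=bigteam,OU=Groups,DC=example,DC=com"          # constructed
    members = [f"CN={i},OU=User,OU=Accounts,DC=example,DC=com" for i in range(group_size)]
    ad = SimulatedAD({group_dn: members})
    naive = fetch_members_naive(ad.search, group_dn)
    ad.requests.clear()
    full = fetch_members_ranged(ad.search, group_dn)
    return len(naive), len(full), list(ad.requests)


if __name__ == "__main__":
    print(demo())
```

For a 3700-member group the naive reader stops at 1500 DNs, while the ranged loop issues `member`, `member;range=1500-2999` and `member;range=3000-4499`, receives the last batch as `member;range=3000-*`, and returns all 3700. A real implementation should keep the contiguity check: a server that answers a range request with a different start than the one asked for would otherwise be merged into a silently wrong membership list.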