Major Description
When configuring a user with a group based role assignment to the ROLE_ADMIN_AUDITOR role, running the usersync process causes a malformed user permission to be assigned to that user. Each time usersync is run this adds more user permissions, until eventually there are enough that the usersync and login processes take several minutes to complete.
Configuration
I have this configured in ranger-ugsync-site.xml:
<property> <name>ranger.usersync.group.based.role.assignment.rules</name> <value>ROLE_ADMIN_AUDITOR:u:myusername</value> </property>
And the usersync process is being invoked with:
/usr/bin/java -Dproc_rangerusersync -Dlog4j.configuration=file:/etc/ranger/conf/log4j.properties -XX:MetaspaceSize=100m -XX:MaxMetaspaceSize=200m -Xmx1g -Xms1g -Duser=ranger -Dhostname=<redacted> -Dlogdir=/var/log/ranger/usersync -cp /usr/local/ranger-usersync/dist/*:/usr/local/ranger-usersync/lib/*:/usr/local/ranger-usersync/conf: org.apache.ranger.authentication.UnixAuthenticationService -enableUnixAuth
Observations
Upon the usersync process restarting, the x_user_module_perm table in the ranger database has new rows added to it. These all have "module_id" set to [null]. These rows are never removed or updated. During login, this causes the call to /service/users/profile to take longer and longer. In production, 15,000 rows in this table for a single user caused the login to take 2.5 minutes.