Installing UserSync and Starting the Service
Important: To ensure that LDAP/AD group-level authorization is enforced in Hadoop, you should set up Hadoop group mapping for LDAP/AD.
To install Ranger UserSync and start the service, do the following:
Find the Ranger UserSync software:
yum search usersync
or
yum list | grep usersync
Install Ranger UserSync:
Note: Make sure the database on which Ranger will be installed is up and running.
yum install ranger_<version>-usersync.x86_64
At the Ranger UserSync installation directory, update the following properties in the install.properties file:

Table 13.2. Properties to Update in the install.properties File

| Configuration Property Name | Default/Example Value | Required? |
|---|---|---|
| Policy Admin Tool | | |
| POLICY_MGR_URL: URL for the policy admin | http://policymanager.xasecure.net:6080 | Y |
| User Group Source Information | | |
| SYNC_SOURCE: specifies where the user/group information is extracted from before it is put into the Ranger database. unix: gets user information from the /etc/passwd file and group information from the /etc/group file. ldap: gets user information from an LDAP service (see below for more information) | unix | N |
| SYNC_INTERVAL: specifies the interval (in minutes) between synchronization cycles. Note that the second sync cycle will NOT start until the first sync cycle is COMPLETE | 5 | N |
| UNIX user/group synchronization | | |
| MIN_UNIX_USER_ID_TO_SYNC: users with a UID below this value are not synchronized to the Ranger user database | 300 (Unix default), 1000 (LDAP default) | Mandatory if SYNC_SOURCE is selected as unix |
| LDAP user/group synchronization | | |
| SYNC_LDAP_URL: URL of the source LDAP | ldap://ldap.example.com:389 | Mandatory if SYNC_SOURCE is selected as ldap |
| SYNC_LDAP_BIND_DN: LDAP bind DN used to connect to LDAP and query for users and groups | cn=admin,ou=users,dc=hadoop,dc=apache,dc=org | Mandatory if SYNC_SOURCE is selected as ldap |
| SYNC_LDAP_BIND_PASSWORD: LDAP bind password for the bind DN specified above | LdapAdminPassW0Rd | Mandatory if SYNC_SOURCE is selected as ldap |
| CRED_KEYSTORE_FILENAME: location of the file where the encrypted password is kept | /usr/lib/xausersync/.jceks/xausersync.jceks (default), /etc/ranger/usersync/.jceks/xausersync.jceks | Mandatory if SYNC_SOURCE is selected as ldap |
| SYNC_LDAP_USER_SEARCH_BASE: search base for users | ou=users,dc=hadoop,dc=apache,dc=org | Mandatory if SYNC_SOURCE is selected as ldap |
| SYNC_LDAP_USER_SEARCH_SCOPE: search scope for the users; only base, one, and sub are supported values | sub (default) | N |
| SYNC_LDAP_USER_OBJECT_CLASS: objectclass to identify user entries | person (default) | N (defaults to person) |
| SYNC_LDAP_USER_SEARCH_FILTER: optional additional filter constraining the users selected for syncing | (dept=eng) | N (defaults to an empty string) |
| SYNC_LDAP_USER_NAME_ATTRIBUTE: attribute from the user entry that is treated as the user name | cn (default) | N (defaults to cn) |
| SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE: attribute from the user entry whose values are treated as group values to be pushed into the Policy Manager database. You can provide multiple attribute names separated by commas | memberof,ismemberof (default) | N (defaults to memberof, ismemberof) |
| User Synchronization | | |
| unix_user: UNIX user who runs the ranger-usersync process | ranger (default) | Y |
| unix_group: UNIX group associated with the UNIX user who runs the ranger-usersync process | ranger (default) | Y |
| SYNC_LDAP_USERNAME_CASE_CONVERSION: convert all user names to lower/upper case. none: no conversion is done, the name is kept as it is in the SYNC_SOURCE. lower: convert to lower case when saving to the Ranger DB. upper: convert to upper case when saving to the Ranger DB | lower (default) | N (defaults to lower) |
| SYNC_LDAP_GROUPNAME_CASE_CONVERSION: convert all group names to lower/upper case. none: no conversion is done, the name is kept as it is in the SYNC_SOURCE. lower: convert to lower case when saving to the Ranger DB. upper: convert to upper case when saving to the Ranger DB | lower (default) | N (defaults to lower) |
| logdir: location of the log directory where the usersync logs are stored | logs (default) | Y |
Set the Policy Manager URL to http://<ranger-admin-host>:6080
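As an added pre-flight check (not part of the Ranger distribution), the following POSIX shell script validates an install.properties against the table above before ./setup.sh is run: it checks the mandatory properties for the chosen SYNC_SOURCE, the allowed values for search scope and case conversion, and that the file holding the clear-text bind password is not world-readable. Property names and allowed values come from the table; the file path and any sample values are assumptions.

```shell
#!/bin/sh
# Pre-flight check of a Ranger UserSync install.properties before running ./setup.sh.
# Added example, not part of the Ranger project: it assumes the KEY = value format and
# uses only the property names and allowed values listed in the table above.

# prop FILE KEY: print the value of KEY (last assignment wins), empty if unset
prop() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

fail() { echo "install.properties: $1"; errs=$((errs + 1)); }

# check_usersync_props FILE: print one line per problem, return the problem count (0 = OK)
check_usersync_props() {
  f=$1; errs=0
  [ -r "$f" ] || { echo "cannot read $f"; return 1; }

  # The bind password sits in clear text here until setup.sh moves it into the JCEKS keystore.
  [ -z "$(find "$f" -perm -004)" ] || fail "file is world-readable but may hold SYNC_LDAP_BIND_PASSWORD"

  case "$(prop "$f" POLICY_MGR_URL)" in
    http://*:6080 | https://*:6080) ;;
    *) fail "POLICY_MGR_URL must be http(s)://<ranger-admin-host>:6080" ;;
  esac

  src=$(prop "$f" SYNC_SOURCE)
  case "$src" in
    unix | "")  # unix is the default source
      [ -n "$(prop "$f" MIN_UNIX_USER_ID_TO_SYNC)" ] || fail "MIN_UNIX_USER_ID_TO_SYNC is mandatory for SYNC_SOURCE=unix" ;;
    ldap)
      for k in SYNC_LDAP_URL SYNC_LDAP_BIND_DN SYNC_LDAP_BIND_PASSWORD CRED_KEYSTORE_FILENAME SYNC_LDAP_USER_SEARCH_BASE; do
        [ -n "$(prop "$f" "$k")" ] || fail "$k is mandatory for SYNC_SOURCE=ldap"
      done
      case "$(prop "$f" SYNC_LDAP_URL)" in ldap://* | ldaps://*) ;; *) fail "SYNC_LDAP_URL must start with ldap:// or ldaps://" ;; esac
      case "$(prop "$f" SYNC_LDAP_USER_SEARCH_SCOPE)" in base | one | sub | "") ;; *) fail "SYNC_LDAP_USER_SEARCH_SCOPE must be base, one or sub" ;; esac ;;
    *) fail "SYNC_SOURCE must be unix or ldap (got '$src')" ;;
  esac

  for k in SYNC_LDAP_USERNAME_CASE_CONVERSION SYNC_LDAP_GROUPNAME_CASE_CONVERSION; do
    case "$(prop "$f" "$k")" in none | lower | upper | "") ;; *) fail "$k must be none, lower or upper" ;; esac
  done

  # SYNC_INTERVAL is a whole number of minutes; empty means the default of 5
  case "$(prop "$f" SYNC_INTERVAL)" in *[!0-9]*) fail "SYNC_INTERVAL must be a whole number of minutes" ;; esac

  return $errs
}

# Usage (path is an assumption): sh check_usersync_props.sh /usr/hdp/<version>/ranger-usersync/install.properties
if [ $# -eq 1 ]; then
  check_usersync_props "$1" && echo "install.properties looks consistent"
fi
```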
Check the JAVA_HOME environment variable. If JAVA_HOME has not yet been set, enter:
export JAVA_HOME=<path of installed jdk version folder>
Install the Ranger UserSync service:
cd /usr/hdp/<version>/ranger-usersync
./setup.sh
Start the Ranger UserSync service:
service ranger-usersync start
To verify that the service was successfully started, wait 6 hours for LDAP and AD to synchronize, then do the following:
Go to http://<ranger-admin-host>:6080
Click the Users/Group tab and check whether users and groups have been synchronized.
Add a UNIX/LDAP/AD user, then check for the presence of that user in the Ranger Admin tab.