Hadoop Security Guide

Advanced Usersync Settings

To access Usersync settings, select the Advanced tab on the Customize Services page. Usersync pulls in users from UNIX, LDAP, or AD and populates Ranger's local user tables with these users.

Important

To ensure that LDAP/AD group level authorization is enforced in Hadoop, you must first set up Hadoop group mapping for LDAP.

Before committing usersync changes, run a test to confirm that users and groups are being retrieved as intended: Test Run Ranger Usersync.

UNIX Usersync Settings

If you are using UNIX authentication, the default values for the Advanced ranger-ugsync-site properties are the settings for UNIX authentication.

Before committing usersync changes, run a test to confirm that users and groups are being retrieved as intended: Test Run Ranger Usersync.

Required LDAP and AD Usersync Settings

If you are using LDAP authentication, you must update the following Advanced ranger-ugsync-site properties.

Before committing usersync changes, run a test to confirm that users and groups are being retrieved as intended: Test Run Ranger Usersync.

Table 3.13. LDAP Advanced ranger-ugsync-site Settings

| Property Name | LDAP Value |
|---|---|
| ranger.usersync.ldap.bindkeystore | Set this to the same value as the ranger.usersync.credstore.filename property, i.e., the default value is /usr/hdp/current/ranger-usersync/conf/ugsync.jceks |
| ranger.usersync.ldap.bindalias | ranger.usersync.ldap.bindalias |
| ranger.usersync.source.impl.class | ldap |

Table 3.14. AD Advanced ranger-ugsync-site Settings

| Property Name | LDAP Value |
|---|---|
| ranger.usersync.source.impl.class | ldap |

Additional LDAP and AD Usersync Settings

If you are using LDAP or Active Directory authentication, you may need to update the following properties, depending upon your specific deployment characteristics.

Before committing usersync changes, run a test to confirm that users and groups are being retrieved as intended: Test Run Ranger Usersync.

Table 3.15. Advanced ranger-ugsync-site Settings for LDAP and AD

| Property Name | LDAP ranger-ugsync-site Value | AD ranger-ugsync-site Value |
|---|---|---|
| ranger.usersync.ldap.url | ldap://127.0.0.1:389 | ldap://ad-controller-hostname:389 |
| ranger.usersync.ldap.binddn | cn=ldapadmin,ou=users,dc=example,dc=com | cn=adadmin,cn=Users,dc=example,dc=com |
| ranger.usersync.ldap.ldapbindpassword | secret | secret |
| ranger.usersync.ldap.searchBase | dc=example,dc=com | dc=example,dc=com |
| ranger.usersync.source.impl.class | org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder | |
| ranger.usersync.ldap.user.searchbase | ou=users,dc=example,dc=com | dc=example,dc=com |
| ranger.usersync.ldap.user.searchscope | sub | sub |
| ranger.usersync.ldap.user.objectclass | person | person |
| ranger.usersync.ldap.user.searchfilter | Set to a single empty space if no value. Do not leave it as “empty”. | (objectcategory=person) |
| ranger.usersync.ldap.user.nameattribute | uid or cn | sAMAccountName |
| ranger.usersync.ldap.user.groupnameattribute | memberof,ismemberof | memberof,ismemberof |
| ranger.usersync.ldap.username.caseconversion | none | none |
| ranger.usersync.ldap.groupname.caseconversion | none | none |
| ranger.usersync.group.searchenabled * | false | false |
| ranger.usersync.group.usermapsyncenabled * | false | false |
| ranger.usersync.group.searchbase * | ou=groups,dc=example,dc=com | dc=example,dc=com |
| ranger.usersync.group.searchscope * | sub | sub |
| ranger.usersync.group.objectclass * | groupofnames | groupofnames |
| ranger.usersync.group.searchfilter * | needed for AD authentication | (member=CN={0}, OU=MyUsers, DC=AD-HDP, DC=COM) |
| ranger.usersync.group.nameattribute * | cn | cn |
| ranger.usersync.group.memberattributename * | member | member |
| ranger.usersync.pagedresultsenabled * | true | true |
| ranger.usersync.pagedresultssize * | 500 | 500 |
| ranger.usersync.user.searchenabled * | false | false |
| ranger.usersync.group.search.first.enabled * | false | false |


* Only applies when you want to filter out groups.
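
The following Python code is an added example, not part of the original guide or of Ranger itself. It checks a set of ranger-ugsync-site properties against the rules stated in the tables above and builds an ldapsearch command for previewing which users the configured search base, scope and filter would return. The function names and the sample host name are hypothetical, and the code assumes that Usersync combines the user object class and the user search filter with a logical AND.

```python
import shlex

P = "ranger.usersync."
# The two source.impl.class values this page lists for LDAP/AD sync.
LDAP_SOURCES = {"ldap", "org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder"}

def lint(props):
    """Return findings for the rules stated in the tables on this page."""
    findings = []
    if props.get(P + "source.impl.class") not in LDAP_SOURCES:
        findings.append("source.impl.class is not an LDAP source")
    if props.get(P + "ldap.bindkeystore") != props.get(P + "credstore.filename"):
        findings.append("ldap.bindkeystore differs from credstore.filename")
    if props.get(P + "ldap.user.searchfilter", "") == "":
        findings.append("ldap.user.searchfilter is empty; use a single space")
    return findings

def preview_command(props):
    """Build an ldapsearch command approximating the Usersync user query."""
    ldap_filter = "(objectclass=%s)" % props[P + "ldap.user.objectclass"]
    extra = props.get(P + "ldap.user.searchfilter", "").strip()
    if extra:  # Assumption: Usersync ANDs the object class with the filter.
        ldap_filter = "(&%s%s)" % (ldap_filter, extra)
    attrs = [props[P + "ldap.user.nameattribute"]]
    attrs += props[P + "ldap.user.groupnameattribute"].split(",")
    cmd = ["ldapsearch", "-x", "-LLL", "-H", props[P + "ldap.url"],
           "-D", props[P + "ldap.binddn"], "-W",  # -W prompts for the password
           "-b", props[P + "ldap.user.searchbase"],
           "-s", props[P + "ldap.user.searchscope"]]
    return shlex.join(cmd + [ldap_filter] + attrs)

# Constructed sample: AD column of Table 3.15 (host name is a placeholder).
AD_SAMPLE = {
    P + "source.impl.class": "ldap",
    P + "credstore.filename": "/usr/hdp/current/ranger-usersync/conf/ugsync.jceks",
    P + "ldap.bindkeystore": "/usr/hdp/current/ranger-usersync/conf/ugsync.jceks",
    P + "ldap.url": "ldap://ad-controller-hostname:389",
    P + "ldap.binddn": "cn=adadmin,cn=Users,dc=example,dc=com",
    P + "ldap.user.searchbase": "dc=example,dc=com",
    P + "ldap.user.searchscope": "sub",
    P + "ldap.user.objectclass": "person",
    P + "ldap.user.searchfilter": "(objectcategory=person)",
    P + "ldap.user.nameattribute": "sAMAccountName",
    P + "ldap.user.groupnameattribute": "memberof,ismemberof",
}
if __name__ == "__main__":
    print(lint(AD_SAMPLE), preview_command(AD_SAMPLE), sep="\n")
```

Because the generated command uses -W, the bind password is entered at the prompt and does not appear in the command line or shell history.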

After you have finished specifying all of the settings on the Customize Services page, click Next at the bottom of the page to continue with the installation.