Security
Configure Ranger User Sync

This section describes how to configure Ranger User Sync for either UNIX or LDAP/AD.

Test Run Ranger Usersync

Steps

Before committing to usersync changes, it is recommended that you test-run that users and groups are being retrieved as intended.

To test-run loading User and Group data into Ranger before committing to the changes:

  1. Set ranger.usersync.policymanager.mockrun=true. This parameter can be found in Ambari > Ranger > Configs > Advanced > Advanced ranger-ugsync-site.

  2. View the Users and Groups that will be loaded into Ranger: tail -f /var/log/ranger/usersync/usersync.log.

  3. After confirming that the users and groups are retrieved as intended, set ranger.usersync.policymanager.mockrun=false and restart Ranger Usersync.

    This will sync the users shown in the usersync log to the Ranger database.

Configuring Ranger User Sync for UNIX

Before you begin

Before committing to usersync changes, it is recommended that you test-run that users and groups are being retrieved as intended (see Test Run Ranger Usersync).

Steps

Use the following steps to configure Ranger User Sync for UNIX.

  1. On the Customize Services page, select the Ranger User Info tab.

  2. Click Yes under Enable User Sync.

  3. Use the Sync Source drop-down to select UNIX, then set the following properties.

    Table 3.6. UNIX User Sync Properties

    Sync Source
      Description: Only sync users above this user ID.
      Default Value: 500

    Password File
      Description: The location of the password file on the Linux server.
      Default Value: /etc/passwd

    Group File
      Description: The location of the groups file on the Linux server.
      Default Value: /etc/group

Configuring Ranger User Sync for LDAP/AD
Important: To ensure that LDAP/AD group level authorization is enforced in Hadoop, you should set up Hadoop group mapping for LDAP/AD.

Note: You can use the LDAP Connection Check tool to determine User Sync settings for LDAP/AD.

Before you begin

Before committing to usersync changes, it is recommended that you test-run that users and groups are being retrieved as intended (see Test Run Ranger Usersync).

Steps

Use the following steps to configure Ranger User Sync for LDAP/AD.

  1. On the Customize Services page, select the Ranger User Info tab.

  2. Click Yes under Enable User Sync.

  3. Use the Sync Source drop-down to select LDAP/AD.

  4. Set the following properties on the Common Configs tab.

    Table 3.7. LDAP/AD Common Configs

    LDAP/AD URL
      Description: Add the URL depending upon the LDAP/AD sync source.
      Default Value: ldap://{host}:{port}
      Sample Values: ldap://ldap.example.com:389 or ldaps://ldap.example.com:636

    Bind Anonymous
      Description: If Yes is selected, the Bind User and Bind User Password are not required.
      Default Value: NO

    Bind User
      Description: The full distinguished name (DN), including common name (CN), of an LDAP/AD user account that has privileges to search for users. The LDAP bind DN is used to connect to LDAP and query for users and groups.
      Sample Values: cn=admin,dc=example,dc=com or admin@example.com

    Bind User Password
      Description: The password of the Bind User.

  5. Set the following properties on the User Configs tab.

    Table 3.8. LDAP/AD User Configs

    Group User Map Sync
      Description: Sync specific groups for users.
      Default Value: Yes
      Sample Values: Yes

    Username Attribute
      Description: The LDAP user name attribute.
      Sample Values: sAMAccountName for AD; uid or cn for OpenLDAP

    User Object Class
      Description: Object class to identify user entries.
      Default Value: person
      Sample Values: top, person, organizationalPerson, user, or posixAccount

    User Search Base
      Description: Search base for users. Ranger can search multiple OUs in AD: the Ranger UserSync module performs a user search on each configured OU and adds all the users into a single list. Once all the OUs are processed, a user’s group membership is computed based on the group search.
      Sample Values: cn=users,dc=example,dc=com;ou=example1,ou=example2

    User Search Filter
      Description: Optional additional filter constraining the users selected for syncing.
      Sample filter to retrieve all the users: cn=*
      Sample filter to retrieve all the users who are members of groupA or groupB: (|(memberof=CN=GroupA,OU=groups,DC=example,DC=com)(memberof=CN=GroupB,OU=groups,DC=example,DC=com))

    User Search Scope
      Description: This value is used to limit the user search to the depth from the search base.
      Default Value: sub
      Sample Values: base, one, or sub

    User Group Name Attribute
      Description: Attribute from the user entry whose values are treated as group values to be pushed into the Access Manager database. You can provide multiple attribute names separated by commas.
      Default Value: memberof,ismemberof
      Sample Values: memberof, ismemberof, or gidNumber

    Enable User Search
      Description: This option is available only when the "Enable Group Search First" option is selected.
      Default Value: No
      Sample Values: Yes

  6. Set the following properties on the Group Configs tab.

    Table 3.9. LDAP/AD Group Configs

    Enable Group Sync
      Description: If Enable Group Sync is set to No, the group names the users belong to are derived from “User Group Name Attribute”. In this case no additional group filters are applied. If Enable Group Sync is set to Yes, the groups the users belong to are retrieved from LDAP/AD using the following group-related attributes.
      Default Value: No
      Sample Values: Yes

    Group Member Attribute
      Description: The LDAP group member attribute name.
      Sample Values: member

    Group Name Attribute
      Description: The LDAP group name attribute.
      Sample Values: distinguishedName for AD, cn for OpenLDAP

    Group Object Class
      Description: LDAP group object class.
      Sample Values: group, groupofnames, or posixGroup

    Group Search Base
      Description: Search base for groups. Ranger can search multiple OUs in AD: the Ranger UserSync module performs a user search on each configured OU and adds all the users into a single list. Once all the OUs are processed, a user’s group membership is computed based on the group search configuration. Each OU segment needs to be separated by a ; (semi-colon).
      Sample Values: ou=groups,DC=example,DC=com;ou=group1;ou=group2

    Group Search Filter
      Description: Optional additional filter constraining the groups selected for syncing.
      Sample filter to retrieve all groups: cn=*
      Sample filter to retrieve only the groups whose cn is Engineering or Sales: (|(cn=Engineering)(cn=Sales))

    Enable Group Search First
      Description: When Enable Group Search First is selected, there are two possible ways of retrieving users:
        • If Enable User Search is not selected: users are retrieved from the “member” attribute of the group.
        • If Enable User Search is selected: user membership is computed by performing an LDAP search based on the user configuration.
      Default Value: No
      Sample Values: Yes
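As an added example that is not part of the original documentation and not Ranger's own code, the following Python model of the settings in Tables 3.8 and 3.9 shows how Enable Group Sync, Enable Group Search First and Enable User Search change which users are synced and which groups they receive. It assumes constructed directory entries and configuration values, matches search bases by DN suffix, takes the first RDN of an attribute value as a group name, and does not evaluate User Search Filter or Group Search Filter; all of that is a simplification of the real usersync logic.

```python
DIRECTORY = {  # DN -> attributes; constructed sample data, not a real directory
    "cn=alice,ou=users,dc=example,dc=com": {"objectClass": ["user"], "sAMAccountName": ["alice"],
        "memberOf": ["cn=Engineering,ou=groups,dc=example,dc=com"]},
    "cn=bob,ou=users,dc=example,dc=com": {"objectClass": ["user"], "sAMAccountName": ["bob"],
        "memberOf": ["cn=Sales,ou=groups,dc=example,dc=com"]},
    # carol's DN lies outside the User Search Base; she appears only as a member of Engineering
    "cn=Engineering,ou=groups,dc=example,dc=com": {"objectClass": ["group"], "cn": ["Engineering"],
        "member": ["cn=alice,ou=users,dc=example,dc=com", "cn=carol,ou=contractors,dc=example,dc=com"]},
    "cn=Sales,ou=groups,dc=example,dc=com": {"objectClass": ["group"], "cn": ["Sales"],
        "member": ["cn=bob,ou=users,dc=example,dc=com"]},
}

CONFIG = {  # keys are the property names from the tables above; values are sample settings
    "Username Attribute": "sAMAccountName", "User Object Class": "user",
    "User Search Base": "ou=users,dc=example,dc=com", "User Group Name Attribute": "memberOf,isMemberOf",
    "Group Search Base": "ou=groups,dc=example,dc=com", "Group Object Class": "group",
    "Group Member Attribute": "member", "Group Name Attribute": "cn",
    "Enable Group Sync": True, "Enable Group Search First": True, "Enable User Search": False}

def search(directory, bases, object_class):  # entries under any ';'-separated search base
    base_list = [b.strip().lower() for b in bases.split(";")]
    return {dn: a for dn, a in directory.items()
            if any(dn.lower().endswith(b) for b in base_list)
            and object_class.lower() in [c.lower() for c in a.get("objectClass", [])]}

def rdn_value(dn):
    return dn.split(",", 1)[0].split("=", 1)[1]  # "cn=x,..." -> "x"

def sync_user_groups(directory, cfg):  # -> {username: set of group names} for one sync run
    uname = cfg["Username Attribute"]
    users = search(directory, cfg["User Search Base"], cfg["User Object Class"])
    if not cfg["Enable Group Sync"]:
        # groups come from the user's own group-name attribute(s); first RDN used as the name
        attrs = [x.strip() for x in cfg["User Group Name Attribute"].split(",")]
        return {a[uname][0]: {rdn_value(g) for at in attrs for g in a.get(at, [])}
                for a in users.values()}
    groups = search(directory, cfg["Group Search Base"], cfg["Group Object Class"])
    result, member_attr, name_attr = {}, cfg["Group Member Attribute"], cfg["Group Name Attribute"]
    if cfg["Enable Group Search First"] and not cfg["Enable User Search"]:
        # users come from each group's member attribute and no user search runs: carol is synced too
        for g in groups.values():
            for mdn in g.get(member_attr, []):
                name = directory.get(mdn, {}).get(uname, [rdn_value(mdn)])[0]
                result.setdefault(name, set()).add(g[name_attr][0])
    else:  # otherwise membership is computed only for users found by the user search
        for udn, u in users.items():
            result[u[uname][0]] = {g[name_attr][0] for g in groups.values()
                                   if udn in g.get(member_attr, [])}
    return result
```

With the sample CONFIG the run returns carol as an Engineering member even though she is outside the User Search Base; switching Enable User Search to Yes drops her, which is the difference the two bullets under Enable Group Search First describe.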