Install UserSync and Start the Service
Important: To ensure that LDAP/AD group-level authorization is enforced in Hadoop, you should set up Hadoop group mapping for LDAP/AD.
To install Ranger UserSync and start the service, do the following:

Find the Ranger UserSync software:

    yum search usersync

or

    yum list | grep usersync

Install Ranger UserSync:

Note: Make sure the database on which Ranger will be installed is up and running.

    yum install ranger_<version>-usersync.x86_64
At the Ranger UserSync installation directory, update the following properties in the install.properties file:

Table 13.2. Properties to Update in the install.properties File

| Configuration Property Name | Description | Default/Example Value | Required? |
|---|---|---|---|
| **Policy Admin Tool** | | | |
| POLICY_MGR_URL | URL for the policy admin | http://policymanager.xasecure.net:6080 | Y |
| **User Group Source Information** | | | |
| SYNC_SOURCE | Specifies where the user/group information is extracted from before it is put into the Ranger database. unix: gets user information from the /etc/passwd file and group information from the /etc/group file. ldap: gets user information from an LDAP service (see below for more information). | unix | N |
| SYNC_INTERVAL | Specifies the interval (in minutes) between synchronization cycles. Note that the second sync cycle will NOT start until the first sync cycle is COMPLETE. | 5 | N |
| **UNIX user/group synchronization** | | | |
| MIN_UNIX_USER_ID_TO_SYNC | User IDs below this value will not be synchronized to the Ranger user database | 300 (Unix default), 1000 (LDAP default) | Mandatory if SYNC_SOURCE is set to unix |
| **LDAP user/group synchronization** | | | |
| SYNC_LDAP_URL | URL of the source LDAP | ldap://ldap.example.com:389 | Mandatory if SYNC_SOURCE is set to ldap |
| SYNC_LDAP_BIND_DN | LDAP bind DN used to connect to LDAP and query for users and groups | cn=admin,ou=users,dc=hadoop,dc=apache,dc=org | Mandatory if SYNC_SOURCE is set to ldap |
| SYNC_LDAP_BIND_PASSWORD | LDAP bind password for the bind DN specified above | LdapAdminPassW0Rd | Mandatory if SYNC_SOURCE is set to ldap |
| CRED_KEYSTORE_FILENAME | Location of the file where the encrypted password is kept | /usr/lib/xausersync/.jceks/xausersync.jceks (default) or /etc/ranger/usersync/.jceks/xausersync.jceks | Mandatory if SYNC_SOURCE is set to ldap |
| SYNC_LDAP_USER_SEARCH_BASE | Search base for users | ou=users,dc=hadoop,dc=apache,dc=org | Mandatory if SYNC_SOURCE is set to ldap |
| SYNC_LDAP_USER_SEARCH_SCOPE | Search scope for users; only base, one, and sub are supported values | sub (default) | N |
| SYNC_LDAP_USER_OBJECT_CLASS | objectclass used to identify user entries | person (default) | N (defaults to person) |
| SYNC_LDAP_USER_SEARCH_FILTER | Optional additional filter constraining the users selected for syncing | (dept=eng) | N (defaults to an empty string) |
| SYNC_LDAP_USER_NAME_ATTRIBUTE | Attribute from the user entry that is treated as the user name | cn (default) | N (defaults to cn) |
| SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE | Attribute from the user entry whose values are treated as group names to be pushed into the Policy Manager database. You can provide multiple attribute names separated by commas. | memberof,ismemberof (default) | N (defaults to memberof,ismemberof) |
| SYNC_LDAP_SEARCH_BASE | | dc=example,dc=com | N |
| SYNC_GROUP_SEARCH_ENABLED | Default is False. If set to True, and SYNC_GROUP_USER_MAP_SYNC_ENABLED is also set to True, you must set the following properties: SYNC_GROUP_SEARCH_BASE=ou=People,dc=example,dc=com; SYNC_GROUP_SEARCH_SCOPE=sub; SYNC_GROUP_OBJECT_CLASS=groupofnames; SYNC_LDAP_GROUP_SEARCH_FILTER=; SYNC_GROUP_NAME_ATTRIBUTE=cn; SYNC_GROUP_MEMBER_ATTRIBUTE_NAME=member; SYNC_PAGED_RESULTS_ENABLED=true; SYNC_PAGED_RESULTS_SIZE=500; RANGER_SYNC_LDAP_REFERRAL=follow,ignore | | N |
| **User Synchronization** | | | |
| unix_user | UNIX user who runs the ranger-usersync process | ranger (default) | Y |
| unix_group | UNIX group associated with the UNIX user who runs the ranger-usersync process | ranger (default) | Y |
| SYNC_LDAP_USERNAME_CASE_CONVERSION | Convert all user names to lower or upper case. none: no conversion is done and the name is kept as it is in the SYNC_SOURCE; lower: converted to lower case when saved to the Ranger DB; upper: converted to upper case when saved to the Ranger DB | lower (default) | N (defaults to lower) |
| SYNC_LDAP_GROUPNAME_CASE_CONVERSION | Convert all group names to lower or upper case. none: no conversion is done and the name is kept as it is in the SYNC_SOURCE; lower: converted to lower case when saved to the Ranger DB; upper: converted to upper case when saved to the Ranger DB | lower (default) | N (defaults to lower) |
| logdir | Location of the log directory where the usersync logs are stored | logs (default) | Y |
Add the following property to the install.properties file to set the base directory for the Ranger Usersync process:

    ranger_base_dir=/etc/ranger

Add the following properties to the install.properties file to set the SSL configuration for Ranger Usersync:

    AUTH_SSL_ENABLED=false
    AUTH_SSL_KEYSTORE_FILE=/etc/ranger/usersync/conf/cert/unixauthservice.jks
    AUTH_SSL_KEYSTORE_PASSWORD=UnIx529p
    AUTH_SSL_TRUSTSTORE_FILE=
    AUTH_SSL_TRUSTSTORE_PASSWORD=

Add the following property to the install.properties file to configure the Ranger Usersync PID directory, which is used to start and stop the Ranger Usersync service:

    USERSYNC_PID_DIR_PATH=/var/run/ranger
Set the Policy Manager URL to http://<ranger-admin-host>:6080

Check the JAVA_HOME environment variable. If JAVA_HOME has not yet been set, enter:

    export JAVA_HOME=<path of installed jdk version folder>
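As an added example (not part of the HDP documentation or the Ranger project), the following Python script applies the Required? rules from the table above to an install.properties file before setup.sh is run, so that a missing mandatory LDAP property or an unsupported search scope is caught ahead of the first sync cycle; check_usersync_props(), parse_properties() and the embedded sample file are constructed for this example.

```python
# Added example (not from the HDP docs or the Ranger project): applies the table's
# "Required?" rules to install.properties; the sample file below is constructed for it.
REQUIRED_ALWAYS = ("POLICY_MGR_URL", "unix_user", "unix_group", "logdir")
REQUIRED_LDAP = ("SYNC_LDAP_URL", "SYNC_LDAP_BIND_DN", "SYNC_LDAP_BIND_PASSWORD",
                 "CRED_KEYSTORE_FILENAME", "SYNC_LDAP_USER_SEARCH_BASE")
EXAMPLE_POLICY_URL = "http://policymanager.xasecure.net:6080"  # the table's example value

def parse_properties(text):
    """Parse key=value lines; blank and '#' lines are skipped, the last value wins."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check_usersync_props(text):
    """Return a list of findings; an empty list means the file passes the checks."""
    p = parse_properties(text)
    out = [f"{k} is required but not set" for k in REQUIRED_ALWAYS if not p.get(k)]
    if p.get("POLICY_MGR_URL") == EXAMPLE_POLICY_URL:
        out.append("POLICY_MGR_URL still holds the example host; set http://<ranger-admin-host>:6080")
    source = p.get("SYNC_SOURCE", "unix")  # unix is the table default
    if source == "ldap":
        out += [f"{k} is mandatory when SYNC_SOURCE=ldap" for k in REQUIRED_LDAP if not p.get(k)]
        if p.get("SYNC_LDAP_USER_SEARCH_SCOPE", "sub") not in ("base", "one", "sub"):
            out.append("SYNC_LDAP_USER_SEARCH_SCOPE must be base, one or sub")
        if p.get("SYNC_LDAP_URL", "").startswith("ldap://"):
            out.append("SYNC_LDAP_URL is ldap://; the bind password is sent in clear unless StartTLS is used")
    elif source != "unix":
        out.append(f"SYNC_SOURCE must be unix or ldap, not {source!r}")
    elif not p.get("MIN_UNIX_USER_ID_TO_SYNC"):
        out.append("MIN_UNIX_USER_ID_TO_SYNC is mandatory when SYNC_SOURCE=unix")
    return out

# Constructed sample: an LDAP setup with four mistakes the check should report.
SAMPLE_PROPERTIES = """
POLICY_MGR_URL=http://policymanager.xasecure.net:6080
SYNC_SOURCE=ldap
SYNC_LDAP_URL=ldap://ldap.example.com:389
SYNC_LDAP_BIND_DN=cn=admin,ou=users,dc=hadoop,dc=apache,dc=org
SYNC_LDAP_BIND_PASSWORD=LdapAdminPassW0Rd
SYNC_LDAP_USER_SEARCH_BASE=ou=users,dc=hadoop,dc=apache,dc=org
SYNC_LDAP_USER_SEARCH_SCOPE=subtree
unix_user=ranger
unix_group=ranger
logdir=logs
"""
```

Run check_usersync_props() on the real file's contents; the four findings for the sample are the example Policy Manager host, the missing CRED_KEYSTORE_FILENAME, the unsupported scope and the plain ldap:// URL.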
Install the Ranger UserSync service:

    cd /usr/hdp/<version>/ranger-usersync
    ./setup.sh

Start the Ranger UserSync service:

    service ranger-usersync start
To verify that the service started successfully, wait 6 hours for LDAP/AD to synchronize, then do the following:

Go to http://<ranger-admin-host>:6080

Click the Users/Group tab and check whether users and groups have been synchronized.

Add a UNIX/LDAP/AD user, then check for the presence of that user in the Ranger Admin tab.