Command Line Installation

Install UserSync and Start the Service

Important

To ensure that LDAP/AD group level authorization is enforced in Hadoop, you should set up Hadoop group mapping for LDAP/AD.

To install Ranger UserSync and start the service, do the following:

  1. Find the Ranger UserSync software:

    yum search usersync

    or

    yum list | grep usersync
  2. Install Ranger UserSync:

    Note

    Make sure the database on which Ranger will be installed is up and running.

    yum install ranger_<version>-usersync.x86_64
  3. At the Ranger UserSync installation directory, update the following properties in the install.properties file:

    Table 13.2. Properties to Update in the install.properties File

    | Configuration Property Name | Description | Default/Example Value | Required? |
    |---|---|---|---|
    | Policy Admin Tool | | | |
    | POLICY_MGR_URL | URL for policy admin | http://policymanager.xasecure.net:6080 | Y |
    | User Group Source Information | | | |
    | SYNC_SOURCE | Specifies where the user/group information is extracted from to be put into the Ranger database. unix: gets user information from the /etc/passwd file and group information from the /etc/group file. ldap: gets user information from the LDAP service (see below for more information). | unix | N |
    | SYNC_INTERVAL | Specifies the interval (in minutes) between synchronization cycles. Note that the second sync cycle will NOT start until the first sync cycle is COMPLETE. | 5 | N |
    | UNIX user/group Synchronization | | | |
    | MIN_UNIX_USER_ID_TO_SYNC | User IDs below this value will not be synchronized to the Ranger user database. | 300 (Unix default), 1000 (LDAP default) | Mandatory if SYNC_SOURCE is selected as unix |
    | LDAP user/group synchronization | | | |
    | SYNC_LDAP_URL | URL of the source LDAP server | ldap://ldap.example.com:389 | Mandatory if SYNC_SOURCE is selected as ldap |
    | SYNC_LDAP_BIND_DN | LDAP bind DN used to connect to LDAP and query for users and groups | cn=admin,ou=users,dc=hadoop,dc=apache,dc=org | Mandatory if SYNC_SOURCE is selected as ldap |
    | SYNC_LDAP_BIND_PASSWORD | LDAP bind password for the bind DN specified above | LdapAdminPassW0Rd | Mandatory if SYNC_SOURCE is selected as ldap |
    | CRED_KEYSTORE_FILENAME | Location of the file where the encrypted password is kept | /usr/lib/xausersync/.jceks/xausersync.jceks (default) /etc/ranger/usersync/.jceks/xausersync.jceks | Mandatory if SYNC_SOURCE is selected as ldap |
    | SYNC_LDAP_USER_SEARCH_BASE | Search base for users | ou=users,dc=hadoop,dc=apache,dc=org | Mandatory if SYNC_SOURCE is selected as ldap |
    | SYNC_LDAP_USER_SEARCH_SCOPE | Search scope for the users; only base, one, and sub are supported values | sub (default) | N |
    | SYNC_LDAP_USER_OBJECT_CLASS | Object class used to identify user entries | person (default) | N (defaults to person) |
    | SYNC_LDAP_USER_SEARCH_FILTER | Optional additional filter constraining the users selected for syncing | (dept=eng) | N (defaults to an empty string) |
    | SYNC_LDAP_USER_NAME_ATTRIBUTE | Attribute from the user entry that is treated as the user name | cn (default) | N (defaults to cn) |
    | SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE | Attribute from the user entry whose values are treated as group values to be pushed into the Policy Manager database. You can provide multiple attribute names separated by commas. | memberof,ismemberof (default) | N (defaults to memberof, ismemberof) |
    | SYNC_LDAP_SEARCH_BASE | Default is False. | dc=example,dc=com | N |
    | SYNC_GROUP_SEARCH_ENABLED | Default is False. If set to True, and SYNC_GROUP_USER_MAP_SYNC_ENABLED is also set to True, you must set the properties listed after this table. | See the property list after this table | N |
    | User Synchronization | | | |
    | unix_user | UNIX user who runs the ranger-usersync process | ranger (default) | Y |
    | unix_group | UNIX group associated with the UNIX user who runs the ranger-usersync process | ranger (default) | Y |
    | SYNC_LDAP_USERNAME_CASE_CONVERSION | Convert all user names to lower/upper case. none: no conversion is done; the name is kept as it is in the SYNC_SOURCE. lower: convert it to lower case when saving it to the Ranger database. upper: convert it to upper case when saving it to the Ranger database. | lower (default) | N (defaults to lower) |
    | SYNC_LDAP_GROUPNAME_CASE_CONVERSION | Convert all group names to lower/upper case. none: no conversion is done; the name is kept as it is in the SYNC_SOURCE. lower: convert it to lower case when saving it to the Ranger database. upper: convert it to upper case when saving it to the Ranger database. | lower (default) | N (defaults to lower) |
    | logdir | Location of the log directory where the usersync logs are stored | logs (default) | Y |

    Properties to set when SYNC_GROUP_SEARCH_ENABLED and SYNC_GROUP_USER_MAP_SYNC_ENABLED are both set to True:

    SYNC_GROUP_SEARCH_BASE=ou=People,dc=example,dc=com
    SYNC_GROUP_SEARCH_SCOPE=sub
    SYNC_GROUP_OBJECT_CLASS=groupofnames
    SYNC_LDAP_GROUP_SEARCH_FILTER=
    SYNC_GROUP_NAME_ATTRIBUTE=cn
    SYNC_GROUP_MEMBER_ATTRIBUTE_NAME=member
    SYNC_PAGED_RESULTS_ENABLED=true
    SYNC_PAGED_RESULTS_SIZE=500
    SYNC_LDAP_REFERRAL=follow,ignore


  4. Add the following property to the install.properties file to set the base directory for the Ranger Usersync process:

    ranger_base_dir=/etc/ranger
    
  5. Add the following properties to the install.properties file to set SSL configurations for Ranger Usersync:

    AUTH_SSL_ENABLED=false
    AUTH_SSL_KEYSTORE_FILE=/etc/ranger/usersync/conf/cert/unixauthservice.jks
    AUTH_SSL_KEYSTORE_PASSWORD=UnIx529p
    AUTH_SSL_TRUSTSTORE_FILE=
    AUTH_SSL_TRUSTSTORE_PASSWORD=
    
  6. Add the following property to the install.properties file to configure the Ranger Usersync PID directory to start and stop the Ranger Usersync service:

    USERSYNC_PID_DIR_PATH=/var/run/ranger
  7. Set the Policy Manager URL to http://<ranger-admin-host>:6080

  8. Check the JAVA_HOME environment variable. If JAVA_HOME has not yet been set, enter:

    export JAVA_HOME=<path of installed jdk version folder>
  9. Install the Ranger UserSync service:

    cd /usr/hdp/<version>/ranger-usersync
    ./setup.sh
  10. Start the Ranger UserSync service:

    service ranger-usersync start
  11. To verify that the service was successfully started, wait 6 hours for LDAP/AD to synchronize, then do the following:

    • Go to

      http://<ranger-admin-host>:6080
    • Click the Users/Group tab. See if users and groups are synchronized.

    • Add a UNIX/LDAP/AD user, then check for the presence of that user in the Ranger Admin tab.
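
The install.properties edits from steps 3 to 6 can be checked before setup.sh is run in step 9. The following is an added example, not part of the original page or of the Ranger distribution: it applies the "Required?" column of Table 13.2 and warns when the password-bearing file is world-readable or the LDAP URL is unencrypted. The function names, the finding format and the sample file are assumptions made for illustration.

```shell
# Added example, not shipped with Ranger: checks install.properties against Table 13.2.

# get_prop FILE KEY: print KEY's value (last assignment wins, whitespace trimmed).
get_prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# check_usersync_props FILE: print findings; return status = number of ERROR findings.
check_usersync_props() {
    cf=$1; errs=0
    need="POLICY_MGR_URL unix_user unix_group logdir"
    src=$(get_prop "$cf" SYNC_SOURCE); src=${src:-unix}   # table default: unix
    case $src in
        unix) need="$need MIN_UNIX_USER_ID_TO_SYNC" ;;
        ldap) need="$need SYNC_LDAP_URL SYNC_LDAP_BIND_DN SYNC_LDAP_BIND_PASSWORD CRED_KEYSTORE_FILENAME SYNC_LDAP_USER_SEARCH_BASE" ;;
        *)    echo "ERROR SYNC_SOURCE: unsupported value '$src'"; errs=$((errs + 1)) ;;
    esac
    for key in $need; do
        if [ -z "$(get_prop "$cf" "$key")" ]; then
            echo "ERROR $key: required when SYNC_SOURCE=$src"; errs=$((errs + 1))
        fi
    done
    # install.properties holds the bind and keystore passwords in clear text.
    if [ -n "$(find "$cf" -prune -perm -004)" ]; then
        echo "WARN $cf: world-readable file contains passwords"
    fi
    if [ "$src" = ldap ]; then
        case $(get_prop "$cf" SYNC_LDAP_URL) in
            ldap://*) echo "WARN SYNC_LDAP_URL: simple bind over ldap:// is unencrypted" ;;
        esac
    fi
    return "$errs"
}

# Constructed sample (values from the table): LDAP source, bind DN left out.
write_sample() {
    cat > "$1" <<'EOF'
POLICY_MGR_URL=http://policymanager.xasecure.net:6080
SYNC_SOURCE=ldap
SYNC_LDAP_URL=ldap://ldap.example.com:389
SYNC_LDAP_BIND_PASSWORD=LdapAdminPassW0Rd
CRED_KEYSTORE_FILENAME=/etc/ranger/usersync/.jceks/xausersync.jceks
SYNC_LDAP_USER_SEARCH_BASE=ou=users,dc=hadoop,dc=apache,dc=org
unix_user=ranger
unix_group=ranger
logdir=logs
EOF
}
```

Source the file and run `check_usersync_props install.properties` from the UserSync installation directory; a non-zero status means a mandatory property is missing for the selected SYNC_SOURCE.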