Providing Authorization with Apache Ranger

Configure Advanced Usersync Settings

To access Usersync settings, select the Advanced tab on the Customize Service page. Usersync pulls in users from UNIX, LDAP, or AD and populates Ranger's local user tables with these users.

Configure advanced User Sync settings for the following:
  • Unix
  • (Required) LDAP/AD
  • (Optional) LDAP/AD
  • Automatically Assign ADMIN KEYADMIN Role for External Users
  • Unix: If you are using UNIX authentication, the default values for the Advanced ranger-ugsync-site properties are the settings for UNIX authentication:

    Under Ambari > Ranger > Configs > Advanced > Advanced ranger-ugsync-site.
  • (Required) LDAP/AD
    1. LDAP Advanced ranger-ugsync-site Settings
      Table 1. LDAP Advanced ranger-ugsync-site Settings
      Property Name LDAP Value

      Set this to the same value as the ranger.usersync.credstore.filename property. The default value is /usr/hdp/current/ranger-usersync/conf/ugsync.jceks

      ranger.usersync.ldap.bindalias ranger.usersync.ldap.bindalias
      ranger.usersync.source.impl.class ldap
    2. AD Advanced ranger-ugsync-site Settings
      Table 2. AD Advanced ranger-ugsync-site Settings
      Property Name LDAP Value
      ranger.usersync.source.impl.class ldap
  • (Optional) LDAP/AD. If you are using LDAP or Active Directory authentication, you may need to update the following properties, depending upon your specific deployment characteristics.
    1. Advanced ranger-ugsync-site Settings for LDAP and AD
      Table 3. Advanced ranger-ugsync-site Settings for LDAP and AD
      Property Name LDAP ranger-ugsync-site Value AD ranger-ugsync-site Value


      ldap:// ldap://ad-controller-hostname:389


      cn=ldapadmin,ou=users, dc=example,dc=com cn=adadmin,cn=Users, dc=example,dc=com


      secret secret


      dc=example,dc=com dc=example,dc=com
      ranger.usersync.source.impl.class org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder


      ou=users, dc=example, dc=com dc=example,dc=com


      sub sub


      person person


      Set to single empty space if no value. Do not leave it as “empty” (objectcategory=person)


      uid or cn sAMAccountName


      memberof,ismemberof memberof,ismemberof


      none none


      none none *

      false false *

      false false *

      ou=groups, dc=example, dc=com dc=example,dc=com *

      sub sub *

      groupofnames groupofnames *

      needed for AD authentication (member=CN={0}, OU=MyUsers, DC=AD-HDP, DC=COM) *

      cn cn *

      member member

      ranger.usersync.pagedresultsenabled *

      true true

      ranger.usersync.pagedresultssize *

      500 500

      ranger.usersync.user.searchenabled *

      false false *

      false false

      * Only applies when you want to filter out groups.

      After you have finished specifying all of the settings on the Customize Services page, click Next at the bottom of the page to continue with the installation.

  • Automatically Assign ADMIN KEYADMIN Role for External Users. You can use usersync to mark specific external users, or users in a specific external group, with the ADMIN or KEYADMIN role within Ranger. This is useful in cases where internal users are not allowed to log in to Ranger.
    1. From Ambari > Ranger > Configs > Advanced > Custom ranger-ugsync-site, select Add Property.
    2. Add the following properties:
      • ranger.usersync.role.assignment.list.delimiter = &

        The default value is &.

      • ranger.usersync.users.groups.assignment.list.delimiter = :

        The default value is :.

      • ranger.usersync.username.groupname.assignment.list.delimiter = ,

        The default value is ,.

      • = ROLE_SYS_ADMIN:u:userName1,userName2&ROLE_SYS_ADMIN:g:groupName1,groupName2&ROLE_KEY_ADMIN:u:userName&ROLE_KEY_ADMIN:g:groupName&ROLE_USER:u:userName3,userName4&ROLE_USER:g:groupName

    3. Click Add.
    4. Restart Ranger.
    ranger.usersync.role.assignment.list.delimiter = &
    ranger.usersync.users.groups.assignment.list.delimiter = :
    ranger.usersync.username.groupname.assignment.list.delimiter = , : &ROLE_SYS_ADMIN:u:ldapuser_12,ldapuser2
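
The role assignment value above packs every ADMIN and KEYADMIN grant into one delimited string, so it is worth expanding before you click Add. The following is an added example, not code from Ranger or from this guide: it parses the format using the three default delimiters and lists which users and groups would receive a privileged role. The function names are hypothetical, and merging repeated role entries is an assumption about intent rather than documented Ranger behavior.

```python
# Added example, not Ranger's code. Assumption: repeated role entries are merged.
PRIVILEGED = {"ROLE_SYS_ADMIN", "ROLE_KEY_ADMIN"}
KNOWN_ROLES = PRIVILEGED | {"ROLE_USER"}  # the roles that appear on this page


def parse_role_rules(value, role_delim="&", ug_delim=":", name_delim=","):
    """Return {role: {"u": [users], "g": [groups]}} for a rules string."""
    if len({role_delim, ug_delim, name_delim}) != 3:
        raise ValueError("the three delimiters must be distinct")
    rules = {}
    for entry in value.split(role_delim):
        entry = entry.strip()
        if not entry:  # tolerate a leading or trailing role delimiter
            continue
        parts = entry.split(ug_delim)
        if len(parts) != 3:
            raise ValueError(f"malformed entry: {entry!r}")
        role, kind, names = (p.strip() for p in parts)
        if role not in KNOWN_ROLES:
            raise ValueError(f"unknown role: {role!r}")
        if kind not in ("u", "g"):
            raise ValueError(f"expected 'u' or 'g', got {kind!r}")
        members = [n.strip() for n in names.split(name_delim) if n.strip()]
        if not members:
            raise ValueError(f"no names in entry: {entry!r}")
        bucket = rules.setdefault(role, {"u": [], "g": []})[kind]
        for m in members:
            if m not in bucket:
                bucket.append(m)
    return rules


def privileged_principals(rules):
    """List (role, kind, name) tuples that receive ADMIN or KEYADMIN."""
    return sorted((role, kind, name)
                  for role in rules if role in PRIVILEGED
                  for kind, names in rules[role].items() for name in names)


# The sample value from step 2 of this page.
SAMPLE = ("ROLE_SYS_ADMIN:u:userName1,userName2&ROLE_SYS_ADMIN:g:groupName1,groupName2"
          "&ROLE_KEY_ADMIN:u:userName&ROLE_KEY_ADMIN:g:groupName"
          "&ROLE_USER:u:userName3,userName4&ROLE_USER:g:groupName")

if __name__ == "__main__":
    for role, kind, name in privileged_principals(parse_role_rules(SAMPLE)):
        print(f"{role:15} {'user' if kind == 'u' else 'group':5} {name}")
```

A group entry deserves the closest review, because everyone who is later added to that LDAP/AD group inherits the role on the next sync.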