Hortonworks Docs » Hortonworks Data Platform 3.1.5 » Providing Authorization with Apache Ranger
Providing Authorization with Apache Ranger
Also available as:
PDF
loading table of contents...

Configure Advanced Usersync Settings

To access Usersync settings, select the Advanced tab on the Customize Service page. Usersync pulls in users from UNIX, LDAP, or AD and populates Ranger's local user tables with these users.

Configure advanced User Sync settings for the following:
  • Unix
  • (Required) LDAP/AD
  • (Optional) LDAP/AD
  • Automatically Assign ADMIN KEYADMIN Role for External Users
  • Unix: If you are using UNIX authentication, the default values for the Advanced ranger-ugsync-site properties are the settings for UNIX authentication:

    Under Ambari > Ranger > Configs > Advanced > Advanced ranger-ugsync-site.
  • (Required) LDAP/AD
    1. LDAP Advanced ranger-ugsync-site Settings
      Table 1. LDAP Advanced ranger-ugsync-site Settings
      Property Name LDAP Value
      ranger.usersync.ldap.bindkeystore

      Set this to the same value as the ranger.usersync.credstore.filename property, i.e, the default value is /usr/hdp/current/ranger-usersync/conf/ugsync.jceks

      ranger.usersync.ldap.bindalias ranger.usersync.ldap.bindalias
      ranger.usersync.source.impl.class ldap
    2. AD Advanced ranger-ugsync-site Settings
      Table 2. AD Advanced ranger-ugsync-site Settings
      Property Name LDAP Value
      ranger.usersync.source.impl.class ldap
  • (Optional) LDAP/AD. If you are using LDAP or Active Directory authentication, you may need to update the following properties, depending upon your specific deployment characteristics.
    1. Advanced ranger-ugsync-site Settings for LDAP and AD
      Table 3. Advanced ranger-ugsync-site Settings for LDAP and AD
      Property Name LDAP ranger-ugsync-site Value AD ranger-ugsync-site Value

      ranger.usersync.ldap.url

      		 ldap://127.0.0.1:389 ldap://ad-conrowoller-hostname:389

      ranger.usersync.ldap.binddn

      		 cn=ldapadmin,ou=users, dc=example,dc=com cn=adadmin,cn=Users, dc=example,dc=com

      ranger.usersync.ldap.ldapbindpassword

      		 secret secret

      ranger.usersync.ldap.searchBase

      		 dc=example,dc=com dc=example,dc=com
      ranger.usersync.source.impl.class org.apache.ranger. ladpusersync. process.LdapUserGroupBuilder

      ranger.usersync.ldap.user.searchbase

      		 ou=users, dc=example, dc=com dc=example,dc=com

      ranger.usersync.ldap.user.searchscope

      		 sub sub

      ranger.usersync.ldap.user.objectclass

      		 person person

      ranger.usersync.ldap.user.searchfilter

      		 Set to single empty space if no value. Do not leave it as “empty” (objectcategory=person)

      ranger.usersync.ldap.user.nameattribute

      		 uid or cn sAMAccountName

      ranger.usersync.ldap.user.groupnameattribute

      		 memberof,ismemberof memberof,ismemberof

      ranger.usersync.ldap.username.caseconversion

      		 none none

      ranger.usersync.ldap.groupname.caseconversion

      		 none none

      ranger.usersync.group.searchenabled *

      		 false false

      ranger.usersync.group.usermapsyncenabled *

      		 false false

      ranger.usersync.group.searchbase *

      		 ou=groups, dc=example, dc=com dc=example,dc=com

      ranger.usersync.group.searchscope *

      		 sub sub

      ranger.usersync.group.objectclass *

      		 groupofnames groupofnames

      ranger.usersync.group.searchfilter *

      		 needed for AD authentication (member=CN={0}, OU=MyUsers, DC=AD-HDP, DC=COM)

      ranger.usersync.group.nameattribute *

      		 cn cn

      ranger.usersync.group.memberattributename *

      		 member member

      ranger.usersync.pagedresultsenabled *

      		 true true

      ranger.usersync.pagedresultssize *

      		 500 500

      ranger.usersync.user.searchenabled *

      		 false false

      ranger.usersync.group.search.first.enabled *

      		 false false

      * Only applies when you want to filter out groups.

      After you have finished specifying all of the settings on the Customize Services page, click Next at the bottom of the page to continue with the installation.

  • Automatically Assign ADMIN KEYADMIN Role for External Users. You can use usersync to mark specific external users, or users in a specific external group, with ADMIN or KEYADMIN role within Ranger. This is useful in cases where internal users are not allowed to login to Ranger.
    1. From Ambari>Ranger>Configs>Advanced>Custom ranger-ugsync-site, select Add Property.
    2. Add the following properties:

      • ranger.usersync.role.assignment.list.delimiter = &

        The default value is &.

      • ranger.usersync.users.groups.assignment.list.delimiter = :

        The default value is :.

      • ranger.usersync.username.groupname.assignment.list.delimiter = ,

        The default value is ,.

      • ranger.usersync.group.based.role.assignment.rules = ROLE_SYS_ADMIN:u:userName1,userName2&ROLE_SYS_ADMIN:g:groupName1,groupName2&ROLE_KEY_ADMIN:u:userName&ROLE_KEY_ADMIN:g:groupName&ROLE_USER:u:userName3,userName4&ROLE_USER:g:groupName

    3. Click Add.
    4. Restart Ranger. 
    ranger.usersync.role.assignment.list.delimiter = &
ranger.usersync.users.groups.assignment.list.delimiter = :
ranger.usersync.username.groupname.assignment.list.delimiter = ,
ranger.usersync.group.based.role.assignment.rules : &ROLE_SYS_ADMIN:u:ldapuser_12,ldapuser2
© 2012–2019, Hortonworks, Inc.
Document licensed under the Creative Commons Attribution ShareAlike 4.0 License.
Hortonworks.com | Documentation | Support | Community