Configure Advanced Usersync Settings
To access Usersync settings, select the Advanced tab on the Customize Service page. Usersync pulls in users from UNIX, LDAP, or AD and populates Ranger's local user tables with these users.
- Unix
- (Required) LDAP/AD
- (Optional) LDAP/AD
- Automatically Assign ADMIN KEYADMIN Role for External Users
-
Unix: If you are using UNIX authentication, the default values for the
Advanced ranger-ugsync-site properties are the settings for UNIX
authentication:
-
(Required) LDAP/AD
-
LDAP Advanced ranger-ugsync-site Settings
Table 1. LDAP Advanced ranger-ugsync-site Settings Property Name LDAP Value ranger.usersync.ldap.bindkeystore Set this to the same value as the
ranger.usersync.credstore.filename
property, i.e, the default value is/usr/hdp/current/ranger-usersync/conf/ugsync.jceks
ranger.usersync.ldap.bindalias ranger.usersync.ldap.bindalias ranger.usersync.source.impl.class ldap -
AD Advanced ranger-ugsync-site Settings
Table 2. AD Advanced ranger-ugsync-site Settings Property Name LDAP Value ranger.usersync.source.impl.class ldap
-
LDAP Advanced ranger-ugsync-site Settings
-
(Optional) LDAP/AD. If you are using LDAP or Active Directory
authentication, you may need to update the following properties, depending upon
your specific deployment characteristics.
-
Advanced ranger-ugsync-site Settings for LDAP and AD
Table 3. Advanced ranger-ugsync-site Settings for LDAP and AD Property Name LDAP ranger-ugsync-site Value AD ranger-ugsync-site Value ranger.usersync.ldap.url
ldap://127.0.0.1:389 ldap://ad-conrowoller-hostname:389 ranger.usersync.ldap.binddn
cn=ldapadmin,ou=users, dc=example,dc=com cn=adadmin,cn=Users, dc=example,dc=com ranger.usersync.ldap.ldapbindpassword
secret secret ranger.usersync.ldap.searchBase
dc=example,dc=com dc=example,dc=com ranger.usersync.source.impl.class org.apache.ranger. ladpusersync. process.LdapUserGroupBuilder ranger.usersync.ldap.user.searchbase
ou=users, dc=example, dc=com dc=example,dc=com ranger.usersync.ldap.user.searchscope
sub sub ranger.usersync.ldap.user.objectclass
person person ranger.usersync.ldap.user.searchfilter
Set to single empty space if no value. Do not leave it as “empty” (objectcategory=person) ranger.usersync.ldap.user.nameattribute
uid or cn sAMAccountName ranger.usersync.ldap.user.groupnameattribute
memberof,ismemberof memberof,ismemberof ranger.usersync.ldap.username.caseconversion
none none ranger.usersync.ldap.groupname.caseconversion
none none ranger.usersync.group.searchenabled *
false false ranger.usersync.group.usermapsyncenabled *
false false ranger.usersync.group.searchbase *
ou=groups, dc=example, dc=com dc=example,dc=com ranger.usersync.group.searchscope *
sub sub ranger.usersync.group.objectclass *
groupofnames groupofnames ranger.usersync.group.searchfilter *
needed for AD authentication (member=CN={0}, OU=MyUsers, DC=AD-HDP, DC=COM) ranger.usersync.group.nameattribute *
cn cn ranger.usersync.group.memberattributename *
member member ranger.usersync.pagedresultsenabled *
true true ranger.usersync.pagedresultssize *
500 500 ranger.usersync.user.searchenabled *
false false ranger.usersync.group.search.first.enabled *
false false * Only applies when you want to filter out groups.
After you have finished specifying all of the settings on the Customize Services page, click Next at the bottom of the page to continue with the installation.
-
Advanced ranger-ugsync-site Settings for LDAP and AD
-
Automatically Assign ADMIN KEYADMIN Role for External Users. You can use
usersync to mark specific external users, or users in a specific external group,
with ADMIN or KEYADMIN role within Ranger. This is useful in cases where
internal users are not allowed to login to Ranger.
- From Ambari>Ranger>Configs>Advanced>Custom ranger-ugsync-site, select Add Property.
-
Add the following properties:
-
ranger.usersync.role.assignment.list.delimiter = &
The default value is
&
. -
ranger.usersync.users.groups.assignment.list.delimiter = :
The default value is
:
. -
ranger.usersync.username.groupname.assignment.list.delimiter = ,
The default value is
,
. -
ranger.usersync.group.based.role.assignment.rules = ROLE_SYS_ADMIN:u:userName1,userName2&ROLE_SYS_ADMIN:g:groupName1,groupName2&ROLE_KEY_ADMIN:u:userName&ROLE_KEY_ADMIN:g:groupName&ROLE_USER:u:userName3,userName4&ROLE_USER:g:groupName
-
- Click Add.
- Restart Ranger.
ranger.usersync.role.assignment.list.delimiter = & ranger.usersync.users.groups.assignment.list.delimiter = : ranger.usersync.username.groupname.assignment.list.delimiter = , ranger.usersync.group.based.role.assignment.rules : &ROLE_SYS_ADMIN:u:ldapuser_12,ldapuser2