Switch to LDAP Access Privileges

CCP defaults to Java Database Connectivity (JDBC) to define access privileges. You can easily switch to using LDAP.

  1. In Ambari, select Add Service from the Actions menu.
  2. Select Knox from the list of available components and click Next.
    Now, when you go to Swagger or the UIs, you should be able to view your assigned roles and permissions.
  3. Accept all of the defaults and click Next then Deploy to install Knox.
  4. In Ambari, click Metron in the Actions menu and then click the Config tab.
  5. Click the Security tab.
  6. Populate the User Role Name field with the name of the LDAP group that provides user access to CCP.
  7. Populate the Admin Role Name field with the name of the LDAP group that provides administration access to CCP.
  8. Set LDAP Enables to On.
  9. Modify each of the fields to match your LDAP configuration.
    Field Definition Example
    LDAP URL The url for the LDAP server. This must be in the following format:

    ldap://[host]:[port] or ldaps://[host]:[port]

    ldap://localhost:33389 Active Directory: ldaps://23.96.22.127:636
    Bind User The fully distinguished name (DN) of an LDAP user account that has privileges to search for users. uid=admin,ou=people,dc=hadoop,dc=apache,dc=org Active Directory: bind-admin@mycompany.local
    Bind User Password The password for the bind user account. Set this password to match the admin user's password from the ldif file. adminPassword
    User dn pattern The pattern used to create a distinguished name (DN) from a username. This pattern is used to create a DN string for direct user authentication. The pattern argument {0} will be replaced with the username at runtime. uid={0},ou=people,dc=hadoop,dc=apache,dc=org Active Directory: uid={0},cn=users,dc=mycompany,dc=local
    User password attribute The name of an attribute containing the SHA-encoded user password. This attribute is used to perform a remote compare operation to authenticate the user. To use bind authentication, leave this field blank. userPassword Active Directory: leave blank
    User Search Base The location from which the search starts for user entries. ou=people,dc=hadoop,dc=apache,dc=org Active Directory: cn=users,dc=mycompany,dc=local
    User Search Filter The search filter used to locate a user. The pattern argument {0} is replaced with the username at runtime. Active Directory: (&(objectClass=user)(sAMAccountName={0}))
    Group Search Base The location from which the search starts for group entries. ou=groups,dc=hadoop,dc=apache,dc=org Active Directory: cn=users,dc=mycompany, dc=local
    Group Search Filter The search filter used to locate a group. The pattern argument {0} is replaced with the username at runtime. member={0} Active Directory: (&(objectClass=group)(member={0}))
    LDAP group role attribute The attribute of a group that defines the group name. cn
    LDAP Truststore The path of the truststore containing SSL certs for LDAP. /usr/metron/0.7.1/keystore
    LDAP Truststore Password The password for the truststore containing SSL certs for LDAP.
  10. Click the Summary tab to display all of the Metron components.
  11. Restart Metron REST.
    Now, when you go to Swagger or the UIs, you should be able to view your assigned roles and permissions.