Handling inconsistent username and group name conventions for consistent authorization

This document explains how user and group names are processed to ensure that Ranger policies are applied correctly, leading to seamless access to data and resources.

Cloudera Data Platform (CDP) offers a standardized method for managing usernames and group names to ensure consistent and accurate authorization across all CDP services. This approach is particularly useful when dealing with diverse naming conventions, including special characters such as whitespace and slashes.

Identity providers such as Active Directory or LDAP often hold users and groups under a variety of naming conventions. These conventions can include special characters that, if not handled consistently, lead to inconsistent authorization and increased administrative overhead.

To handle inconsistent user and group naming conventions, perform the following steps:

  1. Configure the Ranger Admin safety valve.
    1. Go to Cloudera Manager > Ranger > Configuration.
    2. In Ranger Admin Advanced Configuration Snippet (Safety Valve) for conf/ranger-admin-site.xml, add the following properties:
      • ranger.plugins.conf.ldap.username.caseconversion
      • ranger.plugins.conf.ldap.groupname.caseconversion
      • ranger.plugins.conf.mapping.username.handler (default value org.apache.ranger.ugsyncutil.transform.RegEx)
      • ranger.plugins.conf.mapping.groupname.handler (default value org.apache.ranger.ugsyncutil.transform.RegEx)
      • ranger.plugins.conf.mapping.regex.separator (default value "/")
      • ranger.plugins.conf.mapping.username.regex
      • ranger.plugins.conf.mapping.groupname.regex
    3. Restart the Ranger Admin service.
  2. Configure the safety valve at service level.
    1. Go to Cloudera Manager > <Service> > Configuration.
    2. Add the ranger.plugin.<serviceType>.supports.name.transformation property to the service-level safety valve configuration.
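
The following sketch is an added example, not Cloudera or Ranger code. It models how a regex mapping plus case conversion can bring differently spelled names to the one form a policy is written against, and why the separator is configurable. The sed-style rule syntax `s<sep>regex<sep>replacement<sep>[g]`, the `lower`/`upper`/`none` case values, the order of operations, and all rules and names shown are assumptions constructed for illustration; this page does not specify the property values.

```python
import re

def parse_rule(rule, sep="/"):
    """Split 's<sep>regex<sep>replacement<sep>[g]' (assumed rule syntax)."""
    s = re.escape(sep)
    m = re.fullmatch(f"s{s}([^{s}]*){s}([^{s}]*){s}(g)?", rule)
    if m is None:
        raise ValueError(f"rule {rule!r} does not parse with separator {sep!r}")
    return re.compile(m.group(1)), m.group(2), m.group(3) == "g"

def transform(name, rules, sep="/", case="none"):
    """Apply each rule in order, then the case conversion.

    The order (regex, then case) is an assumption of this sketch; the rules
    below give the same result either way. Replacements are literal text.
    """
    for rule in rules:
        pattern, repl, is_global = parse_rule(rule, sep)
        name = pattern.sub(lambda _m: repl, name, count=0 if is_global else 1)
    if case == "lower":
        return name.lower()
    if case == "upper":
        return name.upper()
    return name

# Constructed rules: whitespace and "/" both become "_". Because one rule has
# to match a literal "/", the separator is switched from "/" to "|".
SEP = "|"
GROUP_RULES = [r"s|\s|_|g", "s|/|_|g"]

def normalize_group(name):
    return transform(name, GROUP_RULES, sep=SEP, case="lower")

if __name__ == "__main__":
    # Constructed names: one group as spelled by different sources.
    for raw in ["Data Eng/Prod", "DATA ENG/PROD", "data_eng_prod"]:
        print(f"{raw!r:18} -> {normalize_group(raw)!r}")
    try:
        parse_rule("s///_/g", sep="/")  # "/" as both separator and target
    except ValueError as err:
        print("rejected:", err)
```

A rule that must match the separator character itself cannot be expressed with that separator, which is the case the last lines exercise.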