Ranger Usersync

How to configure Ranger Usersync to sync users and groups from AD/LDAP

Overview

The Ranger usersync service syncs users, groups, and group memberships from various sources, such as Unix, File, or AD/LDAP into Ranger. Ranger usersync provides a set of rich and flexible configuration properties to sync users, groups, and group memberships from AD/LDAP supporting a wide variety of use cases.

As a Ranger administrator, you will work with users and groups to configure policies in Ranger and administer access to the Ranger UI. You will use group memberships only to administer access to the Ranger UI. You must first understand the specific use-case before syncing users, groups, and group memberships from AD/LDAP. For example, if you want to configure only group-level policies, then you must sync groups to Ranger, but syncing users and group memberships to Ranger is not required.

Determining the users and groups to sync to Ranger:

Typically, you must complete a three-step process to define the complete set of users and groups that you will sync to Ranger:
  1. Define the customer use-case.

    3 common use cases:

    • A customer Admin or Data Admin wants to configure only group-level policies and restrict access to the Ranger UI to only a few users.
    • A customer’s Admin or Data Admin wants to configure only group-level policies and restrict access to the Ranger UI to only members of a group.
    • A customer’s Admin or Data Admin wants to configure mostly group-level policies and a few user- level policies.
  2. Define all relevant sync source details. For every use-case, at least four key questions must by answered:
    • What groups will sync to Ranger?
    • Which organizational units (OUs) in AD/LDAP contain these groups?
    • What users will sync to Ranger?
    • Which organizational units (OUs) in AD/LDAP contain these users?
  3. Configure Usersync properties.

    This topic describes an example set of Usersync configuration properties and values, based on a simple use-case and example AD source repository.

Example Use Case:

First, consider the following use-case, in order to better understand how to configure Usersync properties:

A customers Admin or Data Admin wants to configure only group-level policies and restrict access to the Ranger UI to only members of a group.

Example AD environment:

Configuring Ranger Usersync with AD/LDAP depends highly on the customer environment. You must understand the organization of users and groups in the customer environment. This illustration shows users and groups organized in an Active Directory environment.

Figure 1. Example Active Directory Structure
Example Active Directory Structure

Answering the key user and group questions, based on the example AD structure:

In this example, the customer wants to configure group-level policies for groups cdp_testing and cdp_prod and wants to provide admin access to the Ranger UI only for users in the dev_ops group.

Based on the example Active Directory structure, answers to the four key user/group questions are:
Q1: What groups will be synced to Ranger?
A1: cdp_testing, cdp_prod, and dev_ops
Q2: What OUs contain these groups in AD?
A2: hadoop groups and security groups
Q3: What users will be synced to Ranger?
A3: asmith and acaroll (these users are dev_ops group members)
Q4: What OUs contain these users in AD?
A4: vendors and service accounts
To find the specific answers to these questions in a particular environment, use a tool such as Ldapsearch, as shown in the following examples.
  • Example: Ldapsearch command to search a particular group cdp_testing and determine what attributes are available for the group.
    Figure 2. Using Ldapsearch to find a specific group
    Using Ldapsearch to find a specific group

    Above output shows all the available attributes for cn=cdp_testing. The highlighted attributes are those of interest for usersync configuration. In this case, cdp_testing has three “member” attributes: ASmith, BHall, and JDoe.

  • Example: Ldapsearch command to search a particular user ASmith and determine what attributes are available for the user.
    Figure 3. Using Ldapsearch to find a specific user
    Using Ldapsearch to find a specific user

    Above output shows all the available attributes for a user. The highlighted attributes are those of interest for usersync configuration. In this case, ASmith is a “memberof” 3 groups - cdp_testing, dev_ops, and cdp_prod.

Do NOT remove these system users!

There are basic access policies based on those system users designed to keep a Ranger-governed component working after Ranger is given all control over that component's authorizations. Without those policies/users many components may not function as expected.