1. Set up the User and Group Agent

Install the Unix User and Group Synchronizer (uxugsync) component after installing the HDP Security Administration server (see Install the HDP Security Administration Server). This component synchronizes users and groups from an external Unix host or LDAP service to the HDP Security Administration server. This agent is required when Web UI administrators are authenticated remotely against a Unix system.

UX-UserGroup Synchronizer provides the following functionality:

  • User and group data for creating policies

  • Authentication for HDP Security Administration accounts using the same credentials as the external host where the synchronizer is installed

Note
  • Before installing the UX-UserGroup Synchronizer, verify that a Java 7 JRE or JDK is installed by running the following command:

    java -version
  • The user and group agent is not required when authenticating users against an external LDAP service.

 1.1. Installation Set Up for Unix Authentication and User/Group Synchronization

To synchronize users and groups, or to allow users from a remote Unix system to log in to the Web UI, perform the following steps on the remote Unix host:

  1. Log on to the host as root.

  2. Copy the installation files to the target host and extract the files:

    1. Create a temporary directory, such as /tmp/xasecure:

      mkdir /tmp/xasecure
    2. Move the installation package into the temporary directory along with the MySQL Connector Jar.

    3. Extract the contents:

      tar xvf $xasecureinstallation.tar
    4. Go to the directory where you extracted the installation files:

      cd /tmp/xasecure/xasecure-$name-$build-version
  3. Open the install.properties file for editing.

  4. Set the UNIX remote authentication and user/group synchronization parameters:


    Table 3.1. Unix Authentication and User/Group Sync Installation Parameters

    Parameter                | Value    | Description
    -------------------------|----------|--------------------------------------------------------------
    POLICY_MGR_URL           | $URL     | Complete URL, including protocol and port, of the HDP Security Administration server. For example, http://policy-manager:6080.
    MIN_UNIX_USER_ID_TO_SYNC | $integer | Minimum user ID to synchronize with HDP Security Administration. System users are typically created with IDs lower than 1000. For example, 1000.
    SYNC_INTERVAL            | $minutes | Synchronization interval in minutes; when no value is set, the default is 360.
    SYNC_SOURCE              | unix     | Specify unix to allow remote authentication and user/group synchronization for users and groups on the host system.


    Example install.properties file for HDP Security Administration Server configured for UNIX authentication and UNIX user and group synchronization:

    #
    # The following URL should be the base URL for connecting to the policy manager web application
    # For example:
    #
    #  POLICY_MGR_URL = http://policymanager.xasecure.net:6080
    #
    
    POLICY_MGR_URL = http://policymgr:6080
    
    
    # Minimum Unix User-id to start SYNC.
    # This should avoid creating UNIX system-level users in the Policy Manager
    #
    MIN_UNIX_USER_ID_TO_SYNC = 1000
    
    # sync interval in minutes
    # user, groups would be synced again at the end of each sync interval
    # defaults to 5min if SYNC_SOURCE is unix
    # defaults to 360min if SYNC_SOURCE is ldap
    SYNC_INTERVAL = 
    
    # sync source, only unix and ldap are supported at present
    # defaults to unix
    SYNC_SOURCE = unix
  5. Save the install.properties file.
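The MIN_UNIX_USER_ID_TO_SYNC threshold decides which local accounts reach the Policy Manager, so it is worth previewing the result before the first sync. The following script is an added example, not part of the HDP Security Administration documentation or of the agent itself: it assumes the selection rule is "numeric uid greater than or equal to the threshold" (the parameter description says only "minimum user ID"), reads a passwd-format file, and lists the accounts that would be picked up. The passwd content is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: preview which accounts a given MIN_UNIX_USER_ID_TO_SYNC
# would select. Not part of the product; the uid >= threshold rule is an
# assumption drawn from the parameter description.

# Constructed sample in /etc/passwd format (name:passwd:uid:gid:gecos:home:shell).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
hdfs:x:497:497:Hadoop HDFS:/var/lib/hadoop-hdfs:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'

# users_to_sync MIN_UID [PASSWD_FILE]
# Prints, one per line, the user names whose numeric uid is >= MIN_UID.
# Reads the given passwd-format file, or stdin when no file is given.
# Malformed lines (non-numeric uid field) are skipped rather than synced.
users_to_sync() {
    min_uid="$1"
    passwd_file="${2:--}"
    awk -F: -v min="$min_uid" \
        '$3 ~ /^[0-9]+$/ && $3 + 0 >= min + 0 { print $1 }' "$passwd_file"
}

# Demonstration: the same host with two different thresholds.
echo "MIN_UNIX_USER_ID_TO_SYNC = 1000:"
printf '%s\n' "$SAMPLE_PASSWD" | users_to_sync 1000
echo "MIN_UNIX_USER_ID_TO_SYNC = 400:"
printf '%s\n' "$SAMPLE_PASSWD" | users_to_sync 400
```

On a real host, run users_to_sync 1000 /etc/passwd. Note that a minimum uid alone does not exclude high-numbered pseudo accounts such as nobody (uid 65534 in the sample); those still appear in the Policy Manager as user data and need to be handled there.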

 1.2. Installation Set Up for LDAP Service User/Group Synchronization

When synchronizing users from an LDAP service, the agent can be installed on the HDP Security Administration server.

Note

The LDAP configuration in the User and Group Synchronizer Agent is only used for synchronization. Authentication is configured during the installation of the HDP Security Administration Server.

To synchronize users and groups from an LDAP service:

  1. Log on to the host as root.

  2. Copy the installation files to the target host and extract the files:

    1. Create a temporary directory, such as /tmp/xasecure:

      mkdir /tmp/xasecure
    2. Move the installation package into the temporary directory along with the MySQL Connector Jar.

    3. Extract the contents:

      tar xvf $xasecureinstallation.tar
    4. Go to the directory where you extracted the installation files:

      cd /tmp/xasecure/xasecure-$name-$build-version
  3. Open the install.properties file for editing.

  4. Configure the LDAP user and group synchronization parameters:


    Table 3.2. LDAP User/Group Sync Installation Parameters

    Parameter                           | Value            | Description
    ------------------------------------|------------------|--------------------------------------------------------------
    POLICY_MGR_URL                      | $URL             | Complete URL, including protocol and port, of the HDP Security Administration server. For example, http://policy-manager:6080.
    MIN_UNIX_USER_ID_TO_SYNC            | $integer         | Minimum user ID to synchronize with HDP Security Administration. System users are typically created with IDs lower than 1000. For example, 1000.
    SYNC_INTERVAL                       | $minutes         | Synchronization interval in minutes; when no value is set, the default is 360.
    SYNC_SOURCE                         | ldap             | Specify ldap to synchronize users and groups from an LDAP service.
    SYNC_LDAP_URL                       | $URL             | Full URL of the LDAP service, including the port number. For example, ldap://ldap-host:389.[a]
    SYNC_LDAP_BIND_DN                   | $userDN          | DN of the LDAP account used to bind to the LDAP service.
    SYNC_LDAP_BIND_PASSWORD             | $password        | Password of the LDAP bind account.
    SYNC_LDAP_USER_SEARCH_BASE          | $BaseDN          | Base DN for the user and group search.
    SYNC_LDAP_USER_SEARCH_SCOPE         | base, one or sub | Search scope (base, one or sub) for the search.
    SYNC_LDAP_USER_OBJECT_CLASS         | $class           | ObjectClass of the user and group entries to sync. For example, person.[b]
    SYNC_LDAP_USER_SEARCH_FILTER        | $filter          | Additional filter applied to the search results; only matching entries are synchronized. For example, dept=engineer.
    SYNC_LDAP_USER_NAME_ATTRIBUTE       | $attribute       | Attribute returned as the user or group name. This is the value synchronized.
    SYNC_LDAP_USERNAME_CASE_CONVERSION  | lower            | Converts the user name case on import. The possible values are lower or upper.
    SYNC_LDAP_GROUPNAME_CASE_CONVERSION | lower            | Converts the group name case on import. The possible values are lower or upper.

    [a] Only Active Directory and OpenLDAP are supported.

    [b] The default is person.


    Example install.properties file for HDP Security Administration Server configured for LDAP authentication and LDAP user and group synchronization:

    #
    # The following URL should be the base URL for connecting to the policy manager web application
    # For example:
    #
    #  POLICY_MGR_URL = http://policymanager.xasecure.net:6080
    #
    POLICY_MGR_URL = http://policymgr:6080
    
    #
    # Minimum Unix User-id to start SYNC.
    # This should avoid creating UNIX system-level users in the Policy Manager
    #
    MIN_UNIX_USER_ID_TO_SYNC = 1000
    
    # sync interval in minutes
    # user, groups would be synced again at the end of each sync interval
    # defaults to 5min if SYNC_SOURCE is unix
    # defaults to 360min if SYNC_SOURCE is ldap
    SYNC_INTERVAL = 
    
    # sync source, only unix and ldap are supported at present
    # defaults to unix
    SYNC_SOURCE = ldap
    
    # ---------------------------------------------------------------
    # The following properties are relevant only if SYNC_SOURCE = ldap
    # ---------------------------------------------------------------
    
    # URL of source ldap 
    # a sample value would be:  ldap://ldap.example.com:389
    # Must specify a value if SYNC_SOURCE is ldap
    SYNC_LDAP_URL = ldap://sandbox:389
    
    # ldap bind dn used to connect to ldap and query for users and groups
    # a sample value would be cn=admin,ou=users,dc=hadoop,dc=apache,dc=org
    # Must specify a value if SYNC_SOURCE is ldap
    SYNC_LDAP_BIND_DN = cn=admin,ou=users,dc=hadoop,dc=apache,dc=org
    
    # ldap bind password for the bind dn specified above
    # please ensure read access to this file is limited to root, to protect the password
    # Must specify a value if SYNC_SOURCE is ldap
    # unless anonymous search is allowed by the directory on users and group
    SYNC_LDAP_BIND_PASSWORD = 
    
    # search base for users
    # sample value would be ou=users,dc=hadoop,dc=apache,dc=org
    SYNC_LDAP_USER_SEARCH_BASE = ou=users,dc=hadoop,dc=apache,dc=org
    
    
    # search scope for the users, only base, one and sub are supported values
    # please customize the value to suit your deployment
    # default value: sub
    SYNC_LDAP_USER_SEARCH_SCOPE = sub
    
    # objectclass to identify user entries
    # please customize the value to suit your deployment
    # default value: person
    SYNC_LDAP_USER_OBJECT_CLASS = person
    
    # optional additional filter constraining the users selected for syncing
    # a sample value would be (dept=eng)
    # please customize the value to suit your deployment
    # default value is empty
    SYNC_LDAP_USER_SEARCH_FILTER =
    
    # attribute from user entry that would be treated as user name
    # please customize the value to suit your deployment
    # default value: cn
    SYNC_LDAP_USER_NAME_ATTRIBUTE = cn
    
    # UserSync - Case Conversion Flags
    # possible values:  none, lower, upper
    SYNC_LDAP_USERNAME_CASE_CONVERSION=lower
    SYNC_LDAP_GROUPNAME_CASE_CONVERSION=lower
  5. Save the install.properties file.
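Both procedures above end with a hand-edited install.properties that install.sh consumes without much feedback, and the file's own comment asks that it be readable only by root once a bind password is in it. The following pre-flight check is an added example, not part of the HDP Security Administration documentation or of the install.sh shipped with the agent: it parses the file, checks the keys and allowed values listed in Tables 3.1 and 3.2 for either SYNC_SOURCE, and refuses a file that stores SYNC_LDAP_BIND_PASSWORD while being group- or world-readable. Accepting ldaps:// in addition to ldap:// is this example's assumption; the page only shows ldap://. The two sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: validate install.properties before running install.sh.
# Not part of the product; required keys and allowed values come from the
# parameter tables, the permission rule from the file's own comment.

# prop FILE KEY: print KEY's value (spaces around '=' ignored, '#' lines
# skipped, last occurrence wins); prints nothing if absent or empty.
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# check_install_properties FILE
# Returns 0 when the file is consistent, 1 otherwise. Every problem is
# reported on stderr so they can all be fixed in one pass.
check_install_properties() {
    f="$1"; rc=0
    fail() { echo "install.properties: $*" >&2; rc=1; }

    url=$(prop "$f" POLICY_MGR_URL)
    case "$url" in
        http://*|https://*) ;;
        *) fail "POLICY_MGR_URL must include protocol and port, got '$url'" ;;
    esac
    min_uid=$(prop "$f" MIN_UNIX_USER_ID_TO_SYNC)
    case "$min_uid" in
        ''|*[!0-9]*) fail "MIN_UNIX_USER_ID_TO_SYNC must be an integer, got '$min_uid'" ;;
    esac
    case "$(prop "$f" SYNC_INTERVAL)" in
        *[!0-9]*) fail "SYNC_INTERVAL must be minutes (or empty for the default)" ;;
    esac

    source=$(prop "$f" SYNC_SOURCE)
    case "$source" in
        unix) ;;
        ldap)
            case "$(prop "$f" SYNC_LDAP_URL)" in
                ldap://*|ldaps://*) ;;   # ldaps:// accepted by assumption
                *) fail "SYNC_LDAP_URL is required with SYNC_SOURCE=ldap (ldap://host:port)" ;;
            esac
            [ -n "$(prop "$f" SYNC_LDAP_USER_SEARCH_BASE)" ] \
                || fail "SYNC_LDAP_USER_SEARCH_BASE is required with SYNC_SOURCE=ldap"
            scope=$(prop "$f" SYNC_LDAP_USER_SEARCH_SCOPE)
            case "$scope" in
                base|one|sub) ;;
                *) fail "SYNC_LDAP_USER_SEARCH_SCOPE must be base, one or sub, got '$scope'" ;;
            esac
            for k in SYNC_LDAP_USERNAME_CASE_CONVERSION SYNC_LDAP_GROUPNAME_CASE_CONVERSION; do
                v=$(prop "$f" "$k")
                case "$v" in
                    ''|none|lower|upper) ;;
                    *) fail "$k must be none, lower or upper, got '$v'" ;;
                esac
            done
            # A stored bind password must not be readable by group or others.
            if [ -n "$(prop "$f" SYNC_LDAP_BIND_PASSWORD)" ]; then
                mode=$(ls -l "$f" | cut -c5-10)   # group+other permission bits
                [ "$mode" = "------" ] \
                    || fail "SYNC_LDAP_BIND_PASSWORD is set but '$f' is readable by group/others (chmod 600)"
            fi
            ;;
        *) fail "SYNC_SOURCE must be unix or ldap, got '$source'" ;;
    esac
    return $rc
}

# Constructed sample files: one consistent, one with three problems
# (URL without protocol, invalid scope, password in a mode-644 file).
WORK=$(mktemp -d)
GOOD="$WORK/install.properties.good"
cat > "$GOOD" <<'EOF'
POLICY_MGR_URL = http://policymgr:6080
MIN_UNIX_USER_ID_TO_SYNC = 1000
SYNC_INTERVAL =
SYNC_SOURCE = ldap
SYNC_LDAP_URL = ldap://ldap.example.com:389
SYNC_LDAP_BIND_DN = cn=admin,ou=users,dc=hadoop,dc=apache,dc=org
SYNC_LDAP_BIND_PASSWORD = constructed-example-only
SYNC_LDAP_USER_SEARCH_BASE = ou=users,dc=hadoop,dc=apache,dc=org
SYNC_LDAP_USER_SEARCH_SCOPE = sub
SYNC_LDAP_USERNAME_CASE_CONVERSION=lower
SYNC_LDAP_GROUPNAME_CASE_CONVERSION=lower
EOF
chmod 600 "$GOOD"
BAD="$WORK/install.properties.bad"
cat > "$BAD" <<'EOF'
POLICY_MGR_URL = policymgr:6080
MIN_UNIX_USER_ID_TO_SYNC = 1000
SYNC_SOURCE = ldap
SYNC_LDAP_URL = ldap://ldap.example.com:389
SYNC_LDAP_BIND_PASSWORD = constructed-example-only
SYNC_LDAP_USER_SEARCH_BASE = ou=users,dc=hadoop,dc=apache,dc=org
SYNC_LDAP_USER_SEARCH_SCOPE = subtree
EOF
chmod 644 "$BAD"

check_install_properties "$GOOD" && echo "$GOOD: ok"
check_install_properties "$BAD" || echo "$BAD: problems found, fix before install.sh"
```

Run it as check_install_properties /tmp/xasecure/xasecure-$name-$build-version/install.properties before step 2 of section 1.3; a non-zero exit means install.sh would be fed a file the tables above do not describe.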

 1.3. Run the Agent Installation Script

After configuring the install.properties file, install the agent as root:

  1. Log on to the Linux system as root and go to the directory where you extracted the installation files:

    cd /tmp/xasecure/xasecure-$name-$build-version
  2. Run the agent installation script:

    # ./install.sh
