Install the Unix User and Group Synchronizer (uxugsync) component after installing the HDP Security Administration server; see Install the HDP Security Administration Server.
This component synchronizes users and groups from an external Unix host or LDAP service to the HDP Security Administration server. The agent is required when Web UI administrators are to be authenticated remotely against a Unix system.
UX-UserGroup Synchronizer provides the following functionality:
User and group data for creating policies
Authentication for HDP Security Administration accounts using the same credentials as the external host where the synchronizer is installed
To synchronize users and groups, and/or to allow users of a remote Unix system to log into the Web UI, perform the following steps on the remote Unix host:
Log on to the host as root.
Copy the installation files to the target host and extract them:
Create a temporary directory, such as /tmp/xasecure:
```sh
mkdir /tmp/xasecure
```
Move the installation package into the temporary directory along with the MySQL Connector Jar.
Extract the contents:
```sh
tar xvf $xasecureinstallation.tar
```
Go to the directory where you extracted the installation files:
```sh
cd /tmp/xasecure/xasecure-$name-$build-version
```
Open the install.properties file for editing and set the UNIX remote authentication and user/group synchronization parameters:
Table 3.1. Unix Authentication and User/Group Sync Installation Parameters

| Parameter | Value | Description |
|---|---|---|
| POLICY_MGR_URL | $URL | Complete URL, including protocol and port, of the HDP Security Administration server. For example, http://policy-manager:6080 |
| MIN_UNIX_USER_ID_TO_SYNC | $integer | Minimum user ID to synchronize with HDP Security Administration. System users are typically created with IDs lower than 1000. For example, 1000 |
| SYNC_INTERVAL | $minutes | Sync interval in minutes. When no value is set, the default is 5 for SYNC_SOURCE=unix (360 for SYNC_SOURCE=ldap) |
| SYNC_SOURCE | unix | Specify unix to allow remote authentication and user/group synchronization for the users and groups of the host system |

Example install.properties file for an HDP Security Administration Server configured for UNIX authentication and UNIX user and group synchronization:

```properties
#
# The following URL should be the base URL for connecting to the policy manager web application
# For example:
#
#   POLICY_MGR_URL = http://policymanager.xasecure.net:6080
#
POLICY_MGR_URL = http://policymgr:6080

# Minimum Unix User-id to start SYNC.
# This should avoid creating UNIX system-level users in the Policy Manager
#
MIN_UNIX_USER_ID_TO_SYNC = 1000

# sync interval in minutes
# user, groups would be synced again at the end of each sync interval
# defaults to 5min if SYNC_SOURCE is unix
# defaults to 360min if SYNC_SOURCE is ldap
SYNC_INTERVAL =

# sync source, only unix and ldap are supported at present
# defaults to unix
SYNC_SOURCE = unix
```
Save the install.properties file.
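MIN_UNIX_USER_ID_TO_SYNC is the only thing standing between the host's system accounts and the policy manager, so it is worth previewing what a given threshold lets through before the first sync interval fires. The script below is an added example, not part of the HDP installer; it assumes the agent keeps every account whose numeric UID is greater than or equal to the threshold, and the passwd content is constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the HDP Security Administration installer):
# preview which local accounts a Unix sync would push to the policy manager
# for a given MIN_UNIX_USER_ID_TO_SYNC. It assumes the agent keeps accounts
# whose numeric UID is greater than or equal to the threshold. The passwd
# content below is constructed for the demo, not taken from a real host.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mysql:x:112:118:MySQL Server:/nonexistent:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'

# synced_users MIN_UID [PASSWD_FILE]
# Prints, in UID order, the names of accounts with UID >= MIN_UID.
synced_users() {
    awk -F: -v min="$1" '$3 >= min { print $3, $1 }' "${2:-/etc/passwd}" \
        | sort -n | cut -d' ' -f2
}

# skipped_users MIN_UID [PASSWD_FILE]
# The complement: accounts the threshold keeps out of the policy manager.
skipped_users() {
    awk -F: -v min="$1" '$3 < min { print $3, $1 }' "${2:-/etc/passwd}" \
        | sort -n | cut -d' ' -f2
}

# synced_count MIN_UID [PASSWD_FILE]: number of accounts that would be synced.
synced_count() {
    synced_users "$@" | wc -l | tr -d ' '
}

# Stand-alone demo against the constructed passwd file with the page's value, 1000.
demo=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$demo"
echo "synced (UID >= 1000):"; synced_users 1000 "$demo"
echo "skipped:";              skipped_users 1000 "$demo"
rm -f "$demo"
```

Run it against the real /etc/passwd (omit the second argument) on the host before enabling sync. The threshold is a lower bound only: placeholder accounts with high UIDs, such as nobody at 65534 on many distributions, pass the filter and end up as principals in the policy manager, so reconcile the list against the HDP Security Administration user list after the first interval.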
When synchronizing users from an LDAP service, the agent can be installed on the HDP Security Administration server itself.
Note: The LDAP configuration in the User and Group Synchronizer Agent is used only for synchronization. Authentication is configured during the installation of the HDP Security Administration Server.
To synchronize users and groups from an LDAP service:
Log on to the host as root.
Copy the installation files to the target host and extract them:
Create a temporary directory, such as /tmp/xasecure:
```sh
mkdir /tmp/xasecure
```
Move the installation package into the temporary directory along with the MySQL Connector Jar.
Extract the contents:
```sh
tar xvf $xasecureinstallation.tar
```
Go to the directory where you extracted the installation files:
```sh
cd /tmp/xasecure/xasecure-$name-$build-version
```
Open the install.properties file for editing and configure the LDAP user and group synchronization parameters:
Table 3.2. LDAP User/Group Sync Installation Parameters

| Parameter | Value | Description |
|---|---|---|
| POLICY_MGR_URL | $URL | Complete URL, including protocol and port, of the HDP Security Administration server. For example, http://policy-manager:6080 |
| MIN_UNIX_USER_ID_TO_SYNC | $integer | Minimum user ID to synchronize with HDP Security Administration. System users are typically created with IDs lower than 1000. For example, 1000 |
| SYNC_INTERVAL | $minutes | Sync interval in minutes. When no value is set, the default for SYNC_SOURCE=ldap is 360 |
| SYNC_SOURCE | ldap | Specify ldap to synchronize users and groups from an LDAP service |
| SYNC_LDAP_URL | $URL | Full URL of the LDAP service, including port number. For example, ldap://ldap-host:389 [a] |
| SYNC_LDAP_BIND_DN | $userDN | DN of the LDAP account used to bind to the LDAP service |
| SYNC_LDAP_BIND_PASSWORD | $password | Password of the bind account |
| SYNC_LDAP_USER_SEARCH_BASE | $BaseDN | Base DN for the user and group search |
| SYNC_LDAP_USER_SEARCH_SCOPE | base, one or sub | Search scope (base, one or sub) |
| SYNC_LDAP_USER_OBJECT_CLASS | $class | ObjectClass of the users and groups to sync. For example, person [b] |
| SYNC_LDAP_USER_SEARCH_FILTER | $filter | Additional filter applied to the search results. For example, dept=engineer |
| SYNC_LDAP_USER_NAME_ATTRIBUTE | $attribute | Attribute returned as the user or group name; this is the value that is synchronized |
| SYNC_LDAP_USERNAME_CASE_CONVERSION | lower | Case conversion applied to user names on import. Possible values: lower, upper or none |
| SYNC_LDAP_GROUPNAME_CASE_CONVERSION | lower | Case conversion applied to group names on import. Possible values: lower, upper or none |

[a] Only Active Directory and OpenLDAP are supported.
[b] The default is person.
Example install.properties file for an HDP Security Administration Server configured for LDAP user and group synchronization (authentication against LDAP is configured separately, on the HDP Security Administration Server):

```properties
#
# The following URL should be the base URL for connecting to the policy manager web application
# For example:
#
#   POLICY_MGR_URL = http://policymanager.xasecure.net:6080
#
POLICY_MGR_URL = http://policymgr:6080

#
# Minimum Unix User-id to start SYNC.
# This should avoid creating UNIX system-level users in the Policy Manager
#
MIN_UNIX_USER_ID_TO_SYNC = 1000

# sync interval in minutes
# user, groups would be synced again at the end of each sync interval
# defaults to 5min if SYNC_SOURCE is unix
# defaults to 360min if SYNC_SOURCE is ldap
SYNC_INTERVAL =

# sync source, only unix and ldap are supported at present
# defaults to unix
SYNC_SOURCE = ldap

# ---------------------------------------------------------------
# The following properties are relevant only if SYNC_SOURCE = ldap
# ---------------------------------------------------------------

# URL of source ldap
# a sample value would be: ldap://ldap.example.com:389
# Must specify a value if SYNC_SOURCE is ldap
SYNC_LDAP_URL = ldap://sandbox:389

# ldap bind dn used to connect to ldap and query for users and groups
# a sample value would be cn=admin,ou=users,dc=hadoop,dc=apache,dc=org
# Must specify a value if SYNC_SOURCE is ldap
SYNC_LDAP_BIND_DN = cn=admin,ou=users,dc=hadoop,dc=apache,dc=org

# ldap bind password for the bind dn specified above
# please ensure read access to this file is limited to root, to protect the password
# Must specify a value if SYNC_SOURCE is ldap
# unless anonymous search is allowed by the directory on users and group
SYNC_LDAP_BIND_PASSWORD =

# search base for users
# sample value would be ou=users,dc=hadoop,dc=apache,dc=org
SYNC_LDAP_USER_SEARCH_BASE = ou=users,dc=hadoop,dc=apache,dc=org

# search scope for the users, only base, one and sub are supported values
# please customize the value to suit your deployment
# default value: sub
SYNC_LDAP_USER_SEARCH_SCOPE = sub

# objectclass to identify user entries
# please customize the value to suit your deployment
# default value: person
SYNC_LDAP_USER_OBJECT_CLASS = person

# optional additional filter constraining the users selected for syncing
# a sample value would be (dept=eng)
# please customize the value to suit your deployment
# default value is empty
SYNC_LDAP_USER_SEARCH_FILTER =

# attribute from user entry that would be treated as user name
# please customize the value to suit your deployment
# default value: cn
SYNC_LDAP_USER_NAME_ATTRIBUTE = cn

# UserSync - Case Conversion Flags
# possible values: none, lower, upper
SYNC_LDAP_USERNAME_CASE_CONVERSION=lower
SYNC_LDAP_GROUPNAME_CASE_CONVERSION=lower
```
Save the install.properties file.
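install.properties holds the LDAP bind password in clear text and install.sh gives no second chance on a typo, so a pre-flight pass over the file is cheap insurance: file mode restricted to root as the comments in the file ask, POLICY_MGR_URL with scheme and port, MIN_UNIX_USER_ID_TO_SYNC numeric, and the LDAP keys the file marks "must specify" actually set. The script below is an added example, not part of the HDP installer; it assumes the "KEY = value" layout shown above with '#' comment lines, treats an empty SYNC_LDAP_USER_SEARCH_SCOPE as the documented default (sub), and only warns, rather than fails, on plain ldap:// and on an empty bind password, since the page allows both.

```shell
#!/bin/sh
# Added example (not part of the HDP Security Administration installer):
# pre-flight checks on install.properties before install.sh is run.
# Assumes the "KEY = value" layout shown on this page and '#' comment lines.
# Whether the agent accepts ldaps:// is an assumption; check with your version.

# prop FILE KEY: print the value of KEY (last occurrence wins), empty if unset.
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | sed 's/[[:space:]]*$//'
}

# check_install_properties FILE
# Prints one line per finding; returns the number of hard errors (0 = ready).
check_install_properties() {
    f=$1
    errors=0

    # The file carries SYNC_LDAP_BIND_PASSWORD, so it must be readable by root only.
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case $mode in
        *00) ;;
        *) echo "ERROR: $f has mode $mode; restrict it to the owner (chmod 600)"
           errors=$((errors + 1)) ;;
    esac

    url=$(prop "$f" POLICY_MGR_URL)
    case $url in
        http://*:[0-9]*|https://*:[0-9]*) ;;
        *) echo "ERROR: POLICY_MGR_URL must include scheme and port, got '$url'"
           errors=$((errors + 1)) ;;
    esac

    min_uid=$(prop "$f" MIN_UNIX_USER_ID_TO_SYNC)
    case $min_uid in
        ''|*[!0-9]*) echo "ERROR: MIN_UNIX_USER_ID_TO_SYNC must be an integer, got '$min_uid'"
                     errors=$((errors + 1)) ;;
    esac

    source=$(prop "$f" SYNC_SOURCE)
    case $source in
        unix) ;;
        ldap)
            # Keys the page marks "Must specify a value if SYNC_SOURCE is ldap".
            for key in SYNC_LDAP_URL SYNC_LDAP_BIND_DN SYNC_LDAP_USER_SEARCH_BASE; do
                [ -n "$(prop "$f" "$key")" ] || {
                    echo "ERROR: $key is required when SYNC_SOURCE=ldap"
                    errors=$((errors + 1))
                }
            done
            ldap_url=$(prop "$f" SYNC_LDAP_URL)
            case $ldap_url in
                ''|ldaps://*) ;;
                ldap://*) echo "WARN: plain ldap:// sends the simple-bind password in clear text on the wire" ;;
                *) echo "ERROR: SYNC_LDAP_URL must start with ldap:// or ldaps://, got '$ldap_url'"
                   errors=$((errors + 1)) ;;
            esac
            [ -n "$(prop "$f" SYNC_LDAP_BIND_PASSWORD)" ] ||
                echo "WARN: SYNC_LDAP_BIND_PASSWORD is empty; sync only works if the directory allows anonymous search"
            scope=$(prop "$f" SYNC_LDAP_USER_SEARCH_SCOPE)
            case $scope in
                ''|base|one|sub) ;;   # empty means the documented default, sub
                *) echo "ERROR: SYNC_LDAP_USER_SEARCH_SCOPE must be base, one or sub, got '$scope'"
                   errors=$((errors + 1)) ;;
            esac
            ;;
        *) echo "ERROR: SYNC_SOURCE must be unix or ldap, got '$source'"
           errors=$((errors + 1)) ;;
    esac
    return $errors
}

# Stand-alone demo on a constructed file that mirrors the LDAP example above.
demo=$(mktemp)
cat > "$demo" <<'EOF'
POLICY_MGR_URL = http://policymgr:6080
MIN_UNIX_USER_ID_TO_SYNC = 1000
SYNC_SOURCE = ldap
SYNC_LDAP_URL = ldap://sandbox:389
SYNC_LDAP_BIND_DN = cn=admin,ou=users,dc=hadoop,dc=apache,dc=org
SYNC_LDAP_BIND_PASSWORD =
SYNC_LDAP_USER_SEARCH_BASE = ou=users,dc=hadoop,dc=apache,dc=org
SYNC_LDAP_USER_SEARCH_SCOPE = sub
EOF
chmod 600 "$demo"
check_install_properties "$demo" && echo "no hard errors; review the warnings"
rm -f "$demo"
```

Run it as `check_install_properties install.properties` from the extracted installation directory and only proceed to install.sh when it returns 0. The two WARN lines the demo produces are exactly the two weak settings the page's own example ships with: an unencrypted LDAP URL and an empty bind password.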
After configuring the install.properties file, install the agent as root:
Log on to the Linux system as root and go to the directory where you extracted the installation files:
```sh
cd /tmp/xasecure/xasecure-$name-$build-version
```
Run the agent installation script:
```sh
./install.sh
```