Providing Authorization with Apache Ranger

Configure Advanced Usersync Settings

To access Usersync settings, select the Advanced tab on the Customize Service page. Usersync pulls in users from UNIX, LDAP, or AD and populates Ranger's local user tables with these users.

Configure advanced User Sync settings for the following:
  • Unix
  • (Required) LDAP/AD
  • (Optional) LDAP/AD
  • Automatically Assign ADMIN KEYADMIN Role for External Users
  • Unix: If you are using UNIX authentication, the default values of the Advanced ranger-ugsync-site properties, found under Ambari > Ranger > Configs > Advanced > Advanced ranger-ugsync-site, are already the settings for UNIX authentication.
  • (Required) LDAP/AD
    1. LDAP Advanced ranger-ugsync-site Settings
      Table 1. LDAP Advanced ranger-ugsync-site Settings

      ranger.usersync.ldap.bindkeystore
        LDAP Value: Set this to the same value as the ranger.usersync.credstore.filename property, i.e. the default value is /usr/hdp/current/ranger-usersync/conf/ugsync.jceks
      ranger.usersync.ldap.bindalias
        LDAP Value: ranger.usersync.ldap.bindalias
      ranger.usersync.source.impl.class
        LDAP Value: ldap
    2. AD Advanced ranger-ugsync-site Settings
      Table 2. AD Advanced ranger-ugsync-site Settings

      ranger.usersync.source.impl.class
        AD Value: ldap
  • (Optional) LDAP/AD. If you are using LDAP or Active Directory authentication, you may need to update the following properties, depending on your specific deployment characteristics.
    1. Advanced ranger-ugsync-site Settings for LDAP and AD
      Table 3. Advanced ranger-ugsync-site Settings for LDAP and AD
      (For each property, LDAP is the LDAP ranger-ugsync-site value and AD is the AD ranger-ugsync-site value.)

      ranger.usersync.ldap.url
        LDAP: ldap://127.0.0.1:389
        AD:   ldap://ad-controller-hostname:389
      ranger.usersync.ldap.binddn
        LDAP: cn=ldapadmin,ou=users,dc=example,dc=com
        AD:   cn=adadmin,cn=Users,dc=example,dc=com
      ranger.usersync.ldap.ldapbindpassword
        LDAP: secret
        AD:   secret
      ranger.usersync.ldap.searchBase
        LDAP: dc=example,dc=com
        AD:   dc=example,dc=com
      ranger.usersync.source.impl.class
        LDAP: org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
        AD:   org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
      ranger.usersync.ldap.user.searchbase
        LDAP: ou=users,dc=example,dc=com
        AD:   dc=example,dc=com
      ranger.usersync.ldap.user.searchscope
        LDAP: sub
        AD:   sub
      ranger.usersync.ldap.user.objectclass
        LDAP: person
        AD:   person
      ranger.usersync.ldap.user.searchfilter
        LDAP: Set to a single space if there is no value; do not leave it empty.
        AD:   (objectcategory=person)
      ranger.usersync.ldap.user.nameattribute
        LDAP: uid or cn
        AD:   sAMAccountName
      ranger.usersync.ldap.user.groupnameattribute
        LDAP: memberof,ismemberof
        AD:   memberof,ismemberof
      ranger.usersync.ldap.username.caseconversion
        LDAP: none
        AD:   none
      ranger.usersync.ldap.groupname.caseconversion
        LDAP: none
        AD:   none
      ranger.usersync.group.searchenabled *
        LDAP: false
        AD:   false
      ranger.usersync.group.usermapsyncenabled *
        LDAP: false
        AD:   false
      ranger.usersync.group.searchbase *
        LDAP: ou=groups,dc=example,dc=com
        AD:   dc=example,dc=com
      ranger.usersync.group.searchscope *
        LDAP: sub
        AD:   sub
      ranger.usersync.group.objectclass *
        LDAP: groupofnames
        AD:   groupofnames
      ranger.usersync.group.searchfilter *
        LDAP: needed for AD authentication
        AD:   (member=CN={0},OU=MyUsers,DC=AD-HDP,DC=COM)
      ranger.usersync.group.nameattribute *
        LDAP: cn
        AD:   cn
      ranger.usersync.group.memberattributename *
        LDAP: member
        AD:   member
      ranger.usersync.pagedresultsenabled *
        LDAP: true
        AD:   true
      ranger.usersync.pagedresultssize *
        LDAP: 500
        AD:   500
      ranger.usersync.user.searchenabled *
        LDAP: false
        AD:   false
      ranger.usersync.group.search.first.enabled *
        LDAP: false
        AD:   false

      * Only applies when you want to filter out groups.

      After you have finished specifying all of the settings on the Customize Services page, click Next at the bottom of the page to continue with the installation.

  • Automatically Assign ADMIN KEYADMIN Role for External Users. You can use usersync to mark specific external users, or users in a specific external group, with the ADMIN or KEYADMIN role within Ranger. This is useful in cases where internal users are not allowed to log in to Ranger.
    1. From Ambari > Ranger > Configs > Advanced > Custom ranger-ugsync-site, select Add Property.
    2. Add the following properties:
      • ranger.usersync.role.assignment.list.delimiter = &

        The default value is &.

      • ranger.usersync.users.groups.assignment.list.delimiter = :

        The default value is :.

      • ranger.usersync.username.groupname.assignment.list.delimiter = ,

        The default value is ,.

      • ranger.usersync.group.based.role.assignment.rules = ROLE_SYS_ADMIN:u:userName1,userName2&ROLE_SYS_ADMIN:g:groupName1,groupName2&ROLE_KEY_ADMIN:u:userName&ROLE_KEY_ADMIN:g:groupName&ROLE_USER:u:userName3,userName4&ROLE_USER:g:groupName

    3. Click Add.
    4. Restart Ranger.

    For example:
    ranger.usersync.role.assignment.list.delimiter = &
    ranger.usersync.users.groups.assignment.list.delimiter = :
    ranger.usersync.username.groupname.assignment.list.delimiter = ,
    ranger.usersync.group.based.role.assignment.rules : &ROLE_SYS_ADMIN:u:ldapuser_12,ldapuser2
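To check a role assignment rule string before restarting Ranger, here is a small parser written for this page (an added example, not Ranger's own code). The role names, the three delimiters and the u/g markers are taken from the property list above; treating a leading delimiter as an empty rule to skip, and returning every matching role for a user, are assumptions, since the page does not state which role Ranger keeps when several rules match.

```python
# Added example, not Ranger project code: parse and check a
# ranger.usersync.group.based.role.assignment.rules value offline.

# Delimiter defaults as documented for the three *.delimiter properties.
ROLE_DELIM = "&"  # ranger.usersync.role.assignment.list.delimiter
KIND_DELIM = ":"  # ranger.usersync.users.groups.assignment.list.delimiter
NAME_DELIM = ","  # ranger.usersync.username.groupname.assignment.list.delimiter
KNOWN_ROLES = {"ROLE_SYS_ADMIN", "ROLE_KEY_ADMIN", "ROLE_USER"}

def parse_role_rules(rules, role_delim=ROLE_DELIM, kind_delim=KIND_DELIM,
                     name_delim=NAME_DELIM):
    """Return {role: {"u": set(users), "g": set(groups)}}.

    Empty entries (e.g. a leading '&', assumed harmless) are skipped; a
    malformed entry raises ValueError so a typo is caught before a restart.
    """
    parsed = {}
    for entry in rules.split(role_delim):
        entry = entry.strip()
        if not entry:
            continue
        parts = [p.strip() for p in entry.split(kind_delim)]
        if len(parts) != 3:
            raise ValueError(f"malformed rule {entry!r}: expected ROLE{kind_delim}u|g{kind_delim}names")
        role, kind, names = parts
        if role not in KNOWN_ROLES:
            raise ValueError(f"unknown role {role!r} in {entry!r}")
        if kind not in ("u", "g"):
            raise ValueError(f"kind must be 'u' (users) or 'g' (groups) in {entry!r}")
        bucket = parsed.setdefault(role, {"u": set(), "g": set()})
        bucket[kind].update(n.strip() for n in names.split(name_delim) if n.strip())
    return parsed

def validate_role_rules(rules):
    """Return a list of error messages; empty when the value parses cleanly."""
    try:
        parse_role_rules(rules)
    except ValueError as exc:
        return [str(exc)]
    return []

def roles_for(parsed, username, groups):
    """All roles whose rule names the user directly or one of the user's groups.

    Assumption: every match is returned for review, because the page does not
    say which single role Ranger keeps when more than one rule applies.
    """
    groups = set(groups)
    return {role for role, b in parsed.items() if username in b["u"] or groups & b["g"]}
```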