Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

Expert Advice Required: Is AD integration on OS mandatory for ranger group policy to work?

Labels:
sriramhadoop27
Contributor

Created ‎09-07-2018 02:27 PM

Hi,

In my environment, because of some constraints AD Integration on OS is not allowed.

Can I use Ranger group policies in this case?

Note: Ranger group policies fail in case AD integration on OS is not done via SSSD or other source.

2,492 Views
0 Kudos
14 REPLIES 14

rtheron
Contributor

Created ‎09-07-2018 05:41 PM

You should be able to use ranger group policies in this scenario..., are your end users using any edge nodes to access the HDP environment? they would still need to kinit (which would require AD credentials) on those edge nodes, so the local host account may not be AD authorized but access into any HDP service would be

2,289 Views
0 Kudos

sriramhadoop27
Contributor

Created ‎09-07-2018 05:54 PM

I mean, users perform analysis using Zeppelin tool only. Servers on OS level are not integrated with AD.

2,289 Views
0 Kudos

rtheron
Contributor

Created ‎09-07-2018 06:38 PM

Then yes, that is supported as far as I'm aware

2,289 Views
0 Kudos

sriramhadoop27
Contributor

Created ‎09-07-2018 05:45 PM

@rtheron. We are not using Kerberos and they use only zeppelin.

2,289 Views
0 Kudos

Shelton
Mentor

Created ‎09-07-2018 10:46 PM

@Sriram

Working Shiro.ini for my AD.COM domain, I have scrambled sensitive data, you can use it as if after substituting values to match your AD domain admin user/password and valid ldapsearch for your users and groups

See attached shiro.ini

I commented out under [users] all local accounts so authentication is through AD, and in the last part under [urls] I commented everything except /**=authc which compels to logins to be authenticated by AD

HTH

Preview file
3 KB
2,289 Views
0 Kudos

sriramhadoop27
Contributor

Created ‎09-07-2018 11:03 PM

Thanks for your time. My primary question is "Is OS integration with AD is mandatory for group policies in Ranger to work?"

2,289 Views
0 Kudos

spolavarapu
Expert Contributor

Created ‎09-10-2018 06:22 PM

@Sriram,

Ranger user/group policies work as long as the user/group name that hadoop is requesting authorization for (in general it is the hdfs groups from hadoop) should be available in Ranger with case sensitivity. It doesn't matter where hadoop or ranger is pulling these users or groups from.

2,289 Views
0 Kudos

sriramhadoop27
Contributor

Created ‎09-10-2018 06:26 PM

@spolavarapu,

I did two test cases -

Test case1: OS is integrated with AD using SSSD and group policy worked.

Test Case2: OS is not integrated with AD ( id <username> ) does not give any user details and hdfs groups <username> does not give user details and in this case group policy failed, but if I attach the policy to user then it worked.

Why this difference?

2,289 Views
0 Kudos

spolavarapu
Expert Contributor

Created ‎09-10-2018 06:45 PM

@Sriram,

For authorization in ranger to work, the prerequisite is that hadoop and Ranger user group mapping should be in sync. During authorization in Ranger, each component, like hdfs, sends username and groupnames (groupnames are the ones that are returned from hdfs groups) to ranger. Ranger then evaluates the configured policies for either or both username and groupnames and responds with allow or deny.

In the test case2, if hdfs groups doesn't return the groups properly, then ranger won't get the groupnames as part of the authorization request and hence fails to find the matching policy. You can verify this in ranger audit logs as well as enabling debug logs for ranger in hdfs component.

Hope this helps.

2,289 Views
0 Kudos

rtheron
Contributor

Created ‎09-10-2018 06:33 PM

This would depend on your Ranger configuration, your Group dn and membership/member of attribute need to be correct for your AD setup, try testing your configuration using ldap search commands with the parameters you've configured to ensure you are getting the proper membership response from your config

1,392 Views
0 Kudos

sriramhadoop27
Contributor

Created ‎09-10-2018 06:36 PM

ldapsearch command does not work on server via command.

1,392 Views
0 Kudos

rtheron
Contributor

Created ‎09-10-2018 06:38 PM

Install ldap utils via yum (you may need to Google or check whatprovides ldapsearch, I think it's ldaputils), or you can test it from another server that does have ldapsearch installed. If you're not familiar with the ldapsearch syntax you will have to do a bit of research on how to structure the group membership filter correctly

1,392 Views
0 Kudos

sriramhadoop27
Contributor

Created ‎09-10-2018 06:43 PM

Hi,

Thanks I will try that.

Any idea on question related to two test cases, above?

1,392 Views
0 Kudos

sriramhadoop27
Contributor

Created ‎09-10-2018 06:50 PM

@spolavarapu....thanks your explanation on hdfs groups helped me. Thanks.

1,392 Views
0 Kudos
Take a Tour of the Community
Don't have an account?
Register
Your experience may be limited. Sign in to explore more.
Announcements
Community Announcements
March 2023 Community Highlights
What's New @ Cloudera
Cloudera DataFlow Designer for self-service data flow development is now generally available to all CDP Public Cloud customers
What's New @ Cloudera
Cloudera Operational Database (COD) UI provides the JWT configuration details to connect to your HBase client
What's New @ Cloudera
Cloudera Operational Database (COD) UI allows storage type selection when creating an operational database
What's New @ Cloudera
Release of Cloudera Streaming Analytics (CSA) 1.9.0 for CDP 7.1.7 SP2 & CDP 7.1.8
View More Announcements