Groups not visible in Ranger web UI

Contributor

Good evening everyone, I have a problem with Ranger. The users have access to the databases and everything works, but in the Ranger web UI, if I try to search for users belonging to the groups, the following screen is shown, even though checking in Unix shows that the group contains several users:

utenti.png

I saw that there is a KB for the same problem after upgrade but I already upgraded to 7.1.7sp1. Can anyone help me? Thank you

1 ACCEPTED SOLUTION

Rising Star

Hi @Lorenzo,

We need to check the logs and ldap structure for the groups. Please contact support.


5 REPLIES

Explorer

Most likely, there was a synchronization error.
Where are users with groups stored - in Active Directory?
It is advisable to provide a fragment of the log and settings related to the synchronization of users and groups in ranger-ugsync-site.xml

Which version of Apache Ranger is used?

Contributor

Hello,

The Ranger version is 2.1.0 and there are no error logs.

The ranger-ugsync-site.xml file contains:

<?xml version="1.0" encoding="UTF-8"?>

<!--Autogenerated by Cloudera Manager-->
<configuration>
<property>
<name>ranger.usersync.cookie.enabled</name>
<value>true</value>
</property>
<property>
<name>ranger.usersync.enabled</name>
<value>true</value>
</property>
<property>
<name>ranger.usersync.filesource.text.delimiter</name>
<value>,</value>
</property>
<property>
<name>ranger.usersync.group.memberattributename</name>
<value>member</value>
</property>
<property>
<name>ranger.usersync.group.nameattribute</name>
<value>cn</value>
</property>
<property>
<name>ranger.usersync.group.objectclass</name>
<value>group</value>
</property>
<property>
<name>ranger.usersync.group.searchbase</name>
<value>OU=CLOUDERA,OU=APPLICATION GROUPS,OU=GRUPPI,DC=test,DC=test</value>
</property>
<property>
<name>ranger.usersync.group.searchscope</name>
<value>sub</value>
</property>
<property>
<name>ranger.usersync.keystore.password</name>
<value>/var/run/cloudera-scm-agent/process/1546329977-ranger-RANGER_USERSYNC/altscript.sh sec-0-ranger.usersync.keystore.password</value>
</property>
<property>
<name>ranger.usersync.ldap.binddn</name>
<value>CN=clouderabind,OU=CLOUDERA,OU=USER DI SERVIZIO,OU=UTENTI,DC=test,DC=test</value>
</property>
<property>
<name>ranger.usersync.ldap.dtestasync</name>
<value>false</value>
</property>
<property>
<name>ranger.usersync.ldap.grouphierarchylevels</name>
<value>0</value>
</property>
<property>
<name>ranger.usersync.ldap.groupname.caseconversion</name>
<value>lower</value>
</property>
<property>
<name>ranger.usersync.ldap.ldapbindpassword</name>
<value>/var/run/cloudera-scm-agent/process/1546329977-ranger-RANGER_USERSYNC/altscript.sh sec-0-ranger.usersync.ldap.ldapbindpassword</value>
</property>
<property>
<name>ranger.usersync.ldap.referral</name>
<value>ignore</value>
</property>
<property>
<name>ranger.usersync.ldap.starttls</name>
<value>false</value>
</property>
<property>
<name>ranger.usersync.ldap.url</name>
<value>ldap://test-dc08.test.test:389</value>
</property>
<property>
<name>ranger.usersync.ldap.user.nameattribute</name>
<value>sAMAccountName</value>
</property>
<property>
<name>ranger.usersync.ldap.user.objectclass</name>
<value>user</value>
</property>
<property>
<name>ranger.usersync.ldap.user.searchbase</name>
<value>OU=UTENTI,DC=test,DC=test</value>
</property>
<property>
<name>ranger.usersync.ldap.user.searchscope</name>
<value>sub</value>
</property>
<property>
<name>ranger.usersync.ldap.username.caseconversion</name>
<value>lower</value>
</property>
<property>
<name>ranger.usersync.logdir</name>
<value>/var/log/ranger/usersync</value>
</property>
<property>
<name>ranger.usersync.metrics.enabled</name>
<value>true</value>
</property>
<property>
<name>ranger.usersync.metrics.filename</name>
<value>metrics.json</value>
</property>
<property>
<name>ranger.usersync.metrics.filepath</name>
<value>/var/log/ranger/metrics-usersync</value>
</property>
<property>
<name>ranger.usersync.metrics.frequencytimeinmillis</name>
<value>60000</value>
</property>
<property>
<name>ranger.usersync.pagedresultsenabled</name>
<value>true</value>
</property>
<property>
<name>ranger.usersync.pagedresultssize</name>
<value>500</value>
</property>
<property>
<name>ranger.usersync.policymanager.maxrecordsperapicall</name>
<value>1000</value>
</property>
<property>
<name>ranger.usersync.policymgr.username</name>
<value>rangerusersync</value>
</property>
<property>
<name>ranger.usersync.port</name>
<value>5151</value>
</property>
<property>
<name>ranger.usersync.role.assignment.list.delimiter</name>
<value>&amp;</value>
</property>
<property>
<name>ranger.usersync.sleeptimeinmillisbetweensynccycle</name>
<value>60000</value>
</property>
<property>
<name>ranger.usersync.source.impl.class</name>
<value>org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder</value>
</property>
<property>
<name>ranger.usersync.truststore.file</name>
<value>/var/lib/cloudera-scm-agent/agent-cert/cm-auto-global_truststore.jks</value>
</property>
<property>
<name>ranger.usersync.truststore.password</name>
<value>/var/run/cloudera-scm-agent/process/1546329977-ranger-RANGER_USERSYNC/altscript.sh sec-0-ranger.usersync.truststore.password</value>
</property>
<property>
<name>ranger.usersync.unix.backend</name>
<value>passwd</value>
</property>
<property>
<name>ranger.usersync.unix.minUserId</name>
<value>500</value>
</property>
<property>
<name>ranger.usersync.user.searchenabled</name>
<value>true</value>
</property>
<property>
<name>ranger.usersync.username.groupname.assignment.list.delimiter</name>
<value>,</value>
</property>
<property>
<name>ranger.usersync.users.groups.assignment.list.delimiter</name>
<value>:</value>
</property>
<property>
<name>ranger.usersync.kerberos.keytab</name>
<value>/var/run/cloudera-scm-agent/process/1546329977-ranger-RANGER_USERSYNC/ranger.keytab</value>
</property>
<property>
<name>ranger.usersync.policymanager.baseURL</name>
<value>https://test-clmaster03.test.test:6182</value>
</property>
<property>
<name>ranger.usersync.credstore.filename</name>
<value>/var/run/cloudera-scm-agent/process/1546329977-ranger-RANGER_USERSYNC/conf/rangerusersync.jceks</value>
</property>
<property>
<name>ranger.usersync.policymgr.keystore</name>
<value>/var/run/cloudera-scm-agent/process/1546329977-ranger-RANGER_USERSYNC/conf/rangerusersync.jceks</value>
</property>
<property>
<name>ranger.usersync.keystore.file</name>
<value>/var/run/cloudera-scm-agent/process/1546329977-ranger-RANGER_USERSYNC/conf/unixauthservice.jks</value>
</property>
<property>
<name>ranger.usersync.policymanager.mockrun</name>
<value>false</value>
</property>
<property>
<name>ranger.usersync.passwordvalidator.path</name>
<value>/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1000.24102687/lib/ranger-usersync/native/pamCredValidator.uexe</value>
</property>
<property>
<name>ranger.usersync.sink.impl.class</name>
<value>org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder</value>
</property>
<property>
<name>ranger.usersync.ssl</name>
<value>true</value>
</property>
<property>
<name>ranger.usersync.unix.group.file</name>
<value>/etc/group</value>
</property>
<property>
<name>ranger.usersync.unix.password.file</name>
<value>/etc/passwd</value>
</property>
<property>
<name>ranger.usersync.ldap.bindalias</name>
<value>ranger.usersync.ldap.bindalias</value>
</property>
<property>
<name>ranger.usersync.policymgr.alias</name>
<value>ranger.usersync.policymgr.password</value>
</property>
<property>
<name>ranger.keystore.file.type</name>
<value>jks</value>
</property>
<property>
<name>ranger.truststore.file.type</name>
<value>jks</value>
</property>
<property>
<name>xasecure.policymgr.clientssl.keystore.type</name>
<value>jks</value>
</property>
<property>
<name>xasecure.policymgr.clientssl.truststore.type</name>
<value>jks</value>
</property>
<property>
<name>ranger.usersync.kerberos.principal</name>
<value>rangerusersync/_HOST@test.test</value>
</property>
</configuration>

 

ranger.usersync.ldap.user.searchbase: OU=utenti,DC=test,DC=test
ranger.usersync.group.searchbase: OU=Cloudera, OU=Application Groups,OU=Gruppi, DC=test,DC=test

Thanks in advance.

Rising Star

Hi @Lorenzo, can you please recheck whether ranger.usersync.group.memberattributename is member or memberof?

Contributor

Hi,

It's member.

Thanks
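
The settings this thread keeps coming back to can be pulled out of a ranger-ugsync-site.xml and reviewed in one pass. The script below is an added example, not part of the original posts and not Cloudera or Apache Ranger code. The sample XML is a constructed excerpt using values from the posted file, and `load_props` and `review_ugsync` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt: property names and values copied from the posted file.
SAMPLE = """<configuration>
<property><name>ranger.usersync.group.memberattributename</name><value>member</value></property>
<property><name>ranger.usersync.group.objectclass</name><value>group</value></property>
<property><name>ranger.usersync.group.searchbase</name><value>OU=CLOUDERA,OU=APPLICATION GROUPS,OU=GRUPPI,DC=test,DC=test</value></property>
<property><name>ranger.usersync.user.searchenabled</name><value>true</value></property>
<property><name>ranger.usersync.ldap.url</name><value>ldap://test-dc08.test.test:389</value></property>
<property><name>ranger.usersync.ldap.starttls</name><value>false</value></property>
</configuration>"""

def load_props(xml_text):
    """Return {name: value} from a Hadoop-style <configuration> document."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name", "").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}

def review_ugsync(props):
    """Return (key, finding) pairs for the group-sync and transport settings."""
    p = "ranger.usersync."
    findings = []
    attr = props.get(p + "group.memberattributename", "")
    if attr.lower() == "memberof":
        # memberOf sits on user entries; group entries carry 'member'.
        findings.append((p + "group.memberattributename",
                         "memberOf is a user attribute; group entries use member"))
    if p + "group.searchenabled" not in props:
        findings.append((p + "group.searchenabled",
                         "not set in this file; confirm whether group search is on"))
    for key in ("group.objectclass", "group.searchbase"):
        if not props.get(p + key):
            findings.append((p + key, "empty or missing"))
    url = props.get(p + "ldap.url", "")
    starttls = props.get(p + "ldap.starttls", "false").lower() == "true"
    if url.lower().startswith("ldap://") and not starttls:
        findings.append((p + "ldap.url",
                         "plain ldap:// without StartTLS; a simple bind would "
                         "send the bind password unencrypted"))
    return findings

if __name__ == "__main__":
    for key, finding in review_ugsync(load_props(SAMPLE)):
        print(f"{key}: {finding}")
```

A finding here is a prompt to check the setting against the directory, not a diagnosis of why group members are missing in the UI.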
