Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Kerberos users not showing up in Ranger policy creation UI

avatar
author-rank RobertCare
Contributor

Created on ‎12-16-2019 05:11 AM - last edited on ‎12-16-2019 06:39 AM by Community Manager Community Manager

I have installed the HDP sandbox HDP-3.0.1.0 (3.0.1.0-187) using Docker and Kerberized the cluster.

 

This works, i can kinit myuser and make an API request to Atlas:

 

 

curl --negotiate -u : sandbox-hdp.hortonworks.com:21000/api/atlas/admin/version

 

 

 

Now I would like to create a Ranger policy that includes my Kerberos user, however the autocomplete for users does not show any of my Kerberos users... I did read this post (https://community.cloudera.com/t5/Support-Questions/Autocompletion-of-names-not-working-in-Ranger/td...), however this problem seems to be slightly different.

 

What do I need to do to make Kerberos users show up in the Ranger policy creation UI?

1,295 Views
0 Kudos
0
1 ACCEPTED SOLUTION

avatar
author-rank Shelton
Master Mentor

Created on ‎12-16-2019 02:32 PM - edited ‎12-16-2019 02:33 PM

@RobertCare 

 

You will need to run the Ranger AD user sync  see good  document here https://community.cloudera.com/t5/Community-Articles/Configuring-Ranger-Usersync-with-AD-LDAP-for-a-...

 

To test-run loading User and Group data into Ranger before committing to the changes:

  1. Set ranger.usersync.policymanager.mockrun=true. This parameter can be found in Ambari> Ranger> Configs> Advanced> Advanced ranger-ugsync-site.

  2. View the Users and Groups that will be loaded into Ranger: tail -f /var/log/ranger/usersync/usersync.log.

  3. After confirming that the users and groups are retrieved as intended, set ranger.usersync.policymanager.mockrun=false and restart Ranger Usersync.

    This will sync the users shown in the usersync log to the Ranger database.

HTH 

View solution in original post

1,271 Views
0 Kudos
0
2 REPLIES 2

avatar
author-rank Shelton
Master Mentor

Created on ‎12-16-2019 02:32 PM - edited ‎12-16-2019 02:33 PM

@RobertCare 

 

You will need to run the Ranger AD user sync  see good  document here https://community.cloudera.com/t5/Community-Articles/Configuring-Ranger-Usersync-with-AD-LDAP-for-a-...

 

To test-run loading User and Group data into Ranger before committing to the changes:

  1. Set ranger.usersync.policymanager.mockrun=true. This parameter can be found in Ambari> Ranger> Configs> Advanced> Advanced ranger-ugsync-site.

  2. View the Users and Groups that will be loaded into Ranger: tail -f /var/log/ranger/usersync/usersync.log.

  3. After confirming that the users and groups are retrieved as intended, set ranger.usersync.policymanager.mockrun=false and restart Ranger Usersync.

    This will sync the users shown in the usersync log to the Ranger database.

HTH 

1,272 Views
0 Kudos
0

avatar
author-rank RobertCare
Contributor

Created ‎12-18-2019 06:26 AM

For some reason I thought that it wasn't necessary to have LDAP in addition to Kerberos. 

 

I went on setting up an LDAP environment and was able to sync users to Ranger. Thanks!

1,255 Views
0 Kudos
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
What's New @ Cloudera
Performance comparison of Spark3 on YARN with S3 Standard VS...
View More Announcements