What are Ranger user groups and why do they not map?

I have installed the HDP sandbox HDP-3.0.1.0 (3.0.1.0-187) using Docker and Kerberized the cluster. 

I also installed a test LDAP server and configured it to sync with Ranger.

Users are showing up (using inetOrgPerson), and the `ou` attribute value from LDAP is shown in the `groups` column in Ranger.

I altered the `core-site.xml` file to the best of my knowledge (used the /etc/hadoop/3.0.1.0-187/0/core-site.xml file).

There is no actual implementation for the following values:
- `hadoop.security.group.mapping.ldap.search.filter.group`
- `hadoop.security.group.mapping.ldap.search.attr.group.name`

```xml
<!-- core-site.xml group-mapping properties as posted (comments added).
     LdapGroupsMapping runs two searches: the user entry via search.filter.user,
     then the groups whose search.attr.member attribute holds the user's DN,
     ANDed with search.filter.group, reading search.attr.group.name from each hit. -->
<property>
  <name>hadoop.security.group.mapping</name>
  <value>org.apache.hadoop.security.LdapGroupsMapping</value>
</property>

<property>
  <name>hadoop.security.group.mapping.ldap.bind.user</name>
  <value>cn=admin,dc=customdomain,dc=com</value>
</property>

<property>
  <!-- clear-text credential; Hadoop can also read it from
       hadoop.security.group.mapping.ldap.bind.password.file or a credential provider -->
  <name>hadoop.security.group.mapping.ldap.bind.password</name>
  <value>mypassword</value>
</property>

<property>
  <!-- plain ldap:// on 389; hadoop.security.group.mapping.ldap.ssl=true enables LDAPS -->
  <name>hadoop.security.group.mapping.ldap.url</name>
  <value>ldap://myldapserver:389/</value>
</property>

<property>
  <name>hadoop.security.group.mapping.ldap.base</name>
  <value></value>
</property>

<property>
  <!-- {0} is replaced with the short user name being looked up -->
  <name>hadoop.security.group.mapping.ldap.search.filter.user</name>
  <value>(&amp;(|(objectclass=person)(objectclass=inetOrgPerson))(cn={0}))</value>
</property>

<property>
  <!-- left empty; Hadoop's default is (objectClass=group) -->
  <name>hadoop.security.group.mapping.ldap.search.filter.group</name>
  <value></value>
</property>

<property>
  <!-- attribute on the group entry that lists members (Hadoop default: member);
       ou here is an attribute of the user entry -->
  <name>hadoop.security.group.mapping.ldap.search.attr.member</name>
  <value>ou</value>
</property>

<property>
  <!-- left empty; Hadoop's default is cn -->
  <name>hadoop.security.group.mapping.ldap.search.attr.group.name</name>
  <value></value>
</property>
```

I ran the `hdfs dfsadmin -refreshUserToGroupsMappings` command successfully.

However, when I run `hdfs groups` it just shows:

`myuser@MYCUSTOMDOMAIN.COM`

I'm assuming that the Kerberos principal (myuser@MYCUSTOMDOMAIN) should be the same as the LDAP cn for the inetOrgPerson (cn=myuser@MYCUSTOMDOMAIN.COM)

I must be missing something but it's not really clear what...


Re: What are Ranger user groups and why do they not map?


I'm assuming that the Kerberos principal (myuser@MYCUSTOMDOMAIN) should be the same as the LDAP cn for the inetOrgPerson (cn=myuser@MYCUSTOMDOMAIN.COM)


I made a subtle mistake here. It should read:

Kerberos principal = myuser@MYCUSTOMDOMAIN.COM

I tried both LDAP variations:

  1. cn=myuser@MYCUSTOMDOMAIN.COM,dc=mycustomdomain,dc=com
  2. cn=myuser,dc=mycustomdomain,dc=com
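As an added illustration for the question above and for the two cn variants in the reply (this is editor-written Python, not code from the thread or from Hadoop), the block below models the two-step lookup that LdapGroupsMapping performs and runs it against a small constructed in-memory directory, once with the property values posted in the question and once with the group filter, member attribute and group-name attribute filled in. It assumes the test LDAP groups are groupOfNames entries with a `member` attribute (posixGroup or AD `group` entries need different filter and attribute values) and uses the DN and realm names from the thread. Two points it makes concrete: with an empty group filter, `ou` as the member attribute and an empty group-name attribute, no group entry can match and no name can be read, so `hdfs groups` prints the principal with nothing after the colon; and the lookup is done on the short name produced by `hadoop.security.auth_to_local` (`myuser`), so with the posted user filter `(cn={0})` the entry's `cn` must be the short name, the second variant in the reply, not the full principal. Note that the `groups` column in Ranger comes from Ranger usersync's own LDAP sync and is independent of Hadoop's group mapping; fixing one does not fix the other.

```python
"""Simplified model of Hadoop's org.apache.hadoop.security.LdapGroupsMapping run
against a constructed in-memory directory. Illustrative only: neither Hadoop's
code nor a live LDAP server. Group lookup is two searches: find the user's DN
with search.filter.user, then find groups whose search.attr.member attribute holds
that DN (ANDed with search.filter.group) and read search.attr.group.name."""

# Constructed sample directory: one inetOrgPerson plus two groupOfNames groups.
DIRECTORY = {
    "cn=myuser,dc=mycustomdomain,dc=com": {
        "objectclass": ["inetOrgPerson", "person"], "cn": ["myuser"], "ou": ["analysts"],
    },
    "cn=analysts,ou=groups,dc=mycustomdomain,dc=com": {
        "objectclass": ["groupOfNames"], "cn": ["analysts"],
        "member": ["cn=myuser,dc=mycustomdomain,dc=com", "cn=other,dc=mycustomdomain,dc=com"],
    },
    "cn=hdfs-admins,ou=groups,dc=mycustomdomain,dc=com": {
        "objectclass": ["groupOfNames"], "cn": ["hdfs-admins"],
        "member": ["cn=other,dc=mycustomdomain,dc=com"],
    },
}

PREFIX = "hadoop.security.group.mapping.ldap."
USER_FILTER = "(&(|(objectclass=person)(objectclass=inetOrgPerson))(cn={0}))"

# Values taken from the core-site.xml in the question.
POSTED_CONFIG = {
    PREFIX + "base": "",
    PREFIX + "search.filter.user": USER_FILTER,
    PREFIX + "search.filter.group": "",
    PREFIX + "search.attr.member": "ou",
    PREFIX + "search.attr.group.name": "",
}

# Assumed fix for groupOfNames-style groups (adjust for posixGroup/memberUid or AD).
FIXED_CONFIG = {
    PREFIX + "base": "dc=mycustomdomain,dc=com",
    PREFIX + "search.filter.user": USER_FILTER,
    PREFIX + "search.filter.group": "(objectclass=groupOfNames)",
    PREFIX + "search.attr.member": "member",
    PREFIX + "search.attr.group.name": "cn",
}


def parse_filter(text):
    """Parse the RFC 4515 subset used here, (&...), (|...) and (attr=value), into a
    predicate over an entry's attribute dict. Matching is case-insensitive."""
    def parse(i):
        if text[i] != "(":
            raise ValueError(f"expected '(' at offset {i} in {text!r}")
        if text[i + 1] in "&|":
            combine, i, subs = (all if text[i + 1] == "&" else any), i + 2, []
            while text[i] == "(":
                pred, i = parse(i)
                subs.append(pred)
            return (lambda e: combine(p(e) for p in subs)), i + 1
        close = text.index(")", i)
        attr, value = text[i + 1:close].lower().split("=", 1)
        return (lambda e: value in [v.lower() for v in e.get(attr, [])]), close + 1
    pred, end = parse(0)
    if end != len(text):
        raise ValueError(f"trailing text in filter {text!r}")
    return pred


def search(base, pred):
    """Subtree search: entries whose DN lies under base and satisfy pred."""
    return [(dn, e) for dn, e in DIRECTORY.items()
            if dn.lower().endswith(base.lower()) and pred(e)]


def lookup_groups(user, conf):
    """Group names Hadoop would resolve for the short user name under conf."""
    def get(key):
        return conf[PREFIX + key]
    users = search(get("base"), parse_filter(get("search.filter.user").replace("{0}", user)))
    if not users:
        return []                                   # unknown user: no groups
    user_dn = users[0][0]
    member_clause = f"({get('search.attr.member')}={user_dn})"
    group_filter = get("search.filter.group")
    # An empty group filter is modelled as no extra constraint beside the member clause.
    combined = f"(&{group_filter}{member_clause})" if group_filter else member_clause
    name_attr = get("search.attr.group.name")       # "" reads no attribute at all
    return [name for _, e in search(get("base"), parse_filter(combined))
            for name in e.get(name_attr, [])]


def short_name(principal, default_realm):
    """Hadoop's DEFAULT auth_to_local rule: strip the realm only when it is the default
    realm. For other realms the default mechanism (hadoop) rejects the principal; this
    model passes it through unchanged, as the MIT mechanism does."""
    name, _, realm = principal.partition("@")
    return name if realm == default_realm else principal


def hdfs_groups(principal, conf, default_realm="MYCUSTOMDOMAIN.COM"):
    """Line in 'hdfs groups' format: the name given, a colon, then the groups found
    for the short name."""
    groups = lookup_groups(short_name(principal, default_realm), conf)
    return f"{principal} : {' '.join(groups)}".rstrip()


if __name__ == "__main__":
    print(hdfs_groups("myuser@MYCUSTOMDOMAIN.COM", POSTED_CONFIG))  # myuser@MYCUSTOMDOMAIN.COM :
    print(hdfs_groups("myuser@MYCUSTOMDOMAIN.COM", FIXED_CONFIG))   # myuser@MYCUSTOMDOMAIN.COM : analysts
```

The first run reproduces the symptom in the question: the search `(ou=cn=myuser,dc=mycustomdomain,dc=com)` matches nothing, and even if it did, an empty group-name attribute yields no names. The second run finds `analysts` because the group filter, member attribute and group-name attribute describe how the groups are actually stored. Passing the full principal as the search value (the first cn variant in the reply) matches no `cn=myuser` entry, which is why the cn must agree with the short name the auth_to_local rules produce.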