What are Ranger user groups and why do they not map?

I have installed the HDP sandbox HDP-3.0.1.0 (3.0.1.0-187) using Docker and Kerberized the cluster. 


I also installed a test LDAP server and configured it to sync with Ranger.


Users are showing up (using inetOrgPerson), and the `ou` attribute value from LDAP is shown in the `groups` column in Ranger.


I altered the `core-site.xml` file to the best of my knowledge (used the /etc/hadoop/3.0.1.0-187/0/core-site.xml file).


There is no actual implementation for the following values:

- hadoop.security.group.mapping.ldap.search.filter.group
- hadoop.security.group.mapping.ldap.search.attr.group.name

```xml
<property>
<name>hadoop.security.group.mapping</name>
<value>org.apache.hadoop.security.LdapGroupsMapping</value>
</property>

<property>
<name>hadoop.security.group.mapping.ldap.bind.user</name>
<value>cn=admin,dc=customdomain,dc=com</value>
</property>

<property>
<name>hadoop.security.group.mapping.ldap.bind.password</name>
<value>mypassword</value>
</property>

<property>
<name>hadoop.security.group.mapping.ldap.url</name>
<value>ldap://myldapserver:389/</value>
</property>

<property>
<name>hadoop.security.group.mapping.ldap.base</name>
<value></value>
</property>

<property>
<name>hadoop.security.group.mapping.ldap.search.filter.user</name>
<value>(&amp;(|(objectclass=person)(objectclass=inetOrgPerson))(cn={0}))</value>
</property>

<property>
<name>hadoop.security.group.mapping.ldap.search.filter.group</name>
<value></value>
</property>

<property>
<name>hadoop.security.group.mapping.ldap.search.attr.member</name>
<value>ou</value>
</property>

<property>
<name>hadoop.security.group.mapping.ldap.search.attr.group.name</name>
<value></value>
</property>
```


I ran the `hdfs dfsadmin -refreshUserToGroupsMappings` command successfully.

However, when I run `hdfs groups` it just shows:

myuser@MYCUSTOMDOMAIN.COM


I'm assuming that the Kerberos principal (myuser@MYCUSTOMDOMAIN) should be the same as the LDAP cn for the inetOrgPerson (cn=myuser@MYCUSTOMDOMAIN.COM).


I must be missing something but it's not really clear what...
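Added example, not the poster's configuration and not Hadoop's own code: a Python model of the two LDAP searches LdapGroupsMapping performs (user DN first, then groups whose member attribute contains that DN), run against a constructed in-memory directory so the effect of the empty group settings above can be seen offline. The groupOfNames class, the `member` and `cn` attributes in the working settings, and the directory DNs are assumptions.

```python
# Added example (not the poster's config, not Hadoop's code): a model of the two
# searches org.apache.hadoop.security.LdapGroupsMapping performs, against a
# constructed directory. Assumes groupOfNames groups with `member` = user DN.

# Constructed directory: one inetOrgPerson and one group that lists it.
DIRECTORY = {
    "cn=myuser,dc=mycustomdomain,dc=com": {
        "objectclass": {"person", "inetorgperson"}, "cn": {"myuser"}, "ou": {"analysts"}},
    "cn=analysts,ou=groups,dc=mycustomdomain,dc=com": {
        "objectclass": {"groupofnames"}, "cn": {"analysts"},
        "member": {"cn=myuser,dc=mycustomdomain,dc=com"}},
}

# The question's group settings (empty filter, `ou` as member attribute, empty
# name attribute) beside hypothetical working values for the directory above.
QUESTION_CONF = {
    "search.filter.user": "(&(|(objectclass=person)(objectclass=inetOrgPerson))(cn={0}))",
    "search.filter.group": "", "search.attr.member": "ou", "search.attr.group.name": ""}
FIXED_CONF = dict(QUESTION_CONF, **{"search.filter.group": "(objectclass=groupOfNames)",
                                    "search.attr.member": "member", "search.attr.group.name": "cn"})

def matches(entry, flt):
    """Evaluate a subset of RFC 4515 filters: (attr=value), (&...), (|...)."""
    body = flt.strip()[1:-1]
    if body[:1] in ("&", "|"):
        subs, depth, start = [], 0, 0
        for i, ch in enumerate(body):  # split into top-level sub-filters
            if ch == "(":
                depth, start = depth + 1, (i if depth == 0 else start)
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    subs.append(body[start:i + 1])
        results = [matches(entry, s) for s in subs]
        return all(results) if body[0] == "&" else any(results)
    attr, _, value = body.partition("=")  # equality match, case-insensitive
    return value.lower() in {v.lower() for v in entry.get(attr.lower(), ())}

def lookup_groups(conf, name):
    """User search with {0} = name, then group search for entries whose member
    attribute holds the user DN; return their group-name attribute values."""
    user_flt = conf["search.filter.user"].replace("{0}", name)
    user_dns = [dn for dn, e in DIRECTORY.items() if matches(e, user_flt)]
    if not user_dns:
        return []  # no user entry matched, so nothing to map
    group_flt = "(&%s(%s=%s))" % (conf["search.filter.group"],
                                  conf["search.attr.member"], user_dns[0])
    return sorted(g for dn, e in DIRECTORY.items() if matches(e, group_flt)
                  for g in e.get(conf["search.attr.group.name"].lower(), ()))
```

With the question's values the group search becomes `(&(ou=<user DN>))`, which no entry satisfies, and an empty group-name attribute would return no names even if one did; the user search only matches when the directory `cn` equals the name Hadoop hands the mapper.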

Re: What are Ranger user groups and why do they not map?


I'm assuming that the Kerberos principal (myuser@MYCUSTOMDOMAIN) should be the same as the LDAP cn for the inetOrgPerson (cn=myuser@MYCUSTOMDOMAIN.COM)


I made a subtle mistake here. It should read:

Kerberos principal = myuser@MYCUSTOMDOMAIN.COM

I tried both LDAP variations:

  1. cn=myuser@MYCUSTOMDOMAIN.COM,dc=mycustomdomain,dc=com
  2. cn=myuser,dc=mycustomdomain,dc=com