Member since 10-22-2015 | 69 Posts | 39 Kudos Received | 14 Solutions

09-12-2018 06:40 PM
@Sriram Can you post your usersync configuration? Screenshots or usersync logs are fine. That way we can check if the filters for user and group search are configured correctly.

09-10-2018 08:58 PM
@Sriram Not sure if you are still looking for help here. If you configured ranger with AD/LDAP sync, then most of the properties in core-site.xml should be very similar. Following are the properties I generally add, with sample values, to the custom core-site.xml section of the HDFS configuration in Ambari:

```properties
hadoop.security.group.mapping=org.apache.hadoop.security.LdapGroupsMapping
hadoop.security.group.mapping.ldap.base=dc=hortonworks,dc=com
hadoop.security.group.mapping.ldap.bind.password=<password>
hadoop.security.group.mapping.ldap.bind.user=cn=administrator,CN=Users,dc=hortonworks,dc=com
hadoop.security.group.mapping.ldap.search.attr.group.name=cn
hadoop.security.group.mapping.ldap.search.attr.member=member
hadoop.security.group.mapping.ldap.search.filter.group=(objectclass=group)
hadoop.security.group.mapping.ldap.search.filter.user=(&(|(objectclass=person)(objectclass=applicationProcess))(cn={0}))
hadoop.security.group.mapping.ldap.url=ldap://10.10.10.10:389
```

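The following is an added example, not code from the reply above or from Hadoop itself. It emulates, against a small constructed in-memory directory, how LdapGroupsMapping turns the core-site.xml properties quoted above into the output of `hdfs groups <user>`: first the user's DN is found with `search.filter.user` (with `{0}` replaced by the short username), then every entry matching `search.filter.group` whose `search.attr.member` names that DN is returned by its `search.attr.group.name` value. The directory contents, the `hr` group outside the search base and the minimal RFC 4515 filter evaluator are my own assumptions.

```python
"""Toy emulation of Hadoop LdapGroupsMapping (added example, not Hadoop code)."""
import re

# Constructed sample directory: DN -> attributes (every attribute multi-valued).
DIRECTORY = {
    "cn=jdoe,cn=Users,dc=hortonworks,dc=com": {
        "objectclass": ["top", "person"], "cn": ["jdoe"]},
    "cn=svc_etl,cn=Users,dc=hortonworks,dc=com": {
        "objectclass": ["top", "applicationProcess"], "cn": ["svc_etl"]},
    "cn=analysts,ou=Groups,dc=hortonworks,dc=com": {
        "objectclass": ["top", "group"], "cn": ["analysts"],
        "member": ["cn=jdoe,cn=Users,dc=hortonworks,dc=com"]},
    "cn=etl,ou=Groups,dc=hortonworks,dc=com": {
        "objectclass": ["top", "group"], "cn": ["etl"],
        "member": ["cn=jdoe,cn=Users,dc=hortonworks,dc=com",
                   "cn=svc_etl,cn=Users,dc=hortonworks,dc=com"]},
    "cn=hr,ou=Groups,dc=example,dc=org": {      # outside the configured base
        "objectclass": ["top", "group"], "cn": ["hr"],
        "member": ["cn=jdoe,cn=Users,dc=hortonworks,dc=com"]},
}

# Values copied from the core-site.xml snippet in the reply (bind settings omitted).
CONFIG = {
    "hadoop.security.group.mapping.ldap.base": "dc=hortonworks,dc=com",
    "hadoop.security.group.mapping.ldap.search.attr.group.name": "cn",
    "hadoop.security.group.mapping.ldap.search.attr.member": "member",
    "hadoop.security.group.mapping.ldap.search.filter.group": "(objectclass=group)",
    "hadoop.security.group.mapping.ldap.search.filter.user":
        "(&(|(objectclass=person)(objectclass=applicationProcess))(cn={0}))",
}

def parse_filter(s):
    """Parse (&..), (|..) and (attr=value) filters into a nested tuple tree."""
    def node(i):
        assert s[i] == "(", "filter must start with '('"
        if s[i + 1] in "&|":
            op, i, kids = s[i + 1], i + 2, []
            while s[i] != ")":
                kid, i = node(i)
                kids.append(kid)
            return (op, kids), i + 1
        end = s.index(")", i)
        attr, value = s[i + 1:end].split("=", 1)   # value may itself contain '='
        return ("eq", attr, value), end + 1
    tree, pos = node(0)
    assert pos == len(s), "trailing characters in filter"
    return tree

def matches(tree, attrs):
    """Evaluate a parsed filter against one entry; '*' in a value is a wildcard.
    Attribute names and values are compared case-insensitively, as AD does."""
    if tree[0] == "&":
        return all(matches(k, attrs) for k in tree[1])
    if tree[0] == "|":
        return any(matches(k, attrs) for k in tree[1])
    _, attr, value = tree
    pattern = "^" + ".*".join(re.escape(p) for p in value.split("*")) + "$"
    lowered = {k.lower(): v for k, v in attrs.items()}
    return any(re.match(pattern, v, re.I) for v in lowered.get(attr.lower(), []))

def search(base, filter_str):
    """Subtree search: entries whose DN lies under base and match the filter."""
    tree = parse_filter(filter_str)
    return {dn: a for dn, a in DIRECTORY.items()
            if dn.lower().endswith("," + base.lower()) and matches(tree, a)}

def hdfs_groups(user, cfg=CONFIG):
    """Emulate `hdfs groups <user>` under LdapGroupsMapping: user DN first,
    then every in-scope group whose member attribute names that DN."""
    p = "hadoop.security.group.mapping.ldap."
    base = cfg[p + "base"]
    hits = search(base, cfg[p + "search.filter.user"].replace("{0}", user))
    if not hits:
        return []                                    # unknown user -> no groups
    user_dn = next(iter(hits))
    group_filter = "(&%s(%s=%s))" % (
        cfg[p + "search.filter.group"], cfg[p + "search.attr.member"], user_dn)
    name_attr = cfg[p + "search.attr.group.name"]
    return sorted(a[name_attr][0] for a in search(base, group_filter).values())

if __name__ == "__main__":
    print(hdfs_groups("jdoe"))      # analysts and etl; hr is outside the base
    print(hdfs_groups("svc_etl"))   # etl only
    print(hdfs_groups("nobody"))    # empty: no user DN, so no group lookup
```

The `hr` group shows why a wrong `ldap.base` silently loses groups: the member lookup is scoped to the base, so a group held in another tree never reaches `hdfs groups`, and therefore never reaches Ranger. One note of mine that is not in the reply: the `bind.password` value lands in core-site.xml in clear text; Hadoop's LdapGroupsMapping also accepts `hadoop.security.group.mapping.ldap.bind.password.file`, which keeps the secret out of the shared configuration.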
09-10-2018 06:45 PM
@Sriram, For authorization in ranger to work, the prerequisite is that the hadoop and Ranger user group mappings should be in sync. During authorization in Ranger, each component, like hdfs, sends the username and groupnames (the groupnames are the ones that are returned from hdfs groups) to ranger. Ranger then evaluates the configured policies for either or both the username and groupnames and responds with allow or deny. In test case 2, if hdfs groups doesn't return the groups properly, then ranger won't get the groupnames as part of the authorization request and hence fails to find the matching policy. You can verify this in the ranger audit logs as well as by enabling debug logs for ranger in the hdfs component. Hope this helps.

09-10-2018 06:29 PM
So what does hdfs groups return for that user then? In section (C) of your initial post, you mentioned that the hdfs groups match the ones under Ranger groups.

09-10-2018 06:22 PM
@Sriram, Ranger user/group policies work as long as the user/group name that hadoop is requesting authorization for (in general, the hdfs groups from hadoop) is available in Ranger with matching case. It doesn't matter where hadoop or ranger is pulling these users or groups from.

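The following is an added example, not code from the replies above or from Ranger. It models the authorization exchange the 09-10-2018 replies describe: the HDFS plugin sends the username plus the groups it obtained from `hdfs groups`, and Ranger looks for a policy whose users or groups contain one of those exact strings. It reproduces the two failure modes from the thread, an empty group list (group mapping returned nothing) and a group that exists in Ranger only under a different case, and adds a small diagnostic for the second. The policy layout, the sample policies and the audit line are simplified assumptions, not Ranger's real data model.

```python
"""Toy model of Ranger policy evaluation (added example, not Ranger code)."""

# Constructed sample policies (assumed shape: path, users, groups, access types).
POLICIES = [
    {"name": "marketing-read", "path": "/data/marketing",
     "users": set(), "groups": {"Marketing Group"}, "accesses": {"read", "execute"}},
    {"name": "etl-write", "path": "/data/landing",
     "users": {"svc_etl"}, "groups": {"etl"}, "accesses": {"read", "write", "execute"}},
]

def path_covered(policy_path, resource):
    """A recursive policy on /a covers /a itself and everything below it."""
    return resource == policy_path or resource.startswith(policy_path.rstrip("/") + "/")

def authorize(user, groups, resource, access, policies=POLICIES):
    """Return (decision, policy name). User and group names are compared
    case-sensitively, exactly as the replies above describe."""
    for p in policies:
        if not path_covered(p["path"], resource) or access not in p["accesses"]:
            continue
        if user in p["users"] or any(g in p["groups"] for g in groups):
            return ("ALLOW", p["name"])
    return ("DENY", None)          # no matching policy -> denied

def audit_line(user, groups, resource, access, policies=POLICIES):
    """Simplified audit record: shows which groups actually reached Ranger."""
    decision, policy = authorize(user, groups, resource, access, policies)
    return "user=%s groups=[%s] resource=%s access=%s result=%s policy=%s" % (
        user, ",".join(sorted(groups)), resource, access, decision, policy or "-")

def case_mismatches(hadoop_groups, ranger_groups):
    """Diagnostic for the case-difference problem: groups reported by
    `hdfs groups` that exist in Ranger only with a different case."""
    by_lower = {g.lower(): g for g in ranger_groups}
    return {g: by_lower[g.lower()] for g in hadoop_groups
            if g not in ranger_groups and g.lower() in by_lower}

if __name__ == "__main__":
    # group name as stored in AD and returned by hdfs groups -> ALLOW
    print(audit_line("adam", ["Marketing Group"], "/data/marketing/q3", "read"))
    # hdfs groups returned nothing (group mapping broken) -> DENY
    print(audit_line("adam", [], "/data/marketing/q3", "read"))
    # hdfs groups lower-cased the name (e.g. via SSSD) -> DENY; the diagnostic
    # points at the Ranger group that differs only in case
    print(audit_line("adam", ["marketing group"], "/data/marketing/q3", "read"))
    print(case_mismatches(["marketing group"], {"Marketing Group", "etl"}))
```

When debugging a denied request, compare the `groups=[...]` part of the audit record with the group names in the policy; `case_mismatches` is the check to run on the two lists before touching the policy itself.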
09-10-2018 06:17 PM
@Sriram, Can you post the output of hdfs groups and a screenshot of the ranger groups? Also, it will be good to enable debug for "org.apache.ranger" in the hdfs logs so that we can see what group name is coming in with the authorization request.

07-24-2018 11:19 PM
@Steven Matison With the above configuration (after "Enable User Search" is turned on), you should now be able to see the user (smatison) with sAMAccountName. Do you see that user in ranger admin? A few points to consider:
1. When "Enable Group Search First" is "ON" and "Enable User Search" is "OFF", Ranger syncs users using the "Group Member Attribute", which is in general configured with the "CN" of the user.
2. When "Enable Group Search First" is "ON" and "Enable User Search" is "ON", Ranger syncs users using the value configured for "Username Attribute" (which is sAMAccountName in your case).
3. Once the users or groups are synced to Ranger, they are not deleted by Ranger automatically. It is a manual operation for the ranger admin to go and delete the unused users/groups from the UI.
4. For more details on how ranger syncs users and groups with different configuration options, you can refer to these articles:
- https://community.hortonworks.com/articles/105620/configuring-ranger-usersync-with-adldap-for-a-comm.html
- https://community.hortonworks.com/articles/105623/various-options-supported-in-ranger-usersync-with.html
Thanks, Sailaja.

07-23-2018 08:53 PM
@Steven Matison, Is it possible to provide the usersync.log file and/or a screenshot of the "User Configs" and "Group Configs" tabs in Ambari?

07-20-2018 07:02 PM
@Steven Matison Do you have "Group Search First" enabled (under the Group Config tab in Ambari)? If so, please enable "User Search" (under the User Config tab) as well. Then you can configure the username attribute to "sAMAccountName" so that the users are mapped correctly. Please provide your usersync configuration if you need more help.
> I am also wondering how to get the First Name, Last Name and Email Address mapped correctly as well? The First Name, Last Name is the same as User Name and Email Address is empty.
This is currently not supported in Ranger. We have an internal jira for tracking this. Please let us know the customer info that is asking for this feature so that we can prioritize accordingly. Thanks, Sailaja.

03-21-2018 06:40 PM
@Farrukh Munir Ranger Usersync supports configuring multiple OUs. Please refer to this JIRA for more info: https://issues.apache.org/jira/browse/RANGER-803 For more details on the various options supported by Ranger Usersync with AD/LDAP as the sync source, please refer to https://community.hortonworks.com/content/kbentry/105623/various-options-supported-in-ranger-usersync-with.html Thanks, Sailaja

03-21-2018 06:31 PM
@Prashant Chaudhari Can you look at this JIRA: https://issues.apache.org/jira/browse/RANGER-1491? Which version of Ranger are you using?

03-21-2018 06:27 PM
@Junfeng Chen, From the posted log message, it looks like you have enabled "Incremental Sync", during which the group config is mandatory. Not sure what exactly you mean by "leave group configs blank". This is not a supported configuration. For more details on "Incremental Sync", please refer to https://issues.apache.org/jira/browse/RANGER-1211 Also, please refer to the article below on how to configure ranger usersync for integrating with AD/LDAP. https://community.hortonworks.com/articles/105620/configuring-ranger-usersync-with-adldap-for-a-comm.html Hope this helps. Thanks, Sailaja

03-01-2018 06:18 PM
@Pit Err, You are in the right direction with option #3 above. One minor change is that you can use "cn=*" in the user search filter instead. When group search first is enabled and user search is enabled, the logic is:
1. First sync all the groups based on the group configuration (including group search base and group search filter).
2. Cache all the members of each group using the member attribute.
3. For syncing the users:
   a. If user search is not enabled, then just use the short name for the user names (from the member attribute of the user).
   b. If user search is enabled, then sync the users based on the user configuration (including user search base and user search filter) and the cached users from step 2. For the users that are in the cache, update the username with the sAMAccountName retrieved from the user search. Discard all the other users from the user search base and user search filter that don't match the cached users from step 2.
Effectively, you are just getting all the users from the groups that are synced in step 1. Hope this helps, Thanks, Sailaja.

02-26-2018 06:51 PM
@GN_Exp, In order to disable incremental sync, the following properties are to be set in ranger-ugsync-site.xml:

```xml
<property>
  <name>ranger.usersync.ldap.deltasync</name>
  <value>false</value>
</property>
<property>
  <name>ranger.usersync.sink.impl.class</name>
  <value>org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder</value>
</property>
```

02-23-2018 05:37 AM
@Sagar Shimpi This is not related, as the issue here is that even the users are not synced. And about RANGER-1615, the way we retrieve the groups when incremental sync is enabled is different from when incremental sync is disabled. For more details on the incremental sync design and implementation, please refer to https://issues.apache.org/jira/browse/RANGER-1211

02-23-2018 01:57 AM
@GN_Exp, From the logs I see that ranger is able to connect to the ldap server, but the server returns 0 users and 0 groups. Can you run the following ldap search command (enter the admin password when prompted):

```shell
ldapsearch -h localhost -p 33389 -D "uid=admin,ou=people,dc=hadoop,dc=apache,dc=org" -b "ou=people,dc=hadoop,dc=apache,dc=org" "(&(objectclass=person)(uid=*))" -W
```

If this returns all the entries from ou=people, then can you try the following ldap search command (again, enter the admin password when prompted):

```shell
ldapsearch -h localhost -p 33389 -D "uid=admin,ou=people,dc=hadoop,dc=apache,dc=org" -b "ou=people,dc=hadoop,dc=apache,dc=org" "(&(objectclass=person)(|(uSNChanged>=0)(modifyTimestamp>=19700101120000Z))(uid=*))" -W
```

If this doesn't return any entries, then you can try disabling "incremental sync" from the ranger user info config. Maybe your ldap doesn't support the modifyTimestamp attribute? Hope this helps!

02-22-2018 10:14 PM
Ranger doesn't support sync from a SQL database. But one more option that Ranger usersync supports is to sync from a file (which can be in csv, json, or text file format). One option is to dump the users and groups from SQL to a file and sync from the file. https://community.hortonworks.com/questions/1372/how-to-configure-ranger-usersync-to-sync-users-fro.html

02-22-2018 10:08 PM
Currently ranger usersync doesn't support multiple LDAPs. But once the users and groups are synced to Ranger, they are mainly used for configuring policies in Ranger. Ranger doesn't contact AD/LDAP during authorization or policy enforcement. Mostly it relies on hadoop group mapping during authorization. I am not sure what exactly is the use case you are trying to solve. Can you share some details?

12-07-2017 06:32 PM
@Pedro Antonio Gonzalez Perez This issue is fixed as part of https://issues.apache.org/jira/browse/RANGER-1632

11-17-2017 01:09 AM
In order to utilize the directory server's nested group information across hadoop, nested group information must be retrieved for hadoop group mapping as well as for Ranger policy authorization. Retrieving nested group information for Ranger is explained here. This article covers the configuration required for retrieving nested group information for hadoop LdapGroupMapping. Nested group membership in LdapGroupMapping was introduced as part of HADOOP-12291 and is available in HDP 2.6.
Let's take the same directory server structure example that is used for Ranger.
[Figure: Sample Active Directory structure with nested groups]
Usecase: Admin wants "Marketing Group" and "AMER Marketing Group" to be represented as hdfs groups for users "Adam Will", "John Doe", and "Mary Sam".
In the above example, user "John Doe" is a member of "US Marketing Group". But the directory server structure also contains multiple nested group levels: "US Marketing Group" is a member of "AMER Marketing Group", which again is a member of "Marketing Group". Without nested group membership support in hadoop, "hdfs groups" for user "John Doe" returns only the immediate group "US Marketing Group". For hdfs groups to also return parent groups like "AMER Marketing Group" and "Marketing Group", LdapGroupMapping must be configured with nested group membership information.
Hadoop LdapGroupMapping configuration

11-16-2017 06:45 PM
@David Williamson, Can you check the ranger audit logs and see which policy is denying access? Also, you can enable debug logs on hdfs and see what group name is sent as part of the authorization request to ranger. If you can post the output of "hdfs groups" for the failed case and the corresponding group names in the policy configuration, that will be helpful. Thanks, Sailaja.

11-16-2017 12:39 AM
Yes, for each configured OU in the group search base, ranger usersync computes the nested groups. The group hierarchy level is applied to each OU independently. A few points to note:
1. If the directory server contains more levels of nested groups than are configured in the usersync group hierarchy levels, then usersync limits the nested group computation to the usersync configuration.
2. If the directory server contains fewer levels of nested groups than are configured in the usersync group hierarchy levels, then usersync limits the nested group computation to the directory server's nested group levels.
3. Nested groups are computed only for the groups that are part of the group search base. For example, if the group search base is configured as "ou=groups,dc=test,dc=com;ou=groups2,dc=test,dc=test,dc=com" and a group (grp1) that is part of one of these configured OUs has a member group (grp2) that is not part of any of the configured OUs, then grp2 is ignored in the group computation.
4. Nested group computation is supported with incremental sync as well as full sync.

11-15-2017 07:31 PM
Introduction
Adding a group as a member to another group is called nesting. If a group (groupA) is a member of another group (groupB), then the users belonging to the member group (groupA) are part of the parent group (groupB) as well. Nesting can be very useful in delegating access through inheritance. Several large enterprises have their groups in LDAP/AD nested within other groups. Security admins want the users in those nested groups to be associated in Ranger so that they are available for policy authoring in Ranger Admin. In HDP 2.6 (RANGER-1735), ranger usersync introduced support for nested group membership representation for policy authoring.
Note: In order to utilize the nested group mapping across hadoop, this feature must be configured for hadoop LdapGroupMapping as well. Configuring hadoop LdapGroupMapping for nested groups is explained here.
[Figure: Sample Active Directory structure with nested groups]
Usecase: Admin wants to give access to some resources for all the users under "AMER Marketing Group".
In the above sample directory structure, all the marketing users are under one OU, "Marketing Users". All these users are members of different groups based on location, like US, Canada, London, etc. For example, user "Adam Will" from the "Marketing Users" OU is a member of "Canada Marketing Group". Also, the above sample directory structure contains multiple nested group levels: "US Marketing Group" is a member of "AMER Marketing Group", which again is a member of "Marketing Group".
Ranger Usersync configuration
Ranger Usersync, by default, computes only the immediate groups for the users. For example, user "Adam Will" is part of "Canada Marketing Group", and only this information is available in ranger without nested group sync configuration. With this information, if an admin wants to provide access to all the users under "AMER Marketing Group", then all the sub groups, "US Marketing Group" and "Canada Marketing Group", must be added in the ranger policy.
In order to simplify the policy configuration at parent-level groups, Ranger supports evaluating nested group memberships by configuring "ranger.usersync.ldap.grouphierarchylevels". If ranger.usersync.ldap.grouphierarchylevels is set to "3", Ranger Usersync computes the group memberships for user "Adam Will" as "Canada Marketing Group", "AMER Marketing Group", "Marketing Group". This way, the admin can configure a ranger policy at the parent group level ("AMER Marketing Group") which will be applied to all the users (Mary Sam, John Doe, and Adam Will) under each sub group (US Marketing Group and Canada Marketing Group).

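The following is an added example, not code from the 11-15-2017 article, the 11-16-2017 reply or Ranger usersync. It computes the nested group memberships those two posts describe (and that the 11-17-2017 article wants from hadoop's LdapGroupMapping) against a constructed in-memory copy of the sample AD structure, extended with an EMEA branch in a second OU so the search base rule can be shown. The `grouphierarchylevels` value is read here as the number of parent levels climbed above a user's immediate groups; that reading, the ';'-separated search base, the extra EMEA groups and the function names are my assumptions.

```python
"""Toy nested-group computation for Ranger usersync (added example, not Ranger code)."""

# Constructed directory: group DN -> list of member DNs (users or groups).
GROUPS = {
    "cn=Marketing Group,ou=groups,dc=test,dc=com":
        ["cn=AMER Marketing Group,ou=groups,dc=test,dc=com",
         "cn=EMEA Marketing Group,ou=groups2,dc=test,dc=com"],
    "cn=AMER Marketing Group,ou=groups,dc=test,dc=com":
        ["cn=US Marketing Group,ou=groups,dc=test,dc=com",
         "cn=Canada Marketing Group,ou=groups,dc=test,dc=com"],
    "cn=US Marketing Group,ou=groups,dc=test,dc=com":
        ["cn=John Doe,ou=Marketing Users,dc=test,dc=com",
         "cn=Mary Sam,ou=Marketing Users,dc=test,dc=com"],
    "cn=Canada Marketing Group,ou=groups,dc=test,dc=com":
        ["cn=Adam Will,ou=Marketing Users,dc=test,dc=com"],
    "cn=EMEA Marketing Group,ou=groups2,dc=test,dc=com":
        ["cn=London Marketing Group,ou=groups2,dc=test,dc=com"],
    "cn=London Marketing Group,ou=groups2,dc=test,dc=com":
        ["cn=Jane Roe,ou=Marketing Users,dc=test,dc=com"],
}

USERS = [
    "cn=Adam Will,ou=Marketing Users,dc=test,dc=com",
    "cn=John Doe,ou=Marketing Users,dc=test,dc=com",
    "cn=Mary Sam,ou=Marketing Users,dc=test,dc=com",
    "cn=Jane Roe,ou=Marketing Users,dc=test,dc=com",
]

def rdn_value(dn):
    """'cn=AMER Marketing Group,ou=groups,...' -> 'AMER Marketing Group'."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def in_search_base(dn, bases):
    """True if dn sits under one of the ';'-separated group search bases."""
    d = dn.lower()
    return any(d == b.strip().lower() or d.endswith("," + b.strip().lower())
               for b in bases.split(";"))

def immediate_groups(member_dn, bases):
    """In-scope groups whose member attribute lists member_dn directly."""
    return [g for g, members in GROUPS.items()
            if member_dn in members and in_search_base(g, bases)]

def user_groups(user_dn, bases, hierarchy_levels):
    """Immediate groups first, then parents, climbing at most hierarchy_levels
    levels.  Stops early when the directory has fewer levels than configured
    and never follows a group that lies outside every configured search base."""
    found, frontier = [], immediate_groups(user_dn, bases)
    for _ in range(hierarchy_levels + 1):
        new = []
        for g in frontier:                 # de-duplicate, keep first-seen order
            if g not in found and g not in new:
                new.append(g)
        if not new:
            break                          # directory ran out of levels
        found.extend(new)
        frontier = [p for g in new for p in immediate_groups(g, bases)]
    return [rdn_value(g) for g in found]

def users_covered(group_name, user_dns, bases, hierarchy_levels):
    """Users a Ranger policy on group_name would apply to after nested sync."""
    return sorted(rdn_value(u) for u in user_dns
                  if group_name in user_groups(u, bases, hierarchy_levels))

if __name__ == "__main__":
    base = "ou=groups,dc=test,dc=com"
    adam = USERS[0]
    print(user_groups(adam, base, 0))   # immediate group only
    print(user_groups(adam, base, 1))   # one parent level
    print(user_groups(adam, base, 3))   # capped by the directory at 3 groups
    # a policy on the parent group now covers every user in the sub groups
    print(users_covered("AMER Marketing Group", USERS, base, 3))
    # Jane's groups live in ou=groups2: invisible until that OU is in the base
    print(user_groups(USERS[3], base, 3))
    print(user_groups(USERS[3], base + ";ou=groups2,dc=test,dc=com", 3))
```

The last two calls are the point 3 from the 11-16-2017 reply in code: with only `ou=groups` configured, the London and EMEA groups are never followed, so a policy on "Marketing Group" does not reach Jane even though the directory says it should. Check the configured base list first when a nested policy fails to apply.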
11-10-2017 07:35 PM
@David Williamson Please take a look at the following link to see if it helps: https://community.hortonworks.com/articles/145832/ranger-user-sync-issues-due-to-case-difference.html

11-10-2017 07:32 PM
@Cibi Chakaravarthi, From the usersync logs, it looks like you have group search first enabled, but the number of groups synced is zero. When group search first is enabled, the logic to update ranger admin is: retrieve all the groups that match the group config and then retrieve the users that match the user config. We update ranger admin with all the retrieved groups and only those retrieved users that are part of these groups. So, in your case, since no groups are retrieved based on the group config, whatever users are pulled based on the user config are not updated to ranger admin. Ranger usersync supports multiple options to target different use cases for syncing users and groups from AD/LDAP. Please refer to the following article for more details: https://community.hortonworks.com/content/kbentry/105623/various-options-supported-in-ranger-usersync-with.html Hope this helps. Thanks, Sailaja.

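The following is an added example, not code from the replies above or from Ranger usersync. It models the "group search first" logic laid out as steps 1 to 3 in the 03-01-2018 reply and relied on in the 11-10-2017 reply (zero groups matched, therefore zero users pushed to ranger admin). The directory is a constructed in-memory list, and the Ambari "search base" / "search filter" settings are reduced to a DN suffix plus an objectclass value so the code runs offline. The function names, the sample entries, and the choice to drop cached members that the user search does not return are my assumptions.

```python
"""Toy model of Ranger usersync "group search first" (added example, not Ranger code)."""

# Constructed sample directory: (dn, attributes) pairs.
ENTRIES = [
    ("cn=Adam Will,ou=Marketing Users,dc=test,dc=com",
     {"objectclass": "person", "sAMAccountName": "awill"}),
    ("cn=Mary Sam,ou=Marketing Users,dc=test,dc=com",
     {"objectclass": "person", "sAMAccountName": "msam"}),
    ("cn=Jane Roe,ou=Marketing Users,dc=test,dc=com",     # in no synced group
     {"objectclass": "person", "sAMAccountName": "jroe"}),
    ("cn=Pit Err,ou=Other Users,dc=test,dc=com",          # outside the user base
     {"objectclass": "person", "sAMAccountName": "perr"}),
    ("cn=Canada Marketing Group,ou=groups,dc=test,dc=com",
     {"objectclass": "group",
      "member": ["cn=Adam Will,ou=Marketing Users,dc=test,dc=com"]}),
    ("cn=US Marketing Group,ou=groups,dc=test,dc=com",
     {"objectclass": "group",
      "member": ["cn=Mary Sam,ou=Marketing Users,dc=test,dc=com",
                 "cn=Pit Err,ou=Other Users,dc=test,dc=com"]}),
]

def search(base, objectclass):
    """Subtree search reduced to: DN under base AND objectclass equals value."""
    return [(dn, a) for dn, a in ENTRIES
            if dn.lower().endswith("," + base.lower())
            and a.get("objectclass") == objectclass]

def short_name(dn):
    """Step 3a: the RDN value of a member DN, e.g. 'Adam Will'."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def group_search_first(group_base, group_objectclass, member_attr,
                       user_search_enabled, user_base=None,
                       user_objectclass=None, username_attr="sAMAccountName"):
    """Return (groups, users) as they would be pushed to ranger admin:
    groups maps group name -> sorted member user names; users is sorted."""
    # Step 1: sync every group that matches the group config.
    groups = {short_name(dn): a.get(member_attr, [])
              for dn, a in search(group_base, group_objectclass)}
    # Step 2: cache the member DNs of all synced groups.
    cached = {m for members in groups.values() for m in members}
    if not user_search_enabled:
        # Step 3a: no user search -> names are the member attribute's short names.
        names = {dn: short_name(dn) for dn in cached}
    else:
        # Step 3b: user search runs; only cached members survive, renamed to the
        # configured username attribute. Cached members the search does not
        # return are dropped here (assumption, see lead-in).
        names = {dn: a[username_attr]
                 for dn, a in search(user_base, user_objectclass) if dn in cached}
    synced_groups = {g: sorted(names[m] for m in members if m in names)
                     for g, members in groups.items()}
    return synced_groups, sorted(set(names.values()))

if __name__ == "__main__":
    print(group_search_first("ou=groups,dc=test,dc=com", "group", "member", False))
    print(group_search_first("ou=groups,dc=test,dc=com", "group", "member", True,
                             "ou=Marketing Users,dc=test,dc=com", "person"))
    # group config that matches nothing: zero groups, therefore zero users
    print(group_search_first("ou=nothing,dc=test,dc=com", "group", "member", True,
                             "ou=Marketing Users,dc=test,dc=com", "person"))
```

Note what each setting changes: with user search off, "Pit Err" is synced under his CN even though he sits outside the user base, and with user search on, "Jane Roe" is found by the user search but discarded because no synced group lists her. Either way, an empty group result empties the user list too, which is the symptom in the 11-10-2017 thread.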
11-09-2017 06:40 PM
@Cibi Chakaravarthi Can you please verify that the group name from "hdfs groups" is an exact match with the one configured in the Ranger policy? Ranger group names and/or usernames are case sensitive while enforcing policies. Thanks, Sailaja.

11-09-2017 06:37 PM
@Cibi Chakaravarthi Which version of Ranger are you using? Have you noticed any errors while updating the users to ranger admin in either the usersync logs (usersync.log) or the ranger admin logs (xa_portal.log)? Can you also provide details of your usersync configuration?

10-31-2017 06:56 PM
@Surya Nuthalapati, As you know, user/group names in ranger should match the ones used by hadoop for authorization to work. In this case, since the group names mapped by SSSD are different from the ones in AD, ranger usersync can be configured to sync from SSSD instead. Ranger introduced support for syncing from SSSD as part of https://issues.apache.org/jira/browse/RANGER-827 Thanks, Sailaja.

10-31-2017 05:52 PM
@Jacqualin jasmin A couple of things I noticed from the description:
1. ldaptool currently doesn't support ldaps.
2. The binddn used by ldaptool should be the distinguished name (generally the whole DN, like cn=admin,ou=users,dc=example,dc=com).
3. In the ldapsearch that you posted, I don't see the "-D" (binddn) option, in which case you are using anonymous bind. If this is not what you want to use, can you try the following ldapsearch command (enter the password of the binddn user when prompted):

```shell
ldapsearch -h free-ipa-dev-01.uat.txdc.datastax.com -x -D "<full dn of bind user>" -b "dc=txdc,dc=datastax,dc=com" -W
```

4. ldaptool doesn't support anonymous bind.
Hope this helps. Thanks, Sailaja.