Member since: 10-22-2015
Posts: 69
Kudos Received: 40
Solutions: 14

My Accepted Solutions

| Title | Views | Posted |
|---|---|---|
| | 6268 | 07-24-2018 11:19 PM |
| | 3263 | 03-01-2018 06:18 PM |
| | 12042 | 02-26-2018 06:51 PM |
| | 3510 | 11-10-2017 07:35 PM |
| | 2898 | 09-08-2017 11:32 PM |
05-03-2021
10:01 AM
@VidyaSargur Thanks, will open a new thread.
10-09-2020
11:45 AM
It's working for me now with our AD. I had to add the group as external with @domainname.com, even though Ranger imports it without. You don't have to do anything else. The reason for this: in our environment, if I execute groups [userid], I get the AD groups in FQDN format, so you have to have them in Ranger in FQDN format too.
02-13-2019
09:20 AM
Why do we sync users into Apache Ranger? It would be great if someone could explain the reason along with one example.
02-27-2018
06:35 PM
Thanks @spolavarapu. This worked for me.
11-17-2017
01:09 AM
1 Kudo
In order to utilize the directory server's nested group information across Hadoop, nested group information must be retrieved both for Hadoop group mapping and for Ranger policy authorization. Retrieving nested group information for Ranger is explained here. This article covers the configuration required for retrieving nested group information for Hadoop LdapGroupMapping. Nested group membership in LdapGroupMapping was introduced as part of HADOOP-12291 and is available in HDP 2.6.

Let's take the same directory server structure example that is used for Ranger.

Sample Active Directory structure with nested groups

Use case: the admin wants "Marketing Group" and "AMER Marketing Group" to be represented as HDFS groups for users "Adam Will", "John Doe", and "Mary Sam".

In the above example, user "John Doe" is a member of "US Marketing Group". But the directory server structure also contains multiple nested group levels: "US Marketing Group" is a member of "AMER Marketing Group", which in turn is a member of "Marketing Group". Without nested group membership support in Hadoop, "hdfs groups" for user "John Doe" returns only the immediate group "US Marketing Group". In order for "hdfs groups" to also return the parent groups "AMER Marketing Group" and "Marketing Group", LdapGroupMapping must be configured with nested group membership information.

Hadoop LdapGroupMapping configuration
11-16-2017
12:39 AM
Yes, for each configured OU in the group search base, Ranger usersync computes the nested groups. The group hierarchy level is applied to each OU independently. A few points to note:

1. If the directory server contains more levels of nested groups than are configured in the usersync group hierarchy levels, usersync limits the nested group computation to the configured number of levels.
2. If the directory server contains fewer levels of nested groups than are configured in the usersync group hierarchy levels, usersync limits the nested group computation to the levels present in the directory server.
3. Nested groups are computed only for the groups that are part of the group search base. For example, if the group search base is configured as "ou=groups,dc=test,dc=com;ou=groups2,dc=test,dc=test,dc=com" and a group (grp1) that is part of one of these configured OUs has a member group (grp2) that is not part of any of the configured OUs, then grp2 is ignored in the group computation.
4. Nested group computation is supported with incremental sync as well as full sync.
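As an added example (not Hadoop's or Ranger's own code), the following Python models how nested group expansion behaves under the points listed in this reply and in the LdapGroupMapping article above: a hierarchy-level limit, a directory with fewer levels than configured, and a parent group that lies outside the configured group search base. The directory entries are constructed for this example and mirror the article's sample (John Doe is in US Marketing Group, which is in AMER Marketing Group, which is in Marketing Group). The `hierarchy_levels` parameter stands in for settings such as Hadoop's `hadoop.security.group.mapping.ldap.search.group.hierarchy.levels`, and the example assumes the convention that 0 means immediate groups only; real implementations build LDAP filters against the directory, which this model replaces with dictionary lookups.

```python
"""Added example: in-memory model of nested LDAP group expansion with a
hierarchy-level limit and a group search base restriction. Not Hadoop's or
Ranger's code; directory entries below are constructed for this example."""

from collections import deque

# Constructed sample directory: DN -> attributes. 'member' holds DNs, as AD does.
DIRECTORY = {
    "cn=John Doe,ou=users,dc=test,dc=com": {"objectClass": "user"},
    "cn=US Marketing Group,ou=groups,dc=test,dc=com": {
        "member": ["cn=John Doe,ou=users,dc=test,dc=com"]},
    "cn=AMER Marketing Group,ou=groups,dc=test,dc=com": {
        "member": ["cn=US Marketing Group,ou=groups,dc=test,dc=com"]},
    "cn=Marketing Group,ou=groups,dc=test,dc=com": {
        "member": ["cn=AMER Marketing Group,ou=groups,dc=test,dc=com"]},
    # A parent group living outside the configured group search base (point 3).
    "cn=All Staff,ou=legacy,dc=test,dc=com": {
        "member": ["cn=Marketing Group,ou=groups,dc=test,dc=com"]},
}


def in_search_base(dn, search_bases):
    """LDAP subtree match: the entry's DN must end with one of the base DNs."""
    dn = dn.lower()
    return any(dn == b.lower() or dn.endswith("," + b.lower()) for b in search_bases)


def direct_parent_groups(member_dn, search_bases):
    """Groups inside the search base whose 'member' attribute lists member_dn."""
    return sorted(
        dn for dn, attrs in DIRECTORY.items()
        if in_search_base(dn, search_bases) and member_dn in attrs.get("member", []))


def nested_groups(user_dn, search_bases, hierarchy_levels):
    """Expand group membership breadth-first.

    hierarchy_levels=0 returns only the immediate groups (assumed convention,
    matching the pre-HADOOP-12291 behaviour); each extra level adds one more
    ring of parent groups. Expansion stops early when the directory has fewer
    levels than configured (point 2). Groups outside search_bases are never
    visited, so nothing above them is found either (point 3).
    """
    found, seen = [], set()
    frontier = deque([user_dn])
    for _ in range(hierarchy_levels + 1):
        next_frontier = deque()
        while frontier:
            member = frontier.popleft()
            for grp in direct_parent_groups(member, search_bases):
                if grp not in seen:          # also guards against membership cycles
                    seen.add(grp)
                    found.append(grp)
                    next_frontier.append(grp)
        if not next_frontier:
            break                            # directory is shallower than configured
        frontier = next_frontier
    return found


def group_names(dns):
    """Strip each DN down to its RDN value, as 'hdfs groups' would print it."""
    return [dn.split(",")[0].split("=", 1)[1] for dn in dns]


if __name__ == "__main__":
    john = "cn=John Doe,ou=users,dc=test,dc=com"
    base = ["ou=groups,dc=test,dc=com"]
    for levels in (0, 1, 2, 10):
        print(levels, group_names(nested_groups(john, base, levels)))
```

Running the block prints the group list for each configured level: level 0 stops at "US Marketing Group", level 2 reaches "Marketing Group", and level 10 returns the same three groups because the directory has no further levels under the configured base; "All Staff" only appears once ou=legacy is added to the search base.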
07-19-2018
12:43 AM
This is a useful article, but it would be better to explain what the different main configurations do instead of listing an interpretation of the best use case (as perceived by the creator) for each combination. By knowing what each of these few options does, or how they affect the behavior regarding the matching of users and groups from LDAP, I'm pretty sure most of us IT professionals will be able to find out in which case each combination is more appropriate for our use case. Indeed, that is a recurrent problem with Ranger documentation in HDP and with many other aspects of the security components: you usually find a "subjective" interpretation of what combination of settings is best for this or that scenario, but the objective description of how each option behaves is much harder to find, and sometimes the only way to find out is going to the source code.
06-01-2017
07:59 AM
@spolavarapu thanks! It is exactly my case.
03-06-2017
11:44 PM
3 Kudos
Many Hadoop deployments use the Centrify LDAP proxy to integrate Active Directory users with Linux accounts. Centrify ldapproxy uses POSIX attributes like uid, gidNumber, uidNumber, memberUid, etc., and makes them available as LDAP search attributes to clients like Apache Ranger. Ranger interacts with Centrify ldapproxy both for configuring Hadoop authorization policies and for authentication to the Ranger UI. In order to sync users and groups from Centrify, Ranger performs an LDAP search against Centrify using all the configured LDAP attributes. Some of the common issues noticed during this integration are:

Issue #1. Users are unable to log in to the Ranger UI but were successfully sync'd to Ranger:

For AD/LDAP authentication, Ranger uses the complete DN of the login user for performing an LDAP search. Ranger also uses the group search base and group search filter to obtain group membership, from which it derives the user's role information. A few configuration parameters to verify on Ranger are:

ranger.ldap.user.dnpattern - This value should match the exact DN pattern of the login user
Group Search Base - This value should be the search base of the groups which contain the login users as members
Group Search Filter - This value can be a simple filter like "cn=*"

Let's look at one small example:
=========================================
An ldapsearch against Centrify for one of the users returns the following:

dn: cn=alice bob,ou=Users,ou=us,ou=Contractor,dc=apache,dc=org
description: c001038@apache.org
email: abob@apache.org
gecos: Alice Bob
gidNumber: 422222198
homeDirectory: /home/c001038
loginShell: /bin/bash
uid: c001038
uidNumber: 42222045
userPassword:: WWIEphZ2FkZWVzYW4=
accountExpires: 131470704000000000
badPasswordTime: 131140254848671173
badPwdCount: 0
cn: Alice Bob
codePage: 0
countryCode: 0
displayName: Alice Bob
distinguishedName: CN=Alice Bob,OU=Users,OU=us,OU=Contractor,DC=apache,DC=org
givenName: Alice
instanceType: 4
lastLogoff: 0
lastLogon: 131140358889710142
logonCount: 185
mail: Abob@hortonworks.com
manager: CN=Joe Dave,OU=Corporate,OU=Users,OU=us,DC=apache,DC=org
memberOf: CN=hdp_admin,OU=Hadoop,OU=Applications,OU=Groups,DC=apache,DC=org
memberOf: cn=hdp_group1,ou=Hadoop,ou=Groups,dc=apache,dc=org
name: Alice Bob
objectClass: top
objectClass: posixaccount
objectGUID:: W6rekfmZXECSiIgFeOTnPw==
objectSid:: AQUAAAAAAAUVAAAAYKiAHXLIYdQjI9RcxRQCAA==
primaryGroupID: 500
pwdLastSet: 131123031899439530
sAMAccountName: c001038
sAMAccountType: 805306300
sn: Bob
uSNChanged: 153583075
uSNCreated: 151863255
userAccountControl: 510
userPrincipalName: c001038@apache.org
whenChanged: 20160716210250.0Z
whenCreated: 20160705200144.0Z

As you can observe, the complete DN of the user is "cn=alice bob,ou=Users,ou=us,ou=Contractor,dc=apache,dc=org". But say the user logs in to Ranger Admin with the uid (c001038) and "ranger.ldap.user.dnpattern" is configured as "uid={0},ou=Users,ou=us,ou=Contractor,dc=apache,dc=org". In this case the Ranger login fails because of the DN pattern mismatch: the DN built from the pattern does not exist in the directory. In order to have a successful login with the uid, the Centrify config has to be changed so that the user's DN becomes "uid=c001038,ou=Users,ou=us,ou=Contractor,dc=apache,dc=org". Otherwise, the user can use the cn (alice bob) as the login name and "ranger.ldap.user.dnpattern" can be configured as "cn={0},ou=Users,ou=us,ou=Contractor,dc=apache,dc=org".

Issue #2. Groups not sync'd to Ranger:

In order to provide flexibility and support different deployment scenarios, Ranger provides multiple ways to configure group sync.

1. Sync groups from the user's group name attribute (like "memberof" or "ismemberof") - One use case here is "Get all the users from the configured user search base and user search filter, and get all the groups that the users belong to". In this case "Group User Map Sync" is set to true and "Enable Group Sync" is set to false.
The only way Ranger gets the group information in this mode is from the user's group name attribute (generally the "memberof" or "ismemberof" attribute of the user). Since Centrify ldapproxy uses POSIX attributes, most of the time the "memberof" or "ismemberof" attribute is not available for the user. In this case groups will not be sync'd to Ranger. There are two ways to solve this:
a. Without any changes to Centrify, configure Ranger with the "Enable Group Sync" option (#2 below).
b. Modify Centrify to populate the "memberof" attribute for the user, as in the example above (memberOf: cn=hdp_admin,ou=Hadoop,ou=Applications,ou=Groups,dc=apache,dc=org and memberOf: cn=hdp_group1,ou=Hadoop,ou=Groups,dc=apache,dc=org).

2. Sync groups by computing the group membership of the users - One use case here is "Get all the users from the configured user search base and user search filter, and get only the particular groups that these users belong to". This also targets the case where the LDAP server doesn't support the "memberof" attribute for the user. In this case "Group User Map Sync" should be set to true and "Enable Group Sync" should also be set to true. Ranger first syncs all the users based on the "User Info" configuration. Then, for each user, Ranger computes the group memberships based on the "Group Member Attribute" (like member, memberUid, etc.). Some of the common scenarios where the groups fail to sync to Ranger are:
a. "Group User Map Sync" or "Enable Group Sync" is not set to true.
b. The group search base or group search filter is misconfigured and no matching groups are found.
c. The "User Name Attribute" configured for the user search does not match the values of the configured Group Member Attribute. Let's take an example:
====================================
Let's say "User Name Attribute" is configured as "uid" and "Group Member Attribute" is configured as "member" in Ranger. The following is the ldapsearch output for a group from Centrify:

dn: cn=hdp_group1,ou=Hadoop,ou=Groups,dc=apache,dc=org
cn: hdp_group1
gidNumber: 478287198
memberUid: bdave
memberUid: c001038
memberUid: c001140
memberUid: djoe
groupType: -2122223646
member: <GUID=0b01714af9d97047aa0d55d813a20385>;<SID=01050000000000051500000060a8801d72c861d42323d45ce7170200>;CN=Dave Joe,OU=Users,OU=us,OU=Contractor,DC=apache,DC=org
member: <GUID=3fef7ee4aa1fd84092fce8d25cfed798>;<SID=01050000000000051500000060a8801d72c861d42323d45ca5170200>;CN=bob dave,OU=Users,OU=us,DC=apache,DC=org
member: <GUID=5baade91f9995c409288880578e4e73f>;<SID=01050000000000051500000060a8801d72c861d42323d45cc5140200>;CN=Alice Bob,OU=Users,OU=us,OU=Contractor,DC=apache,DC=org
objectClass: top
objectClass: posixgroup
sAMAccountName: hdp_grp1
uSNChanged: 152222220

Since the "User Name Attribute" in Ranger is configured as uid, users are sync'd to Ranger by that attribute (for example "c001038"). To compute the group memberships for this user, Ranger uses the "Group Member Attribute", which is configured as "member": it performs an LDAP search for all groups under the group search base whose "member" attribute contains "uid=c001038". But as you can see, the "member" values returned by Centrify carry the user's CN-based DN and no uid. Hence no groups are sync'd to Ranger. This issue can be fixed by configuring "Group Member Attribute" in Ranger as "memberuid", whose values match the uid.

3. Sync groups from the configured group search base and group search filter - One use case here is "Get all the groups from the configured group search base and group search filter". This also covers syncing groups with no members. In this case "Group User Map Sync", "Enable Group Sync" and "Enable Group Search First" should all be set to true. The only reason groups are not sync'd to Ranger in this mode is a misconfigured group search base or group search filter.

Issue #3: Issues with syncing Ranger users and groups with Centrify AD:

Ranger retrieves only the values of the attributes configured in Ranger. Hence for syncing users and/or groups, Ranger performs an LDAP search against the server (like Centrify) requesting all these attributes. When users and/or groups are not sync'd to Ranger, run an ldapsearch for a particular user and/or group with the configured attributes. Sometimes a particular attribute (like "memberof", "member", etc.) is not configured in Centrify, and the user sync fails. In this case the following error can be found in the Ranger usersync log (/var/log/ranger/usersync/usersync.log):

javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - cdcLdapSearch :No such attribute (cdcRC=8), errSystem=Ldap, errCode=16, errString=No such attribute];

In general, since Centrify uses POSIX attributes, the "member" attribute might not be configured for a group; instead, users are mapped to groups using the "memberuid" attribute. To solve this, verify that the "Group Member Attribute" is configured accordingly (memberuid in this case) in Ranger.
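To make the mismatches in Issue #1 and Issue #2 concrete, here is a small in-memory model (an added example, not Ranger's or Centrify's code) that replays them against entries constructed from the ldapsearch output in this article (attributes trimmed to the ones that matter). It assumes that Ranger substitutes the login name into ranger.ldap.user.dnpattern and authenticates only if that exact DN exists, and that group sync matches the value of the configured User Name Attribute against the values of the configured Group Member Attribute, as the article describes; the real Ranger builds LDAP filters and queries the directory, which this model replaces with dictionary lookups. The hdp_admin group entry is assumed for the example.

```python
"""Added example: replay of the Centrify/Ranger login and group-sync mismatches
using constructed LDAP entries. Not Ranger's or Centrify's code."""

# Constructed entries keyed by lower-cased DN, mirroring the article's ldapsearch
# output. Note that the user entry has NO memberOf attribute (the usual Centrify
# POSIX view), groups carry DNs in 'member' and uids in 'memberUid'.
ENTRIES = {
    "cn=alice bob,ou=users,ou=us,ou=contractor,dc=apache,dc=org": {
        "cn": ["Alice Bob"], "uid": ["c001038"], "objectClass": ["posixaccount"]},
    "cn=hdp_group1,ou=hadoop,ou=groups,dc=apache,dc=org": {
        "cn": ["hdp_group1"], "objectClass": ["posixgroup"],
        "memberUid": ["bdave", "c001038", "c001140", "djoe"],
        "member": ["CN=Dave Joe,OU=Users,OU=us,OU=Contractor,DC=apache,DC=org",
                   "CN=bob dave,OU=Users,OU=us,DC=apache,DC=org",
                   "CN=Alice Bob,OU=Users,OU=us,OU=Contractor,DC=apache,DC=org"]},
    # Assumed second group so that the memberUid lookup returns more than one hit.
    "cn=hdp_admin,ou=hadoop,ou=applications,ou=groups,dc=apache,dc=org": {
        "cn": ["hdp_admin"], "objectClass": ["posixgroup"],
        "memberUid": ["c001038"],
        "member": ["CN=Alice Bob,OU=Users,OU=us,OU=Contractor,DC=apache,DC=org"]},
}


def resolve_login_dn(dn_pattern, login_name):
    """Issue #1: substitute the login name into ranger.ldap.user.dnpattern.
    Authentication can only succeed if the resulting DN is a real entry."""
    dn = dn_pattern.replace("{0}", login_name).lower()
    return dn if dn in ENTRIES else None


def groups_from_user_attribute(group_name_attr, user_dn):
    """Group sync option 1: read the groups straight from the user's own
    attribute (memberof/ismemberof). Yields nothing when Centrify omits it."""
    values = ENTRIES[user_dn.lower()].get(group_name_attr, [])
    return sorted(dn.split(",")[0].split("=", 1)[1] for dn in values)


def sync_user_groups(username_attr, group_member_attr, group_search_base, user_dn):
    """Group sync option 2: take the user's username_attr value and find groups
    under group_search_base whose group_member_attr lists that value.
    'member' holds DNs while 'memberUid' holds uids, so the pair must agree."""
    name_value = ENTRIES[user_dn.lower()][username_attr][0].lower()
    base = group_search_base.lower()
    matches = []
    for dn, attrs in ENTRIES.items():
        if not dn.endswith("," + base) or "posixgroup" not in attrs["objectClass"]:
            continue
        # Directory comparisons are case-insensitive for these attributes.
        values = [v.lower() for v in attrs.get(group_member_attr, [])]
        if name_value in values:
            matches.append(attrs["cn"][0])
    return sorted(matches)


if __name__ == "__main__":
    base = "ou=Groups,dc=apache,dc=org"
    alice = "cn=alice bob,ou=Users,ou=us,ou=Contractor,dc=apache,dc=org"
    print("uid pattern:", resolve_login_dn(
        "uid={0},ou=Users,ou=us,ou=Contractor,dc=apache,dc=org", "c001038"))
    print("cn pattern: ", resolve_login_dn(
        "cn={0},ou=Users,ou=us,ou=Contractor,dc=apache,dc=org", "alice bob"))
    print("memberOf:   ", groups_from_user_attribute("memberOf", alice))
    print("member:     ", sync_user_groups("uid", "member", base, alice))
    print("memberUid:  ", sync_user_groups("uid", "memberUid", base, alice))
```

The first lookup returns None (the uid-based pattern builds a DN that does not exist) while the cn-based pattern resolves; the memberOf lookup is empty because the user entry has no such attribute; and the same user matches no groups via "member" but both groups via "memberUid", which is the fix the article arrives at.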
02-07-2018
06:19 AM
I had the same problem: "Ranger can sync users with LDAP but can't log in to the Ranger UI with the LDAP password." Finally I could solve this problem, so let me share the lessons learned and how I solved it, to help those of you who have the same problem I faced.

Lessons learned:

1. We have to configure Ranger Admin to speak the ldaps protocol if we want to use ldaps for user authentication. Parameters in ranger-admin-site: ranger.truststore.file, ranger.truststore.password. I had to import the self-signed CA from the LDAP team into "/etc/ranger/admin/conf/ranger-admin-keystore.jks", and set the password I specified for this import as "ranger.truststore.password". Command example:
keytool -importcert -alias rangeradmin -noprompt -trustcacerts -file ./ca.crt -keystore /etc/ranger/admin/conf/ranger-admin-keystore.jks -storepass xasecure
ref: https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.0/bk_security/content/configure_non_ambari_ranger_ssl_self_signed_cert_admin.html

2. Setting up user info sync with LDAP and setting up LDAP for authentication are technically different. For example, we can use LDAP authentication for Ranger UI login even when "Enable User Sync" is disabled. In other words, we can use LDAP authentication when the "Ranger Usersync" service is not running.

3. Debug logs from "org.springframework" and "org.apache.ranger" were very useful for the troubleshooting. We can change the log level in "admin-log4j.xml":
log4j.category.org.springframework=debug,xa_log_appender
log4j.category.org.apache.ranger=debug,xa_log_appender

4. Here are the key configurations for LDAP authentication (not for user sync with LDAP):
Authentication method: LDAP
LDAP URL: ldaps://xxxxxx
User Search Filter: (uid={0})
Group Search Filter: (member=uid={0},ou=xxxxx,o=xxxxx)
ranger.ldap.user.dnpattern: uid={0},ou=xxxxx,o=xxxxx
ranger.truststore.file: /etc/ranger/admin/conf/ranger-admin-keystore.jks <= in case with ldaps.
ranger.truststore.password: xasecure <= in case with ldaps. This is the password you set when you import the CA into the jks.

I hope this memo helps those who have the same problem I faced 🙂