Cloudera, Ranger, Active Directory, usersync - stanislawbartkowski/hdpactivedirectory GitHub Wiki
Prepare necessary data
| Information | Sample value |
|---|---|
| AD/LDAP URL | ldap://verse1.fyre.net |
| User search base | CN=centos,DC=fyre,DC=net |
| Read-only bind user | CN=hadoopsearch,CN=centos,DC=fyre,DC=net |
| Bind user password | secret |
User synchronization
There are plenty of possible configuration options, but the settings below are a good starting point.
- Enable LDAP groups : org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder

- ranger.usersync.ldap.binddn : CN=hadoopsearch,CN=centos,DC=fyre,DC=net
- ranger.usersync.ldap.ldapbindpassword : secret
- ranger.usersync.ldap.url : ldaps://verse1.fyre.net
- ranger.usersync.ldap.searchBase : CN=centos,DC=fyre,DC=net
- ranger.usersync.group.search.first.enabled : checked. This setting restricts the scope of the users searched: only users belonging to groups found in the search base are imported. Otherwise there is a risk that the whole AD tree will end up in the Ranger list of users. On the other hand, users not belonging to any group are ignored.

Group synchronization
- Usersync Enable User Search, ranger.usersync.user.searchenabled : true
- Usersync Enable Group Search First, ranger.usersync.group.search.first.enabled : true
- Usersync User Group Name Attribute, ranger.usersync.ldap.user.groupnameattribute : sAMAccountName
- Usersync Group Object Class, ranger.usersync.group.objectclass : group
- Usersync Group Member Attribute, ranger.usersync.group.memberattributename : member
- Usersync Group Search Base, ranger.usersync.group.searchbase : CN=centos,DC=fyre,DC=net
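The following is an added illustration (not code from the wiki or from Ranger) of what the user and group synchronization settings above do: with group search first enabled, only members of groups found under the search base are imported, while without it every user object under the base, service accounts included, lands in Ranger. The directory entries are constructed sample data modelled on the page's DNs, not a live AD.

```python
# Added illustration of the Ranger usersync settings on this page: how the
# "group search first" switch narrows which AD users are imported. The directory
# below is constructed sample data (not a live AD), modelled as DN -> attributes.
SEARCH_BASE = "CN=centos,DC=fyre,DC=net"      # ranger.usersync.ldap.searchBase
GROUP_OBJECTCLASS = "group"                   # ranger.usersync.group.objectclass
GROUP_MEMBER_ATTR = "member"                  # ranger.usersync.group.memberattributename
GROUP_NAME_ATTR = "sAMAccountName"            # ranger.usersync.ldap.user.groupnameattribute

DIRECTORY = {
    "CN=hadoopsearch,CN=centos,DC=fyre,DC=net": {          # read-only bind account
        "objectClass": ["user"], "sAMAccountName": "hadoopsearch"},
    "CN=alice,CN=centos,DC=fyre,DC=net": {"objectClass": ["user"], "sAMAccountName": "alice"},
    "CN=bob,CN=centos,DC=fyre,DC=net": {"objectClass": ["user"], "sAMAccountName": "bob"},
    "CN=carol,CN=Users,DC=fyre,DC=net": {"objectClass": ["user"], "sAMAccountName": "carol"},
    "CN=hadoopadmins,CN=centos,DC=fyre,DC=net": {
        "objectClass": ["group"], "sAMAccountName": "hadoopadmins",
        "member": ["CN=alice,CN=centos,DC=fyre,DC=net"]},
}

def under_base(dn, base):
    """Subtree scope check: the DN lies under the search base (DNs compare case-insensitively)."""
    return dn.lower() == base.lower() or dn.lower().endswith("," + base.lower())

def search(directory, base, objectclass):
    """Entries under `base` whose objectClass contains `objectclass`."""
    return {dn: a for dn, a in directory.items()
            if under_base(dn, base) and objectclass in a["objectClass"]}

def usersync(directory, base, group_search_first):
    """Return (users, groups) as Ranger would import them under the given setting."""
    groups = {a[GROUP_NAME_ATTR]: [m for m in a.get(GROUP_MEMBER_ATTR, []) if m in directory]
              for a in search(directory, base, GROUP_OBJECTCLASS).values()}
    if group_search_first:
        # Only members of the groups found under the search base are imported;
        # users that belong to no group (bob) are ignored.
        member_dns = {m for members in groups.values() for m in members}
        users = [directory[m]["sAMAccountName"] for m in member_dns]
    else:
        # Every user object under the search base is imported, service accounts included.
        users = [a["sAMAccountName"] for a in search(directory, base, "user").values()]
    return sorted(users), {g: sorted(directory[m]["sAMAccountName"] for m in ms)
                           for g, ms in groups.items()}

if __name__ == "__main__":
    for flag in (False, True):
        users, groups = usersync(DIRECTORY, SEARCH_BASE, flag)
        print(f"group.search.first.enabled={str(flag).lower()}: users={users} groups={groups}")
```

Note that carol, who sits outside the search base, is imported under neither setting, while the hadoopsearch bind account is imported whenever group search first is off.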
Enable Ranger authorization for services
https://github.com/stanislawbartkowski/hdpactivedirectory/wiki/Ranger-HDFS-plugin