Ranger - stanislawbartkowski/hdpactivedirectory GitHub Wiki

Ranger

Ranger is a service that provides unified security management for a Hadoop cluster. It is recommended to enable the Ranger framework and have a single security control center. Several lessons learned:

  • The minimal synchronization period for an LDAP/AD source is 1 hour regardless of the value of ranger.usersync.sleeptimeinmillisbetweensynccycle; a smaller value is raised to 1 hour. The only way to have Ranger synchronized with AD immediately is to restart the Ranger service.
  • The effective group membership is the one reported by HDFS (hdfs groups {username}), i.e. the Hadoop group mapping of the cluster, not the membership synchronized into Ranger. If the membership held by Ranger does not match what HDFS reports, Ranger group authorization is not effective: the user's privileges are not inherited from such groups.
  • The "Enable Group Search First" switch means that AD users who do not belong to any of the AD groups under consideration are ignored and are not synchronized.

Enable Ranger for Active Directory

Prerequisites

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.5/bk_security/content/configuring_ranger_authentication.html
Make sure that the LDAP/LDAPS connection to AD is working. More details:
https://github.com/stanislawbartkowski/hdpactivedirectory/wiki/Knox#prerequisites-for-active-directoryldap-authentication
On the Ranger host, verify that the /etc/ranger-usersync/2.6.5.1050-37/0/.ugsync.jceks.crc file (the checksum file of the usersync credential store, which holds the LDAP bind password) can be read by the ranger user. If not, run the command:

chown ranger:ranger /etc/ranger-usersync/2.6.5.1050-37/0/.ugsync.jceks.crc

Collect data

Configuration label    | Description                                                                 | AD Example                               | OpenLDAP Example
-----------------------|-----------------------------------------------------------------------------|------------------------------------------|------------------------
LDAP/AD URL            | AD/LDAP URL                                                                 | ldap://verse1.fyre.net                   | ldap://ldap.sb.com:389
Bind User              | DN of a read-only user able to search the directory tree                    | CN=hadoopsearch,CN=centos,DC=fyre,DC=net | cn=proxy,dc=sb,dc=com
Bind User Password     | Password of the bind user                                                   | ****                                     |
Username Attribute     | AD/LDAP user name attribute                                                 | sAMAccountName                           | uid
User Object Class      | AD/LDAP user object class                                                   | person                                   | posixAccount
User Search Base       | Container for users, limits the range of users searched                     | CN=centos,DC=fyre,DC=net                 | dc=sb,dc=com
Group Member Attribute | Group attribute listing the members (DNs in AD, uid values in posixGroup)   | member                                   | memberUid
Group Name Attribute   | AD/LDAP group name attribute                                                | sAMAccountName                           | cn
Group Object Class     | AD/LDAP group object class                                                  | group                                    | posixGroup
Group Search Base      | Container for groups                                                        | CN=centos,DC=fyre,DC=net                 | dc=sb,dc=com

Configure Ranger for AD

Ranger->Configs->Ranger User Info->Common Configs

Switch on "Enable User Sync".
For "Sync Source", select LDAP/AD.
Fill in all information required, using the values collected above.

Ranger->Configs->Ranger User Info->User configs

Switch on "Group User Map Sync" and "Enable User Search".
Fill in all information required.

Ranger->Configs->Ranger User Info->Group Configs

Switch on "Enable Group Sync" and "Enable Group Search First".
Fill in all information requested.

Verify

Check the content of the /var/log/ranger/usersync/usersync.log file. Look for information about the groups and users identified; every expected group should appear with a non-zero member count, and every expected user should appear in an "Updating user count" line.

12 Feb 2019 14:41:17  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - longUserName: CN=User3,CN=centos,DC=fyre,DC=net, userName: User3
12 Feb 2019 14:41:17  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - longUserName: CN=User2,CN=centos,DC=fyre,DC=net, userName: User2
12 Feb 2019 14:41:17  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - longUserName: CN=User1,CN=centos,DC=fyre,DC=net, userName: User1
12 Feb 2019 14:41:17  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - No. of members in the group centosgroup = 3
12 Feb 2019 14:41:17  INFO LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - Using principal = rangerusersync/[email protected] and keytab = /etc/security/keytabs/rangerusersync.service.keytab
12 Feb 2019 14:41:17  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - longUserName: CN=User3,CN=centos,DC=fyre,DC=net, userName: User3
12 Feb 2019 14:41:17  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - No. of members in the group datascience = 1
12 Feb 2019 14:41:17  INFO LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - Using principal = rangerusersync/[email protected] and keytab = /etc/security/keytabs/rangerusersync.service.keytab
12 Feb 2019 14:41:17  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - longUserName: CN=User2,CN=centos,DC=fyre,DC=net, userName: User2
12 Feb 2019 14:41:17  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - No. of members in the group dataadmin = 1
12 Feb 2019 14:41:17  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder.getGroups() completed with group count: 3
12 Feb 2019 14:41:17  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - User search is enabled and hence computing user membership.
12 Feb 2019 14:41:17  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - extendedUserSearchFilter = (&(objectclass=person)(|(uSNChanged>=0)(modifyTimestamp>=19700101010000Z)))
12 Feb 2019 14:41:17  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - uSNChangedVal = 2548035and currentDeltaSyncTime = 2548035
12 Feb 2019 14:41:18  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - Updating user count: 1, userName: user1
12 Feb 2019 14:41:18  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - uSNChangedVal = 2548201and currentDeltaSyncTime = 2548201
12 Feb 2019 14:41:18  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - Updating user count: 2, userName: user2
12 Feb 2019 14:41:18  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - uSNChangedVal = 2548395and currentDeltaSyncTime = 2548395
12 Feb 2019 14:41:18  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - Updating user count: 2, userName: sb
12 Feb 2019 14:41:18  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - uSNChangedVal = 2564611and currentDeltaSyncTime = 2564611
12 Feb 2019 14:41:18  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - Updating user count: 2, userName: hadoopsearch
12 Feb 2019 14:41:18  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - uSNChangedVal = 2580283and currentDeltaSyncTime = 2580283
12 Feb 2019 14:41:19  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - Updating user count: 3, userName: user3

Open the Ranger admin panel; the AD users and groups found should be listed there.

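As an added example (not part of the original page and not Ranger's own code), the following Python script turns the log check above into something repeatable: it parses one sync cycle of usersync.log and flags groups that synchronized with no members and group members that were never synchronized as users. The sample log embedded in the script is built from the lines shown above, with one constructed `emptygroup = 0` line added and user2's `Updating user count` line left out so that both findings fire. The regular expressions are assumptions fitted to the message formats shown above and may need adjusting for other Ranger versions.

```python
import re
from collections import defaultdict

# Sample input: usersync.log lines from this page, plus one constructed line
# ("emptygroup = 0") and with user2's "Updating user count" line left out,
# so that both failure modes checked below are exercised.
SAMPLE_LOG = """\
12 Feb 2019 14:41:17  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - longUserName: CN=User3,CN=centos,DC=fyre,DC=net, userName: User3
12 Feb 2019 14:41:17  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - longUserName: CN=User2,CN=centos,DC=fyre,DC=net, userName: User2
12 Feb 2019 14:41:17  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - longUserName: CN=User1,CN=centos,DC=fyre,DC=net, userName: User1
12 Feb 2019 14:41:17  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - No. of members in the group centosgroup = 3
12 Feb 2019 14:41:17  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - longUserName: CN=User3,CN=centos,DC=fyre,DC=net, userName: User3
12 Feb 2019 14:41:17  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - No. of members in the group datascience = 1
12 Feb 2019 14:41:17  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - longUserName: CN=User2,CN=centos,DC=fyre,DC=net, userName: User2
12 Feb 2019 14:41:17  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - No. of members in the group dataadmin = 1
12 Feb 2019 14:41:17  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - No. of members in the group emptygroup = 0
12 Feb 2019 14:41:17  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder.getGroups() completed with group count: 4
12 Feb 2019 14:41:17  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - User search is enabled and hence computing user membership.
12 Feb 2019 14:41:17  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - uSNChangedVal = 2548035and currentDeltaSyncTime = 2548035
12 Feb 2019 14:41:18  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - Updating user count: 1, userName: user1
12 Feb 2019 14:41:18  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - uSNChangedVal = 2580283and currentDeltaSyncTime = 2580283
12 Feb 2019 14:41:19  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - Updating user count: 3, userName: user3
"""

# Message formats as they appear in the log above (assumed stable for this Ranger version).
MEMBER_RE = re.compile(r"longUserName: (?P<dn>.+?), userName: (?P<name>\S+)")
GROUP_RE = re.compile(r"No\. of members in the group (?P<group>\S+) = (?P<count>\d+)")
USER_RE = re.compile(r"Updating user count: \d+, userName: (?P<name>\S+)")
USN_RE = re.compile(r"uSNChangedVal = (?P<usn>\d+)and currentDeltaSyncTime")
TOTAL_RE = re.compile(r"getGroups\(\) completed with group count: (?P<count>\d+)")


def parse_usersync_log(text):
    """Reduce one sync cycle to: group -> member count, group -> member names,
    synced users, the highest uSNChanged seen (the delta-sync watermark) and
    the group total the builder reported."""
    report = {"groups": {}, "members": defaultdict(list), "users": [],
              "max_usn": None, "group_count": None}
    pending = []  # member lines precede their group's "No. of members" line
    for line in text.splitlines():
        m = MEMBER_RE.search(line)
        if m:
            pending.append(m.group("name"))
            continue
        m = GROUP_RE.search(line)
        if m:
            report["groups"][m.group("group")] = int(m.group("count"))
            report["members"][m.group("group")] = pending
            pending = []
            continue
        m = USER_RE.search(line)
        if m:
            report["users"].append(m.group("name"))
            continue
        m = USN_RE.search(line)
        if m:
            usn = int(m.group("usn"))
            report["max_usn"] = usn if report["max_usn"] is None else max(report["max_usn"], usn)
            continue
        m = TOTAL_RE.search(line)
        if m:
            report["group_count"] = int(m.group("count"))
    return report


def check_sync(report):
    """Return human-readable findings; an empty list means the cycle looks sane."""
    findings = []
    # Case-insensitive on purpose: the log above shows "User3" as a member but
    # "user3" as the synced user (see the case-conversion section of this page).
    synced = {u.lower() for u in report["users"]}
    for group, count in report["groups"].items():
        if count == 0:
            findings.append(f"group {group} has no members: a policy granted to it grants nothing")
        elif count != len(report["members"][group]):
            findings.append(f"group {group}: summary says {count} members, "
                            f"{len(report['members'][group])} member lines parsed")
    for group, names in report["members"].items():
        for name in names:
            if name.lower() not in synced:
                findings.append(f"member {name} of {group} was not synced as a user "
                                f"(outside the User Search Base or filtered out?)")
    if report["group_count"] is not None and report["group_count"] != len(report["groups"]):
        findings.append(f"getGroups() reported {report['group_count']} groups, "
                        f"{len(report['groups'])} parsed")
    return findings


if __name__ == "__main__":
    rep = parse_usersync_log(SAMPLE_LOG)
    print(f"groups={dict(rep['groups'])} users={rep['users']} "
          f"next delta sync starts from uSNChanged>={rep['max_usn']}")
    for finding in check_sync(rep):
        print("WARN", finding)
```

Run it against a real file with `parse_usersync_log(open("/var/log/ranger/usersync/usersync.log").read())`, ideally on the portion written by a single cycle; a member reported for a group but missing from the user list is the usual sign that the User Search Base or the user filter is narrower than the Group Search Base.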

Lower/upper case in user and group names

Two additional usersync parameters control the case of the synchronized names. Pick the setting that makes Ranger's user and group names identical to what the Hadoop group mapping (hdfs groups) and the Kerberos short names use, otherwise group policies silently stop matching.

Parameter                                      | Description                                               | Default             | Values
-----------------------------------------------|-----------------------------------------------------------|---------------------|-------------------
ranger.usersync.ldap.groupname.caseconversion  | Modify group names to lower/upper case or keep unchanged  | none (preserve case)| none, upper, lower
ranger.usersync.ldap.username.caseconversion   | The same for user names                                   | none (preserve case)| none, upper, lower
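The two lessons, that the HDFS group mapping decides what a group policy applies to and that case conversion changes the names Ranger holds, can be checked together. The following Python script is an added example, not code from this page or from Ranger: it simulates what usersync would store under each caseconversion setting and compares it, name for name, with what `hdfs groups` reports. The AD memberships and the `hdfs groups` output embedded in it are constructed samples; the comparison is exact (case-sensitive), which assumes the conservative case where names differing only in case do not match.

```python
import subprocess

# Constructed sample: memberships as read from AD (mixed case, as AD stores them).
SAMPLE_LDAP_MEMBERSHIP = {
    "CentosGroup": ["User1", "User2", "User3"],
    "DataScience": ["User3"],
    "DataAdmin": ["User2"],
}

# Constructed sample: what `hdfs groups user1 user2 user3` prints on a cluster
# whose Hadoop group mapping (e.g. SSSD) lower-cases names.
SAMPLE_HDFS_GROUPS = """\
user1 : centosgroup
user2 : centosgroup dataadmin
user3 : centosgroup datascience
"""

# The three accepted values of ranger.usersync.ldap.{username,groupname}.caseconversion.
CASE_MODES = {"none": lambda s: s, "lower": str.lower, "upper": str.upper}


def convert(name, mode):
    """Apply one caseconversion setting to one name."""
    if mode not in CASE_MODES:
        raise ValueError(f"caseconversion must be one of {sorted(CASE_MODES)}, got {mode!r}")
    return CASE_MODES[mode](name)


def ranger_membership_after_sync(ldap_membership, username_case="none", groupname_case="none"):
    """user -> set of groups as Ranger admin would hold them after a sync with these settings."""
    view = {}
    for group, members in ldap_membership.items():
        g = convert(group, groupname_case)
        for member in members:
            view.setdefault(convert(member, username_case), set()).add(g)
    return view


def parse_hdfs_groups(output):
    """Parse `hdfs groups` output ('user : g1 g2 ...') into user -> set of groups."""
    view = {}
    for line in output.splitlines():
        user, sep, groups = line.partition(":")
        if sep:
            view[user.strip()] = set(groups.split())
    return view


def hdfs_groups(users):
    """Ask the cluster itself: this is the membership the Ranger HDFS plugin enforces with."""
    out = subprocess.run(["hdfs", "groups", *users], check=True,
                         capture_output=True, text=True).stdout
    return parse_hdfs_groups(out)


def membership_drift(hdfs_view, ranger_view):
    """Users whose groups differ between HDFS and Ranger. Names are compared exactly
    (case-sensitive). A group listed under only_in_ranger is one whose Ranger policies
    will not take effect for that user."""
    drift = {}
    for user in sorted(set(hdfs_view) | set(ranger_view)):
        h, r = hdfs_view.get(user, set()), ranger_view.get(user, set())
        if h != r:
            drift[user] = {"only_in_ranger": sorted(r - h), "only_in_hdfs": sorted(h - r)}
    return drift


if __name__ == "__main__":
    hdfs = parse_hdfs_groups(SAMPLE_HDFS_GROUPS)  # replace with hdfs_groups([...]) on a cluster
    for ucase, gcase in (("none", "none"), ("lower", "none"), ("lower", "lower")):
        ranger = ranger_membership_after_sync(SAMPLE_LDAP_MEMBERSHIP, ucase, gcase)
        print(f"username={ucase} groupname={gcase}: drift={membership_drift(hdfs, ranger)}")
```

With both settings left at `none`, every user drifts: Ranger knows `User3` in `CentosGroup`, while HDFS authorizes `user3` in `centosgroup`, so a policy written for `centosgroup` never applies to the user. Setting both parameters to `lower` on this sample removes the drift; on a real cluster, run the comparison against `hdfs_groups(...)` after each sync.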

Secure LDAP

Obtain the AD certificate and make sure that the secure connection to AD/LDAP is working: https://github.com/stanislawbartkowski/wikis/wiki/HDP-2.6.5-3.1-and-Active-Directory#get-ad-certificate
In the Ranger configuration panel, change the LDAP URL to the secure one. Example: ldaps://verse1.fyre.net
Prepare the following data:

  • Usersync truststore, example: /usr/hdp/current/ranger-usersync/conf/mytruststore.jks
  • Usersync truststore password
  • AD certificate, example: /etc/openldap/adroot.crt

Create the truststore containing the AD certificate. Run it as the ranger user so that the usersync process can read the file; keytool prompts for the truststore password, which must match the one configured below.

keytool -import -file /etc/openldap/adroot.crt -alias usersync -keystore /usr/hdp/current/ranger-usersync/conf/mytruststore.jks

Verify:

keytool -list -keystore /usr/hdp/current/ranger-usersync/conf/mytruststore.jks

Enter keystore password:  
Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

usersync, Mar 24, 2020, trustedCertEntry, 
Certificate fingerprint (SHA1): 67:E2:01:ED:36:1C:1F:4B:AA:2C:B5:07:D1:92:E6:5E:B3:70:ED:8E

In the Ambari console, configure the truststore: Ambari -> Ranger -> Advanced -> Advanced ranger-ugsync-site, setting ranger.usersync.truststore.file and ranger.usersync.truststore.password to the values prepared above, then restart Ranger Usersync.
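Before switching the URL to ldaps://, it is worth confirming outside of Java that the certificate you imported is the one that actually validates the AD server. The following Python script is an added example (not from this page or from Ranger): it prints the fingerprint of the local certificate file in the format `keytool -list` uses, so it can be compared with the truststore entry shown above, and then completes a TLS handshake with the AD host trusting only that file, with hostname verification on. The host and file names in the `__main__` block are the examples used on this page.

```python
import base64
import hashlib
import socket
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def pem_to_der(pem):
    """Decode the first PEM certificate block in a string to DER bytes."""
    start = pem.find(PEM_HEADER)
    end = pem.find(PEM_FOOTER, start)
    if start < 0 or end < 0:
        raise ValueError("no PEM certificate block found")
    body = pem[start + len(PEM_HEADER):end]
    return base64.b64decode("".join(body.split()))


def load_cert_der(path):
    """Read a certificate file that is either PEM or binary DER (AD exports both)."""
    with open(path, "rb") as f:
        data = f.read()
    if data.lstrip().startswith(b"-----BEGIN"):
        return pem_to_der(data.decode("ascii"))
    return data


def keytool_fingerprint(der, algorithm="sha1"):
    """Fingerprint in the colon-separated upper-case form that `keytool -list` prints."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def ldaps_handshake(host, cafile, port=636, timeout=10):
    """Complete a TLS handshake with the AD server trusting only `cafile` (a PEM file,
    the same certificate you imported into the truststore) and verifying the hostname.
    Returns the TLS version and the fingerprint of the certificate the server presented;
    raises ssl.SSLCertVerificationError if the chain or the hostname does not verify."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED and check_hostname=True
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), keytool_fingerprint(tls.getpeercert(binary_form=True))


if __name__ == "__main__":
    import sys
    # Defaults are the example values from this page; pass host and file as arguments instead.
    host, cafile = sys.argv[1:3] if len(sys.argv) == 3 else ("verse1.fyre.net", "/etc/openldap/adroot.crt")
    print("local certificate fingerprint (compare with keytool -list):",
          keytool_fingerprint(load_cert_der(cafile)))
    version, leaf = ldaps_handshake(host, cafile)
    print(f"LDAPS handshake OK ({version}); server presented certificate {leaf}")
```

If the handshake fails on the hostname, the name in the ldaps:// URL does not match the certificate's subject alternative names; Java 8u181 and later enforces the same endpoint identification for LDAPS, so usersync would fail in the same way. Note that the fingerprint of the certificate the server presents is that of the leaf, which differs from the root CA fingerprint shown by `keytool -list` when you imported a root certificate; the handshake succeeding is what proves the imported root validates it. If the file is a binary DER export, convert it to PEM for the handshake (`openssl x509 -inform der -in adroot.crt -out adroot.pem`); keytool accepts either form.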
