If you want to configure access policies for a user synchronized from an LDAP server, interconnect Ranger UserSync with the LDAP server.

Background information

After Ranger UserSync is interconnected with an LDAP server, you can select a user synchronized from that server when you configure access policies for a component. However, local UNIX users are then unavailable for policies, because UserSync reads from only one source.

Configure interconnection

  1. Open the install.properties file.
    cd /usr/lib/ranger-usersync-current
    vim install.properties
  2. Change the value of SYNC_SOURCE to ldap and modify the following items:
    SYNC_LDAP_URL = ldap://emr-header-1:10389
    SYNC_LDAP_BIND_DN = uid=admin,o=emr
    SYNC_LDAP_BIND_PASSWORD = [password]
    SYNC_LDAP_USER_SEARCH_BASE = ou=people,o=emr

    The preceding example shows the interconnection with EMR OpenLDAP. If you interconnect Ranger UserSync with your own LDAP server, configure the items according to the following table. For more information, see the official Ranger UserSync installation guide.

    Configuration item           Description
    SYNC_LDAP_URL                The URL of the LDAP service. Example: ldap://ldap.example.com:389.
    SYNC_LDAP_BIND_DN            The distinguished name (DN) used to bind to the LDAP server and query users and user groups. Example: cn=ldapadmin,ou=users,dc=example,dc=com.
    SYNC_LDAP_BIND_PASSWORD      The password of the bind DN.
    SYNC_LDAP_USER_SEARCH_BASE   The base DN under which users are searched. Example: ou=users,dc=example,dc=com.

Synchronize user groups

After you configure the preceding items, users in the LDAP server are synchronized to Ranger, but user groups are not. If you want to authorize LDAP user groups for a component, you must also synchronize the user groups from LDAP to Ranger. User group synchronization involves more settings; the main configuration items are listed below. (Currently, user groups in EMR OpenLDAP cannot be synchronized.)

SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE = gidNumber
SYNC_GROUP_SEARCH_ENABLED = true
SYNC_GROUP_USER_MAP_SYNC_ENABLED = true
SYNC_GROUP_SEARCH_BASE = ou=group,o=emr
SYNC_GROUP_OBJECT_CLASS = posixGroup
SYNC_GROUP_NAME_ATTRIBUTE = cn
SYNC_GROUP_MEMBER_ATTRIBUTE_NAME = memberUid
Configuration item                   Description
SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE  The attribute in a user entry that identifies the user's group. Example: gidNumber (user objectClass=posixAccount).
SYNC_GROUP_SEARCH_ENABLED            Specifies whether user groups are determined by searching the LDAP group entries (true) or taken from the group attribute recorded in each user entry (false). Example: true.
SYNC_GROUP_USER_MAP_SYNC_ENABLED     Specifies whether the mapping between users and user groups is determined by LDAP search. Example: true.
SYNC_GROUP_SEARCH_BASE               The base DN under which user groups are searched. Example: ou=groups,dc=example,dc=com.
SYNC_GROUP_OBJECT_CLASS              The objectClass of a user group entry. Example: posixGroup.
SYNC_GROUP_NAME_ATTRIBUTE            The attribute that holds the group name in a user group entry. Example: cn.
SYNC_GROUP_MEMBER_ATTRIBUTE_NAME     The attribute in a user group entry that lists the group's members. Example: memberUid.
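
Before running setup.sh, it is worth checking that install.properties carries a consistent set of the user and group settings described above. The following script is an added example, not part of this guide or of Ranger UserSync: it parses the `KEY = value` format shown here, requires the four LDAP keys whenever SYNC_SOURCE is ldap, requires the group-side keys whenever SYNC_GROUP_SEARCH_ENABLED is true, rejects a malformed SYNC_LDAP_URL, and flags a plain ldap:// URL because the bind password would otherwise cross the network in cleartext. The sample file content is constructed.

```python
import re
REQUIRED_LDAP_KEYS = ("SYNC_LDAP_URL", "SYNC_LDAP_BIND_DN",
                      "SYNC_LDAP_BIND_PASSWORD", "SYNC_LDAP_USER_SEARCH_BASE")
REQUIRED_GROUP_KEYS = ("SYNC_GROUP_SEARCH_BASE", "SYNC_GROUP_OBJECT_CLASS",
                       "SYNC_GROUP_NAME_ATTRIBUTE", "SYNC_GROUP_MEMBER_ATTRIBUTE_NAME")
def parse_properties(text):
    """Parse 'KEY = value' lines in the format this guide shows; '#' starts a comment."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def check_usersync(props):
    """Return a list of problems; an empty list means the LDAP sync settings are consistent."""
    problems = []
    if props.get("SYNC_SOURCE", "").lower() != "ldap":
        problems.append("SYNC_SOURCE must be 'ldap' for LDAP synchronization")
    for key in REQUIRED_LDAP_KEYS:
        if not props.get(key):
            problems.append(f"{key} is missing or empty")
    url = props.get("SYNC_LDAP_URL", "")
    # The URL must be ldap(s)://host[:port] with no embedded whitespace.
    if not re.fullmatch(r"ldaps?://[^\s/]+", url):
        problems.append(f"SYNC_LDAP_URL '{url}' is not a well-formed ldap(s)://host[:port] URL")
    elif url.startswith("ldap://"):
        problems.append("SYNC_LDAP_URL is plain ldap://; without TLS the bind password crosses the network in cleartext")
    # Group search needs every group-side setting; the enabled flag alone syncs nothing.
    if props.get("SYNC_GROUP_SEARCH_ENABLED", "").lower() == "true":
        for key in REQUIRED_GROUP_KEYS:
            if not props.get(key):
                problems.append(f"{key} is required when SYNC_GROUP_SEARCH_ENABLED=true")
    return problems

# Constructed sample; the URL deliberately contains a stray space after // to exercise the check.
SAMPLE = """SYNC_SOURCE = ldap
SYNC_LDAP_URL = ldap:// emr-header-1:10389
SYNC_LDAP_BIND_DN = uid=admin,o=emr
SYNC_LDAP_BIND_PASSWORD = [password]
SYNC_LDAP_USER_SEARCH_BASE = ou=people,o=emr
SYNC_GROUP_SEARCH_ENABLED = true
SYNC_GROUP_SEARCH_BASE = ou=group,o=emr
"""
if __name__ == "__main__":
    for problem in check_usersync(parse_properties(SAMPLE)):
        print("-", problem)
```

Run it against the real file with `check_usersync(parse_properties(open("install.properties").read()))`; an empty list means setup.sh can proceed.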

Validate the interconnection

  1. After you configure the items, run setup.sh in /usr/lib/ranger-admin-current.
  2. Restart Ranger UserSync on the EMR console to validate the interconnection.
    1. Log on to the Alibaba Cloud E-MapReduce console.
    2. Click the Cluster Management tab.
    3. Find the target cluster and click Details in the Actions column. In the left-side navigation pane, choose Cluster Service > RANGER.
    4. In the Component section, find RangerUserSync and click Restart in the Actions column.