If you want to configure access policies for a user synchronized from an LDAP server, interconnect Ranger UserSync with the LDAP server.
After Ranger UserSync is interconnected with an LDAP server, you can select users synchronized from that server when you configure access policies for a component. However, in this case, UNIX users are unavailable.
- Open the install.properties file.
  cd /usr/lib/ranger-usersync-current
  vim install.properties
- Change the value of SYNC_SOURCE to ldap and modify the following items:
  SYNC_LDAP_URL = ldap://emr-header-1:10389
  SYNC_LDAP_BIND_DN = uid=admin,o=emr
  SYNC_LDAP_BIND_PASSWORD = [password]
  SYNC_LDAP_USER_SEARCH_BASE = ou=people,o=emr
The preceding example demonstrates the interconnection of EMR OpenLDAP. If you interconnect Ranger UserSync with a user-created LDAP server, you need to configure the items based on the description in the following table. For more information, see the official Ranger UserSync installation guide.
| Configuration item | Description |
| --- | --- |
| SYNC_LDAP_URL | The URL of the LDAP service. |
| SYNC_LDAP_BIND_DN | The distinguished name used to connect to the LDAP server and query users and user groups. |
| SYNC_LDAP_BIND_PASSWORD | The password of the distinguished name that is used to connect to the LDAP server. |
| SYNC_LDAP_USER_SEARCH_BASE | The user search base in the LDAP server. |
Synchronize user groups
After you configure the preceding items, users in the LDAP server are synchronized to Ranger. However, user groups are not synchronized. If you want to authorize user groups in the LDAP server for a component, you need to synchronize the user groups from LDAP to Ranger. User group synchronization is complex. The main configuration items are as follows. (Currently, user groups in EMR OpenLDAP cannot be synchronized.)
SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE = gidNumber
SYNC_GROUP_SEARCH_ENABLED = true
SYNC_GROUP_USER_MAP_SYNC_ENABLED = true
SYNC_GROUP_SEARCH_BASE = ou=group,o=emr
SYNC_GROUP_OBJECT_CLASS = posixGroup
SYNC_GROUP_NAME_ATTRIBUTE = cn
SYNC_GROUP_MEMBER_ATTRIBUTE_NAME = memberUid
| Configuration item | Description |
| --- | --- |
| SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE | The name of the attribute in a user entry that indicates the user's group. |
| SYNC_GROUP_SEARCH_ENABLED | Specifies whether to search the LDAP server for all user groups, or to use the group attributes recorded in user entries to determine user groups. |
| SYNC_GROUP_USER_MAP_SYNC_ENABLED | Specifies whether to use an LDAP search to determine the mapping between users and user groups. |
| SYNC_GROUP_SEARCH_BASE | The user group search base in the LDAP server. |
| SYNC_GROUP_OBJECT_CLASS | The objectClass of a user group entry. |
| SYNC_GROUP_NAME_ATTRIBUTE | The attribute that holds the user group name in a user group entry. |
| SYNC_GROUP_MEMBER_ATTRIBUTE_NAME | The name of the attribute in a user group entry that lists the group's members. |
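Before running setup.sh, it is worth checking that the user and group items above are consistent with each other. The following script is an added example, not code from Ranger or the EMR documentation; it assumes install.properties uses the `KEY = value` line format shown on this page, and the sample content is constructed from the values above.

```python
import re

# Constructed sample of the install.properties lines this page configures.
SAMPLE = """
SYNC_SOURCE = ldap
SYNC_LDAP_URL = ldap://emr-header-1:10389
SYNC_LDAP_BIND_DN = uid=admin,o=emr
SYNC_LDAP_BIND_PASSWORD = [password]
SYNC_LDAP_USER_SEARCH_BASE = ou=people,o=emr
SYNC_GROUP_SEARCH_ENABLED = true
SYNC_GROUP_USER_MAP_SYNC_ENABLED = true
SYNC_GROUP_SEARCH_BASE = ou=group,o=emr
SYNC_GROUP_OBJECT_CLASS = posixGroup
SYNC_GROUP_NAME_ATTRIBUTE = cn
SYNC_GROUP_MEMBER_ATTRIBUTE_NAME = memberUid
"""

USER_KEYS = ("SYNC_LDAP_URL", "SYNC_LDAP_BIND_DN",
             "SYNC_LDAP_BIND_PASSWORD", "SYNC_LDAP_USER_SEARCH_BASE")
GROUP_KEYS = ("SYNC_GROUP_SEARCH_BASE", "SYNC_GROUP_OBJECT_CLASS",
              "SYNC_GROUP_NAME_ATTRIBUTE", "SYNC_GROUP_MEMBER_ATTRIBUTE_NAME")


def parse_properties(text):
    """Parse KEY = value lines; blank lines and # comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_usersync_ldap(props):
    """Return a list of findings; an empty list means the LDAP section is consistent."""
    findings = []
    if props.get("SYNC_SOURCE", "").lower() != "ldap":
        findings.append("SYNC_SOURCE is not ldap, so the LDAP items are ignored")
    for key in USER_KEYS:
        if not props.get(key):
            findings.append(f"{key} is missing or empty")
    url = props.get("SYNC_LDAP_URL", "")
    if not re.match(r"^ldaps?://[^\s/:]+(:\d+)?/?$", url):
        findings.append(f"SYNC_LDAP_URL is malformed: {url!r}")
    elif url.startswith("ldap://"):
        # Simple bind over plain ldap:// sends SYNC_LDAP_BIND_PASSWORD unencrypted.
        findings.append("SYNC_LDAP_URL uses ldap://; the bind password crosses the network in clear text")
    if props.get("SYNC_LDAP_BIND_PASSWORD") == "[password]":
        findings.append("SYNC_LDAP_BIND_PASSWORD still holds the placeholder")
    if props.get("SYNC_GROUP_SEARCH_ENABLED", "false").lower() == "true":
        for key in GROUP_KEYS:  # group sync needs the full set of group items
            if not props.get(key):
                findings.append(f"group sync is enabled but {key} is missing")
    return findings
```

Run it against your edited install.properties before executing setup.sh; for the sample above it reports the plain ldap:// URL and the unreplaced password placeholder.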
Validate the interconnection
- After you configure the items, you must run the setup.sh file in the
- Restart Ranger UserSync on the EMR console to validate the interconnection.
  - Log on to the Alibaba Cloud E-MapReduce console.
  - Click the Cluster Management tab.
  - Find the target cluster and click Details in the Actions column. In the left-side navigation pane, choose .
  - In the Component section, find RangerUserSync and click Restart in the Actions column.