If you want to use an account in an LDAP server to log on to the Ranger UI, interconnect Ranger Admin with the LDAP server.

Background information

Ranger has both internal users and external users. The external users, such as users from an LDAP server or the UNIX system, have no impact on internal users. Only administrators can perform operations such as adding services or modifying policies. Common users can only view the information of services and policies. The default user admin can configure user permissions and upgrade common users to administrators in the Settings menu on the Ranger UI.

Configure interconnection

  1. Open the install.properties file.
    cd /usr/lib/ranger-admin-current
    vim install.properties
  2. Change the value of authentication_method to LDAP and configure the following items:
    xa_ldap_url = ldap://emr-header-1:10389
    xa_ldap_userDNpattern = uid={0},ou=people,o=emr
    xa_ldap_base_dn = ou=people,o=emr
    xa_ldap_bind_dn = uid=admin,o=emr
    xa_ldap_bind_password = [password]

    The preceding example demonstrates the interconnection of EMR OpenLDAP. If you interconnect Ranger Admin with a user-created LDAP server, you need to configure the items based on the description in the following table. For more information, see the official Ranger Admin installation guide.

    | Configuration item | Description |
    | --- | --- |
    | xa_ldap_url | The URL of the LDAP service. Example: ldap://127.0.0.1:389. |
    | xa_ldap_userDNpattern | The pattern that matches a logon user with an LDAP distinguished name. For example, if the value of this parameter is uid={0},ou=users,dc=example,dc=com and the logon user is hadoop, the LDAP distinguished name is uid=hadoop,ou=users,dc=example,dc=com. |
    | xa_ldap_base_dn | The user search domain in the LDAP server. Example: dc=example,dc=com. |
    | xa_ldap_bind_dn | The distinguished name used to connect to the LDAP server and query users and user groups. Example: cn=ldapadmin,ou=users,dc=example,dc=com. |
    | xa_ldap_bind_password | The password of the distinguished name that is used to connect to the LDAP server. |
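
A pre-flight check for the settings above, run before setup.sh. This is an added example, not part of the Ranger or EMR documentation. The function names `prop`, `user_dn` and `check_ldap_props`, the sample file and its placeholder password are assumptions made for illustration, and the `ldap://` and file-permission warnings are this example's own checks.

```shell
# Added example: check the LDAP keys in a Ranger Admin install.properties file.
# prop FILE KEY: print the value of KEY (spaces around '=' are tolerated).
prop() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1
}

# user_dn FILE LOGIN: the DN that results when {0} is replaced by LOGIN (assumed to be a plain name).
user_dn() {
  prop "$1" xa_ldap_userDNpattern | sed "s/{0}/$2/g"
}

# check_ldap_props FILE: print findings; return 1 if any FAIL was reported.
check_ldap_props() {
  f=$1; rc=0
  [ "$(prop "$f" authentication_method)" = "LDAP" ] || { echo "FAIL: authentication_method is not LDAP"; rc=1; }
  for k in xa_ldap_url xa_ldap_userDNpattern xa_ldap_base_dn xa_ldap_bind_dn xa_ldap_bind_password; do
    [ -n "$(prop "$f" "$k")" ] || { echo "FAIL: $k is missing or empty"; rc=1; }
  done
  case "$(prop "$f" xa_ldap_userDNpattern)" in
    *'{0}'*) ;;
    *) echo "FAIL: xa_ldap_userDNpattern has no {0} placeholder"; rc=1 ;;
  esac
  case "$(prop "$f" xa_ldap_url)" in
    ldaps://*) ;;
    ldap://*) echo "WARN: xa_ldap_url uses ldap://, which does not encrypt LDAP bind passwords in transit" ;;
    *) echo "FAIL: xa_ldap_url is not an ldap:// or ldaps:// URL"; rc=1 ;;
  esac
  # The file stores xa_ldap_bind_password in cleartext, so it should not be world-readable.
  [ -z "$(find "$f" -perm -004)" ] || echo "WARN: $f is world-readable"
  return "$rc"
}

# Constructed sample that mirrors the EMR OpenLDAP values; the password is a placeholder.
write_sample() {
  cat > "$1" <<'EOF'
authentication_method = LDAP
xa_ldap_url = ldap://emr-header-1:10389
xa_ldap_userDNpattern = uid={0},ou=people,o=emr
xa_ldap_base_dn = ou=people,o=emr
xa_ldap_bind_dn = uid=admin,o=emr
xa_ldap_bind_password = constructed-placeholder
EOF
}

sample=$(mktemp)
write_sample "$sample"
echo "hadoop binds as: $(user_dn "$sample" hadoop)"
check_ldap_props "$sample" && echo "OK: no FAIL findings"
rm -f "$sample"
```

To check a real installation, call `check_ldap_props /usr/lib/ranger-admin-current/install.properties` instead of the sample file.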

Validate the interconnection

  1. After you configure the items, run the setup.sh script in the /usr/lib/ranger-admin-current directory.
  2. Restart Ranger Admin in the EMR console to validate the interconnection.
    1. Log on to the Alibaba Cloud E-MapReduce console.
    2. Click the Cluster Management tab.
    3. Find the target cluster and click Details in the Actions column. In the left-side navigation pane, choose Cluster Service > RANGER.
    4. In the Component section, find RangerAdmin and click Restart in the Actions column.