This topic describes how to integrate Ranger Admin with an LDAP server. After the
integration, you can use an account in the LDAP server to log on to the Ranger web
UI.
Background information
Ranger has both internal users and external users. The LDAP and UNIX users synchronized
to Ranger are external users. Users created in the Ranger web UI are internal users.
You can grant permissions to both internal and external users in Ranger.
After Ranger Admin is integrated with an LDAP server, a user of the LDAP server can
log on to the Ranger web UI. After logon, Ranger automatically creates this user as
an external user on the Users page. By default, this user can only view the information
of Ranger services and policies. The admin user can upgrade standard users to administrators
on the Users page.
Limits
You can enable LDAP authentication with one click for a Hadoop cluster only in EMR
V3.34.0 and later V3.X.X, and in EMR V4.8.0 and later V4.X.X.
EMR V3.28.0 and later V3.X.X, and EMR V4.3.0 and later V4.X.X
- Go to the Configure tab for the Ranger service.
  - Log on to the Alibaba Cloud EMR console.
  - In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
  - Click the Cluster Management tab.
  - Find your cluster and click Details in the Actions column.
  - In the left-side navigation pane, choose .
  - Click the Configure tab.
- Configure parameters on the ranger-admin-site tab.
  - In the Service Configuration section, click the ranger-admin-site tab.
  - Configure the parameters listed in the following table to synchronize LDAP users to Ranger.
| Parameter | Required value |
| --- | --- |
| ranger.ldap.bind.dn | uid=admin,o=emr |
| ranger.ldap.bind.password | Value of the manager_password parameter on the Configure tab for the OpenLDAP service |
| ranger.ldap.base.dn | ou=people,o=emr |
| ranger.authentication.method | LDAP |
| ranger.ldap.url | ldap://emr-header-1:10389 |
| ranger.ldap.user.dnpattern | uid={0},ou=people,o=emr |
- Restart Ranger Admin for the configurations to take effect.
  - In the left-side navigation pane, choose .
  - In the Components section, find the RangerAdmin parameter and click Restart in the Actions column.
  - In the Cluster Activities dialog box, configure the parameters.
  - Click OK.
  - In the Confirm message, click OK.
EMR V3.X.X earlier than V3.28.0 and EMR V4.X.X earlier than V4.3.0
- Connect to the emr-header-1 node of the cluster. For more information, see Log on to a cluster.
- Open the install.properties file.
cd /usr/lib/ranger-usersync-current
vim install.properties
- Configure the following information in the file:
authentication_method = LDAP
xa_ldap_url = ldap://emr-header-1:10389
xa_ldap_userDNpattern = uid={0},ou=people,o=emr
xa_ldap_base_dn = ou=people,o=emr
xa_ldap_bind_dn = uid=admin,o=emr
xa_ldap_bind_password = [password]
The preceding example demonstrates the integration of EMR OpenLDAP. If you integrate
Ranger Admin with a self-managed LDAP server, you must configure the parameters based
on the description in the following table. For more information about the parameters,
see the official Ranger Admin installation guide.
| Parameter | Description |
| --- | --- |
| xa_ldap_url | The URL of the LDAP service. Example: ldap://ldap.example.com:389. |
| xa_ldap_userDNpattern | The pattern that matches a logon user with an LDAP distinguished name (DN). For example, if the value of this parameter is uid={0},ou=users,dc=example,dc=com and the logon user is hadoop, the LDAP DN is uid=hadoop,ou=users,dc=example,dc=com. |
| xa_ldap_base_dn | The user search domain in the LDAP server. Example: ou=users,dc=example,dc=com. |
| xa_ldap_bind_dn | The distinguished name (DN) used to connect to the LDAP server to query users and user groups. Example: cn=ldapadmin,ou=users,dc=example,dc=com. |
| xa_ldap_bind_password | The password of the DN that is used to connect to the LDAP server. |
- Run the setup.sh command in the /usr/lib/ranger-usersync-current directory of the emr-header-1 node.
cd /usr/lib/ranger-usersync-current
sh setup.sh
- Restart Ranger Admin for the configurations to take effect.
  - In the left-side navigation pane, choose .
  - In the Components section, find the RangerAdmin parameter and click Restart in the Actions column.
  - In the Cluster Activities dialog box, configure the parameters.
  - Click OK.
  - In the Confirm message, click OK.
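
A pre-flight check for the install.properties keys used in the procedure above, meant to be run before `sh setup.sh`. This is an added example, not code from the EMR documentation or the Apache Ranger project; the function names and the choice of checks are assumptions of this example, and SAMPLE is the listing from this page used as constructed input.

```python
import re

REQUIRED = ("authentication_method", "xa_ldap_url", "xa_ldap_userDNpattern",
            "xa_ldap_base_dn", "xa_ldap_bind_dn", "xa_ldap_bind_password")

def parse_properties(text):
    """Parse 'key = value' lines; values may themselves contain '='."""
    pairs = (ln.split("=", 1) for ln in text.splitlines()
             if "=" in ln and not ln.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def escape_dn_value(value):
    """Escape a logon name for use as an attribute value in a DN (RFC 4514)."""
    out = re.sub(r'([\\,+"<>;])', r"\\\1", value).replace("\x00", "\\00")
    if out[:1] in ("#", " "):
        out = "\\" + out
    if len(value) > 1 and value.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def expand_dn(pattern, username):
    """Show the DN that a logon name maps to under xa_ldap_userDNpattern."""
    return pattern.replace("{0}", escape_dn_value(username))

def check_ldap_config(props):
    """Return findings for the LDAP keys; an empty list means none were flagged."""
    findings = [f"missing or empty: {k}" for k in REQUIRED if not props.get(k)]
    if findings:
        return findings
    if props["authentication_method"].upper() != "LDAP":
        findings.append("authentication_method is not LDAP")
    if not props["xa_ldap_url"].lower().startswith("ldaps://"):
        findings.append("xa_ldap_url is not ldaps://: no TLS from the URL scheme")
    if "{0}" not in props["xa_ldap_userDNpattern"]:
        findings.append("xa_ldap_userDNpattern has no {0} placeholder")
    if props["xa_ldap_bind_password"] == "[password]":
        findings.append("xa_ldap_bind_password still holds the [password] placeholder")
    return findings

# Constructed sample: the install.properties listing from this page, unchanged.
SAMPLE = """\
authentication_method = LDAP
xa_ldap_url = ldap://emr-header-1:10389
xa_ldap_userDNpattern = uid={0},ou=people,o=emr
xa_ldap_base_dn = ou=people,o=emr
xa_ldap_bind_dn = uid=admin,o=emr
xa_ldap_bind_password = [password]
"""
```

Calling `check_ldap_config(parse_properties(SAMPLE))` flags the ldap:// URL and the unreplaced password placeholder; `expand_dn` shows the DN a given logon name is bound as.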