This topic describes how to integrate Ranger Admin with an LDAP server. After the integration, you can use an account in the LDAP server to log on to the Ranger web UI.

Background information

Ranger has both internal users and external users. The LDAP and UNIX users synchronized to Ranger are external users. Users created in the Ranger web UI are internal users. You can grant permissions to both internal and external users in Ranger.

After Ranger Admin is integrated with an LDAP server, a user of the LDAP server can log on to the Ranger web UI. After logon, Ranger automatically creates this user as an external user on the Users page. By default, this user can only view the information of Ranger services and policies. The admin user can upgrade standard users to administrators on the Users page.

Limits

You can enable LDAP authentication with one click for a Hadoop cluster only in EMR V3.34.0 and later V3.X.X, and in EMR V4.8.0 and later V4.X.X.

EMR V3.28.0 and later V3.X.X, and EMR V4.3.0 and later V4.X.X

  1. Go to the Configure tab for the Ranger service.
    1. Log on to the Alibaba Cloud EMR console.
    2. In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
    3. Click the Cluster Management tab.
    4. Find your cluster and click Details in the Actions column.
    5. In the left-side navigation pane, choose Cluster Service > RANGER.
    6. Click the Configure tab.
  2. Configure parameters on the ranger-admin-site tab.
    1. In the Service Configuration section, click the ranger-admin-site tab.
    2. Configure the parameters listed in the following table to synchronize LDAP users to Ranger.
      | Parameter | Required value |
      | --- | --- |
      | ranger.ldap.bind.dn | uid=admin,o=emr |
      | ranger.ldap.bind.password | Value of the manager_password parameter on the Configure tab for the OpenLDAP serviceopenldap_password |
      | ranger.ldap.base.dn | ou=people,o=emr |
      | ranger.authentication.method | LDAP |
      | ranger.ldap.url | ldap://emr-header-1:10389 |
      | ranger.ldap.user.dnpattern | uid={0},ou=people,o=emr |
  3. Restart Ranger Admin for the configurations to take effect.
    1. In the left-side navigation pane, choose Cluster Service > RANGER.
    2. In the Components section, find the RangerAdmin component and click Restart in the Actions column.
    3. In the Cluster Activities dialog box, configure the parameters.
    4. Click OK.
    5. In the Confirm message, click OK.

EMR V3.X.X earlier than V3.28.0 and EMR V4.X.X earlier than V4.3.0

  1. Connect to the emr-header-1 node of the cluster. For more information, see Log on to a cluster.
  2. Open the install.properties file.
    cd /usr/lib/ranger-usersync-current
    vim install.properties
  3. Configure the following information in the file:
    authentication_method = LDAP
    xa_ldap_url = ldap://emr-header-1:10389
    xa_ldap_userDNpattern = uid={0},ou=people,o=emr
    xa_ldap_base_dn = ou=people,o=emr
    xa_ldap_bind_dn = uid=admin,o=emr
    xa_ldap_bind_password = [password]
    The preceding example demonstrates the integration of EMR OpenLDAP. If you integrate Ranger Admin with a self-managed LDAP server, you must configure the parameters based on the description in the following table. For more information about the parameters, see the official Ranger Admin installation guide.
    | Parameter | Description |
    | --- | --- |
    | xa_ldap_url | The URL of the LDAP service. Example: ldap://ldap.example.com:389. |
    | xa_ldap_userDNpattern | The pattern that maps a logon user to an LDAP distinguished name (DN). For example, if the value of this parameter is uid={0},ou=users,dc=example,dc=com and the logon user is hadoop, the LDAP DN is uid=hadoop,ou=users,dc=example,dc=com. |
    | xa_ldap_base_dn | The user search domain in the LDAP server. Example: ou=users,dc=example,dc=com. |
    | xa_ldap_bind_dn | The distinguished name (DN) used to connect to the LDAP server to query users and user groups. Example: cn=ldapadmin,ou=users,dc=example,dc=com. |
    | xa_ldap_bind_password | The password of the DN that is used to connect to the LDAP server. |
  4. Run the setup.sh command in the /usr/lib/ranger-usersync-current directory of the emr-header-1 node.
    cd /usr/lib/ranger-usersync-current
    sh setup.sh
  5. Restart Ranger Admin for the configurations to take effect.
    1. In the left-side navigation pane, choose Cluster Service > RANGER.
    2. In the Components section, find the RangerAdmin component and click Restart in the Actions column.
    3. In the Cluster Activities dialog box, configure the parameters.
    4. Click OK.
    5. In the Confirm message, click OK.
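
A pre-flight check for the LDAP settings written to install.properties in step 3, which can be run before setup.sh. It is an added example, not part of the original procedure or of Ranger. The function names, the rule that the DN pattern should sit under the base DN, and the RFC 4514 escaping of the logon name are assumptions made here for illustration, not a description of what Ranger does internally.

```python
import re

REQUIRED = ("authentication_method", "xa_ldap_url", "xa_ldap_userDNpattern",
            "xa_ldap_base_dn", "xa_ldap_bind_dn", "xa_ldap_bind_password")

def parse_properties(text):
    """Parse 'key = value' lines, skipping blank lines and # comments."""
    pairs = (ln.split("=", 1) for ln in text.splitlines()
             if "=" in ln and not ln.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def norm_dn(dn):  # loose comparison form: lowercase, no spaces around , and =
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()

def escape_dn_value(value):
    """Escape a string for use as an attribute value in a DN (RFC 4514)."""
    out = re.sub(r'([\\,+"<>;=])', r"\\\1", value).replace("\x00", "\\00")
    return re.sub(r"^[ #]| \Z", lambda m: "\\" + m.group(), out)

def expand_user_dn(pattern, username):
    """Substitute the logon name for {0}, escaped so it stays one RDN value."""
    return pattern.replace("{0}", escape_dn_value(username))

def check_ldap_settings(props):
    """Return a list of problems found in the LDAP settings (empty = none)."""
    problems = [f"missing: {k}" for k in REQUIRED if not props.get(k)]
    if problems:
        return problems
    if props["authentication_method"] != "LDAP":
        problems.append("authentication_method is not LDAP")
    if not re.fullmatch(r"ldaps?://[^\s/:]+(:\d+)?/?", props["xa_ldap_url"]):
        problems.append("xa_ldap_url is not an ldap:// or ldaps:// URL")
    pattern, base = props["xa_ldap_userDNpattern"], props["xa_ldap_base_dn"]
    if pattern.count("{0}") != 1:
        problems.append("xa_ldap_userDNpattern needs exactly one {0}")
    elif not norm_dn(pattern).endswith("," + norm_dn(base)):  # assumed rule
        problems.append("xa_ldap_userDNpattern is not under xa_ldap_base_dn")
    if props["xa_ldap_bind_password"] == "[password]":
        problems.append("xa_ldap_bind_password is still the placeholder")
    return problems

# Constructed sample: the step 3 values with the password placeholder left in.
SAMPLE = """authentication_method = LDAP
xa_ldap_url = ldap://emr-header-1:10389
xa_ldap_userDNpattern = uid={0},ou=people,o=emr
xa_ldap_base_dn = ou=people,o=emr
xa_ldap_bind_dn = uid=admin,o=emr
xa_ldap_bind_password = [password]"""
print(check_ldap_settings(parse_properties(SAMPLE)))
```

To check the real file, pass the contents of /usr/lib/ranger-usersync-current/install.properties to parse_properties instead of SAMPLE.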