This topic describes how to integrate Ranger UserSync with a Lightweight Directory Access Protocol (LDAP) server. After integration, you can grant LDAP users or user groups access permissions when you configure Ranger policies.

Prerequisites

An E-MapReduce (EMR) cluster is created. For more information, see Create a cluster.

Limits

You can enable LDAP authentication with one click for a Hadoop cluster only in EMR V3.34.0 and later V3.X.X, and in EMR V4.8.0 and later V4.X.X.

Precautions

By default, no user groups exist in the OpenLDAP service of an EMR cluster. If you want to configure user groups in an LDAP server, you must first create user groups. If you want to synchronize an LDAP user group to Ranger, you must configure LDAP parameters as needed.

EMR V3.28.0 and later V3.X.X, and EMR V4.3.0 and later V4.X.X

  1. Go to the Configure tab for the Ranger service.
    1. Log on to the Alibaba Cloud EMR console.
    2. In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
    3. Click the Cluster Management tab.
    4. Find your cluster and click Details in the Actions column.
    5. In the left-side navigation pane, choose Cluster Service > RANGER.
    6. Click the Configure tab.
  2. Configure parameters on the ranger-ugsync-site tab.
    1. In the Service Configuration section, click the ranger-ugsync-site tab.
    2. Configure the parameters listed in the following table to synchronize LDAP users to Ranger.
      Parameter Required value
      ranger.usersync.sync.source ldap
      ranger.usersync.ldap.binddn uid=admin,o=emr
      ranger.usersync.ldap.ldapbindpassword Value of the manager_password parameter on the Configure tab for the OpenLDAP service openldap_password
      ranger.usersync.ldap.searchBase o=emr
      ranger.usersync.ldap.url ldap://emr-header-1:10389
      ranger.usersync.ldap.user.nameattribute cn
      ranger.usersync.ldap.user.objectclass person
      ranger.usersync.ldap.user.searchbase ou=people,o=emr
      ranger.usersync.source.impl.class org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
      ranger.usersync.sleeptimeinmillisbetweensynccycle 3600000
      Note If you use a high-security cluster, set ranger.usersync.ldap.user.searchfilter to (!(cn=*/*)) to filter out the Kerberos principal records of the component services that have been created in OpenLDAP.
    3. Optional:If you want to synchronize LDAP user groups to Ranger, configure the parameters listed in the following table based on the actual LDAP information.
      Notice By default, no user groups exist in the OpenLDAP service of an EMR cluster. If you want to configure user groups in an LDAP server, you must first create user groups.
      Parameter Example value
      ranger.usersync.group.memberattributename member
      ranger.usersync.group.nameattribute cn
      ranger.usersync.group.objectclass groupofnames
      ranger.usersync.group.searchbase ou=groups,o=emr
      ranger.usersync.group.searchenabled true
      ranger.usersync.group.usermapsyncenabled true
      ranger.usersync.sleeptimeinmillisbetweensynccycle 3600000
  3. Restart Ranger UserSync for the configurations to take effect.
    1. In the left-side navigation pane, choose Cluster Service > RANGER.
    2. In the Components section, find the RangerUserSync parameter and click Restart in the Actions column.
    3. In the Cluster Activities dialog box, configure the parameters.
    4. Click OK.
    5. In the Confirm message, click OK.

EMR V3.X.X earlier than V3.28.0 and EMR V4.X.X earlier than V4.3.0

  1. Connect to the emr-header-1 node of the cluster. For more information, see Log on to a cluster.
  2. Open the install.properties file. 
    cd /usr/lib/ranger-usersync-current
vim install.properties
  3. Configure the following information in the file: 
    SYNC_SOURCE = ldap
SYNC_LDAP_URL = ldap://emr-header-1:10389
SYNC_LDAP_BIND_DN = uid=admin,o=emr
SYNC_LDAP_BIND_PASSWORD = [password]
SYNC_LDAP_USER_SEARCH_BASE = ou=people,o=emr
    Note If you use a high-security cluster, set SYNC_LDAP_USER_SEARCH_FILTER to (!(cn=*/*)) to filter out the Kerberos principal records of the component services that have been created in OpenLDAP.

    The preceding example demonstrates the integration of EMR OpenLDAP. If you integrate Ranger UserSync with a self-managed LDAP server, you must configure the parameters based on the description in the following table. For more information about the parameters, see the official Ranger UserSync installation guide.

    Parameter Description
    SYNC_LDAP_URL The URL of the LDAP service. Example: ldap://ldap.example.com:389.
    SYNC_LDAP_BIND_DN The distinguished name (DN) used to connect the LDAP server to query users and user groups. Example: cn=ldapadmin,ou=users,dc=example,dc=com.
    SYNC_LDAP_BIND_PASSWORD The password of the DN that is used to connect to the LDAP server.
    EARCH_BASE The user search domain in the LDAP server. Example: ou=users,dc=example,dc=com.
  4. Optional:If you want to synchronize LDAP user groups to Ranger, configure the parameters listed in the following table based on the actual LDAP information.
    Notice By default, no user groups exist in the OpenLDAP service of an EMR cluster. If you want to configure user groups in an LDAP server, you must first create user groups. 
    SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE = gitNumber
SYNC_GROUP_SEARCH_ENABLED = true
SYNC_GROUP_USER_MAP_SYNC_ENABLED = true
SYNC_GROUP_SEARCH_BASE = ou=group,o=emr
SYNC_GROUP_OBJECT_CLASS = posixGroup
SYNC_GROUP_NAME_ATTRIBUTE = cn
SYNC_GROUP_MEMBER_ATTRIBUTE_NAME = memberUid
    Parameter Description
    SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE The name of the attribute that indicates a user group in a user entry. Example: gitNumber(user objectClass=posixAccount).
    SYNC_GROUP_SEARCH_ENABLED Specifies whether to use the user group attributes recorded in user entries to determine user groups. Example: true.
    SYNC_GROUP_USER_MAP_SYNC_ENABLED Specifies whether to use the LDAP search function to determine the mappings between users and user groups. Example: true.
    SYNC_GROUP_SEARCH_BASE The user search domain in the LDAP server. Example: ou=groups,dc=example,dc=com.
    SYNC_GROUP_OBJECT_CLASS The ObjectClass attribute of the user group. Example: posixGroup.
    SYNC_GROUP_NAME_ATTRIBUTE The identity of the user group name in a user group entry. Example: cn.
    SYNC_GROUP_MEMBER_ATTRIBUTE_NAME The name of the attribute that indicates a member of a user group in a user group entry. Example: memberUid.
  5. Run the setup.sh command in the /usr/lib/ranger-usersync-current directory of the emr-header-1 node. 
    cd /usr/lib/ranger-usersync-current
sh setup.sh
  6. Restart Ranger UserSync for the configurations to take effect.
    1. In the left-side navigation pane, choose Cluster Service > RANGER.
    2. In the Components section, find the RangerUserSync parameter and click Restart in the Actions column.
    3. In the Cluster Activities dialog box, configure the parameters.
    4. Click OK.
    5. In the Confirm message, click OK.