Add/Remove external LDAP users to/from an internal group in RangerUI   
Article by Harini Yadav · Jun 01, 2016 at 12:11 PM · edited · Jun 01, 2016 at 01:05 PM

Short Description:

Unable to add external LDAP users to an internal group created in Ranger admin UI

Article

Use Case:

1. Add a member to another group and manage that membership internally, without having to deal with outside or additional products.

2. Easily determine which members belong to which groups, instead of scrolling through page after page, especially when there are hundreds of users to keep track of.

3. Easily administer various groups without the hassle of creating more and more Active Directory/LDAP associations and submitting change control requests to other departments for something we should be able to administer on our own.

The Ranger User Sync process supports reading user and group information from one of the following sources:

    • Unix

    • Text file - CSV or JSON format

    • LDAP/AD

CSV Format:

If the filename does not end with .json, each line in the file is treated as delimiter-separated fields in the following format. The default delimiter is a comma; this can be changed through configuration.

    user-1,group-1,group-2,group-3
    user-2,group-x,group-y,group-z

CSV file format example, e.g. UserGroupSyncFile.txt:

    "user21","group20","group218","group26","group27","group262","group242","group219","group23"
    "user22","group20","group218","group26"
    "user23","user24","group20","group218"

To run it as a command-line tool:

    java -Dlogdir=/var/log/ranger/usersync \
      -cp "/usr/hdp/current/ranger-usersync/dist/*:/usr/hdp/current/ranger-usersync/lib/*:/usr/hdp/current/ranger-usersync/conf" \
      org.apache.ranger.unixusersync.process.FileSourceUserGroupBuilder \
      /tmp/UserGroupSyncFile.txt
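
Because group membership decides which Ranger policies apply to a user, it is worth checking a sync file before loading it. The following Python script is an added example, not part of the original article or of Ranger: it parses the user-then-groups CSV layout described above, reports malformed rows, and lists the members of each group. The function names, the sample rows and the approved-member list are assumptions made for illustration.

```python
import csv, io
from collections import defaultdict

# Constructed sample in the article's layout: user first, then that user's groups.
SAMPLE = '''"packer","packer","mygrp","test","solr_group"
"user22","group20","solr_group"
"user23"
"user22","group26"
"user24","group20",""
'''

def parse_sync_file(text, delimiter=","):
    """Return (user -> ordered group list, list of (row number, problem))."""
    users, problems = {}, []
    for lineno, row in enumerate(csv.reader(io.StringIO(text), delimiter=delimiter), 1):
        fields = [f.strip() for f in row]
        if not any(fields):
            continue  # blank line
        user, groups = fields[0], fields[1:]
        if not user:
            problems.append((lineno, "empty user name"))
            continue
        if "" in groups:
            problems.append((lineno, f"empty group field for {user}"))
            groups = [g for g in groups if g]
        if not groups:
            problems.append((lineno, f"{user} has no groups"))
        if user in users:
            problems.append((lineno, f"{user} listed more than once"))
        # Merge repeated rows for one user, keeping first-seen order, no duplicates.
        users[user] = list(dict.fromkeys(users.get(user, []) + groups))
    return users, problems

def members_by_group(users):
    """Invert user -> groups into group -> sorted member list."""
    index = defaultdict(set)
    for user, groups in users.items():
        for group in groups:
            index[group].add(user)
    return {g: sorted(m) for g, m in index.items()}

def unapproved(users, group, approved):
    """Users the file places in `group` that are not on the approved list."""
    return sorted(set(members_by_group(users).get(group, [])) - set(approved))

if __name__ == "__main__":
    parsed, issues = parse_sync_file(SAMPLE)
    print(issues, members_by_group(parsed), unapproved(parsed, "solr_group", ["packer"]), sep="\n")
```
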

Steps:

Goal: create a group called solr_group and add to it certain users (imported from LDAP) that we know will use SOLR. All the users are associated only with the groups defined through LDAP, but we want to create additional groups in Ranger and link users to those groups.

1. Set up a cluster with Ranger configured with LDAP users. Here the LDAP user is "packer".

2. Create an internal group in the Ranger UI. Here it is "solr_group".

3. Edit an external LDAP user to add it to the group that we created.

4. The group field for that LDAP user is greyed out in the Ranger UI and cannot be edited.

The workaround is to list the user and its groups, including solr_group, in a sync file and load it with the command-line tool:

    [root@sandbox ~]# vi /tmp/ugsync.txt
    [root@sandbox ~]# cat /tmp/ugsync.txt
    "packer","packer","mygrp","test","solr_group"
    [root@sandbox ~]# java -Dlogdir=/var/log/ranger/usersync -cp \
      /usr/hdp/current/ranger-usersync/dist/*:/usr/hdp/current/ranger-usersync/lib/*:/usr/hdp/current/ranger-usersync/conf \
      org.apache.ranger.unixusersync.process.FileSourceUserGroupBuilder /tmp/ugsync.txt
    log4j: reset attribute= "false".
    log4j: Threshold ="null".
    log4j: Level value for root is [info].
    log4j: root level set to INFO
    log4j: Class name: [org.apache.log4j.DailyRollingFileAppender]
    log4j: Setting property [file] to [/var/log/ranger/usersync/usersync.log].
    log4j: Setting property [datePattern] to ['.'yyyy-MM-dd].
    log4j: Parsing layout of class: "org.apache.log4j.PatternLayout"
    log4j: Setting property [conversionPattern] to [%d{dd MMM yyyy HH:mm:ss} %5p %c{1} [%t] - %m%n].
    log4j: setFile called: /var/log/ranger/usersync/usersync.log, true
    log4j: setFile ended
    log4j: Appender [logFile] to be rolled at midnight.
    log4j: Adding appender named [logFile] to category [root].
    log4j: /var/log/ranger/usersync/usersync.log -> /var/log/ranger/usersync/usersync.log.2016-04-04
    log4j: setFile called: /var/log/ranger/usersync/usersync.log, true
    log4j: setFile ended
    [root@sandbox ~]# cd /var/log/ranger/usersync
Comment by iperurena · Aug 23, 2017 at 01:30 PM

Hi,

I'm using SSL-enabled Ranger 0.7 with LDAP/AD usersync. I wiped the external groups added by the LDAP/AD sync process and I'm attempting to add a user imported from LDAP/AD (demo1) to an internal group (demo1_grp). So before starting, the user demo1 had no groups.

My /tmp/ugsync.txt file is as follows:

    # cat /tmp/ugsync.txt
    "demo1","demo1","demo1_grp"

When launching the code above I get the following errors:

    log4j: reset attribute= "false".
    log4j: Threshold ="null".
    log4j: Level value for root is [info].
    log4j: root level set to INFO
    log4j: Class name: [org.apache.log4j.DailyRollingFileAppender]
    log4j: Setting property [file] to [/var/log/ranger/usersync/usersync.log].
    log4j: Setting property [datePattern] to ['.'yyyy-MM-dd].
    log4j: Parsing layout of class: "org.apache.log4j.PatternLayout"
    log4j: Setting property [conversionPattern] to [%d{dd MMM yyyy HH:mm:ss} %5p %c{1} [%t] - %m%n].
    log4j: setFile called: /var/log/ranger/usersync/usersync.log, true
    log4j: setFile ended
    log4j: Appender [logFile] to be rolled at midnight.
    log4j: Adding appender named [logFile] to category [root].
    Exception in thread "main" java.lang.NullPointerException
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.buildGroupList(PolicyMgrUserGroupBuilder.java:425)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.buildUserGroupInfo(PolicyMgrUserGroupBuilder.java:194)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.init(PolicyMgrUserGroupBuilder.java:163)
        at org.apache.ranger.unixusersync.process.FileSourceUserGroupBuilder.main(FileSourceUserGroupBuilder.java:63)

Any ideas? Thanks in advance.
