Add/Remove external LDAP users to/from an internal group in RangerUI   

• Best Practices In HDFS Authorization with Apache Ranger
• Configuring Ranger Policy Administration High Availability
• Installing Apache Ranger with Ambari Postgresql
• Ranger User Variables use for HDFS policies

Article

Use Case :

1 . ADDING a member to another group and being able to manage them internally without having to deal with outside or additional products.

2 . To be able to easily determine what members reside in what groups instead of having to scroll down page after page to see what members are in what groups especially when you have hundreds of users to keep track of.

3 . To easily administer various groups without having the hassle of creating more and more Active Directory/LDAP associations and having to submit change control requests to other departments for something we should be able to administer on our own.

Ranger User Sync Process supports reading users and group information from one of the following sources:

• Unix

• Text file - CSV or JSON format

• LADP/AD

CSV Format :

If the filename does not end with .json, each line in the file will be treated as a delimiter separated fields of the following format. Default delimiter is a comma; this can be changed using configuration shown above.

user-1,group-1,group-2,group-3
user-2,group-x,group-y,group-z


CSV File Format 
e.g. UserGroupSyncFile.txt

"user21","group20","group218","group26","group27","group262","group242","group219","group23"
"user22","group20","group218","group26"
"user23","user24","group20","group218"

To run it as Command Line tool:

java
-Dlogdir=/var/log/ranger/usersync -cp
/usr/hdp/current/ranger-usersync/dist/*:/usr/hdp/current/ranger-usersync/lib/*:/usr/hdp/current/ranger-usersync/conf
org.apache.ranger.unixusersync.process.FileSourceUserGroupBuilder
/tmp/UserGroupSyncFile.txt

Steps :

Create a group called solr_group and add certain users (imported from LDAP) into that group that we know will use SOLR. All the users are associated with the groups defined through LDAP and nothing else but we want to create additional groups and link users to those groups on Ranger.

1. Cluster with Ranger and configure with LDAP users. Here it is "packer".

2. Create a internal group on Ranger UI. Here it is "solr_group".

3. Edit an external LDAP user to add it to the group that we created.

4. Unable to edit the group field(greyed out) on Ranger UI for that LDAP user.

[root@sandbox ~]# vi /tmp/ugsync.txt 
[root@sandbox ~]# cat /tmp/ugsync.txt
"packer","packer","mygrp","test","solr_group"
[root@sandbox ~]# java -Dlogdir=/var/log/ranger/usersync -cp
/usr/hdp/current/ranger-usersync/dist/*:/usr/hdp/current/ranger-usersync/lib/*:/usr/hdp/current/ranger-usersync/conf
org.apache.ranger.unixusersync.process.FileSourceUserGroupBuilder /tmp/ugsync.txt
log4j: reset
attribute= "false".log4j: Threshold
="null".log4j: Level value
for root is [info].log4j: root level
set to INFOlog4j: Class name:
[org.apache.log4j.DailyRollingFileAppender]log4j: Setting
property [file] to [/var/log/ranger/usersync/usersync.log].log4j: Setting
property [datePattern] to ['.'yyyy-MM-dd].log4j: Parsing
layout of class: "org.apache.log4j.PatternLayout"log4j: Setting
property [conversionPattern] to [%d{dd MMM yyyy HH:mm:ss} %5p %c{1} [%t] -
%m%n].log4j: setFile
called: /var/log/ranger/usersync/usersync.log, truelog4j: setFile endedlog4j: Appender
[logFile] to be rolled at midnight.log4j: Adding
appender named [logFile] to category [root].log4j:
/var/log/ranger/usersync/usersync.log ->
/var/log/ranger/usersync/usersync.log.2016-04-04log4j: setFile
called: /var/log/ranger/usersync/usersync.log, truelog4j: setFile ended
[root@sandbox ~]# cd
/var/log/ranger/usersync