In this post I would like to show you how to integrate Apache Ranger with LDAP. I'll be using a minimal development 6-node Hortonworks cluster and FreeIPA as our LDAP provider. This will of course work similarly in a HDP 2.5 sandbox.
I won't go into much detail regarding Apache Ranger or FreeIPA, because I assume you already know these products and what you are trying to accomplish if you are reading this. That said, taken from Ranger's website:
Ranger is a framework to enable, monitor and manage comprehensive data security across the Hadoop platform. The vision with Ranger is to provide comprehensive security across the Apache Hadoop ecosystem. Apache Ranger has the following goals:
And FreeIPA has the following main features (again taken from their website):
I personally like FreeIPA because it takes two things that are difficult to set up and does them cleanly and easily, with a wonderful web GUI. Also, open source is wonderful (and free!).
Environment Setup
Operating System for HDP and FreeIPA: centos-release-6-8.el6.centos.12.3.x86_64
HDP Version: 2.5.3.0-37
Ambari Version: 2.4.2.0
Ranger Version: 0.6.0
FreeIPA Version: 3.0.0
OpenLDAP Version: 2.4.40
Configuration Changes
To enable LDAP you must put a few things in place first. First, you'll need the LDAP client on your cluster nodes; on CentOS 6 the package below installs the FreeIPA 3.0.0 client. To get the latest version you'll have to use the tarball instead:
yum -y install ipa-client
TIP: Once installed, keep track of the basic information: your bind DN, bind password (for simple authentication), the LDAP URL, port and base DN for searches. I found the following command helpful for debugging and for finding exactly the entry you are looking for (ldapsearch takes the server URL with -H; -W would prompt for the password instead of leaving it in your shell history):
ldapsearch -x -H ldaps://<FREEIPA_SERVER_FQDN>:<PORT_NUMBER> -D "<BIND DN>" -w <PASSWORD> -b "<BASE DN>" uid=<USERNAME>
For example:
ldapsearch -x -H ldaps://freeipa.novalocal:636 -D "cn=Directory Manager" -w SuperSecretPassword -b "dc=novalocal" uid=admin
Step One: Log into Ambari, open the Ranger service and go to the Configuration menu.
Step Two: Enter the Ranger User Info. You will need to enable User Sync. Once enabled, all of the sync settings are shown. You'll need to select:
Step Three: On the next tab, User Configs, change the:
Group Configs will stay the default, not synced.
Step Four: Go from Ranger User Info to the Advanced tab at the very top of the screen. We need to modify two sections there: Ranger Settings and LDAP Settings.
In Ranger Settings:
In LDAP Settings:
At this point you can hit save and restart the necessary services for it to work.
Ranger updates users and groups on a regular schedule; to force an update, you can manually restart the Ranger Usersync process. One thing I noticed right away was that groups were not syncing in Ranger. You can verify this by running kinit as a user who is part of a specific group, for example group1, and then listing that user's groups:
> kinit user102
> groups user102
user102 : user102
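To show why the group object class matters for this check, here is an added example that is not part of the original post: a small Python script that parses LDIF entries (constructed here to resemble FreeIPA's schema, where a non-POSIX group carries objectClass ipaUserGroup but not posixGroup) and resolves a user's groups under a given group object class filter, the way an LDAP consumer such as sssd does with ldap_group_object_class.

```python
# Constructed sample LDIF resembling FreeIPA entries (not real directory data):
# group1 is a non-POSIX group (no posixGroup class), posix1 is a POSIX group.
SAMPLE_LDIF = """\
dn: uid=user102,cn=users,cn=accounts,dc=novalocal
objectClass: posixaccount
uid: user102

dn: cn=group1,cn=groups,cn=accounts,dc=novalocal
objectClass: ipausergroup
objectClass: groupofnames
cn: group1
member: uid=user102,cn=users,cn=accounts,dc=novalocal

dn: cn=posix1,cn=groups,cn=accounts,dc=novalocal
objectClass: ipausergroup
objectClass: posixgroup
cn: posix1
gidNumber: 1001
member: uid=user102,cn=users,cn=accounts,dc=novalocal
"""


def parse_ldif(text):
    """Parse simple LDIF (no line folding or base64 values) into {attr: [values]} dicts."""
    entries, entry = [], {}
    for line in text.splitlines():
        if not line.strip():          # a blank line ends the current entry
            if entry:
                entries.append(entry)
                entry = {}
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    if entry:
        entries.append(entry)
    return entries


def groups_for_user(entries, user_dn, group_object_class):
    """Return the cn of every group carrying group_object_class that lists user_dn.

    A group entry lacking the filtered objectClass is never seen by the consumer,
    so the user appears to belong to no such group although the directory says so.
    """
    wanted = group_object_class.lower()
    found = []
    for e in entries:
        classes = [c.lower() for c in e.get("objectclass", [])]
        if wanted in classes and user_dn in e.get("member", []):
            found.extend(e["cn"])
    return sorted(found)
```

With the filter set to posixGroup only posix1 is resolved; with ipaUserGroup both groups are, which is the behaviour the sssd.conf change below restores.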
To correct this, put the following line into the domain section of /etc/sssd/sssd.conf:
ldap_group_object_class = ipaUserGroup
Now, when you do your group check, it will report back correctly. If it still doesn't, you might need to clear the SSSD cache; to clear the cache and update all records:
> sss_cache -E
> kinit user102
> groups user102
user102 : user102 group1
I hope this tutorial was helpful for you. If you have any questions, please let me know in the comments below!
Author: James Benson is an IT professional.