James Benson's tech hub
How to setup Apache Ranger and LDAP

2/13/2017

In this post I would like to show you how to integrate Apache Ranger with LDAP. I'll be using a minimal 6-node Hortonworks development cluster and FreeIPA as the LDAP provider. This will of course work similarly in an HDP 2.5 sandbox.
I won't go into much detail regarding Apache Ranger or FreeIPA, because I will assume you know these products and what you are trying to accomplish if you are reading this. That said, taken from Ranger's website:
Ranger is a framework to enable, monitor and manage comprehensive data security across the Hadoop platform. The vision with Ranger is to provide comprehensive security across the Apache Hadoop ecosystem.
Apache Ranger has the following goals:
  • Centralized security administration to manage all security related tasks in a central UI or using REST APIs.
  • Fine grained authorization to do a specific action and/or operation with Hadoop component/tool and managed through a central administration tool
  • Standardize authorization method across all Hadoop components.
  • Enhanced support for different authorization methods - Role based access control, attribute based access control etc.
  • Centralize auditing of user access and administrative actions (security related) within all the components of Hadoop
And FreeIPA has the following main features (again taken from their website):
  • Integrated security information management solution combining Linux (Fedora), 389 Directory Server, MIT Kerberos, NTP, DNS, Dogtag certificate system, SSSD and others.
  • Built on top of well known Open Source components and standard protocols
  • Strong focus on ease of management and automation of installation and configuration tasks.
  • Full multi master replication for higher redundancy and scalability
  • Extensible management interfaces (CLI, Web UI, XMLRPC and JSONRPC API) and Python SDK

I personally like FreeIPA because it takes two things that are difficult to set up and does them very cleanly and easily, with a wonderful web GUI. Also, open source is wonderful (and free!).

Environment Setup

Operating System for HDP and FreeIPA: centos-release-6-8.el6.centos.12.3.x86_64
HDP Version: 2.5.3.0-37
Ambari Version: 2.4.2.0
Ranger Version: 0.6.0
FreeIPA Version: 3.0.0
OpenLDAP Version: 2.4.40

Configuration Changes

To enable LDAP integration you must do a few things first. First, you'll need to enrol your client nodes in LDAP; on CentOS 6 the following installs the FreeIPA 3.0.0 client. To get the latest version you'll have to use the tarball:

yum -y install ipa-client

TIP:

Once installed you'll need to keep track of the basic information: your bind DN, bind password (for simple authentication), the LDAP URL and port, and the base DN for searches. I found this command helpful for debugging and finding exactly what you are looking for (ldapsearch takes a full URI with -H; the -h option only accepts a bare hostname, so -h ldaps://... will fail to connect):

ldapsearch -x -H ldaps://<FREEIPA_SERVER_FQDN>:<PORT_NUMBER> -D "<BIND DN>" -w <PASSWORD> -b "<BASE DN>" uid=<USERNAME>

for example:
ldapsearch -x -H ldaps://freeipa.novalocal:636 -D "cn=Directory Manager" -w SuperSecretPassword -b "dc=novalocal" uid=admin

Step One: Log into Ambari, go into the Ranger service and open the Configs menu.
Step Two: Enter the Ranger User Info. You will need to enable User Sync. Once enabled, all of the sync settings will be shown. You'll need to select:
  • Sync Source:  LDAP/AD
  • Common Configs:
    • LDAP/AD URL: Enter your LDAP URL; it should be:
      ldap://<LDAP URL>:389
      In my case it was
      ldap://freeipa.novalocal:389
      If possible start with the unencrypted port (389) first to verify everything works, then move to the encrypted port (636).
    • Enter your Bind User in the format:
      cn="<USER>"

      Directory Manager exists by default in FreeIPA, so you can try that, or admin, or the user you have specified. In my case it was:
      cn="Directory Manager"
    • Enter your Bind Password
Step Three: On the next tab, User Configs, change the:
  • Username Attribute from blank to uid
  • User Search Base from blank to:
    dc=<your DC>
    In my case:
    dc=novalocal

Group Configs will stay the default, not synced.
Step Four: Go from the Ranger User Info to the Advanced tab at the very top of the screen; we will need to modify two sections, Ranger Settings and LDAP Settings.

In Ranger Settings:
  • Select LDAP if it is not already selected, and
  • Enter the node that Ranger is hosted on:
    http://<RANGER FQDN>:6080

In LDAP Settings:
  • ranger.ldap.base.dn should be changed
    • From: dc=example,dc=com
    • To: dc=novalocal
At this point you can hit Save and restart the affected services for it to take effect.
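Before saving the values from steps two and three, it is worth running the exact bind and user search Ranger usersync will perform. The script below is an added example, not code from the original post or from Ranger; the host, bind DN, password and base DN are the placeholders used in this post, and the LDIF reply it parses offline is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: dry-run the values you are about
# to enter on the Ranger User Sync screens before saving them in Ambari.
# Host, DN, password and base below are placeholders taken from the post;
# override them through the environment for your own directory.
LDAP_URL="${LDAP_URL:-ldap://freeipa.novalocal:389}"   # step two: LDAP/AD URL
BIND_DN="${BIND_DN:-cn=Directory Manager}"              # step two: Bind User
BIND_PW="${BIND_PW:-SuperSecretPassword}"               # step two: Bind Password
USER_BASE="${USER_BASE:-dc=novalocal}"                  # step three: User Search Base
USER_ATTR="${USER_ATTR:-uid}"                           # step three: Username Attribute

# Run the same bind and user search Ranger usersync will perform. -H takes a
# full URI (ldap:// or ldaps://); -h only takes a bare hostname. -LLL strips
# the LDIF version line and comments so the output is easy to parse.
ldap_user_lookup() {
    ldapsearch -x -LLL -H "$LDAP_URL" -D "$BIND_DN" -w "$BIND_PW" \
        -b "$USER_BASE" "($USER_ATTR=$1)" dn "$USER_ATTR" memberOf
}

# Print every value of attribute $1 from LDIF on stdin. LDIF folds long values
# onto continuation lines that start with one space, so unfold them first.
ldif_attr() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (buf != "") print buf; buf = $0 }
         END { if (buf != "") print buf }' |
    awk -v attr="$1" -F': ' 'tolower($1) == tolower(attr) { print $2 }'
}

# Constructed reply for an offline dry run (not captured from a real server).
SAMPLE_LDIF='dn: uid=user102,cn=users,cn=accounts,dc=novalocal
uid: user102
memberOf: cn=group1,cn=groups,cn=accounts,dc=novalocal
memberOf: cn=ipausers,cn=groups,cn=accounts,
 dc=novalocal
'

# Succeeds when the entry carries the username attribute and group1 membership.
check_sample() {
    printf '%s' "$SAMPLE_LDIF" | ldif_attr "$USER_ATTR" | grep -qx user102 &&
    printf '%s' "$SAMPLE_LDIF" | ldif_attr memberOf | grep -q '^cn=group1,'
}

if [ "${1:-}" = "--live" ]; then
    ldap_user_lookup "${2:-admin}"     # e.g. ./check.sh --live user102
else
    check_sample && echo "sample LDIF parses: uid and memberOf found"
fi
```

Run it with --live and a username once the bind details are right; an empty result means the base DN or username attribute is wrong, while a bind error means the bind DN or password is.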

Ranger will update the users and groups regularly on its own; to force an update, you can manually restart the Ranger Usersync process.

One thing I noticed right away was that in Ranger, groups were not syncing. You can verify this by running kinit as a user who is part of a specific group, for example group1:

> kinit user102
> groups user102
user102 : user102
To correct this, add the following line to the domain section of /etc/sssd/sssd.conf:
ldap_group_object_class = ipaUserGroup
Now, when you do your group check, it'll report back correctly.

If it still doesn't report back, you might need to clear your SSSD cache. To clear the cache and update all records:
 sss_cache -E

> kinit user102
> groups user102
user102 : user102 group1
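To tell apart "the sssd.conf fix is not there" from "the cache is stale", the following added example (not from the original post) parses the domain section of an sssd.conf the way the fix above expects it. The sample config it writes is constructed; the real file on an IPA client is /etc/sssd/sssd.conf.

```shell
#!/bin/sh
# Added example, not from the original post: check whether every
# [domain/...] section of an sssd.conf already carries the
# ldap_group_object_class = ipaUserGroup line from the post, so you know
# whether to edit the file or just clear the cache. Sample config is
# constructed; the real file on an IPA client is /etc/sssd/sssd.conf.

# Print "yes" when every [domain/...] section in file $1 sets
# ldap_group_object_class = ipaUserGroup, else "missing: <sections>".
# The post puts the line in the domain section, so that is where we look.
check_group_class() {
    awk '
        /^[ \t]*\[/ {                                  # start of an INI section
            if (domain != "" && !found) missing = (missing == "" ? domain : missing "," domain)
            domain = ""; found = 0
            if ($0 ~ /^[ \t]*\[domain\//) { domain = $0; sub(/^[ \t]*\[/, "", domain); sub(/\].*$/, "", domain) }
            next
        }
        domain != "" && /^[ \t]*ldap_group_object_class[ \t]*=/ {
            split($0, kv, "="); gsub(/[ \t]/, "", kv[2])
            if (kv[2] == "ipaUserGroup") found = 1
        }
        END {
            if (domain != "" && !found) missing = (missing == "" ? domain : missing "," domain)
            print (missing == "" ? "yes" : "missing: " missing)
        }' "$1"
}

# Constructed sssd.conf as left by ipa-client-install, before the fix.
make_sample_conf() {
    cat > "$1" <<'EOF'
[sssd]
domains = novalocal
services = nss, pam

[domain/novalocal]
id_provider = ipa
ipa_server = freeipa.novalocal
EOF
}

# Dry run against the constructed file, then against the same file patched
# the way the post describes. Point check_group_class at the real file
# (as root) to test a live client.
tmp=$(mktemp)
make_sample_conf "$tmp"
echo "before fix: $(check_group_class "$tmp")"
printf 'ldap_group_object_class = ipaUserGroup\n' >> "$tmp"
echo "after fix:  $(check_group_class "$tmp")"
rm -f "$tmp"
```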

I hope this tutorial was helpful for you.  If you have any questions, please let me know in the comments below!