In this post I would like to show you how to integrate Apache Ranger with LDAP. I'll be using a minimal development 6-node Hortonworks cluster and FreeIPA as our LDAP provider. This will of course work similarly in an HDP 2.5 sandbox.
I won't go into much detail regarding Apache Ranger or FreeIPA, because I'll assume you know about these products and what you are trying to accomplish if you are reading this. That said, taken from Ranger's website:
Ranger is a framework to enable, monitor and manage comprehensive data security across the Hadoop platform. The vision with Ranger is to provide comprehensive security across the Apache Hadoop ecosystem. Apache Ranger has the following goals:
And FreeIPA has the following Main features (again taken from their website):
I personally like FreeIPA because it takes two difficult things to set up and does both very cleanly and easily, with a wonderful web GUI. Also, open source is wonderful (and free!).

Environment Setup
Operating System for HDP and FreeIPA: centos-release-6-8.el6.centos.12.3.x86_64
HDP Version: 2.5.3.0-37
Ambari Version: 2.4.2.0
Ranger Version: 0.6.0
FreeIPA Version: 3.0.0
OpenLDAP Version: 2.4.40

Configuration Changes
To enable and incorporate LDAP you must implement a few things first. You'll need to install the LDAP client on your client nodes; on CentOS 6 the following installs the FreeIPA v3.0.0 client (to get the latest version you would have to use the tarball instead):
yum -y install ipa-client
TIP:
Once installed you'll need to keep track of the basic info: your bind DN, bind password (for simple authentication), the LDAP URL, port and base DN for searches. I found this command helpful to debug and find exactly what you are looking for (-H takes the full LDAP URI, including the port):

ldapsearch -x -H ldaps://<FREEIPA_SERVER_FQDN>:<PORT_NUMBER> -D "<BIND DN>" -w <PASSWORD> -b "<BASE DN>" uid=<USERNAME>

for example:

ldapsearch -x -H ldaps://freeipa.novalocal:636 -D "cn=Directory Manager" -w SuperSecretPassword -b "dc=novalocal" uid=admin

Step One: Log into Ambari, go into the Ranger service and open the Configuration menu.

Step Two: Enter the Ranger User Info. You will need to enable User Sync. Once enabled, all of the sync information will be shown. You'll need to select:
Step Three: On the next tab, User Configs, change the:
Group Configs will stay the default, not synced.
Step Four: Go from the Ranger User Info to the Advanced tab at the very top of the screen; we will need to modify two spots, Ranger Settings and LDAP Settings.
In Ranger Settings:
In LDAP Settings:
At this point you can hit save and restart the necessary services for it to work.
Ranger updates the users/groups regularly on its own; to force an update, you can manually restart the Ranger Usersync process. One thing I noticed right away was that in Ranger, groups were not syncing. You can verify this by kinit as a user who is part of a specific group, for example group1:

kinit user01
> kinit user102
> groups user102
user102 : user102

So to correct this, put the following line into the domain section of /etc/sssd/sssd.conf:

ldap_group_object_class = ipaUserGroup

Now, when you do your group check, it'll report back correctly. If it still doesn't report back, you might need to clear your SSSD cache; to clear the cache and update all records:

sss_cache -E
> kinit user102
> groups user102
user102 : user102 group1

I hope this tutorial was helpful for you. If you have any questions, please let me know in the comments below!
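One way to apply the sssd.conf fix described above consistently on every node, as an added example that is not code from the original post: a filter that puts the ldap_group_object_class setting directly under the [domain/...] header, drops any stale value inside that section, and leaves every other section untouched. The sample configuration inside is constructed; only the domain name is taken from the post's base DN, and the provider settings are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Reads an sssd.conf on stdin
# and writes it back on stdout with the post's fix applied:
#   "ldap_group_object_class = ipaUserGroup" directly under every [domain/...]
#   header, any stale value (e.g. the posixGroup default) in that section
#   removed, and all other sections passed through unchanged.
ensure_group_object_class() {
  awk '
    BEGIN { want = "ldap_group_object_class = ipaUserGroup" }
    /^\[domain\// { in_dom = 1; print; print want; next }   # domain header: insert fix
    /^\[/         { in_dom = 0 }                            # any other section header
    in_dom && /^[[:space:]]*ldap_group_object_class[[:space:]]*=/ { next }  # drop old value
    { print }
  '
}

# Live check for the post's verification step: does SSSD now resolve the group?
# Usage: verify_group_sync user102 group1   (run after: sss_cache -E)
verify_group_sync() {
  id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# Constructed sample sssd.conf (domain name from the post's base DN; provider
# settings are assumptions) in the broken state the post describes.
SAMPLE_CONF='[sssd]
services = nss, pam, ssh
domains = novalocal

[domain/novalocal]
id_provider = ldap
ldap_uri = ldaps://freeipa.novalocal
ldap_search_base = dc=novalocal
ldap_group_object_class = posixGroup

[nss]
homedir_substring = /home'

# Stand-alone demo: print the corrected configuration. On a real node:
#   ensure_group_object_class < /etc/sssd/sssd.conf > /etc/sssd/sssd.conf.new
printf '%s\n' "$SAMPLE_CONF" | ensure_group_object_class
```

Keep the rewritten file owned by root with mode 0600, because SSSD refuses to start on a world-readable sssd.conf.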
Here is a quick and dirty guide on how to set up FreeIPA, an open source LDAP and Kerberos server. FreeIPA works best on Fedora, CentOS and Red Hat. Currently the latest release, FreeIPA 4.2, is included in Fedora, while 4.1 is included in CentOS. This guide will show you how to install FreeIPA 4.1 on CentOS 7. For those of you interested in installing it on an Ubuntu box, add the FreeIPA PPA to your repositories with:

# apt-add-repository ppa:freeipa/ppa
# apt-add-repository ppa:sssd/updates
# apt-get -y install openssh-server freeipa-client sssd

For CentOS you will need to:

# yum install ipa-server

Next we need to set up your FreeIPA server. I'll assume you know how to find your IP; enter your IP and FQDN into the /etc/hosts file as shown below:

# echo 192.168.1.2 ipa.mynetwork.local ipa >> /etc/hosts
# echo ipa.mynetwork.local > /etc/hostname

Next you have two options: you can manually go through the interactive installation, or you can enter a line similar to the one below to configure it all automatically. Using a one-liner like this has some additional benefits; for example, you cannot set mkhomedir through the walk-through installation (though you can set it afterwards once you log into the system).

# ipa-server-install -r MYNETWORK.LOCAL -n mynetwork.local --setup-dns --mkhomedir -p DirPass1234 -a AdminPass1234 --no-forwarders -U

For those who are interested, this is a break-down of the command listed above. You'll want to be sure to change both the Directory Manager and Administrator passwords to something secure.

Once this is complete you will need to open up your firewall by executing the following commands:

# firewall-cmd --permanent --add-service=ntp
# firewall-cmd --permanent --add-service=http
# firewall-cmd --permanent --add-service=https
# firewall-cmd --permanent --add-service=ldap
# firewall-cmd --permanent --add-service=ldaps
# firewall-cmd --permanent --add-service=kerberos
# firewall-cmd --permanent --add-service=kpasswd
# firewall-cmd --reload

Next you'll be able to log into your new server at: https://ipa.mynetwork.local/ipa/ui/

Be sure to log in using the username admin and the password you set up during the installation.
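A pre-flight check for the installation steps above, added here as example code that is not part of the original post: it validates that the hostname, domain, realm and address handed to ipa-server-install agree (and that the host does not resolve to loopback, which the installer rejects), builds the /etc/hosts line, and applies the post's firewall rules with a dry-run option. The values used are the post's sample values, not a real deployment.

```shell
#!/bin/sh
# Added example, not code from the original post. Checks the values given to
# ipa-server-install before running it, since the installer aborts on a host
# that is not fully qualified, not inside the realm's domain, or resolving to
# loopback. The sample values are the post's, not a real deployment.

# ipa_preflight FQDN DOMAIN REALM IP: prints the /etc/hosts line and returns 0,
# or prints the first problem on stderr and returns 1.
ipa_preflight() {
  fqdn=$1 domain=$2 realm=$3 ip=$4
  case "$fqdn" in
    *.*.*) ;;                                   # host plus a domain of >= 2 labels
    *) echo "FQDN needs a host and a domain: $fqdn" >&2; return 1 ;;
  esac
  case "$fqdn" in
    *".$domain") ;;
    *) echo "$fqdn is not inside domain $domain" >&2; return 1 ;;
  esac
  # FreeIPA's convention (and the installer default): realm = upper-cased domain.
  if [ "$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')" != "$realm" ]; then
    echo "realm $realm does not match domain $domain" >&2; return 1
  fi
  case "$ip" in
    127.*|::1|"") echo "loopback in /etc/hosts breaks the installer: $ip" >&2; return 1 ;;
  esac
  printf '%s %s %s\n' "$ip" "$fqdn" "${fqdn%%.*}"
}

# firewalld services the post opens for FreeIPA.
ipa_firewall_services() {
  echo "ntp http https ldap ldaps kerberos kpasswd"
}

# Apply the firewall rules from the post. Set DRY_RUN=1 to print the commands.
open_ipa_firewall() {
  for svc in $(ipa_firewall_services); do
    ${DRY_RUN:+echo} firewall-cmd --permanent --add-service="$svc" || return 1
  done
  ${DRY_RUN:+echo} firewall-cmd --reload
}

# Stand-alone demo with the post's sample values (dry run, nothing is changed).
ipa_preflight ipa.mynetwork.local mynetwork.local MYNETWORK.LOCAL 192.168.1.2 \
  && DRY_RUN=1 open_ipa_firewall
```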
Author: James Benson is an IT professional.