Syncing Users and Groups from LDAP into Apache Ranger

The previous post [on Colm's blog] covered how to install the Apache Ranger Admin service. The Apache Ranger Admin UI supports creating authorization policies for various Big Data components, by giving users and/or groups permissions on resources. This means that we need to import users/groups into the Apache Ranger Admin service from some backend service in order to create meaningful authorization policies. Apache Ranger supports syncing users into the Admin service from both unix and ldap. In this post, we'll look at syncing in users and groups from an OpenDS LDAP backend.

1) The OpenDS backend

For the purposes of this tutorial, we will use OpenDS as the LDAP server. It contains a domain called "dc=example,dc=com", and 5 users (alice/bob/dave/oscar/victor) and 2 groups (employee/manager). Victor, Oscar and Bob are employees, Alice and Dave are managers. Here is a screenshot using Apache Directory Studio:
 

 



 

 

 

 

Webinar >> Talend Open Studio for Big Data for Dummies

2) Build the Apache Ranger usersync module

Follow the steps in the previous tutorial to build Apache Ranger and to setup and start the Apache Ranger Admin service. Once this is done, go back to the Apache Ranger distribution that you have built and copy the usersync module:

- tar zxvf target/ranger-0.6.0-usersync.tar.gz

- mv ranger-0.6.0-usersync ${usersync.home}

3) Configure and build the Apache Ranger usersync service 

You will need to install the Apache Ranger Usersync service using "sudo". If the root user does not have a JAVA_HOME property defined, then edit ${usersync.home}/setup.sh + add in, e.g.:

- export JAVA_HOME=/opt/jdk1.8.0_91

Next edit ${usersync.home}/install.properties and make the following changes:

- POLICY_MGR_URL = http://localhost:6080

- SYNC_SOURCE = ldap

- SYNC_INTERVAL = 1 (just for testing purposes....)

- SYNC_LDAP_URL = ldap://localhost:2389

- SYNC_LDAP_BIND_DN = cn=Directory Manager,dc=example,dc=com

- SYNC_LDAP_BIND_PASSWORD = test

- SYNC_LDAP_SEARCH_BASE = dc=example,dc=com

- SYNC_LDAP_USER_SEARCH_BASE = ou=users,dc=example,dc=com

- SYNC_GROUP_SEARCH_BASE=ou=groups,dc=example,dc=com

Now you can run the setup script via "sudo ./setup.sh". 

4) Start the Usersync service

The Apache Ranger Usersync service can be started via "sudo ./ranger-usersync-services.sh start". After 1 minute (see SYNC_INTERVAL above), it should successfully copy the users/groups from the OpenDS backend into the Apache Ranger Admin. Open a browser and go to "http://localhost:6080", and click on "Settings" and then "Users/Groups". You should see the users and groups synced successfully from OpenDS.
 

 

More about Colm O hEigeartaigh

Colm O hEigeartaigh is an ASF member and committer of Apache Santuario, Apache Webservices and Apache CXF.
Colm has an expert knowledge of computer security, and holds a doctorate in cryptography. At Talend, he is a software architect in the Application Integration division. In addition to his other Apache leadership positions, he leads development on the Apache WSS4j subproject.

Related Resources

5 Ways to Become A Data Integration Hero

Products Mentioned

Talend Data Integration

 

Share

Leave a comment

Neuen Kommentar schreiben

More information?