Repository: incubator-ranger Updated Branches: refs/heads/master 47c035603 -> 1d5471ae3
Ranger-869: Including review comments for Group based search Signed-off-by: Velmurugan Periasamy <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/1d5471ae Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/1d5471ae Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/1d5471ae Branch: refs/heads/master Commit: 1d5471ae30e6231e9475f447ded24033efe3547d Parents: 47c0356 Author: Sailaja Polavarapu <[email protected]> Authored: Thu Mar 31 14:09:37 2016 -0700 Committer: Velmurugan Periasamy <[email protected]> Committed: Sat Apr 2 10:09:17 2016 -0400 ---------------------------------------------------------------------- .../process/LdapUserGroupBuilder.java | 456 ++++++++++++++----- .../config/UserGroupSyncConfig.java | 42 ++ .../process/PolicyMgrUserGroupBuilder.java | 45 ++ .../ranger/usergroupsync/UserGroupSink.java | 2 + .../ranger/usergroupsync/LdapUserGroupTest.java | 152 ++++++- .../PolicyMgrUserGroupBuilderTest.java | 7 + ugsync/src/test/resources/ADSchema.ldif | 24 + .../src/test/resources/ranger-ugsync-site.xml | 10 + 8 files changed, 609 insertions(+), 129 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1d5471ae/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java ---------------------------------------------------------------------- diff --git a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java index 670d8c5..e68a52f 100644 --- a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java +++ b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java 
@@ -21,6 +21,7 @@ import java.util.ArrayList; +import java.util.Arrays; import java.util.HashMap; import java.util.HashSet; import java.util.List; @@ -77,6 +78,8 @@ public class LdapUserGroupBuilder implements UserGroupSource { private boolean pagedResultsEnabled = true; private int pagedResultsSize = 500; + private boolean groupSearchFirstEnabled = false; + private boolean userSearchEnabled = false; private boolean groupSearchEnabled = true; private String[] groupSearchBase; private int groupSearchScope; @@ -101,6 +104,7 @@ public class LdapUserGroupBuilder implements UserGroupSource { Mapper userNameRegExInst = null; Mapper groupNameRegExInst = null; private Map<String, UserInfo> userGroupMap; + private Set<String> usersList; public static void main(String[] args) throws Throwable { LdapUserGroupBuilder ugBuilder = new LdapUserGroupBuilder(); 
@@ -162,31 +166,24 @@ public class LdapUserGroupBuilder implements UserGroupSource { LOG.error("Failed to load " + mappingGroupNameHandler + " " + cne); } catch (Throwable te) { LOG.error("Failed to instantiate " + mappingGroupNameHandler + " " + te); - } + } + } @Override - public void init() { - // do nothing + public void init() throws Throwable{ + setConfig(); } private void createLdapContext() throws Throwable { - LOG.info("LdapUserGroupBuilder initialization started"); - - ldapUrl = config.getLdapUrl(); - ldapBindDn = config.getLdapBindDn(); - ldapBindPassword = config.getLdapBindPassword(); - //ldapBindPassword = "admin-password"; - ldapAuthenticationMechanism = config.getLdapAuthenticationMechanism(); - ldapReferral = config.getContextReferral(); Properties env = new Properties(); env.put(Context.INITIAL_CONTEXT_FACTORY, - "com.sun.jndi.ldap.LdapCtxFactory"); + "com.sun.jndi.ldap.LdapCtxFactory"); env.put(Context.PROVIDER_URL, ldapUrl); if (ldapUrl.startsWith("ldaps") && (config.getSSLTrustStorePath() != null && !config.getSSLTrustStorePath().trim().isEmpty())) { env.put("java.naming.ldap.factory.socket", "org.apache.ranger.ldapusersync.process.CustomSSLSocketFactory"); - } - + } + ldapContext = new InitialLdapContext(env, null); if (!ldapUrl.startsWith("ldaps")) { if (config.isStartTlsEnabled()) { 
@@ -199,14 +196,26 @@ public class LdapUserGroupBuilder implements UserGroupSource { LOG.info("Starting TLS session..."); } } - + ldapContext.addToEnvironment(Context.SECURITY_PRINCIPAL, ldapBindDn); ldapContext.addToEnvironment(Context.SECURITY_CREDENTIALS, ldapBindPassword); ldapContext.addToEnvironment(Context.SECURITY_AUTHENTICATION, ldapAuthenticationMechanism); ldapContext.addToEnvironment(Context.REFERRAL, ldapReferral) ; - - searchBase = config.getSearchBase(); + } + + private void setConfig() throws Throwable { + LOG.info("LdapUserGroupBuilder initialization started"); + groupSearchFirstEnabled = config.isGroupSearchFirstEnabled(); + userSearchEnabled = config.isUserSearchEnabled(); + ldapUrl = config.getLdapUrl(); + ldapBindDn = config.getLdapBindDn(); + ldapBindPassword = config.getLdapBindPassword(); + //ldapBindPassword = "admin-password"; + ldapAuthenticationMechanism = config.getLdapAuthenticationMechanism(); + ldapReferral = config.getContextReferral(); + searchBase = config.getSearchBase(); + userSearchBase = config.getUserSearchBase().split(";"); userSearchScope = config.getUserSearchScope(); userObjectClass = config.getUserObjectClass(); @@ -217,6 +226,7 @@ public class LdapUserGroupBuilder implements UserGroupSource { if (!customFilter.startsWith("(")) { customFilter = "(" + customFilter + ")"; } + extendedUserSearchFilter = "(&" + extendedUserSearchFilter + customFilter + ")"; } 
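Review bot: The commented-out assignment `//ldapBindPassword = "admin-password";` is carried over into the new `setConfig()`; it looks like a leftover debugging override for the bind credential and should be deleted rather than moved. `setConfig()` also has no comment recording that `createLdapContext()` now depends on the fields it fills. A short Javadoc such as `/** Loads all LDAP settings from config; must run (via init()) before any search. */` would make that ordering explicit. The body of `setConfig()` continues past the end of this hunk.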
@@ -256,14 +266,22 @@ public class LdapUserGroupBuilder implements UserGroupSource { extendedGroupSearchFilter = extendedGroupSearchFilter + customFilter; } extendedAllGroupsSearchFilter = "(&" + extendedGroupSearchFilter + ")"; - extendedGroupSearchFilter = "(&" + extendedGroupSearchFilter + "(" + groupMemberAttributeName + "={0})" + ")"; - + if (!groupSearchFirstEnabled) { + extendedGroupSearchFilter = "(&" + extendedGroupSearchFilter + "(" + groupMemberAttributeName + "={0})" + ")"; + } groupUserMapSyncEnabled = config.isGroupUserMapSyncEnabled(); groupSearchControls = new SearchControls(); groupSearchControls.setSearchScope(groupSearchScope); - String[] groupSearchAttributes = new String[]{groupNameAttribute}; - groupSearchControls.setReturningAttributes(groupSearchAttributes); + //String[] groupSearchAttributes = new String[]{groupNameAttribute}; + //groupSearchControls.setReturningAttributes(groupSearchAttributes); + + Set<String> groupSearchAttributes = new HashSet<String>(); + groupSearchAttributes.add(groupNameAttribute); + groupSearchAttributes.add(groupMemberAttributeName); + + groupSearchControls.setReturningAttributes(groupSearchAttributes.toArray( + new String[groupSearchAttributes.size()])); if (LOG.isInfoEnabled()) { LOG.info("LdapUserGroupBuilder initialization completed with -- " @@ -272,7 +290,7 @@ public class LdapUserGroupBuilder implements UserGroupSource { + ", ldapBindPassword: ***** " + ", ldapAuthenticationMechanism: " + ldapAuthenticationMechanism + ", searchBase: " + searchBase - + ", userSearchBase: " + userSearchBase + + ", userSearchBase: " + Arrays.toString(userSearchBase) + ", userSearchScope: " + userSearchScope + ", userObjectClass: " + userObjectClass + ", userSearchFilter: " + userSearchFilter 
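Review bot: `groupSearchAttributes.add(groupMemberAttributeName)` is unconditional, so in user-search-first mode every per-user group query now also returns each matching group's full member list, which the visible `getGroups` code never reads in that mode. Guarding it with `if (groupSearchFirstEnabled) { groupSearchAttributes.add(groupMemberAttributeName); }` keeps responses small for large groups. The two commented-out lines (`//String[] groupSearchAttributes ...`, `//groupSearchControls.setReturningAttributes(...)`) can be removed. The enclosing method starts and ends outside this hunk.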
@@ -283,7 +301,7 @@ public class LdapUserGroupBuilder implements UserGroupSource { + ", pagedResultsEnabled: " + pagedResultsEnabled + ", pagedResultsSize: " + pagedResultsSize + ", groupSearchEnabled: " + groupSearchEnabled - + ", groupSearchBase: " + groupSearchBase + + ", groupSearchBase: " + Arrays.toString(groupSearchBase) + ", groupSearchScope: " + groupSearchScope + ", groupObjectClass: " + groupObjectClass + ", groupSearchFilter: " + groupSearchFilter @@ -291,7 +309,10 @@ public class LdapUserGroupBuilder implements UserGroupSource { + ", extendedAllGroupsSearchFilter: " + extendedAllGroupsSearchFilter + ", groupMemberAttributeName: " + groupMemberAttributeName + ", groupNameAttribute: " + groupNameAttribute + + ", groupSearchAttributes: " + groupSearchAttributes + ", groupUserMapSyncEnabled: " + groupUserMapSyncEnabled + + ", groupSearchFirstEnabled: " + groupSearchFirstEnabled + + ", userSearchEnabled: " + userSearchEnabled + ", ldapReferral: " + ldapReferral ); } @@ -302,7 +323,6 @@ public class LdapUserGroupBuilder implements UserGroupSource { if (tls != null) { tls.close(); } - if (ldapContext != null) { ldapContext.close(); } 
@@ -318,9 +338,71 @@ public class LdapUserGroupBuilder implements UserGroupSource { public void updateSink(UserGroupSink sink) throws Throwable { LOG.info("LDAPUserGroupBuilder updateSink started"); userGroupMap = new HashMap<String, UserInfo>(); + if (!groupSearchFirstEnabled) { + LOG.info("Performing user search first"); + getUsers(sink); + + LOG.debug("Total No. of users saved = " + userGroupMap.size()); + //Iterator<UserInfo> userInfoIterator = userGroupMap. + for (UserInfo userInfo : userGroupMap.values()) { + String userName = userInfo.getUserName(); + if (groupSearchEnabled) { + // Perform group search + LOG.info("groupSearch is enabled, would search for groups and compute memberships"); + getGroups(sink, userInfo); + } + List<String> groupList = userInfo.getGroups(); + try { + sink.addOrUpdateUser(userName, groupList); + } catch (Throwable t) { + LOG.error("sink.addOrUpdateUser failed with exception: " + t.getMessage() + + ", for user: " + userName + + ", groups: " + groupList); + } + } + + } else { + LOG.info("Performing Group search first"); + getGroups(sink, null); + if (userSearchEnabled) { + LOG.info("User search is enabled and hence computing user membership."); + getUsers(sink); + } else { + LOG.info("User search is disabled and hence using the group member attribute for username."); + // Go through the userInfo map and update ranger admin. 
+ for (UserInfo userInfo : userGroupMap.values()) { + String userName = userInfo.getUserName(); + if (userNameCaseConversionFlag) { + if (userNameLowerCaseFlag) { + userName = userName.toLowerCase() ; + } + else { + userName = userName.toUpperCase() ; + } + } + + if (userNameRegExInst != null) { + userName = userNameRegExInst.transform(userName); + } + List<String> groupList = userInfo.getGroups(); + try { + sink.addOrUpdateUser(userName, groupList); + } catch (Throwable t) { + LOG.error("sink.addOrUpdateUser failed with exception: " + t.getMessage() + + ", for user: " + userName + + ", groups: " + groupList); + } + } + } + } + } + + private void getUsers(UserGroupSink sink) throws Throwable { + UserInfo userInfo; NamingEnumeration<SearchResult> userSearchResultEnum = null; NamingEnumeration<SearchResult> groupSearchResultEnum = null; try { + //setConfig(); createLdapContext(); int total; // Activate paged results @@ -337,6 +419,7 @@ public class LdapUserGroupBuilder implements UserGroupSource { userSearchResultEnum = ldapContext .search(userSearchBase[ou], extendedUserSearchFilter, userSearchControls); + while (userSearchResultEnum.hasMore()) { // searchResults contains all the user entries final SearchResult userEntry = userSearchResultEnum.next(); 
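Review bot: In the user-search-first branch `getGroups(sink, userInfo)` is called once per entry of `userGroupMap`, and `getGroups` (later hunk) calls `createLdapContext()` and closes the context in its `finally`, so the sync now connects and binds once per user where the removed `getUserGroups` opened a single context before its loop. That multiplies load on the directory, and with simple authentication over a non-TLS connection it also multiplies how often the bind credential is sent. Consider opening the context once in `updateSink` around the loop and letting `getGroups` reuse it. Separately, both `catch (Throwable t)` blocks log only `t.getMessage()`; passing `t` as the second argument to `LOG.error` would keep the stack trace for failed user updates.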
@@ -389,63 +472,85 @@ public class LdapUserGroupBuilder implements UserGroupSource { userName = userNameRegExInst.transform(userName); } - UserInfo userInfo = new UserInfo(userName, userEntry.getNameInNamespace()); - Set<String> groups = new HashSet<String>(); - - // Get all the groups from the group name attribute of the user only when group search is not enabled. - if (!groupSearchEnabled) { - for (String useGroupNameAttribute : userGroupNameAttributeSet) { - Attribute userGroupfAttribute = userEntry.getAttributes().get(useGroupNameAttribute); - if (userGroupfAttribute != null) { - NamingEnumeration<?> groupEnum = userGroupfAttribute.getAll(); - while (groupEnum.hasMore()) { - String gName = getShortGroupName((String) groupEnum - .next()); - if (groupNameCaseConversionFlag) { - if (groupNameLowerCaseFlag) { - gName = gName.toLowerCase(); - } else { - gName = gName.toUpperCase(); + if (!groupSearchFirstEnabled) { + userInfo = new UserInfo(userName, userEntry.getNameInNamespace()); + Set<String> groups = new HashSet<String>(); + + // Get all the groups from the group name attribute of the user only when group search is not enabled. + if (!groupSearchEnabled) { + for (String useGroupNameAttribute : userGroupNameAttributeSet) { + Attribute userGroupfAttribute = userEntry.getAttributes().get(useGroupNameAttribute); + if (userGroupfAttribute != null) { + NamingEnumeration<?> groupEnum = userGroupfAttribute.getAll(); + while (groupEnum.hasMore()) { + String gName = getShortGroupName((String) groupEnum + .next()); + if (groupNameCaseConversionFlag) { + if (groupNameLowerCaseFlag) { + gName = gName.toLowerCase(); + } else { + gName = gName.toUpperCase(); + } } + if (groupNameRegExInst != null) { + gName = groupNameRegExInst.transform(gName); + } + groups.add(gName); } - if (groupNameRegExInst != null) { - gName = groupNameRegExInst.transform(gName); - } - groups.add(gName); } } } - } - userInfo.addGroups(groups); - //populate the userGroupMap with username, userInfo. 
- //userInfo contains details of user that will be later used for - //group search to compute group membership as well as to call sink.addOrUpdateUser() - if (userGroupMap.containsKey(userName)) { - LOG.warn("user object with username " + userName + " already exists and is replaced with the latest user object." ); - } - userGroupMap.put(userName, userInfo); - - //List<String> groupList = new ArrayList<String>(groups); - List<String> groupList = userInfo.getGroups(); - counter++; - if (counter <= 2000) { - if (LOG.isInfoEnabled()) { - LOG.info("Updating user count: " + counter - + ", userName: " + userName + ", groupList: " - + groupList); + userInfo.addGroups(groups); + //populate the userGroupMap with username, userInfo. + //userInfo contains details of user that will be later used for + //group search to compute group membership as well as to call sink.addOrUpdateUser() + if (userGroupMap.containsKey(userName)) { + LOG.warn("user object with username " + userName + " already exists and is replaced with the latest user object." ); } - if ( counter == 2000 ) { - LOG.info("===> 2000 user records have been synchronized so far. From now on, only a summary progress log will be written for every 100 users. To continue to see detailed log for every user, please enable Trace level logging. <==="); + userGroupMap.put(userName, userInfo); + + //List<String> groupList = new ArrayList<String>(groups); + List<String> groupList = userInfo.getGroups(); + counter++; + if (counter <= 2000) { + if (LOG.isInfoEnabled()) { + LOG.info("Updating user count: " + counter + + ", userName: " + userName + ", groupList: " + + groupList); + } + if ( counter == 2000 ) { + LOG.info("===> 2000 user records have been synchronized so far. From now on, only a summary progress log will be written for every 100 users. To continue to see detailed log for every user, please enable Trace level logging. 
<==="); + } + } else { + if (LOG.isTraceEnabled()) { + LOG.trace("Updating user count: " + counter + + ", userName: " + userName + ", groupList: " + + groupList); + } else { + if ( counter % 100 == 0) { + LOG.info("Synced " + counter + " users till now"); + } + } } } else { - if (LOG.isTraceEnabled()) { - LOG.trace("Updating user count: " + counter - + ", userName: " + userName + ", groupList: " - + groupList); - } else { - if ( counter % 100 == 0) { - LOG.info("Synced " + counter + " users till now"); + // If the user from the search result is present in the usersList, + // then update user name in the userInfo map with the value from the search result + // and update ranger admin. + String userFullName = (userEntry.getNameInNamespace()).toLowerCase(); + LOG.info("Chekcing if the user " + userFullName + " is part of the retrieved groups"); + if (usersList != null && usersList.contains(userFullName)) { + counter++; + userInfo = userGroupMap.get(userFullName); + LOG.info("Updating username for " + userFullName + " with " + userName); + userInfo.updateUserName(userName); + List<String> groupList = userInfo.getGroups(); + try { + sink.addOrUpdateUser(userName, groupList); + } catch (Throwable t) { + LOG.error("sink.addOrUpdateUser failed with exception: " + t.getMessage() + + ", for user: " + userName + + ", groups: " + groupList); } } } @@ -477,7 +582,7 @@ public class LdapUserGroupBuilder implements UserGroupSource { new PagedResultsControl(PAGE_SIZE, cookie, Control.CRITICAL) }); } } while (cookie != null); - LOG.info("LDAPUserGroupBuilder.updateSink() completed with user count: " + LOG.info("LDAPUserGroupBuilder.getUsers() completed with user count: " + counter); } 
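Review bot: Membership matching in the group-first branch compares DNs as lower-cased strings, `(userEntry.getNameInNamespace()).toLowerCase()` against the values stored in `usersList`, so a member value that differs only in spacing or escaping (`CN=a, OU=b` versus `CN=a,OU=b`) does not match and that user is silently left out of the sync. Comparing parsed names (`new LdapName(dn)` on both sides) avoids this, and if strings are kept, `toLowerCase(Locale.ROOT)` avoids locale-dependent folding. The per-entry `LOG.info("Chekcing if the user ...")` (typo for "Checking") writes every DN at info level and bypasses the 2000-record throttling used in the other branch; `LOG.debug` would be the better level. The enclosing search loop of `getUsers` starts and ends outside this hunk.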
@@ -491,80 +596,158 @@ public class LdapUserGroupBuilder implements UserGroupSource { } closeLdapContext(); } - // Perform group search - getUserGroups(sink); } - private void getUserGroups(UserGroupSink sink) throws Throwable { + private void getGroups(UserGroupSink sink, UserInfo userInfo) throws Throwable { NamingEnumeration<SearchResult> groupSearchResultEnum = null; - LOG.debug("Total No. of users saved = " + userGroupMap.size()); - if (groupSearchEnabled) { - LOG.info("groupSearch is enabled, would search for groups and compute memberships"); + usersList = new HashSet<String>(); + try { + //setConfig(); createLdapContext(); - } - - //java.util.Iterator<UserInfo> userInfoIterator = userGroupMap. - for (UserInfo userInfo : userGroupMap.values()) { - //UserInfo userInfo = userInfoIterator.next(); - String userName = userInfo.getUserName(); - if (groupSearchEnabled) { - for (int ou=0; ou<groupSearchBase.length; ou++) { - try { + int total; + // Activate paged results + if (pagedResultsEnabled) { + ldapContext.setRequestControls(new Control[]{ + new PagedResultsControl(pagedResultsSize, Control.NONCRITICAL) }); + } + for (int ou=0; ou<groupSearchBase.length; ou++) { + byte[] cookie = null; + int counter = 0; + do { + if (!groupSearchFirstEnabled) { + if (userInfo == null) { + // Should never reach this. 
+ LOG.error("No user information provided for group search!"); + return; + } groupSearchResultEnum = ldapContext .search(groupSearchBase[ou], extendedGroupSearchFilter, new Object[]{userInfo.getUserFullName()}, groupSearchControls); - Set<String> computedGroups = new HashSet<String>(); - while (groupSearchResultEnum.hasMore()) { - final SearchResult groupEntry = groupSearchResultEnum.next(); - if (groupEntry != null) { - Attribute groupNameAttr = groupEntry.getAttributes().get(groupNameAttribute); - if (groupNameAttr == null) { - if (LOG.isInfoEnabled()) { - LOG.info(groupNameAttribute + " empty for entry " + groupEntry.getNameInNamespace() + - ", skipping sync"); - } + } else { + // If group based search is enabled, then first retrieve all the groups based on the group configuration. + groupSearchResultEnum = ldapContext + .search(groupSearchBase[ou], extendedAllGroupsSearchFilter, + groupSearchControls); + } + //Set<String> computedGroups = new HashSet<String>(); + while (groupSearchResultEnum.hasMore()) { + final SearchResult groupEntry = groupSearchResultEnum.next(); + if (groupEntry != null) { + counter++; + Attribute groupNameAttr = groupEntry.getAttributes().get(groupNameAttribute); + if (groupNameAttr == null) { + if (LOG.isInfoEnabled()) { + LOG.info(groupNameAttribute + " empty for entry " + groupEntry.getNameInNamespace() + + ", skipping sync"); + } + continue; + } + String gName = (String) groupNameAttr.get(); + if (groupNameCaseConversionFlag) { + if (groupNameLowerCaseFlag) { + gName = gName.toLowerCase(); + } else { + gName = gName.toUpperCase(); + } + } + if (groupNameRegExInst != null) { + gName = groupNameRegExInst.transform(gName); + } + if (!groupSearchFirstEnabled) { + //computedGroups.add(gName); + if (LOG.isInfoEnabled()) { + LOG.info("computed groups for user: " + userInfo.getUserName() +", groups: " + gName); + } + userInfo.addGroup(gName); + } else { + // If group based search is enabled, then + // update the group name to ranger admin + 
// check for group members and populate userInfo object with user's full name and group mapping + Attribute groupMemberAttr = groupEntry.getAttributes().get(groupMemberAttributeName); + LOG.debug("Update Ranger admin with " + gName); + sink.addOrUpdateGroup(gName); + int userCount = 0; + if (groupMemberAttr == null || groupMemberAttr.size() <= 0) { + LOG.info("No members available for " + gName); continue; } - String gName = (String) groupNameAttr.get(); - if (groupNameCaseConversionFlag) { - if (groupNameLowerCaseFlag) { - gName = gName.toLowerCase(); + NamingEnumeration<?> userEnum = groupMemberAttr.getAll(); + while (userEnum.hasMore()) { + String userFullName = (String) userEnum.next(); + if (userFullName == null || userFullName.trim().isEmpty()) { + continue; + } + userFullName = userFullName.toLowerCase(); + userCount++; + /* If user search is enabled, then the username is updated later + * based on the user search config (in getUsers() method) else + * use user's short name as the username and use that in the map. + */ + if (userSearchEnabled) { + if (!userGroupMap.containsKey(userFullName)) { + userInfo = new UserInfo(userFullName, userFullName); + userGroupMap.put(userFullName, userInfo); + } else { + userInfo = userGroupMap.get(userFullName); + } + LOG.info("Adding " + gName + " to user " + userInfo.getUserFullName()); + userInfo.addGroup(gName); + usersList.add(userFullName); } else { - gName = gName.toUpperCase(); + String userShortName = getShortUserName(userFullName); + if (!userGroupMap.containsKey(userShortName)) { + userInfo = new UserInfo(userShortName, userFullName); + userGroupMap.put(userShortName, userInfo); + } else { + userInfo = userGroupMap.get(userShortName); + } + LOG.debug("Adding " + gName + " to user " + userInfo.getUserName()); + userInfo.addGroup(gName); } } - if (groupNameRegExInst != null) { - gName = groupNameRegExInst.transform(gName); - } - computedGroups.add(gName); + LOG.info("No. 
of members in the group " + gName + " = " + userCount); } } - if (LOG.isInfoEnabled()) { - LOG.info("computed groups for user: " + userName +", groups: " + computedGroups); - } - userInfo.addGroups(computedGroups); - - } finally { - if (groupSearchResultEnum != null) { - groupSearchResultEnum.close(); + } + // Examine the paged results control response + Control[] controls = ldapContext.getResponseControls(); + if (controls != null) { + for (int i = 0; i < controls.length; i++) { + if (controls[i] instanceof PagedResultsResponseControl) { + PagedResultsResponseControl prrc = + (PagedResultsResponseControl)controls[i]; + total = prrc.getResultSize(); + if (total != 0) { + LOG.debug("END-OF-PAGE total : " + total); + } else { + LOG.debug("END-OF-PAGE total : unknown"); + } + cookie = prrc.getCookie(); + } } + } else { + LOG.debug("No controls were sent from the server"); } - } + // Re-activate paged results + if (pagedResultsEnabled) { + ldapContext.setRequestControls(new Control[]{ + new PagedResultsControl(PAGE_SIZE, cookie, Control.CRITICAL) }); + } + } while (cookie != null); + LOG.info("LDAPUserGroupBuilder.getGroups() completed with group count: " + + counter); } - List<String> groupList = userInfo.getGroups(); - try { - sink.addOrUpdateUser(userName, groupList); - } catch (Throwable t) { - LOG.error("sink.addOrUpdateUser failed with exception: " + t.getMessage() - + ", for user: " + userName - + ", groups: " + groupList); + + + } finally { + if (groupSearchResultEnum != null) { + groupSearchResultEnum.close(); } - } - if (groupSearchEnabled) { closeLdapContext(); } } + private static String getShortGroupName(String longGroupName) throws InvalidNameException { if (longGroupName == null) { 
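Review bot: With group search first and user search disabled, `userGroupMap` is keyed by `getShortUserName(userFullName)`, so two member DNs that share the same first RDN value (for example the same CN under different OUs) resolve to one `UserInfo`, and that user is later sent to the sink with the union of both accounts' groups. Since these groups presumably feed authorization decisions, the `else` branch that reuses an existing entry should detect the clash instead of calling `addGroup`, e.g. `if (!userFullName.equals(userInfo.getUserFullName())) { LOG.warn("Short name " + userShortName + " already used by another DN, skipping " + userFullName); continue; }`. In the same hunk the paging re-activation uses `PAGE_SIZE` with `Control.CRITICAL` while the initial control uses `pagedResultsSize` with `Control.NONCRITICAL`; `new PagedResultsControl(pagedResultsSize, cookie, Control.CRITICAL)` would honour the configured page size. `groupSearchResultEnum` is reassigned for every search base and page but closed only once in `finally`, so earlier enumerations are never closed.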
@@ -582,6 +765,22 @@ public class LdapUserGroupBuilder implements UserGroupSource { return groupName; } + private static String getShortUserName(String longUserName) throws InvalidNameException { + if (longUserName == null) { + return null; + } + StringTokenizer stc = new StringTokenizer(longUserName, ","); + String firstToken = stc.nextToken(); + StringTokenizer ste = new StringTokenizer(firstToken, "="); + String userName = ste.nextToken(); + if (ste.hasMoreTokens()) { + userName = ste.nextToken(); + } + userName = userName.trim(); + LOG.info("longUserName: " + longUserName + ", userName: " + userName); + return userName; + } + } class UserInfo { @@ -595,6 +794,10 @@ class UserInfo { this.groupList = new HashSet<String>(); } + public void updateUserName(String userName) { + this.userName = userName; + } + public String getUserName() { return userName; } @@ -604,6 +807,9 @@ class UserInfo { public void addGroups(Set<String> groups) { groupList.addAll(groups); } + public void addGroup(String group) { + groupList.add(group); + } public List<String> getGroups() { return (new ArrayList<String>(groupList)); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1d5471ae/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java ---------------------------------------------------------------------- diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java b/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java index e7b00ca..6cfb394 100644 --- a/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java +++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java 
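Review bot: `getShortUserName` splits the DN with `StringTokenizer` on `,` and `=`, which mishandles escaped separators (`CN=Smith\, John,OU=...` yields `Smith\`) and throws `NoSuchElementException` on an empty string; the result becomes the user name sent to the sink when user search is disabled. The method already declares `InvalidNameException`, so parsing with `javax.naming.ldap.LdapName` fits: `LdapName dn = new LdapName(longUserName);` followed by `String userName = String.valueOf(dn.getRdn(dn.size() - 1).getValue()).trim();`, returning null when `dn.isEmpty()`. The `LOG.info` of every DN and derived name would be better at debug level. The context lines suggest `getShortGroupName` uses the same tokenizer approach, but its body is outside this hunk.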
@@ -149,6 +149,16 @@ public class UserGroupSyncConfig { private static final String LGSYNC_GROUP_SEARCH_ENABLED = "ranger.usersync.group.searchenabled"; private static final boolean DEFAULT_LGSYNC_GROUP_SEARCH_ENABLED = false; + + private static final String LGSYNC_GROUP_SEARCH_FIRST_ENABLED = "ranger.usersync.group.search.first.enabled"; + private static final boolean DEFAULT_LGSYNC_GROUP_SEARCH_FIRST_ENABLED = false; + +/*This flag (ranger.usersync.user.searchenabled) is used only when group search first is enabled to get username either - + * from the group member attribute of the group or + * from the additional user search based on the user attribute configuration + */ + private static final String LGSYNC_USER_SEARCH_ENABLED = "ranger.usersync.user.searchenabled"; + private static final boolean DEFAULT_LGSYNC_USER_SEARCH_ENABLED = false; private static final String LGSYNC_GROUP_USER_MAP_SYNC_ENABLED = "ranger.usersync.group.usermapsyncenabled"; private static final boolean DEFAULT_LGSYNC_GROUP_USER_MAP_SYNC_ENABLED = false; @@ -657,6 +667,28 @@ public class UserGroupSyncConfig { } return groupSearchEnabled; } + + public boolean isGroupSearchFirstEnabled() { + boolean groupSearchFirstEnabled; + String val = prop.getProperty(LGSYNC_GROUP_SEARCH_FIRST_ENABLED); + if(val == null || val.trim().isEmpty()) { + groupSearchFirstEnabled = DEFAULT_LGSYNC_GROUP_SEARCH_FIRST_ENABLED; + } else { + groupSearchFirstEnabled = Boolean.valueOf(val); + } + return groupSearchFirstEnabled; + } + + public boolean isUserSearchEnabled() { + boolean userSearchEnabled; + String val = prop.getProperty(LGSYNC_USER_SEARCH_ENABLED); + if(val == null || val.trim().isEmpty()) { + userSearchEnabled = DEFAULT_LGSYNC_USER_SEARCH_ENABLED; + } else { + userSearchEnabled = Boolean.valueOf(val); + } + return userSearchEnabled; + } public boolean isGroupUserMapSyncEnabled() { boolean groupUserMapSyncEnabled; 
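Review bot: `isGroupSearchFirstEnabled()` and `isUserSearchEnabled()` test `val.trim().isEmpty()` but then parse the untrimmed string with `Boolean.valueOf(val)`, so a value such as `true ` with trailing whitespace silently evaluates to false and the sync runs in the other search order without any warning. Use `Boolean.parseBoolean(val.trim())` in both methods, which also avoids the boxing. The block comment for `ranger.usersync.user.searchenabled` starts at column 0 and would read better as a Javadoc comment indented with the constant it describes.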
@@ -887,4 +919,14 @@ public class UserGroupSyncConfig { public void setGroupSearchBase(String groupSearchBase) throws Throwable { prop.setProperty(LGSYNC_GROUP_SEARCH_BASE, groupSearchBase); } + + /* Used only for unit testing */ + public void setGroupSearchFirstEnabled(boolean groupSearchFirstEnabled) { + prop.setProperty(LGSYNC_GROUP_SEARCH_FIRST_ENABLED, String.valueOf(groupSearchFirstEnabled)); + } + + /* Used only for unit testing */ + public void setUserSearchEnabled(boolean userSearchEnabled) { + prop.setProperty(LGSYNC_USER_SEARCH_ENABLED, String.valueOf(userSearchEnabled)); + } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1d5471ae/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java ---------------------------------------------------------------------- diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java index 67379d5..20466ab 100644 --- a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java +++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java 
@@ -815,5 +815,50 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink { return ret; } + + @Override + public void addOrUpdateGroup(String groupName) { + XGroupInfo group = groupName2XGroupInfoMap.get(groupName) ; + + if (group == null) { // Does not exists + + //* Build the group info object and do the rest call + if ( ! isMockRun ) { + group = addGroupInfo(groupName); + if ( group != null) { + addGroupToList(group); + } + } + } + } + + private XGroupInfo addGroupInfo(String groupName){ + XGroupInfo ret = null; + XGroupInfo group = null; + + LOG.debug("INFO: addPMXAGroup(" + groupName + ")" ) ; + if (! isMockRun) { + group = addXGroupInfo(groupName) ; + } + + Client c = getClient(); + + WebResource r = c.resource(getURL(PM_ADD_GROUP_URI)); + + Gson gson = new GsonBuilder().create(); + + String jsonString = gson.toJson(group); + + LOG.debug("Group" + jsonString); + + String response = r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).post(String.class, jsonString) ; + + LOG.debug("RESPONSE: [" + response + "]") ; + + ret = gson.fromJson(response, XGroupInfo.class); + + return ret; + } + } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1d5471ae/ugsync/src/main/java/org/apache/ranger/usergroupsync/UserGroupSink.java ---------------------------------------------------------------------- diff --git a/ugsync/src/main/java/org/apache/ranger/usergroupsync/UserGroupSink.java b/ugsync/src/main/java/org/apache/ranger/usergroupsync/UserGroupSink.java index 0443185..c9b5f1a 100644 --- a/ugsync/src/main/java/org/apache/ranger/usergroupsync/UserGroupSink.java +++ b/ugsync/src/main/java/org/apache/ranger/usergroupsync/UserGroupSink.java 
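Review bot: `addGroupInfo` posts to `PM_ADD_GROUP_URI` with no error handling, and `addOrUpdateGroup` is called from `getGroups` outside any try/catch (unlike `addOrUpdateUser`), so a single failed REST call propagates and aborts the group sync part-way, leaving the policy manager with a partial group set. Catching the failure around the post and returning null lets the existing `group != null` check in `addOrUpdateGroup` skip `addGroupToList` and lets the remaining groups continue. The inner `if (! isMockRun)` duplicates the caller's check, and if it were ever false the method would still post the JSON of a null `group`; an early `return null` there is clearer. The debug message `"INFO: addPMXAGroup(...)"` also names a different method and log level than the one it is in.
```java
private XGroupInfo addGroupInfo(String groupName){
    // … unchanged: build group, client, resource and jsonString …
    try {
        String response = r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).post(String.class, jsonString);
        LOG.debug("RESPONSE: [" + response + "]");
        ret = gson.fromJson(response, XGroupInfo.class);
    } catch (Exception e) {
        // Keep syncing the remaining groups; the caller skips a null result.
        LOG.error("Failed to add group " + groupName + " to policy manager", e);
    }
    return ret;
}
```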
@@ -25,4 +25,6 @@ public interface UserGroupSink { public void init() throws Throwable; public void addOrUpdateUser(String user, List<String> groups); + + public void addOrUpdateGroup(String group); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1d5471ae/ugsync/src/test/java/org/apache/ranger/usergroupsync/LdapUserGroupTest.java ---------------------------------------------------------------------- diff --git a/ugsync/src/test/java/org/apache/ranger/usergroupsync/LdapUserGroupTest.java b/ugsync/src/test/java/org/apache/ranger/usergroupsync/LdapUserGroupTest.java index 8d75e10..df8adf3 100644 --- a/ugsync/src/test/java/org/apache/ranger/usergroupsync/LdapUserGroupTest.java +++ b/ugsync/src/test/java/org/apache/ranger/usergroupsync/LdapUserGroupTest.java @@ -22,8 +22,6 @@ package org.apache.ranger.usergroupsync; import static org.junit.Assert.assertEquals; import org.apache.directory.server.annotations.CreateLdapConnectionPool; -import org.apache.directory.server.annotations.CreateLdapServer; -import org.apache.directory.server.annotations.CreateTransport; import org.apache.directory.server.core.annotations.ApplyLdifFiles; import org.apache.directory.server.core.annotations.ContextEntry; import org.apache.directory.server.core.annotations.CreateDS; @@ -37,7 +35,6 @@ import org.apache.ranger.unixusersync.config.UserGroupSyncConfig; import org.junit.After; import org.junit.Assert; import org.junit.Before; -import org.junit.BeforeClass; import org.junit.Test; import org.junit.runner.RunWith; @@ -93,7 +90,6 @@ public class LdapUserGroupTest extends AbstractLdapTestUnit{ getLdapServer().start(); config = UserGroupSyncConfig.getInstance(); ldapBuilder = new LdapUserGroupBuilder(); - ldapBuilder.init(); } @Test 
@@ -103,6 +99,8 @@ public class LdapUserGroupTest extends AbstractLdapTestUnit{ config.setGroupSearchBase("OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com"); config.setGroupSearchEnabled(false); config.setPagedResultsEnabled(true); + config.setGroupSearchFirstEnabled(false); + ldapBuilder.init(); PolicyMgrUserGroupBuilderTest sink = new PolicyMgrUserGroupBuilderTest(); sink.init(); ldapBuilder.updateSink(sink); @@ -116,6 +114,8 @@ public class LdapUserGroupTest extends AbstractLdapTestUnit{ config.setGroupSearchBase("OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com"); config.setGroupSearchEnabled(false); config.setPagedResultsEnabled(false); + config.setGroupSearchFirstEnabled(false); + ldapBuilder.init(); PolicyMgrUserGroupBuilderTest sink = new PolicyMgrUserGroupBuilderTest(); sink.init(); ldapBuilder.updateSink(sink); @@ -129,6 +129,8 @@ public class LdapUserGroupTest extends AbstractLdapTestUnit{ config.setUserSearchFilter("(|(memberof=CN=Group10,OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com)(memberof=CN=Group11,OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com))"); config.setGroupSearchBase("OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com"); config.setGroupSearchEnabled(false); + config.setGroupSearchFirstEnabled(false); + ldapBuilder.init(); PolicyMgrUserGroupBuilderTest sink = new PolicyMgrUserGroupBuilderTest(); sink.init(); ldapBuilder.updateSink(sink); @@ -142,6 +144,8 @@ public class LdapUserGroupTest extends AbstractLdapTestUnit{ config.setGroupSearchBase("OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com"); config.setGroupSearchFilter(""); config.setGroupSearchEnabled(true); + config.setGroupSearchFirstEnabled(false); + ldapBuilder.init(); PolicyMgrUserGroupBuilderTest sink = new PolicyMgrUserGroupBuilderTest(); sink.init(); ldapBuilder.updateSink(sink); 
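Review bot: The pair `config.setGroupSearchFirstEnabled(false);` and `ldapBuilder.init();` is pasted into every existing test, in the hunks from `@@ -103,6 +99,8` through `@@ -237,6 +253,8`, on top of the three sink lines each test already repeats. Resetting the flag once in the `@Before` method (its body is outside these hunks) would leave each test stating only what it changes. A small private helper that calls `ldapBuilder.init()`, creates and initialises the sink, runs `updateSink` and returns the sink would remove the rest of the duplication. It also removes the risk that a new test forgets the flag and inherits the previous test's value.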
@@ -155,6 +159,8 @@ public class LdapUserGroupTest extends AbstractLdapTestUnit{ config.setGroupSearchBase("OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com"); config.setGroupSearchFilter("cn=Group19"); config.setGroupSearchEnabled(true); + config.setGroupSearchFirstEnabled(false); + ldapBuilder.init(); PolicyMgrUserGroupBuilderTest sink = new PolicyMgrUserGroupBuilderTest(); sink.init(); ldapBuilder.updateSink(sink); @@ -168,6 +174,8 @@ public class LdapUserGroupTest extends AbstractLdapTestUnit{ config.setGroupSearchBase("OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com"); config.setGroupSearchFilter("cn=Group19"); config.setGroupSearchEnabled(false); + config.setGroupSearchFirstEnabled(false); + ldapBuilder.init(); PolicyMgrUserGroupBuilderTest sink = new PolicyMgrUserGroupBuilderTest(); sink.init(); ldapBuilder.updateSink(sink); @@ -181,6 +189,8 @@ public class LdapUserGroupTest extends AbstractLdapTestUnit{ config.setGroupSearchBase("OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com"); config.setGroupSearchFilter("cn=*Group10"); config.setGroupSearchEnabled(true); + config.setGroupSearchFirstEnabled(false); + ldapBuilder.init(); PolicyMgrUserGroupBuilderTest sink = new PolicyMgrUserGroupBuilderTest(); sink.init(); ldapBuilder.updateSink(sink); @@ -195,6 +205,8 @@ public class LdapUserGroupTest extends AbstractLdapTestUnit{ config.setGroupSearchBase("OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com"); config.setGroupSearchFilter("cn=*Group10"); config.setGroupSearchEnabled(false); + config.setGroupSearchFirstEnabled(false); + ldapBuilder.init(); PolicyMgrUserGroupBuilderTest sink = new PolicyMgrUserGroupBuilderTest(); sink.init(); ldapBuilder.updateSink(sink); 
@@ -209,6 +221,8 @@ public class LdapUserGroupTest extends AbstractLdapTestUnit{ config.setGroupSearchBase("OU=HdpGroups,OU=HadoopUsers,DC=ranger,DC=qe,DC=hortonworks,DC=com;OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com"); config.setGroupSearchFilter("cn=*Group10"); config.setGroupSearchEnabled(false); + config.setGroupSearchFirstEnabled(false); + ldapBuilder.init(); PolicyMgrUserGroupBuilderTest sink = new PolicyMgrUserGroupBuilderTest(); sink.init(); ldapBuilder.updateSink(sink); @@ -223,6 +237,8 @@ public class LdapUserGroupTest extends AbstractLdapTestUnit{ config.setGroupSearchBase("OU=HdpGroups,OU=HadoopUsers,DC=ranger,DC=qe,DC=hortonworks,DC=com;OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com"); config.setGroupSearchFilter("cn=*"); config.setGroupSearchEnabled(true); + config.setGroupSearchFirstEnabled(false); + ldapBuilder.init(); PolicyMgrUserGroupBuilderTest sink = new PolicyMgrUserGroupBuilderTest(); sink.init(); ldapBuilder.updateSink(sink); @@ -237,6 +253,8 @@ public class LdapUserGroupTest extends AbstractLdapTestUnit{ config.setGroupSearchBase("OU=HdpGroups,OU=HadoopUsers,DC=ranger,DC=qe,DC=hortonworks,DC=com;OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com"); config.setGroupSearchFilter("cn=*Group10"); config.setGroupSearchEnabled(true); + config.setGroupSearchFirstEnabled(false); + ldapBuilder.init(); PolicyMgrUserGroupBuilderTest sink = new PolicyMgrUserGroupBuilderTest(); sink.init(); ldapBuilder.updateSink(sink); 
@@ -244,6 +262,132 @@ public class LdapUserGroupTest extends AbstractLdapTestUnit{ assertEquals(2, sink.getTotalGroups()); } + @Test + public void testGroupBasedAllUsers() throws Throwable { + config.setUserSearchBase("DC=ranger,DC=qe,DC=hortonworks,DC=com;"); + config.setUserSearchFilter("cn=*"); + config.setGroupSearchBase("OU=HdpGroups,OU=HadoopUsers,DC=ranger,DC=qe,DC=hortonworks,DC=com;OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com"); + config.setGroupSearchFilter("cn=*Group10"); + config.setGroupSearchFirstEnabled(true); + ldapBuilder.init(); + PolicyMgrUserGroupBuilderTest sink = new PolicyMgrUserGroupBuilderTest(); + sink.init(); + ldapBuilder.updateSink(sink); + assertEquals(2, sink.getTotalUsers()); + assertEquals(2, sink.getTotalGroups()); + } + + @Test + public void testGroupBasedWithUserFilter() throws Throwable { + config.setUserSearchBase("DC=ranger,DC=qe,DC=hortonworks,DC=com;"); + config.setUserSearchFilter("cn=User*"); + config.setGroupSearchBase("OU=HdpGroups,OU=HadoopUsers,DC=ranger,DC=qe,DC=hortonworks,DC=com;OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com"); + config.setGroupSearchFilter("cn=*Group10"); + config.setGroupSearchFirstEnabled(true); + config.setUserSearchEnabled(true); + ldapBuilder.init(); + PolicyMgrUserGroupBuilderTest sink = new PolicyMgrUserGroupBuilderTest(); + sink.init(); + ldapBuilder.updateSink(sink); + assertEquals(1, sink.getTotalUsers()); + assertEquals(2, sink.getTotalGroups()); + } + + @Test + public void testGroupBasedWithNoUsers() throws Throwable { + config.setUserSearchBase("DC=ranger,DC=qe,DC=hortonworks,DC=com;"); + config.setUserSearchFilter("cn=*"); + config.setGroupSearchBase("OU=HdpGroups,OU=HadoopUsers,DC=ranger,DC=qe,DC=hortonworks,DC=com;OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com"); + config.setGroupSearchFilter("cn=Group2*"); + config.setGroupSearchFirstEnabled(true); + config.setUserSearchEnabled(true); + ldapBuilder.init(); + PolicyMgrUserGroupBuilderTest sink = new 
PolicyMgrUserGroupBuilderTest(); + sink.init(); + ldapBuilder.updateSink(sink); + assertEquals(0, sink.getTotalUsers()); + assertEquals(2, sink.getTotalGroups()); + } + + @Test + public void testGroupBasedWithAllUsersAndGroups() throws Throwable { + config.setUserSearchBase("DC=ranger,DC=qe,DC=hortonworks,DC=com;"); + config.setUserSearchFilter("cn=*"); + config.setGroupSearchBase("OU=HdpGroups,OU=HadoopUsers,DC=ranger,DC=qe,DC=hortonworks,DC=com;OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com"); + config.setGroupSearchFilter("cn=*"); + config.setGroupSearchFirstEnabled(true); + config.setUserSearchEnabled(true); + ldapBuilder.init(); + PolicyMgrUserGroupBuilderTest sink = new PolicyMgrUserGroupBuilderTest(); + sink.init(); + ldapBuilder.updateSink(sink); + assertEquals(100, sink.getTotalUsers()); + assertEquals(13, sink.getTotalGroups()); + } + + @Test + public void testGroupBasedWithSingleOU() throws Throwable { + config.setUserSearchBase("DC=ranger,DC=qe,DC=hortonworks,DC=com;"); + config.setUserSearchFilter("cn=*"); + config.setGroupSearchBase("OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com"); + config.setGroupSearchFilter("cn=*"); + config.setGroupSearchFirstEnabled(true); + config.setUserSearchEnabled(true); + ldapBuilder.init(); + PolicyMgrUserGroupBuilderTest sink = new PolicyMgrUserGroupBuilderTest(); + sink.init(); + ldapBuilder.updateSink(sink); + assertEquals(99, sink.getTotalUsers()); + assertEquals(12, sink.getTotalGroups()); + } + + @Test + public void testUpdateSinkWithEmptyUserSearchBase() throws Throwable { + config.setUserSearchBase(""); + config.setUserSearchFilter(""); + config.setGroupSearchBase("OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com"); + config.setGroupSearchEnabled(false); + config.setPagedResultsEnabled(true); + config.setGroupSearchFirstEnabled(false); + ldapBuilder.init(); + PolicyMgrUserGroupBuilderTest sink = new PolicyMgrUserGroupBuilderTest(); + sink.init(); + ldapBuilder.updateSink(sink); + assertEquals(111, 
sink.getTotalUsers()); + } + + @Test + public void testGBWithUserSearchDisabled() throws Throwable { + config.setUserSearchBase("DC=ranger,DC=qe,DC=hortonworks,DC=com;"); + config.setUserSearchFilter("cn=User*"); + config.setGroupSearchBase("OU=HdpGroups,OU=HadoopUsers,DC=ranger,DC=qe,DC=hortonworks,DC=com;OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com"); + config.setGroupSearchFilter("cn=*Group10"); + config.setGroupSearchFirstEnabled(true); + config.setUserSearchEnabled(false); + ldapBuilder.init(); + PolicyMgrUserGroupBuilderTest sink = new PolicyMgrUserGroupBuilderTest(); + sink.init(); + ldapBuilder.updateSink(sink); + assertEquals(2, sink.getTotalUsers()); + assertEquals(2, sink.getTotalGroups()); + } + + @Test + public void testGBWithNoUsersAndUserSearchDisabled() throws Throwable { + config.setUserSearchBase("DC=ranger,DC=qe,DC=hortonworks,DC=com;"); + config.setUserSearchFilter("cn=*"); + config.setGroupSearchBase("OU=HdpGroups,OU=HadoopUsers,DC=ranger,DC=qe,DC=hortonworks,DC=com;OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com"); + config.setGroupSearchFilter("cn=Group2*"); + config.setGroupSearchFirstEnabled(true); + config.setUserSearchEnabled(false); + ldapBuilder.init(); + PolicyMgrUserGroupBuilderTest sink = new PolicyMgrUserGroupBuilderTest(); + sink.init(); + ldapBuilder.updateSink(sink); + assertEquals(0, sink.getTotalUsers()); + assertEquals(2, sink.getTotalGroups()); + } + @After public void shutdown() throws Exception { if (getService().isStarted()) { http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1d5471ae/ugsync/src/test/java/org/apache/ranger/usergroupsync/PolicyMgrUserGroupBuilderTest.java ---------------------------------------------------------------------- diff --git a/ugsync/src/test/java/org/apache/ranger/usergroupsync/PolicyMgrUserGroupBuilderTest.java b/ugsync/src/test/java/org/apache/ranger/usergroupsync/PolicyMgrUserGroupBuilderTest.java index e106e9c..0d817f6 100644 
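Review bot: `testGroupBasedAllUsers` never calls `config.setUserSearchEnabled(...)`, while the tests after it set it to `true` or `false` on what appears to be the shared `UserGroupSyncConfig.getInstance()` object, so the value it runs with depends on test order. The group-based tests likewise leave `setGroupSearchEnabled` and `setPagedResultsEnabled` at whatever an earlier test chose. Set every flag a test relies on explicitly, for example `config.setUserSearchEnabled(true);` in `testGroupBasedAllUsers`, or reset them all in the `@Before` method. `testUpdateSinkWithEmptyUserSearchBase` pins that an empty search base and filter still sync 111 users; a short comment saying this fallback is intended would help, since it widens what gets imported into the policy manager.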
--- a/ugsync/src/test/java/org/apache/ranger/usergroupsync/PolicyMgrUserGroupBuilderTest.java +++ b/ugsync/src/test/java/org/apache/ranger/usergroupsync/PolicyMgrUserGroupBuilderTest.java @@ -27,6 +27,7 @@ import org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder; public class PolicyMgrUserGroupBuilderTest extends PolicyMgrUserGroupBuilder { private static int totalUsers = 0; + //private static int totalGroups = 0; private Set<String> allGroups; @Override @@ -42,6 +43,12 @@ public class PolicyMgrUserGroupBuilderTest extends PolicyMgrUserGroupBuilder { allGroups.addAll(groups); //System.out.println("Username: " + user + " and associated groups: " + groups); } + + @Override + public void addOrUpdateGroup(String group) { + //totalGroups++; + allGroups.add(group); + } public int getTotalUsers() { return totalUsers; http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1d5471ae/ugsync/src/test/resources/ADSchema.ldif ---------------------------------------------------------------------- diff --git a/ugsync/src/test/resources/ADSchema.ldif b/ugsync/src/test/resources/ADSchema.ldif index 9d5a4c2..59402f1 100644 --- a/ugsync/src/test/resources/ADSchema.ldif +++ b/ugsync/src/test/resources/ADSchema.ldif 
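Review bot: The added lines `//private static int totalGroups = 0;` and `//totalGroups++;` are commented-out code and should be dropped rather than committed. The group count is presumably derived from `allGroups`, so the counter has no use. Separately, `totalUsers` in the context lines is `static` while `allGroups` is per instance; the reset code is outside these hunks, so confirm that `init()` zeroes it, otherwise user counts carry over between tests.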
@@ -2473,4 +2473,28 @@ member: CN=User1801,CN=Users,DC=ranger,DC=qe,DC=hortonworks,DC=com distinguishedName: CN=Group19,OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com sAMAccountName: Group19 sn: Group19 +#groupType: -2147483644 + +dn: CN=Group20,OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com +changetype: add +objectClass: extensibleObject +objectClass: top +objectClass: groupOfNames +cn: Group20 +member: +distinguishedName: CN=Group20,OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com +sAMAccountName: Group20 +sn: Group20 +#groupType: -2147483644 + +dn: CN=Group21,OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com +changetype: add +objectClass: extensibleObject +objectClass: top +objectClass: groupOfNames +cn: Group21 +member: +distinguishedName: CN=Group21,OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com +sAMAccountName: Group21 +sn: Group21 #groupType: -2147483644 \ No newline at end of file http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1d5471ae/ugsync/src/test/resources/ranger-ugsync-site.xml ---------------------------------------------------------------------- diff --git a/ugsync/src/test/resources/ranger-ugsync-site.xml b/ugsync/src/test/resources/ranger-ugsync-site.xml index 9ae522b..f1232de 100644 --- a/ugsync/src/test/resources/ranger-ugsync-site.xml +++ b/ugsync/src/test/resources/ranger-ugsync-site.xml @@ -64,6 +64,16 @@ </property> <property> + <name>ranger.usersync.group.search.first.enabled</name> + <value>false</value> + </property> + + <property> + <name>ranger.usersync.user.searchenabled</name> + <value>true</value> + </property> + + <property> <name>ranger.usersync.keystore.file</name> <value>/usr/hdp/current/ranger-usersync/conf/unixauthservice.jks</value> </property>
