[
https://issues.apache.org/jira/browse/RANGER-321?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14371698#comment-14371698
]
robinlin edited comment on RANGER-321 at 3/20/15 5:36 PM:
----------------------------------------------------------
Hi
More details on my problems:
1. I traced the log and found that the array "groupList" is the same as in LDAP, but the view does not match.
On the LDAP
{noformat}
[root@slavenode1 ~]# ldapsearch -x -LLL -H ldap:/// -b cn=steven,ou=people,dc=iii,dc=org,dc=tw dn memberof
dn: cn=steven,ou=people,dc=iii,dc=org,dc=tw
[root@slavenode1 ~]#
{noformat}
On the Ranger user sync log
{noformat}
21 Mar 2015 00:34:36 INFO LdapUserGroupBuilder [UnixUserSyncThread] - Updating user count: 2, userName: steven, groupList: []
{noformat}
On the Ranger Admin, User management
!RangerGroupBug.png!
2. I would still regard it as an issue if the user cannot be deleted. Let's assume a scenario: suppose Robin had "admin" permission in a policy on the HDFS root folder. But one day Robin quit the job and left the company, so Robin's account was deleted in LDAP; however, Robin's account and privileges still exist in the Ranger database. Years later, another person also named Robin joins the company, and the two persons might have the same dn, such that Ranger could not tell the difference between these two people. And so the latter Robin would have permission to all HDFS files and folders.
3. Here is my screenshot
!RangerInterGrpBug.png!
LDAP search result
{noformat}
[root@slavenode1 ~]# ldapsearch -x -LLL -H ldap:/// -b ou=groups,dc=iii,dc=org,dc=tw
dn: ou=groups,dc=iii,dc=org,dc=tw
ou: groups
objectClass: organizationalUnit
description: groups

dn: cn=country,ou=groups,dc=iii,dc=org,dc=tw
member: cn=john,ou=people,dc=iii,dc=org,dc=tw
cn: country
objectClass: groupOfNames
objectClass: top

dn: cn=car_washing,ou=groups,dc=iii,dc=org,dc=tw
member: cn=jim,ou=people,dc=iii,dc=org,dc=tw
cn: car_washing
objectClass: groupOfNames
objectClass: top

dn: cn=rock,ou=groups,dc=iii,dc=org,dc=tw
member: cn=bette,ou=people,dc=iii,dc=org,dc=tw
member: cn=jimmy,ou=people,dc=iii,dc=org,dc=tw
cn: rock
objectClass: groupOfNames
objectClass: top
{noformat}
And Sync Log
{noformat}
21 Mar 2015 01:24:38 INFO UserGroupSync [UnixUserSyncThread] - Begin: update user/group from source==>sink
21 Mar 2015 01:24:38 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder updateSink started
21 Mar 2015 01:24:38 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization started
21 Mar 2015 01:24:38 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization completed with -- ldapUrl: ldap://140.92.25.244:389, ldapBindDn: cn=admin,dc=iii,dc=org,dc=tw, ldapBindPassword: ***** , ldapAuthenticationMechanism: simple, userSearchBase: ou=people,dc=iii,dc=org,dc=tw, userSearchScope: 2, userObjectClass: person, userSearchFilter: , extendedSearchFilter: (objectclass=person), userNameAttribute: cn, userSearchAttributes: [cn, ismemberof, memberof]
21 Mar 2015 01:24:38 INFO LdapUserGroupBuilder [UnixUserSyncThread] - longGroupName: cn=country,ou=groups,dc=iii,dc=org,dc=tw, groupName: country
21 Mar 2015 01:24:38 INFO LdapUserGroupBuilder [UnixUserSyncThread] - Updating user count: 1, userName: john, groupList: [country]
21 Mar 2015 01:24:38 INFO LdapUserGroupBuilder [UnixUserSyncThread] - Updating user count: 2, userName: steven, groupList: []
21 Mar 2015 01:24:38 INFO LdapUserGroupBuilder [UnixUserSyncThread] - longGroupName: cn=car_washing,ou=groups,dc=iii,dc=org,dc=tw, groupName: car_washing
21 Mar 2015 01:24:38 INFO LdapUserGroupBuilder [UnixUserSyncThread] - Updating user count: 3, userName: jim, groupList: [car_washing]
21 Mar 2015 01:24:38 INFO LdapUserGroupBuilder [UnixUserSyncThread] - Updating user count: 4, userName: bbking, groupList: []
21 Mar 2015 01:24:38 INFO LdapUserGroupBuilder [UnixUserSyncThread] - longGroupName: cn=rock,ou=groups,dc=iii,dc=org,dc=tw, groupName: rock
21 Mar 2015 01:24:38 INFO LdapUserGroupBuilder [UnixUserSyncThread] - Updating user count: 5, userName: jimmy, groupList: [rock]
21 Mar 2015 01:24:38 INFO LdapUserGroupBuilder [UnixUserSyncThread] - longGroupName: cn=rock,ou=groups,dc=iii,dc=org,dc=tw, groupName: rock
21 Mar 2015 01:24:38 INFO LdapUserGroupBuilder [UnixUserSyncThread] - Updating user count: 6, userName: bette, groupList: [rock]
21 Mar 2015 01:24:38 INFO LdapUserGroupBuilder [UnixUserSyncThread] - Updating user count: 7, userName: robin, groupList: []
21 Mar 2015 01:24:38 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder.updateSink() completed with user count: 7
{noformat}
4. I am not familiar with the Knox configuration, but I copied the "GroupLookUp" configuration from the Knox user guide.
{noformat}
<gateway>
  <provider>
    <role>authentication</role>
    <name>ShiroProvider</name>
    <enabled>true</enabled>
    <!-- session timeout in minutes, this is really idle timeout, defaults
         to 30mins, if the property value is not defined, current client
         authentication would expire if client idles continuously for
         more than this value -->
    <!-- defaults to: 30 minutes
    <param>
      <name>sessionTimeout</name>
      <value>30</value>
    </param> -->
    <!-- Use single KnoxLdapRealm to do authentication and ldap group look up -->
    <param>
      <name>main.ldapRealm</name>
      <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
    </param>
    <param>
      <name>main.ldapGroupContextFactory</name>
      <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
    </param>
    <param>
      <name>main.ldapRealm.contextFactory</name>
      <value>$ldapGroupContextFactory</value>
    </param>
    <!-- defaults to: simple
    <param>
      <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
      <value>simple</value>
    </param> -->
    <param>
      <name>main.ldapRealm.contextFactory.url</name>
      <value>ldap://140.92.25.244:389</value>
    </param>
    <param>
      <name>main.ldapRealm.userDnTemplate</name>
      <value>cn={0},ou=people,dc=iii,dc=org,dc=tw</value>
    </param>
    <param>
      <name>main.ldapRealm.authorizationEnabled</name>
      <!-- defaults to: false -->
      <value>true</value>
    </param>
    <!-- defaults to: simple
    <param>
      <name>main.ldapRealm.contextFactory.systemAuthenticationMechanism</name>
      <value>simple</value>
    </param> -->
    <param>
      <name>main.ldapRealm.searchBase</name>
      <value>ou=people,dc=iii,dc=org,dc=tw</value>
    </param>
    <!-- defaults to: groupOfNames
    <param>
      <name>main.ldapRealm.groupObjectClass</name>
      <value>groupOfNames</value>
    </param> -->
    <!-- defaults to: member
    <param>
      <name>main.ldapRealm.memberAttribute</name>
      <value>member</value>
    </param> -->
    <param>
      <name>main.ldapRealm.groupIdAttribute</name>
      <value>cn</value>
    </param>
    <param>
      <name>main.cacheManager</name>
      <value>org.apache.shiro.cache.MemoryConstrainedCacheManager</value>
    </param>
    <param>
      <name>main.securityManager.cacheManager</name>
      <value>$cacheManager</value>
    </param>
    <param>
      <name>main.ldapRealm.memberAttributeValueTemplate</name>
      <value>cn={0},ou=people,dc=iii,dc=org,dc=tw</value>
    </param>
    <param>
      <name>main.ldapRealm.contextFactory.systemUsername</name>
      <value>cn=admin,dc=iii,dc=org,dc=tw</value>
    </param>
    <param>
      <name>main.ldapRealm.contextFactory.systemPassword</name>
      <value>${ALIAS=ldcSystemPassword}</value>
    </param>
    <param>
      <name>urls./**</name>
      <value>authcBasic</value>
    </param>
  </provider>
  <provider>
    <role>authorization</role>
    <name>XASecurePDPKnox</name>
    <enabled>true</enabled>
    <param>
      <name>knox.acl</name>
      <value>admin;*;*</value>
    </param>
  </provider>
  <provider>
    <role>identity-assertion</role>
    <name>Default</name>
    <enabled>true</enabled>
  </provider>
</gateway>
{noformat}
Is there anything wrong?
Finally, one more question: I am curious why the users in LDAP cannot log in to the Ranger Admin web UI. Is there any reason?
Thanks
Robin.
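The two sync gaps Robin describes in points 1 and 2 (a membership removed in LDAP that Ranger keeps showing, and a user deleted in LDAP that stays in the Ranger database with its policy grants) are exactly what a periodic source-versus-sink reconciliation catches. The script below is an added example, not Apache Ranger code and not part of the comment above. It parses `ldapsearch -LLL` output the way it appears in point 3 (including folded lines and `::` base64 values), derives each person's `groupOfNames` memberships from the `member` DNs, and diffs that against a Ranger-side user/group snapshot. `GROUPS_LDIF` is the group portion of the ldapsearch output quoted above; `PEOPLE_LDIF` and `RANGER_USERS` are constructed so that both situations are present (steven removed from `country` in LDAP but still listed in Ranger; robin deleted from LDAP but still a Ranger user). All function names are hypothetical, and the Ranger snapshot is a plain dict rather than a call to Ranger's API.

```python
# Added example (not Apache Ranger code): reconcile LDAP group membership
# (source) against a Ranger-side snapshot (sink). GROUPS_LDIF is the group
# part of the ldapsearch output from point 3; PEOPLE_LDIF and RANGER_USERS
# are constructed to reproduce points 1 and 2. Function names are hypothetical.
import base64

GROUPS_LDIF = """\
dn: cn=country,ou=groups,dc=iii,dc=org,dc=tw
member: cn=john,ou=people,dc=iii,dc=org,dc=tw
cn: country
objectClass: groupOfNames
objectClass: top

dn: cn=car_washing,ou=groups,dc=iii,dc=org,dc=tw
member: cn=jim,ou=people,dc=iii,dc=org,dc=tw
cn: car_washing
objectClass: groupOfNames
objectClass: top

dn: cn=rock,ou=groups,dc=iii,dc=org,dc=tw
member: cn=bette,ou=people,dc=iii,dc=org,dc=tw
member: cn=jimmy,ou=people,dc=iii,dc=org,dc=tw
cn: rock
objectClass: groupOfNames
objectClass: top
"""

# Constructed: ou=people after robin's entry was deleted (six users remain).
PEOPLE_LDIF = "\n".join(
    f"dn: cn={u},ou=people,dc=iii,dc=org,dc=tw\ncn: {u}\nobjectClass: person\n"
    for u in ["john", "steven", "jim", "bbking", "jimmy", "bette"]
)

# Constructed: what Ranger Admin still shows (user -> groups): steven still in
# 'country' although removed in LDAP, robin still present although deleted.
RANGER_USERS = {
    "john": {"country"}, "steven": {"country"}, "jim": {"car_washing"},
    "bbking": set(), "jimmy": {"rock"}, "bette": {"rock"}, "robin": set(),
}


def parse_ldif(text):
    """Parse `ldapsearch -LLL` output into a list of {attr: [values]} dicts.
    Unfolds continuation lines (leading space), decodes `attr:: base64`
    values, and lower-cases attribute names."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:  # sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def rdn_value(dn):
    """Value of the first RDN: 'cn=john,ou=people,...' -> 'john'."""
    return dn.split(",", 1)[0].split("=", 1)[1].strip()


def has_class(entry, name):
    return name.lower() in (c.lower() for c in entry.get("objectclass", []))


def ldap_memberships(people_ldif, groups_ldif):
    """Map each person cn to the groupOfNames groups whose `member` names it."""
    users = {e["cn"][0]: set() for e in parse_ldif(people_ldif) if has_class(e, "person")}
    for entry in parse_ldif(groups_ldif):
        if has_class(entry, "groupOfNames"):
            for member_dn in entry.get("member", []):
                uid = rdn_value(member_dn)
                if uid in users:  # dangling member DNs are ignored
                    users[uid].add(entry["cn"][0])
    return users


def reconcile(ldap_users, ranger_users):
    """Users and memberships present on one side but not the other."""
    extra, missing = set(), set()
    for user in ldap_users.keys() & ranger_users.keys():
        extra |= {(user, g) for g in ranger_users[user] - ldap_users[user]}
        missing |= {(user, g) for g in ldap_users[user] - ranger_users[user]}
    return {
        "stale_users": ranger_users.keys() - ldap_users.keys(),  # deleted in LDAP
        "unsynced_users": ldap_users.keys() - ranger_users.keys(),
        "extra_memberships": extra,  # still in Ranger, removed in LDAP
        "missing_memberships": missing,
    }


if __name__ == "__main__":
    report = reconcile(ldap_memberships(PEOPLE_LDIF, GROUPS_LDIF), RANGER_USERS)
    for key, value in report.items():
        print(f"{key}: {sorted(value)}")
```

On the constructed data the report lists `robin` under `stale_users` and `('steven', 'country')` under `extra_memberships`. Run against a real deployment, the two LDIF inputs are the output of `ldapsearch -x -LLL` over the people and groups bases, and the Ranger-side dict is filled from whatever listing of users and groups the Admin UI shows; anything reported as stale is a user whose policy grants would transfer to a future account with the same dn, which is the risk described in point 2, so it should be removed from Ranger before such an account can be created.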
> Several bugs on functionality
> ------------------------------
>
> Key: RANGER-321
> URL: https://issues.apache.org/jira/browse/RANGER-321
> Project: Ranger
> Issue Type: Bug
> Affects Versions: 0.4.0
> Reporter: robinlin
> Attachments: RangerGroupBug.png, RangerInterGrpBug.png
>
>
> Hi all
> I found some bugs in version 0.4:
> 1. Removing a member from a group in LDAP is not synced.
> 2. Deleting a user in LDAP is not synced.
> 3. The groups synced from LDAP are labeled internal.
> 4. Group permissions do not work in a Knox policy.
> Thanks and Best Regards
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)