Colm:

LDAP users, when synced, get USER role by default. An existing ADMIN user can 
then change the role (via UI) to "ADMIN" for select LDAP users. Once this is 
done, those LDAP users can access ADMIN functions within Ranger. I believe 
there is also a REST API available for changing the role.

Thanks,
Vel

From: Colm O hEigeartaigh
Date: Thursday, December 15, 2016 at 6:03 AM
Subject: LDAP authentication

Hi all,

I've been experimenting with LDAP authentication with the Admin web app a
bit. It's fairly straightforward getting authentication to work. However,
what I'm wondering is if there is any way to automatically assign an
"admin" role to such a user?

The group/role configuration seems to be discarded by the code in
RangerAuthenticationProvider, which ends up setting the granted authorities
by calling "userMgr.getRolesByLoginId". However, as the userMgr object does
not know about this user (which is in LDAP) it never returns an admin role.

IMO there is a bug in the RangerAuthenticationProvider in that it should
check a configuration option for a list of groups that can be assigned
"Admin" roles, and if the authenticated user is a member of such a group,
then it is granted "ADMIN_ROLE".

WDYT or am I missing something?

Colm.


--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
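
The group-to-role check proposed in the original message, as an added example that is not Ranger code and not from either poster. The class name, the `;`-separated configuration value and the role strings are assumptions for illustration; the point shown is matching on the full group DN so that only the configured group grants the admin role.

```java
import java.util.*;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

// Hypothetical helper, not part of Ranger: maps LDAP group membership to roles.
public class LdapGroupRoleMapper {
    // Role names follow the thread's wording; the real constants may differ.
    static final String USER = "USER";
    static final String ADMIN = "ADMIN";

    private final Set<LdapName> adminGroups = new HashSet<>();

    // adminGroupDns: assumed config value, full group DNs separated by ';'
    // (DNs contain commas). A malformed entry fails startup rather than
    // silently changing who is an admin.
    public LdapGroupRoleMapper(String adminGroupDns) throws InvalidNameException {
        for (String dn : adminGroupDns.split(";")) {
            if (!dn.trim().isEmpty()) {
                adminGroups.add(new LdapName(dn.trim()));
            }
        }
    }

    // memberOf: group DNs returned by the directory for the authenticated user.
    public Set<String> rolesFor(Collection<String> memberOf) {
        Set<String> roles = new LinkedHashSet<>();
        roles.add(USER); // default role, as for synced LDAP users
        for (String dn : memberOf) {
            try {
                // LdapName equality ignores case and compares the whole DN,
                // so a same-named group in another OU does not match.
                if (adminGroups.contains(new LdapName(dn))) {
                    roles.add(ADMIN);
                }
            } catch (InvalidNameException e) {
                // Unparseable group DN: skip it, never grant ADMIN on it.
            }
        }
        return roles;
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed sample DNs.
        LdapGroupRoleMapper m = new LdapGroupRoleMapper("cn=ranger-admins,ou=groups,dc=example,dc=com");
        System.out.println(m.rolesFor(List.of("CN=Ranger-Admins,OU=Groups,DC=example,DC=com")));
        System.out.println(m.rolesFor(List.of("cn=ranger-admins,ou=contractors,dc=example,dc=com")));
    }
}
```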
