[ https://issues.apache.org/jira/browse/RANGER-1224?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15783330#comment-15783330 ]

Nicholas Hughes commented on RANGER-1224:
-----------------------------------------

Review board request closed. Thanks!

> Ranger UI: DN as Username
> -------------------------
>
>                 Key: RANGER-1224
>                 URL: https://issues.apache.org/jira/browse/RANGER-1224
>             Project: Ranger
>          Issue Type: Bug
>         Environment: CentOS 6
> ranger_2_0_1_0_12-usersync-0.6.0.2.0.1.0-12.el6.x86_64
> ranger_2_0_1_0_12-admin-0.6.0.2.0.1.0-12.el6.x86_64
>            Reporter: Nicholas Hughes
>            Assignee: Nicholas Hughes
>
> We deployed Ranger in our HDF cluster for authorization in NiFi. We're 
> testing user authentication and authorization with Microsoft Active Directory 
> (AD) accounts in Ranger and NiFi.
> NiFi is able to use the sAMAccountName for authentication. However, it seems 
> to only send the CN and DN to Ranger for authorization. [1]
> Until that issue is fixed in NiFi, we were thinking that we could have 
> UserSync in Ranger import users from AD with the full DN (instead of the more 
> desirable sAMAccountName) so NiFi can authorize users properly. Setting the 
> "ranger.usersync.ldap.user.nameattribute" value to "distinguishedName" 
> imports the users in this fashion. However, this has the unintended effect of 
> breaking the ability to edit policies after initial creation.
> This behavior can be observed by creating a user account containing a comma 
> as you would find in a DN (e.g. CN=Nick 
> Hughes,OU=Users,OU=Accounts,DC=example,DC=com), adding it to a resource based 
> policy, and then attempting to edit that policy. You'll only get a "spinning 
> wheel" in the "Permissions" section of the "Allow Conditions".
> Specifically, the comma in the DN seems to be the issue. The API call only 
> shows the DN up to the first comma:
> http://192.168.1.177:6080/service/xusers/users/userName/CN=Nick Hughes
> ...and returns a 400 error stating that user is not found. Manually editing 
> the URL above to include the full DN returns the user information as expected.
> Can anyone confirm this behavior?
> Versions:
> ranger_2_0_1_0_12-usersync-0.6.0.2.0.1.0-12.el6.x86_64
> ranger_2_0_1_0_12-admin-0.6.0.2.0.1.0-12.el6.x86_64
> -Nick
> [1] https://issues.apache.org/jira/browse/NIFI-3020
> Hi Nicholas,
> Thank you for letting us know about the issue. I tried in one of my setups and I see 
> the same behavior. Looks like the GET request is not built correctly, maybe not 
> URL-encoding the comma character?
> I see the following in the ranger admin access logs:
> [18/Nov/2016:00:39:02 +0000] "GET /service/xusers/users/userName/CN=userou5 
> HTTP/1.1" 400 166
> Whereas the actual username is: CN=userou5,OU=OU1,DC=ranger,DC=com
> Please enter a ticket as this is a valid issue and needs to be fixed.
> Just a side note though - in general the comma (,) is treated as a special 
> character and is not allowed in usernames in Unix as well as in AD. Hence 
> the use case might not be valid, but it should be handled in the code properly.
> Thanks,
> Sailaja.
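An added example (not Ranger's own code) illustrating the two checks the thread points at: building the `/service/xusers/users/userName/` lookup URL with the DN percent-encoded as a single path segment so a comma cannot be lost, and comparing the username seen in an access-log line against the name on record to confirm the truncation-at-first-comma symptom. The base URL is a constructed placeholder; the DN and log line are taken from the report.

```javascript
// Constructed base URL (placeholder, not a real deployment); the endpoint path is
// the one named in the report.
const RANGER_ADMIN_BASE = "http://ranger-admin.example.com:6080";
const LOOKUP_PATH = "/service/xusers/users/userName/";

// Build the user-lookup URL with the whole username encoded as ONE path segment.
// encodeURIComponent turns ',' into %2C, '=' into %3D and ' ' into %20, so no
// character in an LDAP DN can be reinterpreted as a delimiter.
function buildLookupUrlEncoded(username) {
  return RANGER_ADMIN_BASE + LOOKUP_PATH + encodeURIComponent(username);
}

// Server-side view: take the last path segment of the request URL and decode it.
function usernameFromLookupUrl(url) {
  const path = new URL(url).pathname;
  return decodeURIComponent(path.slice(path.lastIndexOf("/") + 1));
}

// Regression check a UI test could run: the name the server decodes must equal the
// full DN, i.e. nothing was dropped at the first comma.
function roundTripsIntact(username) {
  return usernameFromLookupUrl(buildLookupUrlEncoded(username)) === username;
}

// Parse the request path and status out of an access-log line in the format shown
// in the report, returning the username segment the client actually sent.
function requestedUsername(logLine) {
  const m = logLine.match(/"GET (\S+) HTTP\/[\d.]+" (\d{3})/);
  if (!m) return null;
  const path = m[1];
  return {
    username: decodeURIComponent(path.slice(path.lastIndexOf("/") + 1)),
    status: Number(m[2]),
  };
}

// True when the requested name is exactly the on-record name cut at its first comma.
function truncatedAtComma(requested, actual) {
  return requested !== actual && actual.startsWith(requested + ",");
}

// Sample inputs from the report.
const SAMPLE_DN = "CN=Nick Hughes,OU=Users,OU=Accounts,DC=example,DC=com";
const LOG_LINE =
  '[18/Nov/2016:00:39:02 +0000] "GET /service/xusers/users/userName/CN=userou5 HTTP/1.1" 400 166';
const ACTUAL_USERNAME = "CN=userou5,OU=OU1,DC=ranger,DC=com";
```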



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
