Hi Marc,

An overview of Ranger Usersync:
Ranger Usersync has three main duties: 1. syncing users and groups from the
configured sync source, 2. computing the delta for each sync cycle, and 3.
updating Ranger admin with the user and group information so that Ranger admin
persists this info in its DB.

1. Syncing users and groups from a sync source like AD/LDAP: For this, Ranger
Usersync uses the bind DN and password to authenticate with AD/LDAP and
performs the search operation based on the search base and other properties
configured. Here we currently support username/password (Basic Auth) based
authentication to AD/LDAP.
2. Updating Ranger admin: For this, Ranger Usersync uses the rangerusersync
user to authenticate to Ranger Admin. Here we support basic
(username/password) or Kerberos authentication. Hence you see the
rangerUsersync_password, usersync_principal and usersync_keytab properties in
install.properties.
     a. For Basic auth, since the rangerusersync user is created as part of
        the Ranger admin setup, this user should be added to the x_portal_user
        table and the password is set in install.properties
        (rangerUsersync_password).
3. Computing the delta for each sync cycle:
     a. At the startup of the usersync process, Ranger Usersync
          i.   contacts Ranger admin to get the users and groups that are
               currently in Ranger Admin, to populate its initial cache;
          ii.  contacts AD/LDAP to sync all the users and groups based on
               the configuration;
          iii. computes the difference between the above two steps and
               updates Ranger admin with only the differences/delta;
          iv.  updates its cache after successful updates to Ranger admin.
     b. For every subsequent sync cycle, Ranger usersync repeats
        steps a.ii to a.iv (above).

In your case, if you see errors in Ranger admin where rangerusersync user
authentication has failed, that indicates that authentication between
usersync and Ranger admin has not been configured properly. This doesn't
have anything to do with your LDAP configuration. In order to debug further
the authentication failures on the Ranger admin side, you can enable debug
logs on Ranger Admin and see if you get more information.

Hope this helps.
Thanks,
Sailaja.
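The sync cycle described above (steps a.i to a.iv and b), as an added Python model that is not Ranger's own code: the cache is advanced only after Ranger Admin accepts the push, so an authentication failure against Admin (for example, wrong rangerusersync credentials) leaves the same delta to be resent on the next cycle rather than being lost. The FlakyAdmin class and all user/group data are constructed for this example.

```python
from typing import Dict, Set, Tuple

Members = Dict[str, Set[str]]  # user -> set of group names

def compute_delta(cache: Members, ldap_result: Members) -> dict:
    """Step a.iii: diff the Ranger Admin cache against the fresh AD/LDAP result.
    Only additions and changed memberships are reported; nothing Admin already knows is re-sent."""
    cached_groups = set().union(*cache.values())
    ldap_groups = set().union(*ldap_result.values())
    return {
        "new_users": sorted(set(ldap_result) - set(cache)),
        "new_groups": sorted(ldap_groups - cached_groups),
        # users whose membership differs from the cache (new users included)
        "memberships": {u: sorted(g) for u, g in ldap_result.items() if cache.get(u) != g},
    }

def is_empty(delta: dict) -> bool:
    return not (delta["new_users"] or delta["new_groups"] or delta["memberships"])

def run_sync_cycle(cache: Members, ldap_result: Members, push_to_admin) -> Tuple[dict, bool]:
    """Steps a.ii-a.iv: compute the delta, push it, advance the cache only on success."""
    delta = compute_delta(cache, ldap_result)
    if is_empty(delta):
        return delta, True
    ok = push_to_admin(delta)
    if ok:  # step a.iv: the cache mirrors Admin only once Admin accepted the update
        for user, groups in delta["memberships"].items():
            cache[user] = set(groups)
    return delta, ok

class FlakyAdmin:
    """Constructed Ranger Admin stand-in: rejects the first push (bad rangerusersync credentials), then accepts."""
    def __init__(self) -> None:
        self.calls, self.received = 0, []
    def push(self, delta: dict) -> bool:
        self.calls += 1
        if self.calls == 1:
            return False  # Admin rejected the request: rangerusersync authentication failed
        self.received.append(delta)
        return True

def demo():
    cache = {"alice": {"hadoop"}}                        # step a.i: Admin's current view (constructed)
    ldap = {"alice": {"hadoop", "ops"}, "bob": {"ops"}}  # step a.ii: AD/LDAP search result (constructed)
    admin = FlakyAdmin()
    d1, ok1 = run_sync_cycle(cache, ldap, admin.push)  # auth fails: cache untouched
    d2, ok2 = run_sync_cycle(cache, ldap, admin.push)  # step b: same delta resent, now accepted
    d3, ok3 = run_sync_cycle(cache, ldap, admin.push)  # nothing left to send
    return (ok1, ok2, ok3), d1 == d2, is_empty(d3), cache
```

Calling demo() runs three cycles and returns the per-cycle outcomes, whether the failed delta was resent unchanged, whether the third cycle had nothing to push, and the final cache.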

On Tue, Jun 11, 2024 at 6:30 AM Marc Hoppins <[email protected]> wrote:

> Hi,
>
> Rangerusersync is only in Ranger ADMIN, not UNIX.
>
> Our HADOOP is kerberized, but I don’t see how that affects ranger
> connecting to LDAP to gather users and group information.
>
> I have tested the LDAP parameters with a command-line ldapsearch and have
> success, but the lack of results within usersync is a mystery, and the lack
> of a clear error does not help.
>
> *From:* Loïc CHANEL <[email protected]>
> *Sent:* Tuesday, June 11, 2024 2:41 PM
> *To:* [email protected]
> *Subject:* Re: No usersync
>
> Hi Marc,
>
> If the rangerusersync Unix user exists, then you may want to modify the
> unix_user and unix_group in install.properties to adapt to your case.
>
> Now for Kerberos, this applies only if you are in a kerberised
> environment. Otherwise you leave this blank.
>
> Best regards,
>
> Loïc
>
> On Tue, Jun 11, 2024 at 14:28, Marc Hoppins <[email protected]> wrote:
>
> Hi all,
>
> Sorry to appear dumb, but I am still trying to get this working.
>
> Why does install.properties have:
>
> #User and group for the usersync process
> unix_user=ranger
> unix_group=ranger
>
> if the rangerusersync ID exists?
>
> #change password of rangerusersync user. Please note that this password
> should be as per rangerusersync user in ranger
> rangerUsersync_password=
>
> and KERBEROS
>
> #Set to run in kerberos environment
> usersync_principal=
> usersync_keytab=
> hadoop_conf=/etc/hadoop/conf
>
> What does HADOOP Kerberos have to do with LDAP – our LDAP is Active
> Directory.
>
> Marc Hoppins
>
