Hi, Sailaja,

If I am able to reset/change the password for rangerusersync in the UI then it has been done. There is a changed timestamp in the x_portal_user table to indicate that I did make a change last Friday.

I shall try to adjust the logging. It is sadly disappointing that for almost every public case out there people are using ranger within cloudera, hortonworks, primavercerahera (whatever that is) or some other collective data platform/suite where the configuration and use is mostly taken care of by the suite install process, and so little or no manual work is done to get it operational.

From: Sailaja Polavarapu <[email protected]>
Sent: Tuesday, June 11, 2024 5:53 PM
To: [email protected]
Subject: Re: No usersync

Hi Marc,

Some overview of Ranger Usersync:

Ranger Usersync has three main duties:

1. Syncing users and groups from the configured sync source,
2. Computing the delta for each sync cycle, and
3. Updating Ranger admin with the user and group information so that Ranger admin persists this info in its DB

1. Syncing users and groups from a sync source like AD/LDAP: For this, Ranger Usersync uses the bind DN and password to authenticate with AD/LDAP and perform the search operation based on the search base and other properties configured. Here we currently support username/password (Basic Auth) based authentication to AD/LDAP.

2. Updating Ranger admin: For this, Ranger Usersync uses the rangerusersync user to authenticate to Ranger Admin. Here we support basic (username/password) or kerberos authentication. Hence you see the rangerUsersync_password, usersync_principal, usersync_keytab properties in the install.properties.

   a. For Basic auth, since the rangerusersync user is created as part of Ranger admin setup, this user should be added in the x_portal_user table and the password is set in the install.properties (rangerUsersync_password).

3. Compute delta for each sync cycle:

   a. At the startup of the usersync process, Ranger Usersync
      i. Contacts Ranger admin to get the users and groups that are currently in Ranger Admin to populate its initial cache.
      ii. Contacts AD/LDAP to sync all the users and groups based on the configuration.
      iii. Computes the difference between the above two steps and updates Ranger admin with only the differences/delta.
      iv. Updates its cache after successful updates to Ranger admin.

   b. For every subsequent sync cycle, Ranger usersync repeats the steps a.ii to a.iv (above).

In your case, if you see errors in ranger admin where rangerusersync user authentication has failed, that indicates that authentication between usersync and ranger admin has not been configured properly. This doesn't have to do anything with your LDAP configuration.

In order to debug further on the authentication failures at Ranger admin side, you can enable debug logs on Ranger Admin and see if you get more information.

Hope this helps.

Thanks,
Sailaja.

On Tue, Jun 11, 2024 at 6:30 AM Marc Hoppins <[email protected]> wrote:

Hi,

Rangerusersync is only in Ranger ADMIN not UNIX. Our HADOOP is kerberized but I don’t see how that affects ranger connecting to LDAP to gather users and group information. I have tested the LDAP parameters with a command-line ldapsearch and have success but the lack of results within usersync is a mystery, and the lack of a clear error does not help.

From: Loïc CHANEL <[email protected]>
Sent: Tuesday, June 11, 2024 2:41 PM
To: [email protected]
Subject: Re: No usersync

Hi Marc,

If the rangerusersync Unix user exists, then you may want to modify the unix_user and unix_group in install.properties to adapt to your case.

Now for Kerberos, this applies only if you are in a kerberised environment. Otherwise you leave this blank.

Best regards,
Loïc

On Tue, Jun 11, 2024 at 14:28, Marc Hoppins <[email protected]> wrote:

Hi all,

Sorry to appear dumb but am still trying to get this working.

Why does install.properties have:

    #User and group for the usersync process
    unix_user=ranger
    unix_group=ranger

If the rangerusersync ID exists?

    #change password of rangerusersync user. Please note that this password should be as per rangerusersync user in ranger
    rangerUsersync_password=

and KERBEROS

    #Set to run in kerberos environment
    usersync_principal=
    usersync_keytab=
    hadoop_conf=/etc/hadoop/conf

What does HADOOP Kerberos have to do with LDAP – our LDAP is active directory.

Marc Hoppins
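
The install.properties keys discussed in this thread, checked by a short script (an added example, not part of the thread and not Ranger's own code): it reports which credentials usersync has configured for authenticating to Ranger Admin. The function names, the sample file contents and the rule that a principal and keytab set together count as Kerberos are assumptions of this example.

```python
# Added example: classify the usersync -> Ranger Admin credentials using only
# the install.properties keys quoted in this thread.
SAMPLE = """\
#User and group for the usersync process
unix_user=ranger
unix_group=ranger
rangerUsersync_password=
#Set to run in kerberos environment
usersync_principal=
usersync_keytab=
hadoop_conf=/etc/hadoop/conf
"""  # constructed sample mirroring the fragment quoted above


def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")  # split on the first '=' only
        props[key.strip()] = value.strip()
    return props


def admin_auth_findings(props):
    """Return (mode, findings) for how usersync would log in to Ranger Admin."""
    password = props.get("rangerUsersync_password", "")
    principal = props.get("usersync_principal", "")
    keytab = props.get("usersync_keytab", "")
    findings = []
    if bool(principal) != bool(keytab):
        findings.append("usersync_principal and usersync_keytab must be set together")
    # Assumption of this example: both Kerberos values present means Kerberos.
    if principal and keytab:
        mode = "kerberos"
    elif password:
        mode = "basic"
        findings.append("password must match the rangerusersync user in Ranger Admin (x_portal_user)")
    else:
        mode = "none"
        findings.append("rangerUsersync_password is empty and no principal/keytab pair is set")
    return mode, findings


if __name__ == "__main__":
    mode, findings = admin_auth_findings(parse_properties(SAMPLE))
    print("usersync -> Ranger Admin auth mode:", mode)
    for finding in findings:
        print(" -", finding)
```

The script never prints the password value itself, so its output can be pasted into a mailing-list reply.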
