Configuring Apache Ranger Authentication with LDAP/Active Directory

Authorized Active Directory users must be configured to gain access to services and resources provided in a Big Data Service cluster. To do this, Apache Ranger must be configured so that Active Directory users can be synchronized to Apache Ranger in Big Data Service. Additionally, users might want to sign in to the Apache Ranger UI as Active Directory users.

Configuring Ranger UserSync

Configuring Ranger UserSync enables you to perform group-based user synchronization from the Active Directory server. Active Directory groups and users in specific groups are synchronized into Ranger.

  1. Access Apache Ambari.
  2. From the side toolbar, under Services click Ranger.
  3. Click Configs, and then click Ranger User Info.
  4. Set Enable User Sync to Yes.
  5. Select LDAP/AD from the Sync Source dropdown menu.
  6. Click Common Configs.
    1. Enter the following:
      • LDAP/AD URL: Enter the LDAP/AD URL.
      • Bind User: Enter the bind user information. For example, CN=Administrator,CN=Users,DC=<domain_controller>,DC=COM.
      • Bind User Password: Enter and confirm the bind user password.
    2. Set Incremental Sync to True.
    3. Set Enable LDAP STARTTLS to No.
  7. Click User Configs.
    1. Enter the following based on your LDAP configuration:
      • Username Attribute: Enter the LDAP username attribute. For example, sAMAccountName.
      • User Object Class: Enter the LDAP object class of user entries.
      • User Search Base: Provide the Distinguished Name (DN) where the search for user accounts should begin. The DN specifies the starting point in the LDAP hierarchy for Ranger UserSync to locate users.

        Examples:

        • For a single Organizational Unit (OU):

          If the target OU is ParentOU under the domain example.com:
          • OU=ParentOU,DC=example,DC=com
        • For a nested OU hierarchy:

          If the target OU is ChildOU under ParentOU in the domain example.com:
          • OU=ChildOU,OU=ParentOU,DC=example,DC=com
        • Multiple OUs:

          To search multiple OUs, separate them with a semicolon (;):
          • OU=ParentOU1,DC=example,DC=com;OU=ParentOU2,DC=example,DC=com
      • User Search Filter: Enter the search filter that selects which users are synchronized. This is a standard LDAP filter expression; for example, you can restrict the sync to users in a specific group. See LDAP filter syntax. This field can remain empty.
      • User Search Scope: Enter sub.
      • User Group Name Attribute: Enter the user attributes that name the user's groups. For example, memberof,ismemberof.
    2. Set Group User Map Sync to True.
    3. Set Enable User Search to Yes.
  8. To sync the group, click Group Configs.
    1. Set Enable Group Sync to Yes. If you don't want to sync the group, select No and continue to the following step.
    2. Enter the following:
      • Group Member Attribute: Enter the LDAP group member attributes. For example, member.
      • Group Name Attribute: Enter the group name attributes. For example, cn.
      • Group Object Class: Enter the group object class. For example, group.
      • Group Search Base: Enter the Distinguished Name (DN) of the container where your groups reside.

        This value is the same as the User Search Base field on the User Configs tab.

      • Group Search Filter: Enter the Active Directory group search filter. For example, (|(CN=group1)(CN=group2)(CN=*admin))

        Note: This filter is a standard LDAP filter expression. See LDAP filter syntax.
    3. Set Enable Group Search First to Yes.
    4. Set Sync Nested Groups to Yes.
  9. To save the configuration and restart the Ranger User Sync service, click Save.
  10. Wait until the Ranger User Sync service is up and running without any errors.

Configuring Active Directory Authentication for Ranger

  1. Access Apache Ambari.
  2. From the side toolbar, under Services click Ranger.
  3. Click Configs, and then click Advanced.
  4. Click Ranger Settings.
  5. Select ACTIVE_DIRECTORY for the Authentication method.
  6. Enter the following AD Settings:
    • AD URL: Enter the Active Directory URL.
    • AD Bind DN: Enter the DN of the Active Directory bind user.
    • AD Bind Password: Enter and confirm the Active Directory bind password. For example, <AD_BIND_USER_PWD>
    • AD Base DN: Enter the Active Directory search base DN. For example, <AD_SEARCH_BASE>
    • AD Referral: Ignore
    • AD User Search Filter: Enter the search filter that locates the signing-in user; {0} is replaced with the username entered at sign-in. For example, (sAMAccountName={0})
  7. To save the configuration and restart the Ranger Admin service, click Save.
  8. Wait until the Ranger Admin service is up and running without any errors.
  9. Validate configuration:
    1. Sign in to Ranger using the cluster admin credentials.
    2. Click any service policy. In the Select User column, the synchronized Active Directory users are listed and can have authorization policies applied to them.
    3. Sign in to the cluster node and run:
      kinit <user>@<ad-realm>
    4. Verify the ticket is granted for the Active Directory user. Run:
      klist

      Example Output:

      Ticket cache: FILE:/tmp/krb5cc_1000
      Default principal: <user>@<ad-realm>
      Valid starting       Expires              Service principal
      09/01/2021 20:44:07  09/02/2021 06:44:07  krbtgt/<ad-realm>@<ad-realm>
      renew until 09/08/2021 20:44:04
    5. Go to the Hadoop service and verify you can access resources.
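To check a User or Group Search Base and Search Filter from the UserSync steps, and the {0} placeholder of the AD User Search Filter above, before saving them in Ambari, here is an added Python example (not Ranger's own code) that evaluates the page's example filters and bases against constructed directory entries. The entries and the names _parse, _matches, in_search_base, select_entries and bind_filter are assumptions of the example, not Ranger settings.

```python
import re
def _parse(filt, i=0):
    """Parse the RFC 4515 subset used above: (&..), (|..), (!..), attr=value with '*' wildcards."""
    assert filt[i] == "(", f"expected '(' at offset {i} in {filt!r}"
    i += 1
    if filt[i] in "&|!":                              # compound filter
        op, kids, i = filt[i], [], i + 1
        while filt[i] == "(":
            node, i = _parse(filt, i)
            kids.append(node)
        return (op, kids), i + 1                      # step over the closing ')'
    end = filt.index(")", i)                          # a ')' inside a value must be escaped as \29
    attr, _, value = filt[i:end].partition("=")
    return ("=", attr.strip().lower(), value), end + 1

def _matches(node, entry):
    op = node[0]
    if op == "&": return all(_matches(k, entry) for k in node[1])
    if op == "|": return any(_matches(k, entry) for k in node[1])
    if op == "!": return not _matches(node[1][0], entry)
    _, attr, pattern = node                           # equality match, '*' = any run of characters
    unescape = lambda s: re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)
    rx = ".*".join(re.escape(unescape(p)) for p in pattern.split("*"))
    return any(re.fullmatch(rx, v, re.IGNORECASE) for v in entry.get(attr, []))  # AD is case-insensitive

def in_search_base(dn, bases):
    """Scope 'sub': dn equals one of the ';'-separated bases or lies below it (no escaped-comma handling)."""
    norm = lambda s: ",".join(p.strip().lower() for p in s.split(","))
    return any(norm(dn) == norm(b) or norm(dn).endswith("," + norm(b)) for b in bases.split(";"))

def select_entries(entries, search_base, ldap_filter):
    tree, _ = _parse(ldap_filter)                     # DNs a sub-scope search would return to UserSync
    return [e["dn"] for e in entries if in_search_base(e["dn"], search_base) and _matches(tree, e)]

def bind_filter(template, username):
    """Fill the {0} placeholder of the AD User Search Filter with an RFC 4515-escaped username."""
    for raw, esc in (("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\0", "\\00")):
        username = username.replace(raw, esc)
    return template.replace("{0}", username)

# Constructed sample groups (not from the page) under the multi-OU search base and group filter shown above.
GROUP_SEARCH_BASE = "OU=ParentOU1,DC=example,DC=com;OU=ParentOU2,DC=example,DC=com"
GROUP_SEARCH_FILTER = "(|(CN=group1)(CN=group2)(CN=*admin))"
GROUPS = [
    {"dn": "CN=group1,OU=ParentOU1,DC=example,DC=com", "cn": ["group1"]},
    {"dn": "CN=group2,OU=ChildOU,OU=ParentOU1,DC=example,DC=com", "cn": ["group2"]},   # nested OU, in scope
    {"dn": "CN=hadoop-admin,OU=ParentOU2,DC=example,DC=com", "cn": ["hadoop-admin"]},  # matched by CN=*admin
    {"dn": "CN=group3,OU=ParentOU1,DC=example,DC=com", "cn": ["group3"]},              # in scope, not in filter
    {"dn": "CN=cluster-admin,OU=Other,DC=example,DC=com", "cn": ["cluster-admin"]},    # outside both bases
]
```

Running select_entries(GROUPS, GROUP_SEARCH_BASE, GROUP_SEARCH_FILTER) lists group1, group2 and hadoop-admin only, and bind_filter shows why a username containing filter metacharacters must be escaped before it fills {0}.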