
Overview 

This feature was implemented as part of RANGER-1491. With it, external users can be made Administrators at the time they are synced into Ranger. This helps organizations that maintain their user-group mapping in an organized manner: they can assign the Administrator role in Ranger to all users belonging to a group.

To assign different roles to externally synced users, a set of properties needs to be defined.

Ranger Usersync properties to be defined : 

Manual Install : 

If Ranger Usersync is installed manually, update the following properties in "install.properties".


ROLE_ASSIGNMENT_LIST_DELIMITER = <delimiter for role separation; default value is ‘&’>

USERS_GROUPS_ASSIGNMENT_LIST_DELIMITER = <delimiter used to differentiate between user and group; default value is ‘:’>

USERNAME_GROUPNAME_ASSIGNMENT_LIST_DELIMITER = <delimiter that separates two or more users/groups; default value is ‘,’>

Using the three delimiters above, enter the external users/groups present in the configured sync source and their roles in the “GROUP_BASED_ROLE_ASSIGNMENT_RULES” property. With the default delimiters, an example value is:

GROUP_BASED_ROLE_ASSIGNMENT_RULES = ROLE_SYS_ADMIN:u:User1, User2&ROLE_SYS_ADMIN:g:Group1, Group2&ROLE_KEY_ADMIN:u:kmsUser&ROLE_KEY_ADMIN:g:kmsGroup&ROLE_USER:u:User3, User4&ROLE_USER:g:Group3, Group4&ROLE_ADMIN_AUDITOR:u:auditorUsers, auditors&ROLE_ADMIN_AUDITOR:g:adminAuditorGroup, rangerAuditors&ROLE_KEY_ADMIN_AUDITOR:u:kmsAuditors&ROLE_KEY_ADMIN_AUDITOR:g:kmsAuditorGroup

NOTE: “u” indicates user and “g” indicates group

Once these properties and the other basic Ranger Usersync properties are set, restart Ranger Usersync. This enables syncing users from the sync source with their designated roles in Ranger.

Ambari based Install : 

  • Go to the Ambari cluster => select the Ranger component
  • Go to Configs => Advanced tab
  • Select Custom ranger-ugsync-site

    Click on Add Property and enter the following values:

ranger.usersync.role.assignment.list.delimiter = <delimiter for role separation; default value is ‘&’>

ranger.usersync.users.groups.assignment.list.delimiter = <delimiter used to differentiate between user and group; default value is ‘:’>

ranger.usersync.username.groupname.assignment.list.delimiter = <delimiter that separates two or more users/groups; default value is ‘,’>

Using the three delimiters above, enter the external users/groups present in the configured sync source and their roles in ranger.usersync.group.based.role.assignment.rules. With the default delimiters, an example value is:

ranger.usersync.group.based.role.assignment.rules =   ROLE_SYS_ADMIN:u:User1, User2&ROLE_SYS_ADMIN:g:Group1, Group2&ROLE_KEY_ADMIN:u:kmsUser&ROLE_KEY_ADMIN:g:kmsGroup&ROLE_USER:u:User3, User4&ROLE_USER:g:Group3, Group4&ROLE_ADMIN_AUDITOR:u:auditorUsers, auditors&ROLE_ADMIN_AUDITOR:g:adminAuditorGroup, rangerAuditors&ROLE_KEY_ADMIN_AUDITOR:u:kmsAuditors&ROLE_KEY_ADMIN_AUDITOR:g:kmsAuditorGroup

NOTE: “u” indicates user and “g” indicates group

  • Add and save these config changes
  • Restart Ranger Usersync.

This will enable syncing users from sync source with their designated role in Ranger. 
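
The rule string is where administrator roles get bound to synced users and groups, so it is worth parsing it before restarting Usersync. The following is an added example, not part of the original page or of Ranger's own code: a Python parser for the format described above that lists administrator grants and flags entries needing review. The function names, the set of roles treated as administrative, and the trimming of whitespace around names are assumptions.

```python
# Added example: audit a Ranger usersync role-assignment rule string before deploying it.
KNOWN_ROLES = {"ROLE_SYS_ADMIN", "ROLE_KEY_ADMIN", "ROLE_USER",
               "ROLE_ADMIN_AUDITOR", "ROLE_KEY_ADMIN_AUDITOR"}  # roles named on this page
ADMIN_ROLES = {"ROLE_SYS_ADMIN", "ROLE_KEY_ADMIN"}  # assumption: roles reviewed as admin


def parse_rules(value, role_delim="&", field_delim=":", name_delim=","):
    """Return (assignments, problems); assignments maps role -> {"u": [...], "g": [...]}.
    Assumption (not stated on the page): whitespace around names is ignored."""
    assignments, problems = {}, []
    for entry in filter(None, (e.strip() for e in value.split(role_delim))):
        parts = entry.split(field_delim, 2)
        if len(parts) != 3:
            problems.append(f"malformed entry: {entry!r}")
            continue
        role, kind, names = (p.strip() for p in parts)
        if kind not in ("u", "g"):
            problems.append(f"unknown type {kind!r} in {entry!r}")
            continue
        if role not in KNOWN_ROLES:
            problems.append(f"unknown role {role!r} in {entry!r}")
            continue
        members = [n.strip() for n in names.split(name_delim) if n.strip()]
        if not members:
            problems.append(f"no names in {entry!r}")
            continue
        assignments.setdefault(role, {"u": [], "g": []})[kind].extend(members)
    return assignments, problems


def admin_grants(assignments):
    """List (role, kind, name) for every grant of an administrator role."""
    return [(role, kind, name)
            for role in sorted(ADMIN_ROLES & set(assignments))
            for kind in ("u", "g")
            for name in assignments[role][kind]]


if __name__ == "__main__":
    # Constructed sample: one misspelled role and one entry missing its u/g marker.
    sample = ("ROLE_SYS_ADMIN:u:User1, User2&ROLE_SYS_ADMIN:g:Group1"
              "&ROLE_KEY_ADMIN:g:kmsGroup&ROLE_SYSADMIN:g:Ops&ROLE_USER:User3")
    grants, issues = parse_rules(sample)
    for g in admin_grants(grants):
        print("ADMIN GRANT", *g)
    for i in issues:
        print("CHECK", i)
```

If the delimiter properties were changed from their defaults, pass the same values as `role_delim`, `field_delim` and `name_delim`.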


2 Comments

  1. The list of roles in the example could be updated to reflect the ones added in RANGER-1948.

    The roles are:

    ROLE_ADMIN_AUDITOR
    ROLE_KEY_ADMIN_AUDITOR
  2. Thanks Ivan Omar Olguin Torres for the suggestion; I have updated the examples with sample values for the newly added roles.