2017年10月12日木曜日

HDP Sandbox 2.6.0でKnox LDAP DemoをRanger Usersyncに使ってみる

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.2/bk_security/content/ranger_user_sync_settings.html

まず、Knox の Demo LDAP（ポート 33389）が起動しているか確認する。なお、下の ldapsearch ではバインドパスワードを `-w` で引数に渡しているため、シェル履歴や `ps` の出力に残る点に注意（対話入力の `-W` を使うほうが安全）。

[root@sandbox ~]# netstat -lopen | grep 33389
tcp        0      0 0.0.0.0:33389               0.0.0.0:*                   LISTEN      522        1325846    84375/java          off (0.00/0/0)

[root@sandbox ~]# ldapsearch -x -h `hostname -f`:33389 -D 'uid=admin,ou=people,dc=hadoop,dc=apache,dc=org' -w admin-password -s sub '(uid=admin)'
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (uid=admin)
# requesting: ALL
#

# admin, people, hadoop.apache.org
dn: uid=admin,ou=people,dc=hadoop,dc=apache,dc=org
sn: Admin
cn: Admin
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
userpassword:: YWRtaW4tcGFzc3dvcmQ=
uid: admin

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1



Ambari UIで UserSync を設定する（設定した内容は、以下の Ambari REST API で確認できる）

http://sandbox.hortonworks.com:8080/api/v1/clusters/Sandbox/configurations/service_config_versions?service_name=RANGER&is_current=true
...
"type" : "ranger-ugsync-site",
...
"properties" : {
    "ranger.usersync.credstore.filename" : "/usr/hdp/current/ranger-usersync/conf/ugsync.jceks",
    "ranger.usersync.enabled" : "true",
    ...
    "ranger.usersync.group.searchenabled" : "false",
    ...
    "ranger.usersync.group.usermapsyncenabled" : "false",
... "ranger.usersync.ldap.bindalias" : "testldapalias", "ranger.usersync.ldap.binddn" : "uid=admin,ou=people,dc=hadoop,dc=apache,dc=org", "ranger.usersync.ldap.bindkeystore" : "", "ranger.usersync.ldap.deltasync" : "true", "ranger.usersync.ldap.groupname.caseconversion" : "none", "ranger.usersync.ldap.ldapbindpassword" : "SECRET:ranger-ugsync-site:4:ranger.usersync.ldap.ldapbindpassword", "ranger.usersync.ldap.referral" : "ignore", "ranger.usersync.ldap.searchBase" : "dc=hadoop,dc=apache,dc=org", "ranger.usersync.ldap.url" : "ldap://sandbox.hortonworks.com:33389", "ranger.usersync.ldap.user.groupnameattribute" : "memberof, ismemberof", "ranger.usersync.ldap.user.nameattribute" : "uid", "ranger.usersync.ldap.user.objectclass" : "person", "ranger.usersync.ldap.user.searchbase" : "dc=hadoop,dc=apache,dc=org", "ranger.usersync.ldap.user.searchfilter" : "(objectclass=person)", "ranger.usersync.ldap.user.searchscope" : "sub", "ranger.usersync.ldap.username.caseconversion" : "none", ... "ranger.usersync.user.searchenabled" : "false" },

確認（ugsync.jceks に登録されたエイリアスを一覧する。バインドパスワード自体は `SECRET:` 参照で credential store に格納されており、設定には平文では現れない）
# List the aliases held in the usersync credential store (ugsync.jceks, the file
# named by ranger.usersync.credstore.filename above); the output should contain
# alias names only, not the stored secrets -- verify before pasting it anywhere.
sudo -u ranger java -cp "/usr/hdp/current/ranger-admin/cred/lib/*" org.apache.ranger.credentialapi.buildks list -provider /usr/hdp/current/ranger-usersync/conf/ugsync.jceks

