ranger-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Don Bosco Durai <bo...@apache.org>
Subject Re: LDAP authentication
Date Tue, 27 Dec 2016 23:03:13 GMT
Colm

The original goal for user and group sync was to help admins while creating Ranger policies.
There were few different ways the groups are synchronized. One is where the groups are directly
retrieved from the LDAP. Other is indirect, get the groups for each user and add the group
to the group set.

However, we put a dependency for portal LDAP authentication on sync’ed in user. So if the
users are not sync’ed, then that user can’t login. 

I feel, we should remove this dependency and let user login based on LDAP authentication.
We could get the groups/roles dynamically from the LDAP on authentication (or use Hadoop Commons).
We could also map LDAP roles to Ranger “admin” roles provide “admin” privileges.

All these could be done, but not sure how critical this is.

Thanks

Bosco
P.S. The role “USER” means that the user is a valid user.


On 12/16/16, 2:34 AM, "Colm O hEigeartaigh" <coheigea@apache.org> wrote:

    Thanks for the explanation Vel. I wonder then what is the point of the
    following "group" configuration tags associated with LDAP authentication?
    Namely:
    
     - ranger.ldap.group.searchbase
     - ranger.ldap.group.searchfilter
     - ranger.ldap.group.roleattribute
    
    If the users always get the "USER" role then are these configuration tags
    not redundant? My testing showed that they're used to initially retrieve
    the group information, but then the information is discarded by the call to
    userMgr.
    
    Colm.
    
    On Fri, Dec 16, 2016 at 5:05 AM, Velmurugan Periasamy <
    vperiasamy@hortonworks.com> wrote:
    
    > Colm:
    >
    > LDAP users, when synced, get USER role by default. An existing ADMIN user
    > can then change the role (via UI) to “ADMIN” for select LDAP users.  Once
    > this is done, those LDAP users can access ADMIN functions within Ranger. I
    > believe there is also REST API available for changing the role.
    >
    > Thanks,
    > Vel
    >
    > From: Colm O hEigeartaigh <coheigea@apache.org>
    > Reply-To: "dev@ranger.incubator.apache.org" <dev@ranger.incubator.apache.
    > org>, "coheigea@apache.org" <coheigea@apache.org>
    > Date: Thursday, December 15, 2016 at 6:03 AM
    > To: "dev@ranger.incubator.apache.org" <dev@ranger.incubator.apache.org>
    > Subject: LDAP authentication
    >
    > Hi all,
    >
    > I've been experimenting with LDAP authentication with the Admin web app a
    > bit. It's fairly straightforward getting authentication to work. However,
    > what I'm wondering is if there is any way to automatically assign an
    > "admin" role to such a user?
    >
    > The group/role configuration seems to be discarded by the code in
    > RangerAuthenticationProvider, which ends up setting the granted authorities
    > by calling "userMgr.getRolesByLoginId". However, as the userMgr object does
    > not know about this user (which is in LDAP) it never returns an admin role.
    >
    > IMO there is a bug in the RangerAuthenticationProvider in that it should
    > check a configuration option for a list of groups that can be assigned
    > "Admin" roles, and if the authenticated user is a member of such a group,
    > then it is granted "ADMIN_ROLE".
    >
    > WDYT or am I missing something?
    >
    > Colm.
    >
    >
    > --
    > Colm O hEigeartaigh
    >
    > Talend Community Coder
    > http://coders.talend.com
    >
    >
    
    
    -- 
    Colm O hEigeartaigh
    
    Talend Community Coder
    http://coders.talend.com
    



Mime
View raw message