安装Ranger UserSync for LDAP

作者: alaya_c09d | 来源:发表于2019-09-29 17:31 被阅读0次

安装Ranger UserSync for LDAP
Ranger-Usersync安装
阿里云EMR:Apache Ranger配置记录
LDAP 安装
Flink on Yarn Kerberos的配置
Ranger-AdminServer安装(开启Kerberos)
Ranger-AdminServer安装
Ranger-AdminServer安装Version2.0.0
Ranger-Kylin插件安装
2019-05-07

https://cwiki.apache.org/confluence/display/RANGER/Configure+Ranger+UserSync+for+LDAP

https://community.spiceworks.com/topic/1739998-syncing-users-and-groups-from-ldap-into-apache-ranger

cd /opt/app/
tar -zxvf ranger-2.1.0-SNAPSHOT-usersync.tar.gz
cd /opt/app/ranger-2.1.0-SNAPSHOT-usersync

修改install.properties

POLICY_MGR_URL = http://10.5.xxx.xxx:6080 
SYNC_SOURCE = ldap
MIN_UNIX_USER_ID_TO_SYNC = 0
MIN_UNIX_GROUP_ID_TO_SYNC = 0
SYNC_INTERVAL = 1 #周期性同步，单位minutes
SYNC_LDAP_URL = ldap://10.5.xxx.xxx:389
SYNC_LDAP_BIND_DN = cn=Manager,dc=travelsky,dc=com
SYNC_LDAP_BIND_PASSWORD = ldapxxxxxx
SYNC_LDAP_SEARCH_BASE = dc=travel,dc=com 
SYNC_LDAP_USER_SEARCH_BASE = ou=Group,dc=travelsky,dc=com

安装
./setup.sh

1.修改ranger-ugsync-site.xml
vim /opt/app/ranger-2.1.0-SNAPSHOT-usersync/conf/ranger-ugsync-site.xml

<property>
           <name>ranger.usersync.enabled</name>
           <value>true</value>
</property>

该参数默认是false, 不会周期性同步LDAP中用户信息，必须设置为true。
(ranger.usersync.cookie.enabled 默认为true。在ranger中删除后，不会重复导入。)
虽然同步周期SYNC_INTERVAL设置为1分钟，但是实际很长时间也无法同步。查看其日志, 发现默认最小周期是1小时，即使配置文件设置了更小的值，代码中仍会设置为1小时。
代码：https://github.com/apache/ranger/blob/master/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java

03 Sep 2019 15:46:44  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder created
03 Sep 2019 15:46:44  INFO UserGroupSyncConfig [UnixUserSyncThread] - Sleep Time Between Cycle can not be lower than [3600000] millisec. resetting to min value.
03 Sep 2019 15:46:44  INFO UserGroupSync [UnixUserSyncThread] - initializing sink: org.apache.ranger.ldapusersync.process.LdapPolicyMgrUserGroupBuilde

2.同步LDAP逻辑

根据LDAP账号objectclass和modifyTimestamp 属性同步数据。

第一步：
ranger-usersync 服务启动时，modifyTimestamp条件大于1970年，会同步LDAP中所有用户信息。
LDAP账号中最新创建或修改时间戳赋值给deltaSyncUserTime。

04 Sep 2019 13:22:24  INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink 57 
04 Sep 2019 13:22:24  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder updateSink started 325 
04 Sep 2019 13:22:24  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - Performing user search first 334 
04 Sep 2019 13:22:24  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - extendedUserSearchFilter = (&(objectclass=person)(|(uSNChanged>=0)(modifyTimestamp>=19700101080000Z))) 444 
04 Sep 2019 13:22:24  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - timeStampVal = 20190813130052Zand currentDeltaSyncTime = 1565672452000 514

第二步：
周期同步进程，判断条件modifyTimestamp>=deltaSyncUserTime

04 Sep 2019 13:58:32 DEBUG UserGroupSync [UnixUserSyncThread] - Sleeping for [180000] milliSeconds 78 
04 Sep 2019 14:01:32  INFO UserGroupSync [UnixUserSyncThread] - Begin: update user/group from source==>sink 106 
04 Sep 2019 14:01:32  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder updateSink started 325 
04 Sep 2019 14:01:32  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - Performing user search first 334 
04 Sep 2019 14:01:32  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - extendedUserSearchFilter = (&(objectclass=person)(|(uSNChanged>=1567544600001)(modifyTimestamp>=20190904050320Z
))) 444 
04 Sep 2019 14:01:32  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - timeStampVal = 20190904050320Zand currentDeltaSyncTime = 1567544600000 514

代码：
LdapDeltaUserGroupBuilder.java
方法getUsers(UserGroupSink sink)

            DateFormat dateFormat = new SimpleDateFormat("yyyyMMddhhmmss");
            if (groupSearchFirstEnabled && groupUserTable.rowKeySet().size() != 0) {
                // Fix RANGER-1957: Perform full sync when group search is enabled and when there are updates to the groups
                deltaSyncUserTime = 0;
                deltaSyncUserTimeStamp = dateFormat.format(new Date(0));
            }

            extendedUserSearchFilter = "(objectclass=" + userObjectClass + ")(|(uSNChanged>=" + deltaSyncUserTime + ")(modifyTimestamp>=" + deltaSyncUserTimeStamp + "Z))";

            if (userSearchFilter != null && !userSearchFilter.trim().isEmpty()) {
                String customFilter = userSearchFilter.trim();
                if (!customFilter.startsWith("(")) {
                    customFilter = "(" + customFilter + ")";
                }

                extendedUserSearchFilter = "(&" + extendedUserSearchFilter + customFilter + ")";
            } else {
                extendedUserSearchFilter = "(&" + extendedUserSearchFilter + ")";
            }
            LOG.info("extendedUserSearchFilter = " + extendedUserSearchFilter);

启动
service ranger-usersync start

网友评论

本文标题：安装Ranger UserSync for LDAP

本文链接：https://www.haomeiwen.com/subject/ycuwectx.html

延伸阅读

深度阅读

您也可以注册成为美文阅读网的作者，发表您的原创作品、分享您的心情！

安装Ranger UserSync for LDAP

相关文章