Posted to dev@ambari.apache.org by Don Bosco Durai <bo...@apache.org> on 2017/03/16 23:53:01 UTC

Re: UserSync with anonymous bind

Copying Ambari mailing list also. Mugdha or Gautam who worked on the Ambari stack for Ranger should be able to give more insights.

 

Bosco

 

 

From: Loïc Chanel <lo...@telecomnancy.net>
Reply-To: <us...@ranger.apache.org>
Date: Thursday, March 16, 2017 at 7:51 AM
To: <us...@ranger.incubator.apache.org>
Subject: UserSync with anonymous bind

 

Hi fellow Ranger users,

 

As I was working on user synchronization from an LDAP with anonymous bind to populate Ranger, I met the same issue as I did almost two years ago: even if I provide Ambari with the property "Anonymous bind", the property is ignored and either Ambari complains that I didn't provide Ranger with a password for LDAP bind, or Ranger UserSync doesn't work because of bad credentials when binding the LDAP. Even more mysterious is the fact that the property cannot be found in the XML properties files.

 

At the time I first needed this, I used a manual setting I described in that documentation ( https://cwiki.apache.org/confluence/display/RANGER/Configure+Ranger+UserSync+for+LDAP ) but as the configuration changed (I'm using Ranger 0.5.0 with Ambari 2.2.2.0) it doesn't work anymore.

 

Did someone meet the same issue? Is there a workaround/patch?

Thanks for your help,

 

 

Loïc


Loïc CHANEL
System Big Data engineer
MS&T - WASABI - Worldline (Villeurbanne, France)


Re: UserSync with anonymous bind

Posted by Don Bosco Durai <bo...@apache.org>.
If they can create a user with the lowest privilege, then it will be great.

Thanks

Bosco


On 3/20/17, 2:37 AM, "Loïc Chanel" <lo...@telecomnancy.net.INVALID> wrote:

    Bosco, Mugdha, thanks for your inputs.
    
    I know this is not recommended, but as the LDAP is in a private network and
    we just pull the username and groups associated to it, this is not much of
    a security issue from our point of view.
    
    But if Ranger does not support it anymore, I'll ask my security team if it
    is possible to create a technical user whose only role will be to read into
    the LDAP like an anonymous user.
    
    Thanks,
    
    
    Loïc
    
    Loïc CHANEL
    System Big Data engineer
    MS&T - WASABI - Worldline (Villeurbanne, France)
    
    2017-03-17 22:37 GMT+01:00 Don Bosco Durai <bo...@apache.org>:
    
    > Mugdha, thanks for clarifying.
    >
    >
    >
    > Loïc, anonymous bind is generally not recommended due to security issues.
    > Is it possible for you to create a lookup/bind user?
    >
    >
    >
    > Thanks
    >
    >
    >
    > Bosco
    >
    >
    >
    >
    >
    > *From: *Mugdha Varadkar <mu...@gmail.com>
    > *Reply-To: *<us...@ranger.apache.org>
    > *Date: *Friday, March 17, 2017 at 5:12 AM
    > *To: *<us...@ranger.apache.org>
    > *Cc: *<de...@ambari.apache.org>
    > *Subject: *Re: UserSync with anonymous bind
    >
    >
    >
    > Hi,
    >
    >
    >
    > Anonymous bind is just a property available on Ambari UI to toggle "Bind
    > User Password" property. The property is not persisted in any xml config
    > files. Ranger doesn't support LDAP sync with Anonymous bind DN. The
    > property was added in Ambari-2.2.0 to recommend the same LDAP instance used
    > by Ambari using Anonymous bind LDAP server.
    >
    > In Ambari-2.5.0 with stack 2.6, Anonymous bind property won't be
    > available.
    > Here is the Apache jira: https://issues.apache.org/jira/browse/AMBARI-19437
    >
    >
    >
    > Thanks,
    > Mugdha Varadkar
    >
    >
    >
    > On Fri, Mar 17, 2017 at 5:23 AM, Don Bosco Durai <bo...@apache.org> wrote:
    >
    > Copying Ambari mailing list also. Mugdha or Gautam who worked on the
    > Ambari stack for Ranger should be able to give more insights.
    >
    >
    >
    > Bosco
    >
    >
    >
    >
    >
    > From: Loïc Chanel <lo...@telecomnancy.net>
    > Reply-To: <us...@ranger.apache.org>
    > Date: Thursday, March 16, 2017 at 7:51 AM
    > To: <us...@ranger.incubator.apache.org>
    > Subject: UserSync with anonymous bind
    >
    >
    >
    > Hi fellow Ranger users,
    >
    >
    >
    > As I was working on user synchronization from an LDAP with anonymous bind
    > to populate Ranger, I met the same issue as I did almost two years ago:
    > even if I provide Ambari with the property "Anonymous bind", the property
    > is ignored and either Ambari complains that I didn't provide Ranger with a
    > password for LDAP bind, or Ranger UserSync doesn't work because of bad
    > credentials when binding the LDAP. Even more mysterious is the fact that
    > the property cannot be found in the XML properties files.
    >
    >
    >
    > At the time I first needed this, I used a manual setting I described in
    > that documentation ( https://cwiki.apache.org/confluence/display/RANGER/Configure+Ranger+UserSync+for+LDAP )
    > but as the configuration changed (I'm using Ranger 0.5.0 with Ambari
    > 2.2.2.0) it doesn't work anymore.
    >
    >
    >
    > Did someone meet the same issue? Is there a workaround/patch?
    >
    > Thanks for your help,
    >
    >
    >
    >
    >
    > Loïc
    >
    >
    > Loïc CHANEL
    > System Big Data engineer
    > MS&T - WASABI - Worldline (Villeurbanne, France)
    >
    >
    >
    



Re: UserSync with anonymous bind

Posted by Loïc Chanel <lo...@telecomnancy.net.INVALID>.
Bosco, Mugdha, thanks for your inputs.

I know this is not recommended, but as the LDAP is in a private network and
we just pull the username and groups associated to it, this is not much of
a security issue from our point of view.

But if Ranger does not support it anymore, I'll ask my security team if it
is possible to create a technical user whose only role will be to read into
the LDAP like an anonymous user.

Thanks,


Loïc

Loïc CHANEL
System Big Data engineer
MS&T - WASABI - Worldline (Villeurbanne, France)

2017-03-17 22:37 GMT+01:00 Don Bosco Durai <bo...@apache.org>:

> Mugdha, thanks for clarifying.
>
>
>
> Loïc, anonymous bind is generally not recommended due to security issues.
> Is it possible for you to create a lookup/bind user?
>
>
>
> Thanks
>
>
>
> Bosco
>
>
>
>
>
> *From: *Mugdha Varadkar <mu...@gmail.com>
> *Reply-To: *<us...@ranger.apache.org>
> *Date: *Friday, March 17, 2017 at 5:12 AM
> *To: *<us...@ranger.apache.org>
> *Cc: *<de...@ambari.apache.org>
> *Subject: *Re: UserSync with anonymous bind
>
>
>
> Hi,
>
>
>
> Anonymous bind is just a property available on Ambari UI to toggle "Bind
> User Password" property. The property is not persisted in any xml config
> files. Ranger doesn't support LDAP sync with Anonymous bind DN. The
> property was added in Ambari-2.2.0 to recommend the same LDAP instance used
> by Ambari using Anonymous bind LDAP server.
>
> In Ambari-2.5.0 with stack 2.6, Anonymous bind property won't be
> available.
> Here is the Apache jira: https://issues.apache.org/jira/browse/AMBARI-19437
>
>
>
> Thanks,
> Mugdha Varadkar
>
>
>
> On Fri, Mar 17, 2017 at 5:23 AM, Don Bosco Durai <bo...@apache.org> wrote:
>
> Copying Ambari mailing list also. Mugdha or Gautam who worked on the
> Ambari stack for Ranger should be able to give more insights.
>
>
>
> Bosco
>
>
>
>
>
> From: Loïc Chanel <lo...@telecomnancy.net>
> Reply-To: <us...@ranger.apache.org>
> Date: Thursday, March 16, 2017 at 7:51 AM
> To: <us...@ranger.incubator.apache.org>
> Subject: UserSync with anonymous bind
>
>
>
> Hi fellow Ranger users,
>
>
>
> As I was working on user synchronization from an LDAP with anonymous bind
> to populate Ranger, I met the same issue as I did almost two years ago:
> even if I provide Ambari with the property "Anonymous bind", the property
> is ignored and either Ambari complains that I didn't provide Ranger with a
> password for LDAP bind, or Ranger UserSync doesn't work because of bad
> credentials when binding the LDAP. Even more mysterious is the fact that
> the property cannot be found in the XML properties files.
>
>
>
> At the time I first needed this, I used a manual setting I described in
> that documentation ( https://cwiki.apache.org/confluence/display/RANGER/Configure+Ranger+UserSync+for+LDAP )
> but as the configuration changed (I'm using Ranger 0.5.0 with Ambari
> 2.2.2.0) it doesn't work anymore.
>
>
>
> Did someone meet the same issue? Is there a workaround/patch?
>
> Thanks for your help,
>
>
>
>
>
> Loïc
>
>
> Loïc CHANEL
> System Big Data engineer
> MS&T - WASABI - Worldline (Villeurbanne, France)
>
>
>

Re: UserSync with anonymous bind

Posted by Don Bosco Durai <bo...@apache.org>.
Mugdha, thanks for clarifying.

 

Loïc, anonymous bind is generally not recommended due to security issues. Is it possible for you to create a lookup/bind user?

 

Thanks

 

Bosco

 

 

From: Mugdha Varadkar <mu...@gmail.com>
Reply-To: <us...@ranger.apache.org>
Date: Friday, March 17, 2017 at 5:12 AM
To: <us...@ranger.apache.org>
Cc: <de...@ambari.apache.org>
Subject: Re: UserSync with anonymous bind

 

Hi,

 

Anonymous bind is just a property available on Ambari UI to toggle "Bind User Password" property. The property is not persisted in any xml config files. Ranger doesn't support LDAP sync with Anonymous bind DN. The property was added in Ambari-2.2.0 to recommend the same LDAP instance used by Ambari using Anonymous bind LDAP server.

In Ambari-2.5.0 with stack 2.6, Anonymous bind property won't be available. 
Here is the Apache jira: https://issues.apache.org/jira/browse/AMBARI-19437

 

Thanks,
Mugdha Varadkar

 

On Fri, Mar 17, 2017 at 5:23 AM, Don Bosco Durai <bo...@apache.org> wrote:

Copying Ambari mailing list also. Mugdha or Gautam who worked on the Ambari stack for Ranger should be able to give more insights.



Bosco





From: Loïc Chanel <lo...@telecomnancy.net>
Reply-To: <us...@ranger.apache.org>
Date: Thursday, March 16, 2017 at 7:51 AM
To: <us...@ranger.incubator.apache.org>
Subject: UserSync with anonymous bind



Hi fellow Ranger users,



As I was working on user synchronization from an LDAP with anonymous bind to populate Ranger, I met the same issue as I did almost two years ago: even if I provide Ambari with the property "Anonymous bind", the property is ignored and either Ambari complains that I didn't provide Ranger with a password for LDAP bind, or Ranger UserSync doesn't work because of bad credentials when binding the LDAP. Even more mysterious is the fact that the property cannot be found in the XML properties files.



At the time I first needed this, I used a manual setting I described in that documentation ( https://cwiki.apache.org/confluence/display/RANGER/Configure+Ranger+UserSync+for+LDAP ) but as the configuration changed (I'm using Ranger 0.5.0 with Ambari 2.2.2.0) it doesn't work anymore.



Did someone meet the same issue? Is there a workaround/patch?

Thanks for your help,





Loïc


Loïc CHANEL
System Big Data engineer
MS&T - WASABI - Worldline (Villeurbanne, France)

 


Re: UserSync with anonymous bind

Posted by Mugdha Varadkar <mu...@gmail.com>.
Hi,

Anonymous bind is just a property available on Ambari UI to toggle "Bind
User Password" property. The property is not persisted in any xml config
files. Ranger doesn't support LDAP sync with Anonymous bind DN. The
property was added in Ambari-2.2.0 to recommend the same LDAP instance used
by Ambari using Anonymous bind LDAP server.

In Ambari-2.5.0 with stack 2.6, Anonymous bind property won't be available.
Here is the Apache jira: https://issues.apache.org/jira/browse/AMBARI-19437

Thanks,
Mugdha Varadkar

On Fri, Mar 17, 2017 at 5:23 AM, Don Bosco Durai <bo...@apache.org> wrote:

> Copying Ambari mailing list also. Mugdha or Gautam who worked on the
> Ambari stack for Ranger should be able to give more insights.
>
>
>
> Bosco
>
>
>
>
>
> From: Loïc Chanel <lo...@telecomnancy.net>
> Reply-To: <us...@ranger.apache.org>
> Date: Thursday, March 16, 2017 at 7:51 AM
> To: <us...@ranger.incubator.apache.org>
> Subject: UserSync with anonymous bind
>
>
>
> Hi fellow Ranger users,
>
>
>
> As I was working on user synchronization from an LDAP with anonymous bind
> to populate Ranger, I met the same issue as I did almost two years ago:
> even if I provide Ambari with the property "Anonymous bind", the property
> is ignored and either Ambari complains that I didn't provide Ranger with a
> password for LDAP bind, or Ranger UserSync doesn't work because of bad
> credentials when binding the LDAP. Even more mysterious is the fact that
> the property cannot be found in the XML properties files.
>
>
>
> At the time I first needed this, I used a manual setting I described in
> that documentation ( https://cwiki.apache.org/confluence/display/RANGER/Configure+Ranger+UserSync+for+LDAP )
> but as the configuration changed (I'm using Ranger 0.5.0 with Ambari
> 2.2.2.0) it doesn't work anymore.
>
>
>
> Did someone meet the same issue? Is there a workaround/patch?
>
> Thanks for your help,
>
>
>
>
>
> Loïc
>
>
> Loïc CHANEL
> System Big Data engineer
> MS&T - WASABI - Worldline (Villeurbanne, France)
>
>
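
Added example, not part of the thread and not Ranger or Ambari code: because the "Anonymous bind" toggle described above is not persisted, a check of which kind of bind a UserSync configuration would attempt has to look at the bind DN and password values themselves. The sketch below classifies them by the simple-bind forms of RFC 4513 section 5.1. It assumes the property names ranger.usersync.ldap.binddn and ranger.usersync.ldap.ldapbindpassword from ranger-ugsync-site.xml (verify against your version), assumes the password value is present in the XML rather than held in a separate credential store, and uses constructed sample configs with a placeholder DN and password.

```python
import xml.etree.ElementTree as ET

# Property names as found in Ranger's ranger-ugsync-site.xml; verify them
# against the Ranger version you run (assumption of this example).
BIND_DN = "ranger.usersync.ldap.binddn"
BIND_PW = "ranger.usersync.ldap.ldapbindpassword"


def load_properties(xml_text):
    """Parse a Hadoop-style <configuration> document into a name -> value dict."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def classify_bind(bind_dn, password):
    """Name the LDAP simple-bind form (RFC 4513, section 5.1) these values produce."""
    if not password:
        # Empty password: anonymous without a DN, "unauthenticated" with one.
        return "unauthenticated" if bind_dn else "anonymous"
    return "name/password" if bind_dn else "malformed"


def audit(xml_text):
    """Return (bind_form, findings) for the bind settings in a usersync config."""
    props = load_properties(xml_text)
    form = classify_bind(props.get(BIND_DN, ""), props.get(BIND_PW, ""))
    findings = []
    if form == "anonymous":
        findings.append("no bind DN and no password: anonymous bind")
    elif form == "unauthenticated":
        findings.append("bind DN set but password empty: the server treats "
                        "this as an anonymous session or rejects it")
    elif form == "malformed":
        findings.append("password set without a bind DN")
    return form, findings


def make_config(bind_dn, password):
    """Build a constructed sample config (not taken from a real cluster)."""
    return (
        "<configuration>"
        f"<property><name>{BIND_DN}</name><value>{bind_dn}</value></property>"
        f"<property><name>{BIND_PW}</name><value>{password}</value></property>"
        "</configuration>"
    )


# Constructed samples: the DN and password are placeholders.
SAMPLE_DN = "uid=ranger-sync,ou=service,dc=example,dc=com"
SAMPLES = {
    "anonymous": make_config("", ""),
    "dn-only": make_config(SAMPLE_DN, ""),
    "bind-user": make_config(SAMPLE_DN, "PLACEHOLDER"),
}

if __name__ == "__main__":
    for label, xml_text in SAMPLES.items():
        form, findings = audit(xml_text)
        print(f"{label}: {form}", *findings, sep="\n  ")
```

The "dn-only" case is the one to watch for when moving to a dedicated bind user: a DN with an empty password is not a name/password bind.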
