Installing Ranger UserSync for LDAP

https://cwiki.apache.org/confluence/display/RANGER/Configure+Ranger+UserSync+for+LDAP

https://community.spiceworks.com/topic/1739998-syncing-users-and-groups-from-ldap-into-apache-ranger

cd /opt/app/
tar -zxvf ranger-2.1.0-SNAPSHOT-usersync.tar.gz
cd /opt/app/ranger-2.1.0-SNAPSHOT-usersync

Edit install.properties

POLICY_MGR_URL = http://10.5.xxx.xxx:6080
SYNC_SOURCE = ldap
MIN_UNIX_USER_ID_TO_SYNC = 0
MIN_UNIX_GROUP_ID_TO_SYNC = 0
# periodic sync interval, in minutes
SYNC_INTERVAL = 1
SYNC_LDAP_URL = ldap://10.5.xxx.xxx:389
SYNC_LDAP_BIND_DN = cn=Manager,dc=travelsky,dc=com
SYNC_LDAP_BIND_PASSWORD = ldapxxxxxx
SYNC_LDAP_SEARCH_BASE = dc=travel,dc=com
SYNC_LDAP_USER_SEARCH_BASE = ou=Group,dc=travelsky,dc=com


Install
./setup.sh

1. Edit ranger-ugsync-site.xml
vim /opt/app/ranger-2.1.0-SNAPSHOT-usersync/conf/ranger-ugsync-site.xml

<property>
           <name>ranger.usersync.enabled</name>
           <value>true</value>
</property>

This parameter defaults to false, in which case user information from LDAP is not synced periodically; it must be set to true.
(ranger.usersync.cookie.enabled defaults to true: a user that has been deleted in Ranger is not imported again.)
Although the sync interval SYNC_INTERVAL was set to 1 minute, in practice no sync happened for a long time. The log shows why: the default minimum interval is 1 hour, and even if the configuration file sets a smaller value, the code resets it to 1 hour.
Code: https://github.com/apache/ranger/blob/master/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java

03 Sep 2019 15:46:44  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder created
03 Sep 2019 15:46:44  INFO UserGroupSyncConfig [UnixUserSyncThread] - Sleep Time Between Cycle can not be lower than [3600000] millisec. resetting to min value.
03 Sep 2019 15:46:44  INFO UserGroupSync [UnixUserSyncThread] - initializing sink: org.apache.ranger.ldapusersync.process.LdapPolicyMgrUserGroupBuilde

2. LDAP sync logic

Data is synced based on the objectclass and modifyTimestamp attributes of the LDAP accounts.

Step 1:
When the ranger-usersync service starts, the modifyTimestamp condition is "greater than 1970", so all user information in LDAP is synced.
The most recent creation/modification timestamp among the LDAP accounts is assigned to deltaSyncUserTime.

04 Sep 2019 13:22:24  INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink 57 
04 Sep 2019 13:22:24  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder updateSink started 325 
04 Sep 2019 13:22:24  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - Performing user search first 334 
04 Sep 2019 13:22:24  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - extendedUserSearchFilter = (&(objectclass=person)(|(uSNChanged>=0)(modifyTimestamp>=19700101080000Z))) 444 
04 Sep 2019 13:22:24  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - timeStampVal = 20190813130052Zand currentDeltaSyncTime = 1565672452000 514 

Step 2:
The periodic sync process uses the condition modifyTimestamp>=deltaSyncUserTime.

04 Sep 2019 13:58:32 DEBUG UserGroupSync [UnixUserSyncThread] - Sleeping for [180000] milliSeconds 78 
04 Sep 2019 14:01:32  INFO UserGroupSync [UnixUserSyncThread] - Begin: update user/group from source==>sink 106 
04 Sep 2019 14:01:32  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder updateSink started 325 
04 Sep 2019 14:01:32  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - Performing user search first 334 
04 Sep 2019 14:01:32  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - extendedUserSearchFilter = (&(objectclass=person)(|(uSNChanged>=1567544600001)(modifyTimestamp>=20190904050320Z))) 444 
04 Sep 2019 14:01:32  INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - timeStampVal = 20190904050320Zand currentDeltaSyncTime = 1567544600000 514

Code:
LdapDeltaUserGroupBuilder.java
method getUsers(UserGroupSink sink)

            DateFormat dateFormat = new SimpleDateFormat("yyyyMMddhhmmss");
            if (groupSearchFirstEnabled && groupUserTable.rowKeySet().size() != 0) {
                // Fix RANGER-1957: Perform full sync when group search is enabled and when there are updates to the groups
                deltaSyncUserTime = 0;
                deltaSyncUserTimeStamp = dateFormat.format(new Date(0));
            }

            extendedUserSearchFilter = "(objectclass=" + userObjectClass + ")(|(uSNChanged>=" + deltaSyncUserTime + ")(modifyTimestamp>=" + deltaSyncUserTimeStamp + "Z))";

            if (userSearchFilter != null && !userSearchFilter.trim().isEmpty()) {
                String customFilter = userSearchFilter.trim();
                if (!customFilter.startsWith("(")) {
                    customFilter = "(" + customFilter + ")";
                }

                extendedUserSearchFilter = "(&" + extendedUserSearchFilter + customFilter + ")";
            } else {
                extendedUserSearchFilter = "(&" + extendedUserSearchFilter + ")";
            }
            LOG.info("extendedUserSearchFilter = " + extendedUserSearchFilter);
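The two steps above (initial load from the epoch, then incremental search with modifyTimestamp >= deltaSyncUserTime) can be observed without an LDAP server. The following is an added example, not Ranger's code: it rebuilds the extendedUserSearchFilter string the same way the Java excerpt does and runs the modifyTimestamp branch of that filter against a small constructed in-memory directory. The entry names (alice, bob, printer01, dc=example,dc=com) are made up for the example, and timestamps are handled in UTC; the Java code formats them with SimpleDateFormat in the JVM's local time zone, which is why the log above shows 19700101080000Z for the epoch.

```python
"""Simulated Ranger UserSync delta cycle (added example; not Ranger's own code).

Reproduces the filter construction from LdapDeltaUserGroupBuilder.getUsers()
and evaluates it against a constructed in-memory "directory":
  step 1: deltaSyncUserTime = 0 -> every entry of the user object class is loaded
  step 2: deltaSyncUserTime = newest modifyTimestamp seen -> only changed entries
Timestamps are handled in UTC here (the Java code uses the JVM's local zone).
"""
from datetime import datetime, timezone

USER_OBJECT_CLASS = "person"  # matches the objectclass seen in the log above

# Constructed sample directory (not real data): dn -> attributes.
# modifyTimestamp is LDAP GeneralizedTime exactly as a server returns it.
DIRECTORY = {
    "uid=alice,ou=People,dc=example,dc=com":
        {"objectclass": "person", "modifyTimestamp": "20190813130052Z"},
    "uid=bob,ou=People,dc=example,dc=com":
        {"objectclass": "person", "modifyTimestamp": "20190820090000Z"},
    "cn=printer01,ou=Devices,dc=example,dc=com":
        {"objectclass": "device", "modifyTimestamp": "20190901000000Z"},
}


def generalized_time_to_ms(ts: str) -> int:
    """'20190813130052Z' -> epoch milliseconds (UTC)."""
    dt = datetime.strptime(ts, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) * 1000


def ms_to_generalized_time(ms: int) -> str:
    """epoch milliseconds -> '19700101000000Z' (UTC)."""
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc).strftime("%Y%m%d%H%M%SZ")


def build_user_search_filter(delta_sync_user_time: int, user_search_filter: str = "") -> str:
    """Build the same string the Java excerpt logs as extendedUserSearchFilter,
    including the wrapping of an optional custom user search filter."""
    stamp = ms_to_generalized_time(delta_sync_user_time)
    f = (f"(objectclass={USER_OBJECT_CLASS})"
         f"(|(uSNChanged>={delta_sync_user_time})(modifyTimestamp>={stamp}))")
    custom = user_search_filter.strip()
    if custom:
        if not custom.startswith("("):
            custom = "(" + custom + ")"
        return "(&" + f + custom + ")"
    return "(&" + f + ")"


def search(directory: dict, delta_sync_user_time: int) -> list:
    """Evaluate the modifyTimestamp branch of the filter against the sample
    directory. uSNChanged is an Active Directory attribute; an OpenLDAP server
    like the cn=Manager one above has none, so modifyTimestamp decides.
    GeneralizedTime strings of identical format compare correctly as strings."""
    stamp = ms_to_generalized_time(delta_sync_user_time)
    return sorted(dn for dn, attrs in directory.items()
                  if attrs.get("objectclass") == USER_OBJECT_CLASS
                  and attrs["modifyTimestamp"] >= stamp)


def sync_cycle(directory: dict, delta_sync_user_time: int) -> tuple:
    """One usersync cycle: returns (dns pushed to the sink, new deltaSyncUserTime).
    The new watermark is the newest modifyTimestamp among the fetched entries,
    as described in step 1; if nothing matched it stays unchanged."""
    fetched = search(directory, delta_sync_user_time)
    newest = max((generalized_time_to_ms(directory[dn]["modifyTimestamp"]) for dn in fetched),
                 default=delta_sync_user_time)
    return fetched, newest


if __name__ == "__main__":
    # step 1: initial load, filter anchored at the epoch
    print(build_user_search_filter(0))
    users, watermark = sync_cycle(DIRECTORY, 0)
    print("initial load:", users, "->", ms_to_generalized_time(watermark))
    # step 2 with no changes: because the comparison is >=, the entry sitting
    # exactly on the watermark is read again every cycle
    print("idle cycle:", sync_cycle(DIRECTORY, watermark)[0])
    # alice is modified afterwards and is picked up by the next cycle
    DIRECTORY["uid=alice,ou=People,dc=example,dc=com"]["modifyTimestamp"] = "20190904050320Z"
    print("after change:", sync_cycle(DIRECTORY, watermark)[0])
```

Running the block shows the two behaviours worth knowing when reading the usersync log: the device entry never appears because the objectclass clause excludes it, and the entry whose modifyTimestamp equals the watermark is re-read on every idle cycle, so seeing one unchanged user in each incremental run is expected rather than a sign that the delta logic is broken.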

Start
service ranger-usersync start
