在CDP-DC中Ranger集成FreeIPA的LDAP用户

大数据杂货铺 2020-06-17

745

文档编写目的

Cloudera从CM6.3版本开始，引入了Red Hat IdM来做整个集群的认证，Red Hat IdM对应的软件为FreeIPA，在本文中描述如何使用FreeIPA来做CDP-DC集群的认证。关于FreeIPA服务器搭建参考<使用FreeIPA对Linux用户权限统一管理>。之前的文章包括<使用FreeIPA为CDP DC7.1集群部署安全>,<CDP-DC中为CM集成FreeIPA提供的LDAP认证>。

本篇文章主要介绍如何为CDP-DC平台上的Ranger集成FreeIPA提供的LDAP用户。

内容概述

1) 测试环境描述

2) FreeIPA的LDAP介绍

3) Ranger集成LDAP

4) Ranger集成验证

5) 总结

测试环境

1) RedHat7.7

2) CM和Cloudera Runtime版本为7.1.1

3) FreeIPA版本为4.6.6

前置条件

1) FreeIPA已安装且正常使用

2) CDP-DC集群已搭建完毕且正常使用，已经启用FreeIPA提供的Kerberos认证。

测试环境描述

FreeIPA集群已安装完毕。

查看配置文件

从IPA 3.0开始，我们已经为/etc/openldap/ldap.conf配置了一些默认值：

[ec2-user@ip-10-0-0-170 ~]$ cat etc/openldap/ldap.conf

# File modified by ipa-client-install


# We do not want to break your existing configuration, hence:
#   URI, BASE, TLS_CACERT and SASL_MECH
#   have been added if they were not set.
#   In case any of them were set, a comment has been inserted and
#   "# CONF_NAME modified by IPA" added to the line above.
# To use IPA server with openLDAP tools, please comment out your
# existing configuration for these options and uncomment the
# corresponding lines generated by IPA.




#
# LDAP Defaults
#


# See ldap.conf(5) for details
# This file should be world readable but not world writable.


#BASE  dc=example,dc=com
#URI  ldap://ldap.example.com ldap://ldap-master.example.com:666


#SIZELIMIT  12
#TIMELIMIT  15
#DEREF    never


TLS_CACERTDIR  /etc/openldap/certs


# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON  on
URI ldaps://ip-10-0-0-170.ap-southeast-1.compute.internal
BASE dc=ap-southeast-1,dc=compute,dc=internal
TLS_CACERT /etc/ipa/ca.crt
SASL_MECH GSSAPI
[ec2-user@ip-10-0-0-170 ~]$

[ec2-user@ip-10-0-0-170 ~]$

设置这些默认值意味着您无需将太多选项传递给ldapsearch之类的工具。搜索更加容易：

$ ldapsearch -x uid=admin

而不是:

$ ldapsearch -x -h ipa.example.com  -b dc=example,dc=com uid=admin

[ec2-user@ip-10-0-0-170 ~]$ ldapsearch -x uid=admin
# extended LDIF
#
# LDAPv3
# base <dc=ap-southeast-1,dc=compute,dc=internal> (default) with scope subtree
# filter: uid=admin
# requesting: ALL
#


# admin, users, compat, ap-southeast-1.compute.internal
dn: uid=admin,cn=users,cn=compat,dc=ap-southeast-1,dc=compute,dc=internal
objectClass: posixAccount
objectClass: ipaOverrideTarget
objectClass: top
gecos: Administrator
cn: Administrator
uidNumber: 1376400000
gidNumber: 1376400000
loginShell: /bin/bash
homeDirectory: /home/admin
ipaAnchorUUID:: OklQQTphcC1zb3V0aGVhc3QtMS5jb21wdXRlLmludGVybmFsOmJmYTI4NGI4LW
 E5MzktMTFlYS1iZmEzLTA2YTdiNzk2MzQwYQ==
uid: admin


# admin, users, accounts, ap-southeast-1.compute.internal
dn: uid=admin,cn=users,cn=accounts,dc=ap-southeast-1,dc=compute,dc=internal
objectClass: top
objectClass: person
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: inetuser
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
uid: admin
cn: Administrator
sn: Administrator
uidNumber: 1376400000
gidNumber: 1376400000
homeDirectory: /home/admin
loginShell: /bin/bash
gecos: Administrator


# search result
search: 2
result: 0 Success


# numResponses: 3
# numEntries: 2
[ec2-user@ip-10-0-0-170 ~]$

Ranger与LDAP集成

使用管理员用户登录Cloudera Manager，进入“群集”->Ranger ->“配置”界面

2.通过配置下方的搜索器搜索LDAP，可以看到涉及到Ranger Admin和Ranger Usersync两部分

3.配置外部身份验证，具体配置参数如下：

参数名	值	描述
ranger.ldap.url	ldaps://ip-10-0-0-170.ap-southeast-1.compute.internal:636	配置FreeIPA的LDAP URL
ranger.ldap.bind.dn	uid=admin,cn=users,cn=accounts,dc=ap-southeast-1,dc=compute,dc=internal	配置用于搜索LDAP的管理员账号
ranger.ldap.bind.password	cloudera	管理员账号的密码
ranger.ldap.user.dnpattern	uid={0},cn=users,cn=accounts,dc=ap-southeast-1,dc=compute,dc=internal
ranger.ldap.user.searchfilter	uid={0}	LDAP用户搜索过滤器。仅在身份验证方法为LDAP时使用。
ranger.ldap.group.searchbase	cn= groups,cn=accounts,dc=ap-southeast-1,dc=compute,dc=internal
ranger.ldap.group.searchfilter	member={0}
ranger.ldap.group.roleattribute	cn
ranger.ldap.base.dn	cn=accounts,dc=ap-southeast-1,dc=compute,dc=internal
ranger.ldap.referral	follow	如果将多个LDAP服务器配置为返回结果的连续引用，则设置为遵循。如果不应该引用，则设置为忽略（默认）。当将此参数设置为throw时，在抛出ReferralException之前，所有常规条目都首先在枚举中返回。
ranger.usersync.source.impl.class	org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder	分别对应Unix用户同步，文件系统同步，和LDAP用户同步。这些选择LDAP
ranger.usersync.ldap.url	ldaps://ip-10-0-0-170.ap-southeast-1.compute.internal:636
ranger.usersync.ldap.binddn	uid=admin,cn=users,cn=accounts,dc=ap-southeast-1,dc=compute,dc=internal
ranger.usersync.ldap.ldapbindpassword	cloudera
ranger.usersync.ldap.deltasync	Ranger Usersync Default Group	复选
ranger.usersync.ldap.searchBase	cn=accounts,dc=ap-southeast-1,dc=compute,dc=internal
ranger.usersync.ldap.user.searchbase	cn=users,cn=accounts,dc=ap-southeast-1,dc=compute,dc=internal
ranger.usersync.ldap.user.searchscope	sub	用户的搜索范围。值“ base”表示仅应考虑在ranger.usersync.ldap.user.searchbase中指定为搜索基础的条目。“one”表示仅应考虑在ranger.usersync.ldap.user.searchbase中指定为搜索基础的条目的直接子级。“ Sub”表示应该考虑在ranger.usersync.ldap.user.searchbase中指定为搜索基础的条目及其所有子级的任何深度。
ranger.usersync.ldap.user.searchfilter	(\|(memberOf=cn=ipausers,cn= groups,cn=accounts,dc=ap-southeast-1,dc=compute,dc=internal))
ranger.usersync.ldap.user.nameattribute	uid
ranger.usersync.ldap.user.nameattribute	ignore
ranger.usersync.group.usermapsyncenabled	Ranger Usersync Default Group	复选
ranger.usersync.user.searchenabled	Ranger Usersync Default Group	复选
ranger.usersync.group.searchenabled	Ranger Usersync Default Group	复选
ranger.authentication.method	LDAP	登录到Ranger Admin的身份验证方法。