To install Ranger UserSync and start the service, do the following:
- Find the Ranger UserSync software: `yum search usersync` or `yum list | grep usersync`
- Install Ranger UserSync: `yum install ranger_2_2_0_0_<version>-usersync.x86_64`
- At the Ranger UserSync installation directory, update the following properties in the install.properties file:

  Table 13.2. Properties to Update in the install.properties File

  | Configuration Property Name | Description | Default/Example Value | Required? |
  |---|---|---|---|
  | **Policy Admin Tool** | | | |
  | POLICY_MGR_URL | URL for policy admin | http://policymanager.xasecure.net:6080 | Y |
  | **User Group Source Information** | | | |
  | SYNC_SOURCE | Specifies where the user/group information is extracted from before being put into the Ranger database. unix: gets user information from the /etc/passwd file and group information from the /etc/group file. ldap: gets user information from the LDAP service (see below for more information) | unix | N |
  | SYNC_INTERVAL | Specifies the interval (in minutes) between synchronization cycles. Note: the second sync cycle will NOT start until the first sync cycle is COMPLETE. | 5 | N |
  | **UNIX user/group Synchronization** | | | |
  | MIN_UNIX_USER_ID_TO_SYNC | User IDs below this value will not be synchronized to the Ranger user database | 300 (Unix default), 1000 (LDAP default) | Mandatory if SYNC_SOURCE is selected as unix |
  | **LDAP user/group synchronization** | | | |
  | SYNC_LDAP_URL | URL of the source LDAP | ldap://ldap.example.com:389 | Mandatory if SYNC_SOURCE is selected as ldap |
  | SYNC_LDAP_BIND_DN | LDAP bind DN used to connect to LDAP and query for users and groups | cn=admin,ou=users,dc=hadoop,dc=apache,dc=org | Mandatory if SYNC_SOURCE is selected as ldap |
  | SYNC_LDAP_BIND_PASSWORD | LDAP bind password for the bind DN specified above | LdapAdminPassW0Rd | Mandatory if SYNC_SOURCE is selected as ldap |
  | CRED_KEYSTORE_FILENAME | Location of the file where the encrypted password is kept | /usr/lib/xausersync/.jceks/xausersync.jceks (default), /etc/ranger/usersync/.jceks/xausersync.jceks | Mandatory if SYNC_SOURCE is selected as ldap |
  | SYNC_LDAP_USER_SEARCH_BASE | Search base for users | ou=users,dc=hadoop,dc=apache,dc=org | Mandatory if SYNC_SOURCE is selected as ldap |
  | SYNC_LDAP_USER_SEARCH_SCOPE | Search scope for the users; only base, one and sub are supported values | sub (default) | N |
  | SYNC_LDAP_USER_OBJECT_CLASS | Object class used to identify user entries | person (default) | N (defaults to person) |
  | SYNC_LDAP_USER_SEARCH_FILTER | Optional additional filter constraining the users selected for syncing | (dept=eng) | N (defaults to an empty string) |
  | SYNC_LDAP_USER_NAME_ATTRIBUTE | Attribute from the user entry that is treated as the user name | cn (default) | N (defaults to cn) |
  | SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE | Attribute from the user entry whose values are treated as group values to be pushed into the Policy Manager database. You can provide multiple attribute names separated by commas | memberof,ismemberof (default) | N (defaults to memberof, ismemberof) |
  | **User Synchronization** | | | |
  | unix_user | Unix user who runs the ranger-usersync process | ranger (default) | Y |
  | unix_group | Unix group associated with the Unix user who runs the ranger-usersync process | ranger (default) | Y |
  | SYNC_LDAP_USERNAME_CASE_CONVERSION | Convert all user names to lower/upper case. none: no conversion is done; the name is kept as it is in the SYNC_SOURCE. lower: convert it to lower case when saving it to the Ranger database. upper: convert it to upper case when saving it to the Ranger database | lower (default) | N (defaults to lower) |
  | SYNC_LDAP_GROUPNAME_CASE_CONVERSION | Convert all group names to lower/upper case. none: no conversion is done; the name is kept as it is in the SYNC_SOURCE. lower: convert it to lower case when saving it to the Ranger database. upper: convert it to upper case when saving it to the Ranger database | lower (default) | N (defaults to lower) |
  | logdir | Location of the log directory where the usersync logs are stored | logs (default) | Y |
- Set the Policy Manager URL to http://<ranger-admin-host>:6080 
- Check the JAVA_HOME environment variable. If JAVA_HOME has not yet been set, enter: `export JAVA_HOME=<path of installed jdk version folder>`
- Install the Ranger UserSync service: `cd /usr/hdp/<version>/ranger-usersync`, then `./setup.sh`
- Start the Ranger UserSync service: `service ranger-usersync start`
- To verify that the service was successfully started, wait 6 hours for LDAP and AD to synchronize, then do the following:
  - Go to http://<ranger-admin-host>:6080
  - Click the Users/Group tab. See if users and groups are synchronized.
  - Add a UNIX/LDAP/AD user, then check for the presence of that user in the Ranger Admin tab.
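A pre-flight check for install.properties that can be run before `./setup.sh`, shown here as an added example that is not part of the original guide or of Ranger itself. It applies the "Required?" rules from Table 13.2 and, as added review points rather than requirements stated by the guide, flags a plain ldap:// URL and a bind password still set to the table's sample value; the function names and the sample file contents are constructed for illustration.

```python
REQUIRED_ALWAYS = ["POLICY_MGR_URL", "unix_user", "unix_group", "logdir"]  # "Y" rows
REQUIRED_IF = {  # "Mandatory if SYNC_SOURCE is selected as ..." rows
    "unix": ["MIN_UNIX_USER_ID_TO_SYNC"],
    "ldap": ["SYNC_LDAP_URL", "SYNC_LDAP_BIND_DN", "SYNC_LDAP_BIND_PASSWORD",
             "CRED_KEYSTORE_FILENAME", "SYNC_LDAP_USER_SEARCH_BASE"],
}
DOC_SAMPLE_PASSWORD = "LdapAdminPassW0Rd"  # example value printed in the table

def parse_properties(text):
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            # Split on the first "=" only: DN values contain "=" themselves.
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check(props):
    findings = []  # an empty list means nothing was flagged
    source = props.get("SYNC_SOURCE") or "unix"  # table default is unix
    if source not in REQUIRED_IF:
        return [f"SYNC_SOURCE={source} is not one of: unix, ldap"]
    for key in REQUIRED_ALWAYS + REQUIRED_IF[source]:
        if not props.get(key):
            findings.append(f"{key} is mandatory when SYNC_SOURCE={source}")
    if source == "ldap":
        if props.get("SYNC_LDAP_URL", "").lower().startswith("ldap://"):
            findings.append("SYNC_LDAP_URL is plain ldap:// (no TLS unless StartTLS is configured)")
        if props.get("SYNC_LDAP_BIND_PASSWORD") == DOC_SAMPLE_PASSWORD:
            findings.append("SYNC_LDAP_BIND_PASSWORD is still the documentation sample")
        if props.get("SYNC_LDAP_USER_SEARCH_SCOPE", "sub") not in ("base", "one", "sub"):
            findings.append("SYNC_LDAP_USER_SEARCH_SCOPE must be base, one or sub")
    return findings

SAMPLE = """# Constructed sample input, not taken from a real deployment
POLICY_MGR_URL = http://ranger-admin.example.com:6080
SYNC_SOURCE = ldap
SYNC_LDAP_URL = ldap://ldap.example.com:389
SYNC_LDAP_BIND_DN = cn=admin,ou=users,dc=hadoop,dc=apache,dc=org
SYNC_LDAP_BIND_PASSWORD = LdapAdminPassW0Rd
SYNC_LDAP_USER_SEARCH_BASE = ou=users,dc=hadoop,dc=apache,dc=org
SYNC_LDAP_USER_SEARCH_SCOPE = subtree
unix_user = ranger
unix_group = ranger
logdir = logs
"""

if __name__ == "__main__":
    print("\n".join(check(parse_properties(SAMPLE))))
```

Because install.properties holds the LDAP bind password in clear text until setup has run, it is also worth confirming that the file is readable only by the account performing the installation.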
 


