Syncing Keycloak Users, Groups and Roles with Ranger

Describes how to sync Keycloak users, groups, and roles to Ranger so that Ranger Admin authorizes the synced users and groups to manage policies and users.

SSO authentication for Ranger Admin is configured by default, in the same way as for other EEP components. However, SSO provides authentication only, not authorization. By default, users who log in through SSO cannot manage policies and users.

You can solve this problem by syncing users, groups, and roles from Keycloak to Ranger Admin.

To sync users, groups, and roles from Keycloak to Ranger, do the following:
  1. Create a dedicated user (for example, usersync) in your Keycloak realm and assign it the view-users role from the built-in realm-management client. See the Keycloak documentation for details.
  2. To sync the users, groups, and roles from Keycloak to the Ranger admin, set the following properties in /opt/mapr/ranger/ranger-<version>/ranger-usersync/install.properties:
    SYNC_SOURCE=keycloak
    SYNC_KEYCLOAK_USERNAME=<username>
    SYNC_KEYCLOAK_PASSWORD=<password>
    Here, <username> and <password> are the credentials of the dedicated user created in step 1.
    NOTE
    Keycloak users with the fabric-manager role get administrator privileges in Ranger Admin.
  3. Run the Ranger Admin setup.sh script to configure the new options:
    sudo /opt/mapr/ranger/ranger-<version>/ranger-usersync/setup.sh
  4. Run the configuration script:
    sudo /opt/mapr/server/configure.sh -R
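
Step 2 as a script, added here as an example and not part of the product documentation: it sets the three properties idempotently and takes the credentials from the environment variables KEYCLOAK_SYNC_USER and KEYCLOAK_SYNC_PASSWORD (names assumed for this example) so that the password is not passed as a command-line argument. Removing access for other users from the file is a precaution added here, because the file stores the password in clear text.

```shell
#!/bin/sh
# Added example: apply the step 2 properties to ranger-usersync/install.properties.
# Usage: sh set-keycloak-sync.sh <path to install.properties>
# (script name and the KEYCLOAK_SYNC_* variable names are hypothetical)

# set_prop FILE KEY VALUE
# Replace the first KEY=... line (dropping duplicates) or append it if absent.
# The value reaches awk through ENVIRON, so characters such as & \ / | in a
# password are written literally instead of being treated as escapes.
set_prop() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1          # created with mode 0600
    KEY="$key" VALUE="$value" awk '
        BEGIN { k = ENVIRON["KEY"]; v = ENVIRON["VALUE"]; done = 0 }
        index($0, k "=") == 1 { if (!done) print k "=" v; done = 1; next }
        { print }
        END { if (!done) print k "=" v }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write back in place so the owner and mode of the original file are kept.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# configure_keycloak_sync FILE
# Sets SYNC_SOURCE, SYNC_KEYCLOAK_USERNAME and SYNC_KEYCLOAK_PASSWORD.
configure_keycloak_sync() {
    props=$1
    if [ ! -f "$props" ]; then
        echo "not a file: $props" >&2
        return 1
    fi
    if [ -z "${KEYCLOAK_SYNC_USER:-}" ] || [ -z "${KEYCLOAK_SYNC_PASSWORD:-}" ]; then
        echo "set KEYCLOAK_SYNC_USER and KEYCLOAK_SYNC_PASSWORD first" >&2
        return 1
    fi
    set_prop "$props" SYNC_SOURCE keycloak &&
    set_prop "$props" SYNC_KEYCLOAK_USERNAME "$KEYCLOAK_SYNC_USER" &&
    set_prop "$props" SYNC_KEYCLOAK_PASSWORD "$KEYCLOAK_SYNC_PASSWORD" &&
    # Added precaution (not a step from this page): the file now holds a
    # clear-text password, so remove access for other users.
    chmod o-rwx "$props"
}

if [ "$#" -eq 1 ]; then
    configure_keycloak_sync "$1"
fi
```

Continue with steps 3 and 4 after the script has updated the file.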