We deployed Ranger in our HDF cluster for authorization in NiFi. We're testing user authentication and authorization with Microsoft Active Directory (AD) accounts in Ranger and NiFi.
NiFi is able to use the sAMAccountName for authentication. However, it seems to only send the CN and DN to Ranger for authorization. 
Until that issue is fixed in NiFi, we were thinking that we could have UserSync in Ranger import users from AD with the full DN (instead of the more desirable sAMAccountName) so NiFi can authorize users properly. Setting the "ranger.usersync.ldap.user.nameattribute" value to "distinguishedName" imports the users in this fashion. However, this has the unintended effect of breaking the ability to edit policies after initial creation.
This behavior can be observed by creating a user account containing a comma as you would find in a DN (e.g. CN=Nick Hughes,OU=Users,OU=Accounts,DC=example,DC=com), adding it to a resource based policy, and then attempting to edit that policy. You'll only get a "spinning wheel" in the "Permissions" section of the "Allow Conditions".
Specifically, the comma in the DN seems to be the issue. The API call only shows the DN up to the first comma:
...and returns a 400 error stating that user is not found. Manually editing the URL above to include the full DN returns the user information as expected.
Can anyone confirm this behavior?
Thank you for letting us know the issue. I tried in one of my setup and I see the same behavior. Looks like the get request is not built correct may be not urlencoding the comma character?
I see the following in the ranger admin access logs:
[18/Nov/2016:00:39:02 +0000] "GET /service/xusers/users/userName/CN=userou5 HTTP/1.1" 400 166
Where as the actual username is: CN=userou5,OU=OU1,DC=ranger,DC=com
Please enter a ticket as this is a valid issue and needs to be fixed.
Just a side note though - in general comma (,) is treated as special character and is not allowed in the username in unix as well as in AD. Hence the use case might not be valid but should be handled in the code properly.