Version 3.0.0

Security — Ranger

The tdp-ranger chart supports authentication via LDAP / Active Directory, allowing the use of corporate directories for logging into Ranger Admin.

Activation is done through the values-tdp-ldap.yaml overlay, keeping the main values.yaml with LDAP disabled by default.

Prerequisites

Before enabling LDAP, create the required Kubernetes Secrets in the same namespace as Ranger.

Required Secret — bind password

Terminal input
kubectl create secret generic tdp-ranger-ldap-secret \
  --from-literal=bind-password='<BIND_PASSWORD>' \
  -n <namespace>

Optional Secret — LDAPS truststore

Required only when tls.enabled=true (LDAPS connection with a custom certificate):

Terminal input
kubectl create secret generic tdp-ranger-ldap-certs \
  --from-file=truststore.jks=<path-to-truststore> \
  -n <namespace>

How to enable

1. Keep LDAP disabled in the main values.yaml

tdp-ranger:
  ldap:
    enabled: false

2. Apply the overlay during install/upgrade

Terminal input
helm upgrade --install <release> \
  oci://registry.tecnisys.com.br/tdp/charts/tdp-ranger \
  -f values.yaml \
  -f values-tdp-ldap.yaml \
  -n <namespace>

The values-tdp-ldap.yaml file exposes all the parameters you need: connection URL, bind DN, search filters, role mapping, and TLS. Replace the placeholder values with the DNs, attributes, and certificates from your directory.

Main LDAP overlay parameters

| Parameter | Description | Example |
|---|---|---|
| connection.url | LDAP server URL | ldap://<host>:389 or ldaps://<host>:636 |
| bind.dn | Bind user DN | uid=ranger-bind,cn=users,cn=accounts,dc=example,dc=com |
| baseDn | Base DN of the directory tree | dc=example,dc=com |
| user.searchBase | User search base | cn=users,cn=accounts,dc=example,dc=com |
| group.searchBase | Group search base | cn=groups,cn=accounts,dc=example,dc=com |
| tls.enabled | Enable LDAPS | false |
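A pre-flight check for the overlay, as an added example that is not part of the tdp-ranger chart. It takes the parsed overlay (the dict mirrors values-tdp-ldap.yaml; in practice load the file with a YAML parser) and the Secrets present in the Ranger namespace, and reports the inconsistencies a Helm install will not catch: documentation placeholders left in DNs, a cleartext ldap:// URL, tls.enabled=true without an ldaps:// URL or the truststore Secret, and search bases that do not sit under baseDn. Nesting the table's parameters under tdp-ranger.ldap is an assumption; the Secret names and keys are the ones documented above.

```python
"""Consistency checks for a tdp-ranger LDAP overlay before `helm upgrade`.

Added example, not part of the chart. Assumes the overlay nests the table's
parameters under tdp-ranger.ldap (connection.url, bind.dn, baseDn,
user.searchBase, group.searchBase, tls.enabled). The Secret names and the
bind-password / truststore.jks keys are the ones the page documents.
"""
import re

BIND_SECRET = "tdp-ranger-ldap-secret"   # must carry key bind-password
CERTS_SECRET = "tdp-ranger-ldap-certs"   # must carry key truststore.jks when tls.enabled
PLACEHOLDER = re.compile(r"<[^>]+>")     # e.g. dc=<example> copied from the docs


def _dn_parts(dn):
    # Split a DN on unescaped commas and normalise case for a suffix comparison.
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn) if p.strip()]


def dn_is_under(dn, base):
    """True when `dn` is `base` itself or lies below it in the tree."""
    parts, base_parts = _dn_parts(dn), _dn_parts(base)
    return len(parts) >= len(base_parts) and parts[-len(base_parts):] == base_parts


def check_ldap_overlay(values, secrets):
    """Return a list of findings; an empty list means the overlay is consistent.

    values:  parsed overlay, a dict mirroring values-tdp-ldap.yaml
    secrets: {secret_name: set(data keys)} for the namespace, e.g. built from
             `kubectl get secret -n <namespace> -o json`
    """
    findings = []
    ldap = values.get("tdp-ranger", {}).get("ldap", {})
    if not ldap.get("enabled"):
        findings.append("tdp-ranger.ldap.enabled is false: the overlay will not take effect")
        return findings

    url = ldap.get("connection", {}).get("url", "")
    bind_dn = ldap.get("bind", {}).get("dn", "")
    base_dn = ldap.get("baseDn", "")
    user_base = ldap.get("user", {}).get("searchBase", "")
    group_base = ldap.get("group", {}).get("searchBase", "")
    tls_enabled = bool(ldap.get("tls", {}).get("enabled"))

    # 1. Placeholders from the documentation that were never replaced.
    for name, val in [("connection.url", url), ("bind.dn", bind_dn), ("baseDn", base_dn),
                      ("user.searchBase", user_base), ("group.searchBase", group_base)]:
        if PLACEHOLDER.search(val):
            findings.append(f"{name} still contains a <placeholder>: {val}")

    # 2. Transport: a plain ldap:// URL sends the simple-bind password in clear text.
    if url.startswith("ldap://"):
        findings.append("connection.url uses ldap://: bind password crosses the network unencrypted")
    elif not url.startswith("ldaps://"):
        findings.append(f"connection.url has an unexpected scheme: {url!r}")
    if tls_enabled and not url.startswith("ldaps://"):
        findings.append("tls.enabled=true but connection.url is not ldaps://")

    # 3. Secrets the chart mounts: bind password always, truststore only for LDAPS.
    if "bind-password" not in secrets.get(BIND_SECRET, set()):
        findings.append(f"secret {BIND_SECRET} with key bind-password is missing")
    if tls_enabled and "truststore.jks" not in secrets.get(CERTS_SECRET, set()):
        findings.append(f"tls.enabled=true but secret {CERTS_SECRET} lacks truststore.jks")

    # 4. A search base outside baseDn usually means a DN from another directory was pasted in.
    for name, dn in [("user.searchBase", user_base), ("group.searchBase", group_base)]:
        if dn and base_dn and not dn_is_under(dn, base_dn):
            findings.append(f"{name} {dn!r} is not under baseDn {base_dn!r}")
    return findings


# Constructed sample overlay and Secret inventory (not from a real cluster).
GOOD_VALUES = {"tdp-ranger": {"ldap": {
    "enabled": True,
    "connection": {"url": "ldaps://ipa.example.com:636"},
    "bind": {"dn": "uid=ranger-bind,cn=users,cn=accounts,dc=example,dc=com"},
    "baseDn": "dc=example,dc=com",
    "user": {"searchBase": "cn=users,cn=accounts,dc=example,dc=com"},
    "group": {"searchBase": "cn=groups,cn=accounts,dc=example,dc=com"},
    "tls": {"enabled": True},
}}}
GOOD_SECRETS = {BIND_SECRET: {"bind-password"}, CERTS_SECRET: {"truststore.jks"}}

# Constructed faulty overlay: cleartext URL, unfilled placeholder, foreign search base,
# TLS requested without the truststore Secret.
BAD_VALUES = {"tdp-ranger": {"ldap": {
    "enabled": True,
    "connection": {"url": "ldap://ipa.example.com:389"},
    "bind": {"dn": "uid=ranger-bind,cn=users,cn=accounts,dc=<example>,dc=com"},
    "baseDn": "dc=example,dc=com",
    "user": {"searchBase": "ou=people,dc=corp,dc=internal"},
    "group": {"searchBase": "cn=groups,cn=accounts,dc=example,dc=com"},
    "tls": {"enabled": True},
}}}
BAD_SECRETS = {BIND_SECRET: {"bind-password"}}

if __name__ == "__main__":
    for finding in check_ldap_overlay(BAD_VALUES, BAD_SECRETS):
        print("finding:", finding)
```

Run it against your real overlay before the `helm upgrade` step; a non-empty findings list is cheaper to read than a UserSync pod that starts and then logs bind failures.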

UserSync — user and group synchronization

The overlay enables a dedicated UserSync Deployment that synchronizes LDAP users and groups with Ranger Admin.

  • Includes an initContainer that waits for Ranger Admin to be available before starting synchronization.
  • Resources are configurable via tdp-ranger.usersync.resources.
  • LDAP connection parameters are configurable via tdp-ranger.usersync.ldap.

Automatic role assignment

Use tdp-ranger.usersync.roleAssignment.rules to automatically map LDAP users or groups to Ranger roles during synchronization:

tdp-ranger:
  usersync:
    roleAssignment:
      enabled: true
      rules:
        - role: "ROLE_SYS_ADMIN"
          users: ["admin"]
          groups:
            - "cn=ranger_admins,ou=groups,dc=<example>,dc=com"
        - role: "ROLE_ADMIN_AUDITOR"
          users: []
          groups:
            - "cn=ranger_auditors,ou=groups,dc=<example>,dc=com"

Available roles: ROLE_SYS_ADMIN, ROLE_KEY_ADMIN, ROLE_ADMIN_AUDITOR, ROLE_KEY_ADMIN_AUDITOR, ROLE_USER.
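A linter and dry run for the rules list, as an added example that is not the chart's or UserSync's own code. `lint_rules` flags role names outside the list above, rules that match nobody, group DNs with an unfilled placeholder, and a user or group mapped to more than one role; `roles_for` shows which rules a given user name and set of group DNs would match. The rule shape and role names come from the page; how UserSync resolves a user matched by two rules is not stated there, so the model returns every match and the linter treats overlap as a finding.

```python
"""Lint and dry-run tdp-ranger.usersync.roleAssignment.rules.

Added example, not part of the chart. The rule shape (role / users / groups)
and the role names come from the page; the matching below is a model of what
the rules express, not the UserSync implementation.
"""
import re

VALID_ROLES = {"ROLE_SYS_ADMIN", "ROLE_KEY_ADMIN", "ROLE_ADMIN_AUDITOR",
               "ROLE_KEY_ADMIN_AUDITOR", "ROLE_USER"}
PLACEHOLDER = re.compile(r"<[^>]+>")


def norm_dn(dn):
    # DN comparison is case-insensitive and ignores spaces around commas.
    return ",".join(p.strip().lower() for p in dn.split(","))


def lint_rules(rules):
    """Return findings for a rules list; an empty list means it is clean."""
    findings = []
    users_to_roles, groups_to_roles = {}, {}
    for i, rule in enumerate(rules):
        role = rule.get("role", "")
        users = rule.get("users") or []
        groups = rule.get("groups") or []
        if role not in VALID_ROLES:
            findings.append(f"rule {i}: unknown role {role!r}")
        if not users and not groups:
            findings.append(f"rule {i} ({role}): no users or groups, matches nobody")
        for u in users:
            users_to_roles.setdefault(u.lower(), set()).add(role)
        for g in groups:
            if PLACEHOLDER.search(g):
                findings.append(f"rule {i} ({role}): group DN still has a placeholder: {g}")
            groups_to_roles.setdefault(norm_dn(g), set()).add(role)
    # The same principal in two rules makes the outcome depend on evaluation order.
    for u, roles in users_to_roles.items():
        if len(roles) > 1:
            findings.append(f"user {u!r} is mapped to several roles: {sorted(roles)}")
    for g, roles in groups_to_roles.items():
        if len(roles) > 1:
            findings.append(f"group {g!r} is mapped to several roles: {sorted(roles)}")
    return findings


def roles_for(rules, username, member_of):
    """Roles whose rule matches this user name or one of its group DNs, in rule order."""
    groups = {norm_dn(g) for g in member_of}
    matched = []
    for rule in rules:
        users = {u.lower() for u in rule.get("users") or []}
        rule_groups = {norm_dn(g) for g in rule.get("groups") or []}
        if username.lower() in users or groups & rule_groups:
            matched.append(rule["role"])
    return matched


# Constructed rules: the page's example with the <example> placeholder filled in.
RULES = [
    {"role": "ROLE_SYS_ADMIN", "users": ["admin"],
     "groups": ["cn=ranger_admins,ou=groups,dc=example,dc=com"]},
    {"role": "ROLE_ADMIN_AUDITOR", "users": [],
     "groups": ["cn=ranger_auditors,ou=groups,dc=example,dc=com"]},
]

# Constructed faulty rules: a misspelt role, one group mapped twice, an unfilled placeholder.
BAD_RULES = [
    {"role": "ROLE_ADMIN", "users": [],
     "groups": ["cn=ranger_admins,ou=groups,dc=example,dc=com"]},
    {"role": "ROLE_USER", "users": [],
     "groups": ["cn=ranger_admins,ou=groups,dc=example,dc=com"]},
    {"role": "ROLE_KEY_ADMIN", "users": [],
     "groups": ["cn=kms_admins,ou=groups,dc=<example>,dc=com"]},
]

if __name__ == "__main__":
    for finding in lint_rules(BAD_RULES):
        print("finding:", finding)
    print(roles_for(RULES, "jdoe", ["CN=ranger_auditors,OU=groups,DC=example,DC=com"]))
```

Keep the group sets behind ROLE_SYS_ADMIN and the auditor roles disjoint; an account that lands in both defeats the separation the auditor role exists to provide, and the linter reports exactly that overlap.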