Hello everyone. Thank you all for your answers o/

BR.
Lune

On Thu, Apr 21, 2016 at 7:44 PM, Don Bosco Durai <[email protected]> wrote:

> Also, if I am not wrong, they have a different set of properties.
>
> Thanks
>
> Bosco
>
>
> From: Velmurugan Periasamy <[email protected]>
> Reply-To: <[email protected]>
> Date: Thursday, April 21, 2016 at 9:25 AM
> To: "[email protected]" <[email protected]>
> Subject: Re: Informationn about properties of Ranger
>
> Lune – unix auth service running as part of usersync is applicable only if
> unix authentication method is chosen in ranger admin. For LDAP/AD
> authentication methods, ranger admin will authenticate the user directly
> against LDAP/AD.
>
> From: Lune Silver <[email protected]>
> Reply-To: "[email protected]" <[email protected]>
> Date: Thursday, April 21, 2016 at 5:09 AM
> To: "[email protected]" <[email protected]>
> Subject: Re: Informationn about properties of Ranger
>
> Hello guys/
>
> Selva : The service running within the usersync provides UNIX password
> based authentication for RANGER-ADMIN UI (using a JAAS via SSL based
> connection to this service from Ranger Admin UI).
>
> Lune :
> So if I understand well, this port is used when a user tries to connect to
> Ranger UI Admin. When this occurs, the following process happens :
> 1. Then Ranger Admin connects to usersync using this port.
> 2. In usersync, there is a service which calls the password validator
> program.
> Question :
> Is it only for unix source or is it the same for ldap source ? If I have
> an ldap source, in usersync, will I have also a service in usersync which
> will call the password validator program based on the records found in the
> LDAP ?
>
> Best regards.
>
> Lune.
>
>
> On Thu, Apr 21, 2016 at 12:41 AM, Dilli Dorai <[email protected]>
> wrote:
>
>> Thanks Selva, Sailaja for the information.
>> Hoping the additional information helps the community.
>> Dilli
>>
>> On Wed, Apr 20, 2016 at 2:50 PM, Sailaja Polavarapu <
>> [email protected]> wrote:
>>
>>> Hi Dilli,
>>> You are right. I should have been more specific. This port is for
>>> UnixAuthenticationService which invokes the password validator program.
>>>
>>> - Sailaja.
>>>
>>> From: Dilli Dorai <[email protected]>
>>> Reply-To: "[email protected]" <[email protected]>
>>> Date: Wednesday, April 20, 2016 at 2:25 PM
>>> To: "[email protected]" <[email protected]>
>>> Subject: Re: Informationn about properties of Ranger
>>>
>>> <quote>
>>> 4. ranger.usersync.port
>>>
>>> What is this port for exactly ?
>>> [Sailaja]: This is the port where Usersync service listens on.
>>> </quote>
>>>
>>> Sailaja,
>>> Maybe I am misunderstanding or forgetting something here.
>>>
>>> I thought
>>> usersync makes calls to other services like LDAP, AD and Ranger admin.
>>> Other services do not call usersync.
>>>
>>> Could you confirm which services make calls to this listen port?
>>> Thanks
>>> Dilli
>>>
>>>
>>> On Wed, Apr 20, 2016 at 1:50 PM, Sailaja Polavarapu <
>>> [email protected]> wrote:
>>>
>>>> Hi Lune,
>>>> Answers inline…
>>>> We have documentation on some of these properties available at:
>>>>
>>>> http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.0/bk_Security_Guide/content/ranger_advanced_usersync_settings.html
>>>>
>>>> Hope this helps.
>>>>
>>>> Thanks,
>>>> Sailaja.
>>>>
>>>> From: Lune Silver <[email protected]>
>>>> Reply-To: "[email protected]" <[email protected]>
>>>> Date: Wednesday, April 20, 2016 at 8:39 AM
>>>> To: "[email protected]" <[email protected]>
>>>> Subject: Informationn about properties of Ranger
>>>>
>>>> Hello !
>>>>
>>>> I contact you because I have some questions related to the following
>>>> properties.
>>>> Hope you can help me.
>>>>
>>>> Here are my questions :
>>>>
>>>> 1. ranger.usersync.passwordvalidator.path
>>>>
>>>> The comment says that this is the path for a native program to validate
>>>> password. But in which situation does ranger validate password ?
>>>> [Sailaja]: In cases where ranger user sync talks to ranger admin, this
>>>> program is called as part of HTTP basic auth filter. These cases include
>>>> Usersync getting users & groups from ranger admin during initial startup,
>>>> updating Ranger admin with the sync’d users and/or group information, etc…
>>>> Default value for this property is "./native/credValidator.uexe" which as
>>>> you said is a native program to validate password.
>>>>
>>>> 2. ranger.usersync.policymanager.maxrecordsperapicall
>>>>
>>>> The help says that this is the maximum records returned by api call,
>>>> but in which context ? Is it when a user uses the Ranger API to get the
>>>> policies implemented in Ranger ?
>>>> [Sailaja]: Ranger Usersync gets all the users & groups from Ranger
>>>> admin (stored in Ranger DB) during initial start up. Since these records
>>>> can be many, Usersync retrieves these values in paged manner. The value
>>>> from this (ranger.usersync.policymanager.maxrecordsperapicall) property is
>>>> sent as the query parameter along with the start index (which is the no. of
>>>> records retrieved till now) as part of the GET request.
>>>>
>>>> 3. ranger.usersync.policymanager.mockrun
>>>>
>>>> If set to true, when does usersync perform mockrun ?
>>>> [Sailaja]: This value is used mainly for testing to check if the users
>>>> & groups are retrieved as desired for a given sync source. When this
>>>> property is set to “true”, then Usersync won’t update the sync results to
>>>> ranger admin. This is mainly used in test deployments to tweak the LDAP or
>>>> AD config until the desired results are achieved. After setting this
>>>> property, Usersync needs to be restarted in order for the changes to be
>>>> effective.
>>>>
>>>> 4. ranger.usersync.port
>>>>
>>>> What is this port for exactly ?
>>>> [Sailaja]: This is the port where Usersync service listens on.
>>>>
>>>> 5. ranger.usersync.sleeptimeinmillisbetweensynccycl
>>>>
>>>> What is a cycle in usersync ? Is it just a synchronization ? Or is it
>>>> more precise ?
>>>> [Sailaja]: This property is used for periodic sync of users & groups
>>>> from the configured Sync source.
>>>>
>>>> 6. ranger.usersync.source.impl.class
>>>>
>>>> What is this class for ?
>>>> [Sailaja]: This is the class that will be invoked for a given Sync
>>>> source. We currently support UNIX, FILE, or LDAP as sync sources. Sync
>>>> source to class file mapping is as follows:
>>>> Sync source as
>>>> FILE: org.apache.ranger.unixusersync.process.FileSourceUserGroupBuilder
>>>> Sync source as
>>>> UNIX: org.apache.ranger.unixusersync.process.UnixUserGroupBuilder
>>>> Sync source as
>>>> LDAP: org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
>>>>
>>>> 7. ranger.usersync.truststore.password
>>>>
>>>> Just for a confirmation, is it the password used to access the truststore
>>>> file ?
>>>> [Sailaja]: Yes
>>>>
>>>> 8. ranger.usersync.unix.minUserId
>>>>
>>>> Is there a similar property for ldap ? Or is it only for unix ?
>>>> [Sailaja]: This is only for Unix mainly to avoid system users to be
>>>> sync’d to ranger.
>>>>
>>>>
>>>> Thank you in advance for your answers !
>>>>
>>>> Best regards.
>>>>
>>>> Lune.
>>>>
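
Added example, not part of the thread and not Ranger code: a small review script that reads a usersync configuration and flags the settings whose effects are described in the answers above (mockrun left on, an unknown sync-source class, a low unix.minUserId, a literal truststore password). The Hadoop-style `<property>` XML layout, the sample values and the `uid_floor` cut-off of 1000 are assumptions; the property and class names are the ones quoted in the thread.

```python
import xml.etree.ElementTree as ET

# Sync source -> builder class mapping, as listed in answer 6 of the thread.
BUILDERS = {
    "org.apache.ranger.unixusersync.process.FileSourceUserGroupBuilder": "FILE",
    "org.apache.ranger.unixusersync.process.UnixUserGroupBuilder": "UNIX",
    "org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder": "LDAP",
}
P = "ranger.usersync."

# Constructed sample; the Hadoop-style <property> layout is an assumption.
SAMPLE = f"""<configuration>
 <property><name>{P}policymanager.mockrun</name><value>true</value></property>
 <property><name>{P}source.impl.class</name>
  <value>org.apache.ranger.unixusersync.process.UnixUserGroupBuilder</value></property>
 <property><name>{P}unix.minUserId</name><value>0</value></property>
 <property><name>{P}truststore.password</name><value>example-only</value></property>
</configuration>"""

def load_props(xml_text):
    """Return {name: value} for every <property> element."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit(props, uid_floor=1000):
    """Return (property, finding) pairs; uid_floor is an assumed UID cut-off."""
    found = []
    if props.get(P + "policymanager.mockrun", "").lower() == "true":
        found.append((P + "policymanager.mockrun",
                      "test setting: sync results are not sent to Ranger admin"))
    source = BUILDERS.get(props.get(P + "source.impl.class", ""))
    if source is None:
        found.append((P + "source.impl.class", "not a FILE/UNIX/LDAP builder"))
    if source == "UNIX":  # minUserId only applies to the Unix source
        raw = props.get(P + "unix.minUserId", "")
        if not raw.isdigit() or int(raw) < uid_floor:
            found.append((P + "unix.minUserId", "system accounts may be synced"))
    if props.get(P + "truststore.password"):
        found.append((P + "truststore.password",
                      "literal password in file: restrict who can read it"))
    return found

if __name__ == "__main__":
    for name, finding in audit(load_props(SAMPLE)):
        print(f"{name}: {finding}")
```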
