Repository: incubator-ranger Updated Branches: refs/heads/master 6781cc9c4 -> df0fcd4c3
RANGER-221: enhance usersync setup.sh to support new config properties introduced by RANGER-212 Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/df0fcd4c Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/df0fcd4c Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/df0fcd4c Branch: refs/heads/master Commit: df0fcd4c342d0ddb0fbce5f6f9ea07c0cb4179ce Parents: 6781cc9 Author: Dilli Dorai Arumugam <[email protected]> Authored: Fri Jan 23 16:21:28 2015 -0800 Committer: Dilli Dorai Arumugam <[email protected]> Committed: Wed Jan 28 14:26:12 2015 -0800 ---------------------------------------------------------------------- .../config/UserGroupSyncConfig.java | 3 - .../conf.dist/unixauthservice.properties | 63 +++++++++++++++++++ unixauthservice/scripts/install.properties | 64 ++++++++++++++++++++ unixauthservice/scripts/setup.sh | 34 ++++++++++- 4 files changed, 158 insertions(+), 6 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/df0fcd4c/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java ----------------------------------------------------------------------
diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java b/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
index 4dd8724..6ef27fe 100644
--- a/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
+++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
@@ -122,15 +122,12 @@ public class UserGroupSyncConfig {
 private static final String LGSYNC_PAGED_RESULTS_SIZE = "ldapGroupSync.pagedResultsSize";
 private static final int DEFAULT_LGSYNC_PAGED_RESULTS_SIZE = 500;
- // get groups only
 private static final String LGSYNC_GROUP_SEARCH_ENABLED = "ldapGroupSync.groupSearchEnabled";
 private static final boolean DEFAULT_LGSYNC_GROUP_SEARCH_ENABLED = false;
- // get group -> user link, bosco
 private static final String LGSYNC_GROUP_USER_MAP_SYNC_ENABLED = "ldapGroupSync.groupUserMapSyncEnabled";
 private static final boolean DEFAULT_LGSYNC_GROUP_USER_MAP_SYNC_ENABLED = false;
- // defaults to value of searchBase if searchBase is not null, else defaults to userSearchBase, bosco
 private static final String LGSYNC_GROUP_SEARCH_BASE = "ldapGroupSync.groupSearchBase";
 private static final String LGSYNC_GROUP_SEARCH_SCOPE = "ldapGroupSync.groupSearchScope";
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/df0fcd4c/unixauthservice/conf.dist/unixauthservice.properties ----------------------------------------------------------------------
diff --git a/unixauthservice/conf.dist/unixauthservice.properties b/unixauthservice/conf.dist/unixauthservice.properties
index b45a426..19526c3 100644
--- a/unixauthservice/conf.dist/unixauthservice.properties
+++ b/unixauthservice/conf.dist/unixauthservice.properties
@@ -136,6 +136,11 @@ ldapGroupSync.ldapBindDn =
 ldapGroupSync.ldapBindPassword =
 ldapGroupSync.ldapBindAlias =
 ldapGroupSync.ldapBindKeystore =
+
+# search base for users and groups
+# sample value would be dc=hadoop,dc=apache,dc=org
+ldapGroupSync.searchBase=
+
 # search base for users
 # sample value would be ou=users,dc=hadoop,dc=apache,dc=org
 # Must specify a value if value of usergroupSync.source.impl.class is
@@ -176,3 +181,61 @@ ldapGroupSync.username.caseConversion=lower
 ldapGroupSync.groupname.caseConversion=lower
 #user sync log path
 logdir=/var/log/ranger/usersync
+
+# do we want to do ldapsearch to find groups instead of relying on user entry attributes
+# valid values: true, false
+# any value other than true would be treated as false
+# default value: false
+ldapGroupSync.groupSearchEnabled=
+
+# do we want to do ldapsearch to find groups instead of relying on user entry attributes and
+# sync memberships of those groups
+# valid values: true, false
+# any value other than true would be treated as false
+# default value: false
+ldapGroupSync.groupUserMapSyncEnabled=
+
+# search base for groups
+# sample value would be ou=groups,dc=hadoop,dc=apache,dc=org
+# overrides value specified in SYNC_LDAP_SEARCH_BASE, SYNC_LDAP_USER_SEARCH_BASE
+# if a value is not specified, takes the value of SYNC_LDAP_SEARCH_BASE
+# if SYNC_LDAP_SEARCH_BASE is also not specified, takes the value of SYNC_LDAP_USER_SEARCH_BASE
+ldapGroupSync.groupSearchBase=
+
+# search scope for the groups, only base, one and sub are supported values
+# please customize the value to suit your deployment
+# default value: sub
+ldapGroupSync.groupSearchScope=
+
+# objectclass to identify group entries
+# please customize the value to suit your deployment
+# default value: groupofnames
+ldapGroupSync.groupObjectClass=
+
+# optional additional filter constraining the groups selected for syncing
+# a sample value would be (dept=eng)
+# please customize the value to suit your deployment
+# default value is empty
+ldapGroupSync.groupSearchFilter=
+
+# attribute from group entry that would be treated as group name
+# please customize the value to suit your deployment
+# default value: cn
+ldapGroupSync.groupNameAttribute=
+
+# attribute from group entry that is list of members
+# please customize the value to suit your deployment
+# default value: member
+ldapGroupSync.groupMemberAttributeName=
+
+# do we want to use paged results control during ldapsearch for user entries
+# valid values: true, false
+# any value other than true would be treated as false
+# default value: true
+# if the value is false, typical AD would return would not returm more than 1000 entries
+ldapGroupSync.pagedResultsEnabled=
+
+# page size for paged results control
+# search results would be returned page by page with the specified number of entries per page
+# default value: 500
+ldapGroupSync.pagedResultsSize=
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/df0fcd4c/unixauthservice/scripts/install.properties ----------------------------------------------------------------------
diff --git a/unixauthservice/scripts/install.properties b/unixauthservice/scripts/install.properties
index 63e4ffe..1f8512c 100644
--- a/unixauthservice/scripts/install.properties
+++ b/unixauthservice/scripts/install.properties
@@ -63,8 +63,14 @@ SYNC_LDAP_BIND_DN =
 # unless anonymous search is allowed by the directory on users and group
 SYNC_LDAP_BIND_PASSWORD =
 CRED_KEYSTORE_FILENAME=/usr/lib/xausersync/.jceks/xausersync.jceks
+
+# search base for users and groups
+# sample value would be dc=hadoop,dc=apache,dc=org
+SYNC_LDAP_SEARCH_BASE =
+
 # search base for users
+# sample value would be ou=users,dc=hadoop,dc=apache,dc=org
+# overrides value specified in SYNC_LDAP_SEARCH_BASE
 SYNC_LDAP_USER_SEARCH_BASE =
 # search scope for the users, only base, one and sub are supported values
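Review bot: The comment added above `ldapGroupSync.groupSearchBase` in this hunk refers to `SYNC_LDAP_SEARCH_BASE` and `SYNC_LDAP_USER_SEARCH_BASE`, which are install.properties variable names; in unixauthservice.properties the keys an operator can actually set are `ldapGroupSync.searchBase` and `ldapGroupSync.userSearchBase`, so the three "overrides / takes the value of" lines point a reader at names that do not exist in this file. Suggest `# if a value is not specified, takes the value of ldapGroupSync.searchBase` and `# if ldapGroupSync.searchBase is also not specified, takes the value of ldapGroupSync.userSearchBase` (the same wording in the install.properties hunk is correct as is). The comment above `ldapGroupSync.pagedResultsEnabled` also carries a doubled phrase and a typo: `typical AD would return would not returm more than 1000 entries` should read `a typical AD server would not return more than 1000 entries`.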
@@ -102,3 +108,61 @@ SYNC_LDAP_GROUPNAME_CASE_CONVERSION=lower
 #user sync log path
 logdir=logs #/var/log/ranger/usersync
+
+# do we want to do ldapsearch to find groups instead of relying on user entry attributes
+# valid values: true, false
+# any value other than true would be treated as false
+# default value: false
+SYNC_GROUP_SEARCH_ENABLED=
+
+# do we want to do ldapsearch to find groups instead of relying on user entry attributes and
+# sync memberships of those groups
+# valid values: true, false
+# any value other than true would be treated as false
+# default value: false
+SYNC_GROUP_USER_MAP_SYNC_ENABLED=
+
+# search base for groups
+# sample value would be ou=groups,dc=hadoop,dc=apache,dc=org
+# overrides value specified in SYNC_LDAP_SEARCH_BASE, SYNC_LDAP_USER_SEARCH_BASE
+# if a value is not specified, takes the value of SYNC_LDAP_SEARCH_BASE
+# if SYNC_LDAP_SEARCH_BASE is also not specified, takes the value of SYNC_LDAP_USER_SEARCH_BASE
+SYNC_GROUP_SEARCH_BASE=
+
+# search scope for the groups, only base, one and sub are supported values
+# please customize the value to suit your deployment
+# default value: sub
+SYNC_GROUP_SEARCH_SCOPE=
+
+# objectclass to identify group entries
+# please customize the value to suit your deployment
+# default value: groupofnames
+SYNC_GROUP_OBJECT_CLASS=
+
+# optional additional filter constraining the groups selected for syncing
+# a sample value would be (dept=eng)
+# please customize the value to suit your deployment
+# default value is empty
+SYNC_LDAP_GROUP_SEARCH_FILTER=
+
+# attribute from group entry that would be treated as group name
+# please customize the value to suit your deployment
+# default value: cn
+SYNC_GROUP_NAME_ATTRIBUTE=
+
+# attribute from group entry that is list of members
+# please customize the value to suit your deployment
+# default value: member
+SYNC_GROUP_MEMBER_ATTRIBUTE_NAME=
+
+# do we want to use paged results control during ldapsearch for user entries
+# valid values: true, false
+# any value other than true would be treated as false
+# default value: true
+# if the value is false, typical AD would return would not returm more than 1000 entries
+SYNC_PAGED_RESULTS_ENABLED=
+
+# page size for paged results control
+# search results would be returned page by page with the specified number of entries per page
+# default value: 500
+SYNC_PAGED_RESULTS_SIZE=
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/df0fcd4c/unixauthservice/scripts/setup.sh ----------------------------------------------------------------------
diff --git a/unixauthservice/scripts/setup.sh b/unixauthservice/scripts/setup.sh
index bc9fd35..5afb199 100755
--- a/unixauthservice/scripts/setup.sh
+++ b/unixauthservice/scripts/setup.sh
@@ -106,6 +106,9 @@ SYNC_LDAP_BIND_DN=`grep '^[ \t]*SYNC_LDAP_BIND_DN[ \t]*=' ${cdir}/install.proper
 SYNC_LDAP_BIND_PASSWORD=`grep '^[ \t]*SYNC_LDAP_BIND_PASSWORD[ \t]*=' ${cdir}/install.properties | sed -e 's:^[ \t]*SYNC_LDAP_BIND_PASSWORD[ \t]*=[ \t]*::'`
+SYNC_LDAP_SEARCH_BASE=`grep '^[ \t]*SYNC_LDAP_SEARCH_BASE[ \t]*=' ${cdir}/install.properties | sed -e 's:^[ \t]*SYNC_LDAP_SEARCH_BASE[ \t]*=[ \t]*::'`
+echo "$SYNC_LDAP_SEARCH_BASE"
+
 SYNC_LDAP_USER_SEARCH_BASE=`grep '^[ \t]*SYNC_LDAP_USER_SEARCH_BASE[ \t]*=' ${cdir}/install.properties | sed -e 's:^[ \t]*SYNC_LDAP_USER_SEARCH_BASE[ \t]*=[ \t]*::'`
 SYNC_LDAP_USER_SEARCH_SCOPE=`grep '^[ \t]*SYNC_LDAP_USER_SEARCH_SCOPE[ \t]*=' ${cdir}/install.properties | awk -F= '{ print $2 }' | sed -e 's:[ \t]*::g'`
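Review bot: `echo "$SYNC_LDAP_SEARCH_BASE"` directly after the new assignment in the setup.sh hunk reads like a leftover debug print: it emits an unlabeled line on stdout on every run, and none of the neighbouring `SYNC_LDAP_*` assignments print their value. Drop the line, or if the value is meant to be shown to the operator, label it the way the script's other messages are, e.g. `echo "SYNC_LDAP_SEARCH_BASE=${SYNC_LDAP_SEARCH_BASE}"`. The surrounding statement run continues outside the hunk.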
@@ -122,6 +125,21 @@ SYNC_LDAP_USERNAME_CASE_CONVERSION=`grep '^[ \t]*SYNC_LDAP_USERNAME_CASE_CONVERS
 SYNC_LDAP_GROUPNAME_CASE_CONVERSION=`grep '^[ \t]*SYNC_LDAP_GROUPNAME_CASE_CONVERSION[ \t]*=' ${cdir}/install.properties | awk -F= '{ print $2 }' | sed -e 's:[ \t]*::g'`
+SYNC_PAGED_RESULTS_ENABLED=`grep '^[ \t]*SYNC_PAGED_RESULTS_ENABLED[ \t]*=' ${cdir}/install.properties | awk -F= '{ print $2 }' | sed -e 's:[ \t]*::g'`
+SYNC_PAGED_RESULTS_SIZE=`grep '^[ \t]*SYNC_PAGED_RESULTS_SIZE[ \t]*=' ${cdir}/install.properties | awk -F= '{ print $2 }' | sed -e 's:[ \t]*::g'`
+
+
+SYNC_GROUP_SEARCH_ENABLED=`grep '^[ \t]*SYNC_GROUP_SEARCH_ENABLED[ \t]*=' ${cdir}/install.properties | awk -F= '{ print $2 }' | sed -e 's:[ \t]*::g'`
+SYNC_GROUP_USER_MAP_SYNC_ENABLED=`grep '^[ \t]*SYNC_GROUP_USER_MAP_SYNC_ENABLED[ \t]*=' ${cdir}/install.properties | awk -F= '{ print $2 }' | sed -e 's:[ \t]*::g'`
+
+SYNC_GROUP_SEARCH_BASE=`grep '^[ \t]*SYNC_GROUP_SEARCH_BASE[ \t]*=' ${cdir}/install.properties | awk -F= '{ print $2 }' | sed -e 's:[ \t]*::g'`
+SYNC_GROUP_SEARCH_SCOPE=`grep '^[ \t]*SYNC_GROUP_SEARCH_SCOPE[ \t]*=' ${cdir}/install.properties | awk -F= '{ print $2 }' | sed -e 's:[ \t]*::g'`
+SYNC_GROUP_OBJECT_CLASS=`grep '^[ \t]*SYNC_GROUP_OBJECT_CLASS[ \t]*=' ${cdir}/install.properties | awk -F= '{ print $2 }' | sed -e 's:[ \t]*::g'`
+SYNC_LDAP_GROUP_SEARCH_FILTER=`grep '^[ \t]*SYNC_LDAP_GROUP_SEARCH_FILTER[ \t]*=' ${cdir}/install.properties | sed -e 's:^[ \t]*SYNC_LDAP_GROUP_SEARCH_FILTER[ \t]*=[ \t]*::'`
+SYNC_GROUP_NAME_ATTRIBUTE=`grep '^[ \t]*SYNC_GROUP_NAME_ATTRIBUTE[ \t]*=' ${cdir}/install.properties | awk -F= '{ print $2 }' | sed -e 's:[ \t]*::g'`
+SYNC_GROUP_MEMBER_ATTRIBUTE_NAME=`grep '^[ \t]*SYNC_GROUP_MEMBER_ATTRIBUTE_NAME[ \t]*=' ${cdir}/install.properties | awk -F= '{ print $2 }' | sed -e 's:[ \t]*::g'`
+
+
 if [ "${SYNC_LDAP_USERNAME_CASE_CONVERSION}" == "" ]
 then
 SYNC_LDAP_USERNAME_CASE_CONVERSION="none"
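Review bot: `SYNC_GROUP_SEARCH_BASE` is extracted with `awk -F= '{ print $2 }'`, which splits the line on every `=`, so a DN such as the sample `ou=groups,dc=hadoop,dc=apache,dc=org` given in install.properties is cut down to `ou` before it is written into the generated config, and group search then runs against a garbage base. The `SYNC_LDAP_SEARCH_BASE` and `SYNC_LDAP_USER_SEARCH_BASE` lines in the previous hunk avoid exactly this by stripping only the key prefix with sed, and `SYNC_LDAP_GROUP_SEARCH_FILTER` in this hunk already uses that form; do the same here, replacing the awk/sed pair on the `SYNC_GROUP_SEARCH_BASE` line with `sed -e 's:^[ \t]*SYNC_GROUP_SEARCH_BASE[ \t]*=[ \t]*::'`. The other awk-based lines in the hunk read scopes, object classes and attribute names, which do not normally contain `=`, so they can stay as they are.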
@@ -178,9 +196,9 @@ then
 exit 5
 fi
- if [ "${SYNC_LDAP_USER_SEARCH_BASE}" == "" ]
+ if [ "${SYNC_LDAP_USER_SEARCH_BASE}" == "" ] && [ "${SYNC_LDAP_SEARCH_BASE}" == "" ]
 then
- echo "SYNC_LDAP_USER_SEARCH_BASE must be specified when SYNC_SOURCE is ldap"
+ echo "SYNC_LDAP_USER_SEARCH_BASE or SYNC_LDAP_SEARCH_BASE must be specified when SYNC_SOURCE is ldap"
 exit 6
 fi
@@ -274,7 +292,7 @@ then
 -e "s|^\( *ldapGroupSync.ldapBindPassword *=\).*|\1 ${SYNC_LDAP_BIND_PASSWORD}|" \
 -e "s|^\( *ldapGroupSync.ldapBindKeystore *=\).*|\1 ${SYNC_LDAP_BIND_KEYSTOREPATH}|" \
 -e "s|^\( *ldapGroupSync.ldapBindAlias *=\).*|\1 ${SYNC_LDAP_BIND_ALIAS}|" \
- -e "s|^\( *ldapGroupSync.userSearchBase *=\).*|\1 ${SYNC_LDAP_USER_SEARCH_BASE}|" \
+ -e "s|^\( *ldapGroupSync.searchBase *=\).*|\1 ${SYNC_LDAP_SEARCH_BASE}|" \
 -e "s|^\( *ldapGroupSync.userSearchScope *=\).*|\1 ${SYNC_LDAP_USER_SEARCH_SCOPE}|" \
 -e "s|^\( *ldapGroupSync.userObjectClass *=\).*|\1 ${SYNC_LDAP_USER_OBJECT_CLASS}|" \
 -e "s%^\( *ldapGroupSync.userSearchFilter *=\).*%\1 ${SYNC_LDAP_USER_SEARCH_FILTER}%" \
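Review bot: In the second hunk the `-e` expression for `ldapGroupSync.userSearchBase` is replaced by the one for `ldapGroupSync.searchBase` rather than added alongside it, so `SYNC_LDAP_USER_SEARCH_BASE` is still read from install.properties and still accepted by the check in the first hunk, but no longer reaches the generated config; whatever conf.dist holds for `userSearchBase` is left untouched, and the "overrides value specified in SYNC_LDAP_SEARCH_BASE" promise in install.properties is not kept. Unless the substitution is re-added in a part of the sed command outside this hunk, keep both lines by putting `-e "s|^\( *ldapGroupSync.userSearchBase *=\).*|\1 ${SYNC_LDAP_USER_SEARCH_BASE}|" \` back next to the new `searchBase` line. The sed command starts and ends outside the hunk.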
@@ -283,6 +301,16 @@ then
 -e "s|^\( *ldapGroupSync.username.caseConversion *=\).*|\1 ${SYNC_LDAP_USERNAME_CASE_CONVERSION}|" \
 -e "s|^\( *ldapGroupSync.groupname.caseConversion *=\).*|\1 ${SYNC_LDAP_GROUPNAME_CASE_CONVERSION}|" \
 -e "s|^\( *logdir *=\).*|\1 ${logdir}|" \
+ -e "s|^\( *ldapGroupSync.pagedResultsEnabled *=\).*|\1 ${SYNC_PAGED_RESULTS_ENABLED}|" \
+ -e "s|^\( *ldapGroupSync.pagedResultsSize *=\).*|\1 ${SYNC_PAGED_RESULTS_SIZE}|" \
+ -e "s|^\( *ldapGroupSync.groupSearchEnabled *=\).*|\1 ${SYNC_GROUP_SEARCH_ENABLED}|" \
+ -e "s|^\( *ldapGroupSync.groupUserMapSyncEnabled *=\).*|\1 ${SYNC_GROUP_USER_MAP_SYNC_ENABLED}|" \
+ -e "s|^\( *ldapGroupSync.groupSearchBase *=\).*|\1 ${SYNC_GROUP_SEARCH_BASE}|" \
+ -e "s|^\( *ldapGroupSync.groupSearchScope *=\).*|\1 ${SYNC_GROUP_SEARCH_SCOPE}|" \
+ -e "s|^\( *ldapGroupSync.groupObjectClass *=\).*|\1 ${SYNC_GROUP_OBJECT_CLASS}|" \
+ -e "s|^\( *ldapGroupSync.groupSearchFilter *=\).*|\1 ${SYNC_GROUP_SEARCH_FILTER}|" \
+ -e "s|^\( *ldapGroupSync.groupNameAttribute *=\).*|\1 ${SYNC_GROUP_NAME_ATTRIBUTE}|" \
+ -e "s|^\( *ldapGroupSync.groupMemberAttributeName *=\).*|\1 ${SYNC_GROUP_MEMBER_ATTRIBUTE_NAME}|" \
 ${CFG_FILE} > ${NEW_CFG_FILE}
 echo "<${logdir}> ${CFG_FILE} > ${NEW_CFG_FILE}"
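Review bot: The new `groupSearchFilter` substitution expands `${SYNC_GROUP_SEARCH_FILTER}`, but the variable filled from install.properties in the earlier setup.sh hunk, and the key in install.properties itself, is `SYNC_LDAP_GROUP_SEARCH_FILTER`; unless the shorter name is assigned somewhere outside the hunks, the filter an operator configures is silently written out empty. The same line also uses `|` as the sed delimiter, while an LDAP filter routinely contains `|` (a constructed example: `(|(cn=a)(cn=b))`), which is the reason the existing `userSearchFilter` line uses `%`; change it to `-e "s%^\( *ldapGroupSync.groupSearchFilter *=\).*%\1 ${SYNC_LDAP_GROUP_SEARCH_FILTER}%" \`. A `%` or `&` inside the value would still be interpreted by sed, so a one-line comment on that line stating which characters the filter must not contain would save the next person a debugging session. The sed command this hunk extends begins outside the hunk.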
