Hi Lune,
 Answers inline…
We have documentation on some of these properties available at:
http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.0/bk_Security_Guide/content/ranger_advanced_usersync_settings.html

Hope this helps.

Thanks,
Sailaja.

From: Lune Silver <lunescar.ran...@gmail.com>
Reply-To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
Date: Wednesday, April 20, 2016 at 8:39 AM
To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
Subject: Information about properties of Ranger

Hello !

I contact you because I have some questions related to the following properties.
Hope you can help me.

Here are my questions :

1. ranger.usersync.passwordvalidator.path

The comment says that this is the path for a native program to validate 
passwords. But in which situation does Ranger validate passwords?
[Sailaja]: In cases where ranger user sync talks to ranger admin, this program 
is called as part of HTTP basic auth filter. These cases include Usersync 
getting users & groups from ranger admin during initial startup, updating 
Ranger admin with the sync’d users and/or group information, etc… Default value 
for this property is "./native/credValidator.uexe", which, as you said, is a 
native program to validate password.

2. ranger.usersync.policymanager.maxrecordsperapicall

The help says that this is the maximum records returned by api call, but in 
which context ? Is it when a user uses the Ranger API to get the policies 
implemented in Ranger ?
[Sailaja]: Ranger Usersync gets all the users & groups from Ranger admin 
(stored in Ranger DB) during initial start up. Since these records can be many, 
Usersync retrieves these values in a paged manner. The value from this 
(ranger.usersync.policymanager.maxrecordsperapicall) property is sent as the 
query parameter along with the start index (which is the no. of records 
retrieved till now) as part of the GET request.


3. ranger.usersync.policymanager.mockrun

If set to true, when does usersync perform mockrun ?
[Sailaja]: This value is used mainly for testing to check if the users & groups 
are retrieved as desired for a given sync source. When this property is set to 
“true”, then Usersync won’t update the sync results to ranger admin. This is 
mainly used in test deployments to tweak the LDAP or AD config until the 
desired results are achieved. After setting this property, Usersync needs to be 
restarted in order for the changes to be effective.

4. ranger.usersync.port

What is this port for exactly ?
[Sailaja]: This is the port that the Usersync service listens on.

5. ranger.usersync.sleeptimeinmillisbetweensynccycl

What is a cycle in usersync ? Is it just a synchronization ? Or is it more 
precise ?
[Sailaja]: This property is used for periodic sync of users & groups from the 
configured Sync source.

6. ranger.usersync.source.impl.class

What is this class for ?
[Sailaja]: This is the class that will be invoked for a given Sync source. We 
currently support UNIX, FILE, or LDAP as sync sources. Sync source to class 
file mapping is as follows:
Sync source as FILE: org.apache.ranger.unixusersync.process.FileSourceUserGroupBuilder
Sync source as UNIX: org.apache.ranger.unixusersync.process.UnixUserGroupBuilder
Sync source as LDAP: org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder


7. ranger.usersync.truststore.password

Just for a confirmation, is it the password used to access the truststore file ?
[Sailaja]: Yes

8. ranger.usersync.unix.minUserId

Is there a similar property for ldap ? Or is it only for unix ?
[Sailaja]: This is only for Unix, mainly to avoid system users being sync’d to 
ranger.


Thank you in advance for your answers !

Best regards.

Lune.
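
The paged retrieval described in answer 2, sketched as an added example that is not part of the original e-mail or Ranger's own code. The query parameter names (`pageSize`, `startIndex`), the in-memory admin stand-in and the stop-on-short-page rule are assumptions made for illustration.

```python
# Added illustration of Usersync paging through the users held by Ranger admin.
# Parameter names and the in-memory "admin" are assumptions, not Ranger code.
from urllib.parse import urlencode

# Constructed sample data standing in for users stored in the Ranger DB.
ADMIN_USERS = [f"user{i:03d}" for i in range(1, 8)]  # 7 users


def admin_get_users(start_index, page_size):
    """Stand-in for the GET handler on Ranger admin: returns one page."""
    if start_index < 0 or page_size <= 0:
        raise ValueError("start index must be >= 0 and page size > 0")
    return ADMIN_USERS[start_index:start_index + page_size]


def fetch_all_users(max_records_per_api_call):
    """Page through the admin's users the way answer 2 describes.

    Returns (users, queries); queries holds the query string of each call.
    """
    users, queries = [], []
    while True:
        start_index = len(users)  # number of records retrieved so far
        queries.append(urlencode({"pageSize": max_records_per_api_call,
                                  "startIndex": start_index}))
        page = admin_get_users(start_index, max_records_per_api_call)
        users.extend(page)
        # A short or empty page means there is nothing more to fetch.
        if len(page) < max_records_per_api_call:
            return users, queries


if __name__ == "__main__":
    users, queries = fetch_all_users(3)
    for query in queries:
        print(query)
    print(len(users), "users retrieved")
```

When the record count is an exact multiple of the page size, the loop issues one extra call that returns an empty page before it stops.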
