Hello guys/

Selva : The service running within the usersync provides UNIX password based authentication for RANGER-ADMIN UI (using a JAAS via SSL based connection to this service from Ranger Admin UI).

Lune : So if I understand well, this port is used when a user tries to connect to Ranger UI Admin. When this occurs, the following process happens :
1. Then Ranger Admin connects to usersync using this port.
2. In usersync, there is a service which will call the password validator program.

Question : Is it only for unix source or is it the same for ldap source ?
If I have an ldap source, in usersync, will I have also a service in usersync which will call the password validator program based on the records found in the LDAP ?

Best regards.

Lune.

On Thu, Apr 21, 2016 at 12:41 AM, Dilli Dorai <dilli.do...@gmail.com> wrote:

> Thanks Selva, Sailaja for the information.
> Hoping the additional information helps the community.
> Dilli
>
> On Wed, Apr 20, 2016 at 2:50 PM, Sailaja Polavarapu <spolavar...@hortonworks.com> wrote:
>
>> Hi Dilli,
>> You are right. I should have been more specific. This port is for
>> UnixAuthenticationService which invokes the password validator program.
>>
>> - Sailaja.
>>
>> From: Dilli Dorai <dilli.do...@gmail.com>
>> Reply-To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
>> Date: Wednesday, April 20, 2016 at 2:25 PM
>> To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
>> Subject: Re: Informationn about properties of Ranger
>>
>> <quote>
>> 4. ranger.usersync.port
>>
>> What is this port for exactly ?
>> [Sailaja]: This is the port where Usersync service listens on.
>> </quote>
>>
>> Sailaja,
>> Maybe I am misunderstanding or forgetting something here.
>>
>> I thought
>> usersync makes calls to other services like LDAP, AD and Ranger admin.
>> Other services do not call usersync.
>>
>> Could you confirm which services make calls to this listen port?
>> Thanks
>> Dilli
>>
>>
>> On Wed, Apr 20, 2016 at 1:50 PM, Sailaja Polavarapu <spolavar...@hortonworks.com> wrote:
>>
>>> Hi Lune,
>>> Answers inline…
>>> We have documentation on some of these properties available at:
>>>
>>> http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.0/bk_Security_Guide/content/ranger_advanced_usersync_settings.html
>>>
>>> Hope this helps.
>>>
>>> Thanks,
>>> Sailaja.
>>>
>>> From: Lune Silver <lunescar.ran...@gmail.com>
>>> Reply-To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
>>> Date: Wednesday, April 20, 2016 at 8:39 AM
>>> To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
>>> Subject: Informationn about properties of Ranger
>>>
>>> Hello !
>>>
>>> I contact you because I have some questions related to the following
>>> properties.
>>> Hope you can help me.
>>>
>>> Here are my questions :
>>>
>>> 1. ranger.usersync.passwordvalidator.path
>>>
>>> The comment says that this is the path for a native program to validate
>>> password. But in which situation does ranger validate password ?
>>> [Sailaja]: In cases where ranger user sync talks to ranger admin, this
>>> program is called as part of HTTP basic auth filter. These cases include
>>> Usersync getting users & groups from ranger admin during initial startup,
>>> updating Ranger admin with the sync’d users and/or group information, etc…
>>> Default value for this property is "./native/credValidator.uexe" which as
>>> you said is a native program to validate password.
>>>
>>> 2. ranger.usersync.policymanager.maxrecordsperapicall
>>>
>>> The help says that this is the maximum records returned by api call, but
>>> in which context ? Is it when a user uses the Ranger API to get the
>>> policies implemented in Ranger ?
>>> [Sailaja]: Ranger Usersync gets all the users & groups from Ranger admin
>>> (stored in Ranger DB) during initial start up. Since these records can be
>>> many, Usersync retrieves these values in paged manner. The value from this
>>> (ranger.usersync.policymanager.maxrecordsperapicall) property is sent as
>>> the query parameter along with the start index (which is the no. of records
>>> retrieved till now) as part of the GET request.
>>>
>>>
>>> 3. ranger.usersync.policymanager.mockrun
>>>
>>> If set to true, when does usersync perform mockrun ?
>>> [Sailaja]: This value is used mainly for testing to check if the users &
>>> groups are retrieved as desired for a given sync source. When this property
>>> is set to "true", then Usersync won’t update the sync results to ranger
>>> admin. This is mainly used in test deployments to tweak the LDAP or AD
>>> config until the desired results are achieved. After setting this property,
>>> Usersync needs to be restarted in order for the changes to be effective.
>>>
>>> 4. ranger.usersync.port
>>>
>>> What is this port for exactly ?
>>> [Sailaja]: This is the port where Usersync service listens on.
>>>
>>> 5. ranger.usersync.sleeptimeinmillisbetweensynccycl
>>>
>>> What is a cycle in usersync ? Is it just a synchronization ? Or is it
>>> more precise ?
>>> [Sailaja]: This property is used for periodic sync of users & groups
>>> from the configured Sync source.
>>>
>>> 6. ranger.usersync.source.impl.class
>>>
>>> What is this class for ?
>>> [Sailaja]: This is the class that will be invoked for a given Sync
>>> source. We currently support UNIX, FILE, or LDAP as sync sources. Sync
>>> source to class file mapping is as follows:
>>> Sync source as FILE: org.apache.ranger.unixusersync.process.FileSourceUserGroupBuilder
>>> Sync source as UNIX: org.apache.ranger.unixusersync.process.UnixUserGroupBuilder
>>> Sync source as LDAP: org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
>>>
>>>
>>> 7. ranger.usersync.truststore.password
>>>
>>> Just for a confirmation, is it the password used to access the truststore
>>> file ?
>>> [Sailaja]: Yes
>>>
>>> 8. ranger.usersync.unix.minUserId
>>>
>>> Is there a similar property for ldap ? Or is it only for unix ?
>>> [Sailaja]: This is only for Unix mainly to avoid system users to be
>>> sync’d to ranger.
>>>
>>>
>>> Thank you in advance for your answers !
>>>
>>> Best regards.
>>>
>>> Lune.
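
A configuration check built from the answers in this thread, as an added example that is not part of the original messages or of Apache Ranger's code: it flags a usersync configuration where mockrun is left on, the source class is not one of the three listed, or minUserId is low enough that system accounts would be synced. The Hadoop-style `<configuration>` XML layout, the sample values and the floor of 500 are assumptions.

```python
import xml.etree.ElementTree as ET

# Sync-source classes as listed in the thread above.
KNOWN_SOURCES = {
    "org.apache.ranger.unixusersync.process.FileSourceUserGroupBuilder": "FILE",
    "org.apache.ranger.unixusersync.process.UnixUserGroupBuilder": "UNIX",
    "org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder": "LDAP",
}

# Constructed sample; the <configuration>/<property> layout is an assumption.
SAMPLE = """<configuration>
  <property><name>ranger.usersync.policymanager.mockrun</name><value>true</value></property>
  <property><name>ranger.usersync.source.impl.class</name>
    <value>org.apache.ranger.unixusersync.process.UnixUserGroupBuilder</value></property>
  <property><name>ranger.usersync.unix.minUserId</name><value>0</value></property>
</configuration>"""

def load_props(xml_text):
    """Return {name: value} for every <property> in the document."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name", "").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}

def audit(props, min_uid_floor=500):
    """Return [(property, finding)]; min_uid_floor is a site policy value (assumed)."""
    pfx = "ranger.usersync."
    findings = []
    # mockrun=true: sync results are never pushed to Ranger Admin.
    if props.get(pfx + "policymanager.mockrun", "false").lower() == "true":
        findings.append((pfx + "policymanager.mockrun",
                         "mock run: sync results are not written to Ranger Admin"))
    source = KNOWN_SOURCES.get(props.get(pfx + "source.impl.class", ""))
    if source is None:
        findings.append((pfx + "source.impl.class",
                         "not one of the FILE/UNIX/LDAP classes"))
    # minUserId applies to the UNIX source only; an unset value is not judged here.
    uid = props.get(pfx + "unix.minUserId", "")
    if source == "UNIX" and uid and (not uid.isdigit() or int(uid) < min_uid_floor):
        findings.append((pfx + "unix.minUserId",
                         "system accounts below the floor would be synced"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(load_props(SAMPLE)):
        print(f"{name}: {finding}")
```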