Lune – unix auth service running as part of usersync is applicable only if unix authentication method is chosen in ranger admin. For LDAP/AD authentication methods, ranger admin will authenticate the user directly against LDAP/AD.
From: Lune Silver <lunescar.ran...@gmail.com>
Reply-To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
Date: Thursday, April 21, 2016 at 5:09 AM
To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
Subject: Re: Information about properties of Ranger

Hello guys/

Selva: The service running within the usersync provides UNIX password based authentication for RANGER-ADMIN UI (using a JAAS via SSL based connection to this service from Ranger Admin UI).

Lune: So if I understand well, this port is used when a user tries to connect to Ranger UI Admin. When this occurs, the following process happens:
1. Then Ranger Admin connects to usersync using this port.
2. In usersync, there is a service which will call the password validator program.

Question: Is it only for unix source or is it the same for ldap source? If I have an ldap source, in usersync, will I also have a service in usersync which will call the password validator program based on the records found in the LDAP?

Best regards.
Lune.

On Thu, Apr 21, 2016 at 12:41 AM, Dilli Dorai <dilli.do...@gmail.com> wrote:

Thanks Selva, Sailaja for the information. Hoping the additional information helps the community.
Dilli

On Wed, Apr 20, 2016 at 2:50 PM, Sailaja Polavarapu <spolavar...@hortonworks.com> wrote:

Hi Dilli,
You are right. I should have been more specific. This port is for UnixAuthenticationService which invokes the password validator program.
- Sailaja.

From: Dilli Dorai <dilli.do...@gmail.com>
Reply-To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
Date: Wednesday, April 20, 2016 at 2:25 PM
To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
Subject: Re: Information about properties of Ranger

<quote>
4. ranger.usersync.port
What is this port for exactly?
[Sailaja]: This is the port where Usersync service listens on.
</quote>

Sailaja,
Maybe I am misunderstanding or forgetting something here. I thought usersync makes calls to other services like LDAP, AD and Ranger admin. Other services do not call usersync. Could you confirm which services make calls to this listen port?
Thanks
Dilli

On Wed, Apr 20, 2016 at 1:50 PM, Sailaja Polavarapu <spolavar...@hortonworks.com> wrote:

Hi Lune,
Answers inline…
We have documentation on some of these properties available at: http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.0/bk_Security_Guide/content/ranger_advanced_usersync_settings.html
Hope this helps.
Thanks,
Sailaja.

From: Lune Silver <lunescar.ran...@gmail.com>
Reply-To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
Date: Wednesday, April 20, 2016 at 8:39 AM
To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
Subject: Information about properties of Ranger

Hello!
I contact you because I have some questions related to the following properties. Hope you can help me. Here are my questions:

1. ranger.usersync.passwordvalidator.path
The comment says that this is the path for a native program to validate password. But in which situation does ranger validate password?
[Sailaja]: In cases where ranger user sync talks to ranger admin, this program is called as part of HTTP basic auth filter. These cases include Usersync getting users & groups from ranger admin during initial startup, updating Ranger admin with the sync'd users and/or group information, etc… Default value for this property is "./native/credValidator.uexe" which as you said is a native program to validate password.

2. ranger.usersync.policymanager.maxrecordsperapicall
The help says that this is the maximum records returned by api call, but in which context? Is it when a user uses the Ranger API to get the policies implemented in Ranger?
[Sailaja]: Ranger Usersync gets all the users & groups from Ranger admin (stored in Ranger DB) during initial start up. Since these records can be many, Usersync retrieves these values in paged manner. The value from this (ranger.usersync.policymanager.maxrecordsperapicall) property is sent as the query parameter along with the start index (which is the no. of records retrieved till now) as part of the GET request.

3. ranger.usersync.policymanager.mockrun
If set to true, when does usersync perform mockrun?
[Sailaja]: This value is used mainly for testing to check if the users & groups are retrieved as desired for a given sync source. When this property is set to "true", then Usersync won't update the sync results to ranger admin. This is mainly used in test deployments to tweak the LDAP or AD config until the desired results are achieved. After setting this property, Usersync needs to be restarted in order for the changes to be effective.

4. ranger.usersync.port
What is this port for exactly?
[Sailaja]: This is the port where Usersync service listens on.

5. ranger.usersync.sleeptimeinmillisbetweensynccycl
What is a cycle in usersync? Is it just a synchronization? Or is it more precise?
[Sailaja]: This property is used for periodic sync of users & groups from the configured Sync source.

6. ranger.usersync.source.impl.class
What is this class for?
[Sailaja]: This is the class that will be invoked for a given Sync source. We currently support UNIX, FILE, or LDAP as sync sources. Sync source to class file mapping is as follows:
Sync source as FILE: org.apache.ranger.unixusersync.process.FileSourceUserGroupBuilder
Sync source as UNIX: org.apache.ranger.unixusersync.process.UnixUserGroupBuilder
Sync source as LDAP: org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder

7. ranger.usersync.truststore.password
Just for a confirmation, is it the password used to access the truststore file?
[Sailaja]: Yes

8. ranger.usersync.unix.minUserId
Is there a similar property for ldap? Or is it only for unix?
[Sailaja]: This is only for Unix, mainly to avoid system users being sync'd to ranger.

Thank you in advance for your answers!
Best regards.
Lune.
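The following is an added example, not code from the thread or from Apache Ranger, that models one usersync cycle to make three of the answers above concrete: the paged GET described for ranger.usersync.policymanager.maxrecordsperapicall (answer 2), the "compute but do not push" behaviour of ranger.usersync.policymanager.mockrun (answer 3), and the system-account cut-off of ranger.usersync.unix.minUserId applied by a UNIX-style source builder (answers 6 and 8). Everything named in it is an assumption for illustration: FakeRangerAdmin and its get_users/add_users methods stand in for Ranger admin and are not its REST API, the /etc/passwd and /etc/group text is constructed sample data, and the threshold 500 is a constructed value, not one stated in the thread.

```python
"""Added example (not Ranger's own code): a toy usersync cycle.

Assumptions: FakeRangerAdmin is a constructed stand-in for Ranger admin,
the passwd/group text below is constructed sample data, and the
min_user_id threshold used by the caller is a constructed value.
"""

# Constructed /etc/passwd content: two system accounts and two ordinary users.
PASSWD_TEXT = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
"""

# Constructed /etc/group content: primary groups plus two shared groups.
GROUP_TEXT = """\
root:x:0:
daemon:x:1:
alice:x:1001:
bob:x:1002:
analysts:x:2001:alice,bob
hadoop:x:2002:alice
"""


def build_unix_users(passwd_text, group_text, min_user_id):
    """UNIX sync source: return {user: [groups]} for accounts whose uid is at
    least min_user_id. Lower uids are treated as system accounts and skipped,
    which is the purpose the thread gives for ranger.usersync.unix.minUserId."""
    users = {}
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid = line.split(":")[:4]
        if int(uid) < min_user_id:
            continue  # system account: do not sync it to Ranger
        users[name] = {"gid": int(gid), "groups": set()}

    gid_to_name = {}
    for line in group_text.splitlines():
        if not line.strip():
            continue
        gname, _pw, gid, members = line.split(":")[:4]
        gid_to_name[int(gid)] = gname
        for member in filter(None, members.split(",")):
            if member in users:  # supplementary group membership
                users[member]["groups"].add(gname)

    for info in users.values():  # primary group comes from the passwd gid field
        primary = gid_to_name.get(info["gid"])
        if primary:
            info["groups"].add(primary)
    return {name: sorted(info["groups"]) for name, info in users.items()}


class FakeRangerAdmin:
    """Constructed stand-in for Ranger admin (assumption: not the real API)."""

    def __init__(self, existing_users):
        self.users = list(existing_users)
        self.calls = []    # (start_index, page_size) of every paged request
        self.pushed = []   # mappings handed to add_users()

    def get_users(self, start_index, page_size):
        self.calls.append((start_index, page_size))
        return self.users[start_index:start_index + page_size]

    def add_users(self, mapping):
        self.pushed.append(dict(mapping))
        self.users.extend(mapping)


def fetch_all_users(admin, max_records_per_api_call):
    """Paged retrieval as described for maxrecordsperapicall: each request
    carries the page size and a start index equal to the number of records
    retrieved so far; stop when a page comes back short."""
    start_index, collected = 0, []
    while True:
        page = admin.get_users(start_index, max_records_per_api_call)
        collected.extend(page)
        if len(page) < max_records_per_api_call:
            return collected
        start_index += len(page)


def sync_cycle(admin, passwd_text, group_text, min_user_id,
               max_records_per_api_call, mock_run):
    """One cycle: read what admin already has, build the local view, and push
    only the new users. With mock_run set the result is computed but never
    sent, the test-deployment behaviour described for mockrun."""
    existing = set(fetch_all_users(admin, max_records_per_api_call))
    local = build_unix_users(passwd_text, group_text, min_user_id)
    new_users = {n: g for n, g in local.items() if n not in existing}
    if mock_run:
        return {"new_users": new_users, "pushed": False}
    admin.add_users(new_users)
    return {"new_users": new_users, "pushed": True}


if __name__ == "__main__":
    admin = FakeRangerAdmin(["alice", "carol", "dave", "erin", "frank"])
    print(sync_cycle(admin, PASSWD_TEXT, GROUP_TEXT, 500, 2, mock_run=True))
    print(admin.calls)  # one (start_index, page_size) pair per paged request
```

Running the module as a script shows the paging loop making three requests for five existing users at a page size of 2, and the mock run reporting bob as the only new user without calling add_users; flipping mock_run to False is the equivalent of a normal cycle and is the only path that writes to the stand-in admin.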