ranger-user mailing list archives

From Lune Silver <lunescar.ran...@gmail.com>
Subject Re: Informationn about properties of Ranger
Date Fri, 22 Apr 2016 07:13:40 GMT
Hello everyone.

Thank all of you for your answer o/

BR.

Lune

On Thu, Apr 21, 2016 at 7:44 PM, Don Bosco Durai <bosco@apache.org> wrote:

> Also, if I am not wrong, they have different set of properties.
>
> Thanks
>
> Bosco
>
>
> From: Velmurugan Periasamy <vperiasamy@hortonworks.com>
> Reply-To: <user@ranger.incubator.apache.org>
> Date: Thursday, April 21, 2016 at 9:25 AM
>
> To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
> Subject: Re: Informationn about properties of Ranger
>
> Lune – unix auth service running as part of usersync is applicable only if
> unix authentication method is chosen in ranger admin. For LDAP/AD
> authentication methods, ranger admin will authenticate the user directly
> against LDAP/AD.
>
> From: Lune Silver <lunescar.ranger@gmail.com>
> Reply-To: "user@ranger.incubator.apache.org" <
> user@ranger.incubator.apache.org>
> Date: Thursday, April 21, 2016 at 5:09 AM
> To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
> Subject: Re: Informationn about properties of Ranger
>
> Hello guys/
>
> Selva : The service running within the usersync provides UNIX password
> based authentication for RANGER-ADMIN UI (using a JAAS  via SSL based
> connection to this service from Ranger Admin UI).
>
> Lune :
> So if I understand well, this port is used when a user tries to connect to
> Ranger UI Admin. When this occurs, the following process happens :
> 1. Then Ranger Admin connects to usersync using this port.
> 2. In usersync, there is a service which will call the password validator
> program.
> Question :
> Is it only for unix source or is it the same for ldap source ? If I have
> an ldap source, in usersync, will I have also a service in usersync which
> will call the password validator program based on the records found in the
> LDAP ?
>
> Best regards.
>
> Lune.
>
>
> On Thu, Apr 21, 2016 at 12:41 AM, Dilli Dorai <dilli.dorai@gmail.com>
> wrote:
>
>> Thanks Selva, Sailaja for the information.
>> Hoping the additional information helps the community.
>> Dilli
>>
>> On Wed, Apr 20, 2016 at 2:50 PM, Sailaja Polavarapu <
>> spolavarapu@hortonworks.com> wrote:
>>
>>> Hi Dilli,
>>>  You are right. I should have been more specific. This port is for
>>> UnixAuthenticationService which invokes the password validator program.
>>>
>>> - Sailaja.
>>>
>>> From: Dilli Dorai <dilli.dorai@gmail.com>
>>> Reply-To: "user@ranger.incubator.apache.org" <
>>> user@ranger.incubator.apache.org>
>>> Date: Wednesday, April 20, 2016 at 2:25 PM
>>> To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org
>>> >
>>> Subject: Re: Informationn about properties of Ranger
>>>
>>> <quote>
>>> 4. ranger.usersync.port
>>>
>>> What is this port for exactly ?
>>> [Sailaja]: This is the port where Usersync service listens on.
>>> </quote>
>>>
>>> Sailaja,
>>> Maybe I am misunderstanding or forgetting something here.
>>>
>>> I thought
>>> usersync makes calls to other services like LDAP, AD and Ranger admin.
>>> Other services do not call usersync.
>>>
>>> Could you confirm which services make calls to this listen port?
>>> Thanks
>>> Dilli
>>>
>>>
>>> On Wed, Apr 20, 2016 at 1:50 PM, Sailaja Polavarapu <
>>> spolavarapu@hortonworks.com> wrote:
>>>
>>>> Hi Lune,
>>>>  Answers inline…
>>>> We have documentation on some of these properties available at:
>>>>
>>>> http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.0/bk_Security_Guide/content/ranger_advanced_usersync_settings.html
>>>>
>>>> Hope this helps.
>>>>
>>>> Thanks,
>>>> Sailaja.
>>>>
>>>> From: Lune Silver <lunescar.ranger@gmail.com>
>>>> Reply-To: "user@ranger.incubator.apache.org" <
>>>> user@ranger.incubator.apache.org>
>>>> Date: Wednesday, April 20, 2016 at 8:39 AM
>>>> To: "user@ranger.incubator.apache.org" <
>>>> user@ranger.incubator.apache.org>
>>>> Subject: Informationn about properties of Ranger
>>>>
>>>> Hello !
>>>>
>>>> I contact you because I have some questions related to the following
>>>> properties.
>>>> Hope you can help me.
>>>>
>>>> Here are my questions :
>>>>
>>>> 1. ranger.usersync.passwordvalidator.path
>>>>
>>>> The comment says that this is the path for a native program to validate
>>>> password. But in which situation ranger does validate password ?
>>>> [Sailaja]: In cases where ranger user sync talks to ranger admin, this
>>>> program is called as part of HTTP basic auth filter. These cases include
>>>> Usersync getting users & groups from ranger admin during initial startup,
>>>> updating Ranger admin with the sync’d users and/or group information, etc…
>>>> Default value for this property is "./native/credValidator.uexe" which as
>>>> you said is a native program to validate password.
>>>>
>>>> 2. ranger.usersync.policymanager.maxrecordsperapicall
>>>>
>>>> The help says that this is the maximum records returned by api call,
>>>> but in which context ? Is it when a user uses the Ranger API to get the
>>>> policies implemented in Ranger ?
>>>> [Sailaja]: Ranger Usersync gets all the users & groups from Ranger
>>>> admin (stored in Ranger DB) during initial start up. Since these records
>>>> can be many, Usersync retrieves these values in paged manner.  The value
>>>> from this (ranger.usersync.policymanager.maxrecordsperapicall) property is
>>>> sent as the query parameter along with the start index (which is the no. of
>>>> records retrieved till now) as part of the GET request.
>>>>
>>>>
>>>> 3. ranger.usersync.policymanager.mockrun
>>>>
>>>> If set to true, when does usersync perform mockrun ?
>>>> [Sailaja]: This value is used mainly for testing to check if the users
>>>> & groups are retrieved as desired for a given sync source. When this
>>>> property is set to “true”, then Usersync won’t update the sync results to
>>>> ranger admin. This is mainly used in test deployments to tweak the LDAP or
>>>> AD config until the desired results are achieved. After setting this
>>>> property, Usersync needs to be restarted in order for the changes to be
>>>> effective.
>>>>
>>>> 4. ranger.usersync.port
>>>>
>>>> What is this port for exactly ?
>>>> [Sailaja]: This is the port where Usersync service listens on.
>>>>
>>>> 5. ranger.usersync.sleeptimeinmillisbetweensynccycl
>>>>
>>>> What is a cycle in usersync ? Is it just a synchronization ? Or is it
>>>> more precise ?
>>>> [Sailaja]: This property is used for periodic sync of users & groups
>>>> from the configured Sync source.
>>>>
>>>> 6. ranger.usersync.source.impl.class
>>>>
>>>> What is this class for ?
>>>> [Sailaja]: This is the class that will be invoked for a given Sync
>>>> source. We currently support UNIX, FILE, or LDAP as sync sources. Sync
>>>> source to class file mapping is as follows:
>>>> Sync source as
>>>> FILE: org.apache.ranger.unixusersync.process.FileSourceUserGroupBuilder
>>>> Sync source as
>>>> UNIX: org.apache.ranger.unixusersync.process.UnixUserGroupBuilder
>>>> Sync source as
>>>> LDAP: org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
>>>>
>>>>
>>>> 7. ranger.usersync.truststore.password
>>>>
>>>> Just for a confirmation, is it the password used to access the truststore
>>>> file ?
>>>> [Sailaja]: Yes
>>>>
>>>> 8. ranger.usersync.unix.minUserId
>>>>
>>>> Is there a similar property for ldap ? Or is it only for unix ?
>>>> [Sailaja]: This is only for Unix mainly to avoid system users to be
>>>> sync’d to ranger.
>>>>
>>>>
>>>> Thank you in advance for your answers !
>>>>
>>>> Best regards.
>>>>
>>>> Lune.
>>>>
>>>
>>>
>>
>
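
A configuration audit for the usersync properties discussed in this thread, added here as an example; it is not code from the Ranger project or from any poster. It assumes the Hadoop-style `<property>` XML layout for the usersync site file, and the sample values, the `admin_auth_method` argument and the `min_uid_floor` threshold are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in Hadoop-style <property> XML; values are illustrative only.
SAMPLE_SITE_XML = """<configuration>
 <property><name>ranger.usersync.source.impl.class</name>
  <value>org.apache.ranger.unixusersync.process.UnixUserGroupBuilder</value></property>
 <property><name>ranger.usersync.policymanager.mockrun</name><value>true</value></property>
 <property><name>ranger.usersync.unix.minUserId</name><value>0</value></property>
 <property><name>ranger.usersync.port</name><value>5151</value></property>
 <property><name>ranger.usersync.truststore.password</name><value>changeit</value></property>
</configuration>"""

P = "ranger.usersync."
# Sync source classes exactly as listed in the thread.
SOURCE_CLASSES = {
    "org.apache.ranger.unixusersync.process.FileSourceUserGroupBuilder": "FILE",
    "org.apache.ranger.unixusersync.process.UnixUserGroupBuilder": "UNIX",
    "org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder": "LDAP",
}

def load_properties(xml_text):
    """Return {name: value} for every <property> element in the site file."""
    root = ET.fromstring(xml_text)
    return {(p.findtext("name") or "").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}

def audit(props, admin_auth_method, min_uid_floor=500):
    """admin_auth_method and min_uid_floor are assumptions supplied by the caller."""
    findings = []
    source = SOURCE_CLASSES.get(props.get(P + "source.impl.class", ""))
    if source is None:
        findings.append("source.impl.class: not one of the FILE/UNIX/LDAP builders")
    if props.get(P + "policymanager.mockrun", "").lower() == "true":
        findings.append("mockrun: sync results are not pushed to Ranger Admin")
    if source == "UNIX":
        raw = props.get(P + "unix.minUserId", "")
        if not raw.isdigit() or int(raw) < min_uid_floor:
            findings.append("unix.minUserId: system accounts may be synced")
    if props.get(P + "port") and admin_auth_method.upper() != "UNIX":
        findings.append("port: auth listener unused unless Admin uses UNIX auth")
    if props.get(P + "truststore.password"):
        findings.append("truststore.password: secret in file, restrict read access")
    return findings

if __name__ == "__main__":
    for line in audit(load_properties(SAMPLE_SITE_XML), admin_auth_method="LDAP"):
        print(line)
```
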
