From: Lune Silver
To: user@ranger.incubator.apache.org
Date: Fri, 22 Apr 2016 09:13:40 +0200
Subject: Re: Informationn about properties of Ranger

Hello everyone.

Thank all of you for your answer o/

BR.

Lune

On Thu, Apr 21, 2016 at 7:44 PM, Don Bosco Durai wrote:

> Also, if I am not wrong, they have different set of properties.
>
> Thanks
>
> Bosco
>
>
> From: Velmurugan Periasamy
> Reply-To: <user@ranger.incubator.apache.org>
> Date: Thursday, April 21, 2016 at 9:25 AM
> To: "user@ranger.incubator.apache.org"
> Subject: Re: Informationn about properties of Ranger
>
> Lune – unix auth service running as part of usersync is applicable only if
> unix authentication method is chosen in ranger admin. For LDAP/AD
> authentication methods, ranger admin will authenticate the user directly
> against LDAP/AD.
>
> From: Lune Silver
> Reply-To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
> Date: Thursday, April 21, 2016 at 5:09 AM
> To: "user@ranger.incubator.apache.org"
> Subject: Re: Informationn about properties of Ranger
>
> Hello guys/
>
> Selva : The service running within the usersync provides UNIX password
> based authentication for RANGER-ADMIN UI (using a JAAS via SSL based
> connection to this service from Ranger Admin UI).
>
> Lune :
> So if I understand well, this port is used when a user tries to connect to
> Ranger UI Admin. When this occurs, the following process happens :
> 1. Then Ranger Admin connects to usersync using this port.
> 2. In usersync, there is a service which will call the password validator
> program.
> Question :
> Is it only for unix source or is it the same for ldap source ? If I have
> an ldap source, in usersync, will I have also a service in usersync which
> will call the password validator program based on the records found in the
> LDAP ?
>
> Best regards.
>
> Lune.
>
>
> On Thu, Apr 21, 2016 at 12:41 AM, Dilli Dorai wrote:
>
>> Thanks Selva, Sailaja for the information.
>> Hoping the additional information helps the community.
>> Dilli
>>
>> On Wed, Apr 20, 2016 at 2:50 PM, Sailaja Polavarapu <spolavarapu@hortonworks.com> wrote:
>>
>>> Hi Dilli,
>>> You are right. I should have been more specific. This port is for
>>> UnixAuthenticationService which invokes the password validator program.
>>>
>>> - Sailaja.
>>>
>>> From: Dilli Dorai
>>> Reply-To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
>>> Date: Wednesday, April 20, 2016 at 2:25 PM
>>> To: "user@ranger.incubator.apache.org"
>>> Subject: Re: Informationn about properties of Ranger
>>>
>>>
>>> 4. ranger.usersync.port
>>>
>>> What is this port for exactly ?
>>> [Sailaja]: This is the port where Usersync service listens on.
>>>
>>>
>>> Sailaja,
>>> Maybe I am misunderstanding or forgetting something here.
>>>
>>> I thought
>>> usersync makes calls to other services like LDAP, AD and Ranger admin.
>>> Other services do not call usersync.
>>>
>>> Could you confirm which services make call to this listen port?
>>> Thanks
>>> Dilli
>>>
>>>
>>> On Wed, Apr 20, 2016 at 1:50 PM, Sailaja Polavarapu <spolavarapu@hortonworks.com> wrote:
>>>
>>>> Hi Lune,
>>>> Answers inline…
>>>> We have documentation on some of these properties available at:
>>>>
>>>> http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.0/bk_Security_Guide/content/ranger_advanced_usersync_settings.html
>>>>
>>>> Hope this helps.
>>>>
>>>> Thanks,
>>>> Sailaja.
>>>>
>>>> From: Lune Silver
>>>> Reply-To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
>>>> Date: Wednesday, April 20, 2016 at 8:39 AM
>>>> To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
>>>> Subject: Informationn about properties of Ranger
>>>>
>>>> Hello !
>>>>
>>>> I contact you because I have some questions related to the following
>>>> properties.
>>>> Hope you can help me.
>>>>
>>>> Here are my questions :
>>>>
>>>> 1. ranger.usersync.passwordvalidator.path
>>>>
>>>> The comment says that this is the path for a native program to validate
>>>> password. But in which situation ranger does validate password ?
>>>> [Sailaja]: In cases where ranger user sync talks to ranger admin, this
>>>> program is called as part of HTTP basic auth filter. These cases include
>>>> Usersync getting users & groups from ranger admin during initial startup,
>>>> updating Ranger admin with the sync’d users and/or group information, etc…
>>>> Default value for this property is "./native/credValidator.uexe" which as
>>>> you said is a native program to validate password.
>>>>
>>>> 2. ranger.usersync.policymanager.maxrecordsperapicall
>>>>
>>>> The help says that this is the maximum records returned by api call,
>>>> but in which context ? Is it when a user uses the Ranger API to get the
>>>> policies implemented in Ranger ?
>>>> [Sailaja]: Ranger Usersync gets all the users & groups from Ranger
>>>> admin (stored in Ranger DB) during initial start up. Since these records
>>>> can be many, Usersync retrieves these values in paged manner. The value
>>>> from this (ranger.usersync.policymanager.maxrecordsperapicall) property is
>>>> sent as the query parameter along with the start index (which is the no. of
>>>> records retrieved till now) as part of the GET request.
>>>>
>>>>
>>>> 3. ranger.usersync.policymanager.mockrun
>>>>
>>>> If set to true, when does usersync perform mockrun ?
>>>> [Sailaja]: This value is used mainly for testing to check if the users
>>>> & groups are retrieved as desired for a given sync source. When this
>>>> property is set to “true”, then Usersync won’t update the sync results to
>>>> ranger admin. This is mainly used in test deployments to tweak the LDAP or
>>>> AD config until the desired results are achieved. After setting this
>>>> property, Usersync needs to be restarted in order for the changes to be
>>>> effective.
>>>>
>>>> 4. ranger.usersync.port
>>>>
>>>> What is this port for exactly ?
>>>> [Sailaja]: This is the port where Usersync service listens on.
>>>>
>>>> 5. ranger.usersync.sleeptimeinmillisbetweensynccycl
>>>>
>>>> What is a cycle in usersync ? Is it just a synchronization ? Or is it
>>>> more precise ?
>>>> [Sailaja]: This property is used for periodic sync of users & groups
>>>> from the configured Sync source.
>>>>
>>>> 6. ranger.usersync.source.impl.class
>>>>
>>>> What is this class for ?
>>>> [Sailaja]: This is the class that will be invoked for a given Sync
>>>> source. We currently support UNIX, FILE, or LDAP as sync sources. Sync
>>>> source to class file mapping is as follows:
>>>> Sync source as FILE: org.apache.ranger.unixusersync.process.FileSourceUserGroupBuilder
>>>> Sync source as UNIX: org.apache.ranger.unixusersync.process.UnixUserGroupBuilder
>>>> Sync source as LDAP: org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
>>>>
>>>>
>>>> 7. ranger.usersync.truststore.password
>>>>
>>>> Just for a confirmation, is it the password used to access the truststore
>>>> file ?
>>>> [Sailaja]: Yes
>>>>
>>>> 8. ranger.usersync.unix.minUserId
>>>>
>>>> Is there a similar property for ldap ? Or is it only for unix ?
>>>> [Sailaja]: This is only for Unix mainly to avoid system users to be
>>>> sync’d to ranger.
>>>>
>>>>
>>>> Thank you in advance for your answers !
>>>>
>>>> Best regards.
>>>>
>>>> Lune.
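The answers in this thread can be turned into a small review of a usersync configuration. The following is an added example, not part of the original messages and not Ranger code: it assumes the properties are stored in a Hadoop-style `<configuration>` XML file, and `admin_auth_method`, `min_uid_floor` and the sample values are hypothetical inputs constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Sync source -> builder class, as listed in the thread above.
SOURCE_CLASSES = {
    "FILE": "org.apache.ranger.unixusersync.process.FileSourceUserGroupBuilder",
    "UNIX": "org.apache.ranger.unixusersync.process.UnixUserGroupBuilder",
    "LDAP": "org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder",
}

# Constructed sample config; every value here is made up for the example.
SAMPLE = """<configuration>
  <property><name>ranger.usersync.policymanager.mockrun</name><value>true</value></property>
  <property><name>ranger.usersync.source.impl.class</name>
    <value>org.apache.ranger.unixusersync.process.UnixUserGroupBuilder</value></property>
  <property><name>ranger.usersync.unix.minUserId</name><value>0</value></property>
  <property><name>ranger.usersync.port</name><value>5151</value></property>
</configuration>"""

def load_properties(xml_text):
    """Parse <property><name/><value/></property> entries into a dict."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def review_usersync(props, admin_auth_method, min_uid_floor=500):
    """Return findings; admin_auth_method and min_uid_floor are reviewer inputs (assumptions)."""
    findings = []
    # mockrun is described as a test setting: results are not pushed to Ranger admin.
    if props.get("ranger.usersync.policymanager.mockrun", "").lower() == "true":
        findings.append("mockrun=true: sync results are not sent to Ranger admin")
    impl = props.get("ranger.usersync.source.impl.class", "")
    source = next((s for s, c in SOURCE_CLASSES.items() if c == impl), None)
    if source is None:
        findings.append("source.impl.class is not a FILE/UNIX/LDAP builder class")
    # minUserId only applies to the UNIX source and exists to keep system users out.
    min_uid = props.get("ranger.usersync.unix.minUserId", "")
    if source == "UNIX" and min_uid.isdigit() and int(min_uid) < min_uid_floor:
        findings.append(f"unix.minUserId={min_uid} is below {min_uid_floor}: "
                        "system accounts may be synced")
    # The listener serves UnixAuthenticationService, used only with UNIX admin auth.
    if "ranger.usersync.port" in props and admin_auth_method.upper() != "UNIX":
        findings.append("usersync.port: UnixAuthenticationService listener is "
                        "not used for admin login with this auth method")
    return findings

if __name__ == "__main__":
    for finding in review_usersync(load_properties(SAMPLE), "LDAP"):
        print("-", finding)
```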