| # Licensed to the Apache Software Foundation (ASF) under one or more |
| # contributor license agreements. See the NOTICE file distributed with |
| # this work for additional information regarding copyright ownership. |
| # The ASF licenses this file to You under the Apache License, Version 2.0 |
| # (the "License"); you may not use this file except in compliance with |
| # the License. You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| |
| # The base path for the usersync process |
| ranger_base_dir = /etc/ranger |
| |
| # |
| # The following URL should be the base URL for connecting to the policy manager web application |
| # For example: |
| # |
| # POLICY_MGR_URL = http://policymanager.xasecure.net:6080 |
| # |
| # NOTE(review): the example uses plain http. usersync presumably logs in to the policy manager |
| # with rangerUsersync_password (below) and pushes every synced user/group over this connection, |
| # so over http that credential and data cross the network in clear. Prefer an https URL in |
| # production; confirm against the usersync client code which truststore it uses for that. |
| # |
| POLICY_MGR_URL = |
| |
| # sync source, only unix and ldap are supported at present |
| # defaults to unix |
| SYNC_SOURCE = unix |
| |
| # |
| # Minimum Unix User-id to start SYNC. |
| # This should avoid creating UNIX system-level users in the Policy Manager |
| # NOTE(review): on distributions where regular accounts start at UID 1000 (Debian/Ubuntu, |
| # recent RHEL/Fedora) a value of 500 still lets system accounts in the 500-999 range be synced |
| # into the Policy Manager; set this to the local login.defs UID_MIN. |
| # |
| MIN_UNIX_USER_ID_TO_SYNC = 500 |
| |
| # Minimum Unix Group-id to start SYNC. |
| # This should avoid creating UNIX system-level groups in the Policy Manager |
| # (same caveat as MIN_UNIX_USER_ID_TO_SYNC: match the local GID_MIN) |
| # |
| MIN_UNIX_GROUP_ID_TO_SYNC = 500 |
| |
| # sync interval in minutes |
| # users and groups would be synced again at the end of each sync interval |
| # defaults to 5 if SYNC_SOURCE is unix |
| # defaults to 360 if SYNC_SOURCE is ldap |
| SYNC_INTERVAL = |
| |
| # User and group the usersync process runs as; keep this a dedicated, unprivileged account |
| unix_user=ranger |
| unix_group=ranger |
| |
| # Password of the rangerusersync user. It must match the password set for the rangerusersync |
| # user in Ranger (Policy Manager); change it from the product default. |
| # NOTE(review): this is a cleartext credential -- restrict read access to this file (root only) |
| # and blank the value once setup has stored it in CRED_KEYSTORE_FILENAME, if setup does so. |
| rangerUsersync_password= |
| |
| # Set to run in kerberos environment: the principal usersync authenticates as, and its keytab. |
| # A keytab is equivalent to the principal's password; make it readable only by unix_user. |
| usersync_principal= |
| usersync_keytab= |
| hadoop_conf=/etc/hadoop/conf |
| # |
| # The JCEKS credential store where the credentials are kept in encrypted form (rather than in |
| # cleartext in this file). Protect it like a key file: owned by unix_user, not world-readable. |
| # |
| CRED_KEYSTORE_FILENAME=/etc/ranger/usersync/conf/rangerusersync.jceks |
| |
| # SSL Authentication |
| # NOTE(review): the keystore password below is a hard-coded default committed to source control |
| # and shipped with the product, i.e. effectively public; it protects nothing. Set a site-specific |
| # password (and a keystore created with it) before turning AUTH_SSL_ENABLED on, and restrict read |
| # access to this file, since the password is stored here in cleartext. |
| AUTH_SSL_ENABLED=false |
| AUTH_SSL_KEYSTORE_FILE=/etc/ranger/usersync/conf/cert/unixauthservice.jks |
| AUTH_SSL_KEYSTORE_PASSWORD=UnIx529p |
| AUTH_SSL_TRUSTSTORE_FILE= |
| AUTH_SSL_TRUSTSTORE_PASSWORD= |
| |
| # --------------------------------------------------------------- |
| # The following properties are relevant only if SYNC_SOURCE = ldap |
| # --------------------------------------------------------------- |
| |
| # The below properties ROLE_ASSIGNMENT_LIST_DELIMITER, USERS_GROUPS_ASSIGNMENT_LIST_DELIMITER, USERNAME_GROUPNAME_ASSIGNMENT_LIST_DELIMITER, |
| # and GROUP_BASED_ROLE_ASSIGNMENT_RULES can be used to assign roles to LDAP synced users and groups |
| # NOTE all the delimiters should have different values and the delimiters should not contain characters that are allowed in userName or GroupName |
| |
| # default value ROLE_ASSIGNMENT_LIST_DELIMITER = & |
| ROLE_ASSIGNMENT_LIST_DELIMITER = & |
| |
| # default value USERS_GROUPS_ASSIGNMENT_LIST_DELIMITER = : |
| USERS_GROUPS_ASSIGNMENT_LIST_DELIMITER = : |
| |
| # default value USERNAME_GROUPNAME_ASSIGNMENT_LIST_DELIMITER = , |
| USERNAME_GROUPNAME_ASSIGNMENT_LIST_DELIMITER = , |
| |
| # with above mentioned delimiters a sample value would be ROLE_SYS_ADMIN:u:userName1,userName2&ROLE_SYS_ADMIN:g:groupName1,groupName2&ROLE_KEY_ADMIN:u:userName&ROLE_KEY_ADMIN:g:groupName&ROLE_USER:u:userName3,userName4&ROLE_USER:g:groupName3 |
| #&ROLE_ADMIN_AUDITOR:u:userName&ROLE_KEY_ADMIN_AUDITOR:u:userName&ROLE_KEY_ADMIN_AUDITOR:g:groupName&ROLE_ADMIN_AUDITOR:g:groupName |
| # i.e. each rule is ROLE:u:user1,user2 (users) or ROLE:g:group1,group2 (groups), joined by the role delimiter |
| # NOTE(review): these rules hand out administrative roles (ROLE_SYS_ADMIN, ROLE_KEY_ADMIN, ...) |
| # to every synced user/group whose name matches, so keep the listed names minimal, and note that |
| # matching presumably happens after SYNC_LDAP_*_CASE_CONVERSION is applied -- two directory |
| # entries that differ only by case would then both match the same rule. |
| GROUP_BASED_ROLE_ASSIGNMENT_RULES = |
| |
| # URL of source ldap |
| # a sample value would be: ldap://ldap.example.com:389 |
| # Must specify a value if SYNC_SOURCE is ldap |
| # NOTE(review): with a plain ldap:// URL the bind DN and SYNC_LDAP_BIND_PASSWORD travel in clear, |
| # as does every synced user and group; no STARTTLS switch is exposed in this file, so use an |
| # ldaps:// URL (typically port 636) where the directory offers it and make sure the JVM trusts |
| # the directory's certificate. |
| SYNC_LDAP_URL = |
| |
| # ldap bind dn used to connect to ldap and query for users and groups |
| # a sample value would be cn=admin,ou=users,dc=hadoop,dc=apache,dc=org |
| # Must specify a value if SYNC_SOURCE is ldap |
| # NOTE(review): use a dedicated read-only service account whose search rights are limited to the |
| # sync bases configured below, not a directory administrator like the cn=admin in the sample. |
| SYNC_LDAP_BIND_DN = |
| |
| # ldap bind password for the bind dn specified above |
| # please ensure read access to this file is limited to root, to protect the password |
| # Must specify a value if SYNC_SOURCE is ldap |
| # unless anonymous search is allowed by the directory on users and groups |
| SYNC_LDAP_BIND_PASSWORD = |
| |
| # ldap delta sync flag used to periodically sync users and groups based on the updates in the server |
| # please customize the value to suit your deployment |
| # default value is set to true when SYNC_SOURCE is ldap |
| SYNC_LDAP_DELTASYNC = |
| |
| # search base for users and groups |
| # sample value would be dc=hadoop,dc=apache,dc=org |
| # Keep this as narrow as the deployment allows: every entry under it that matches the object |
| # class and filter settings below becomes a user or group in the Policy Manager. |
| SYNC_LDAP_SEARCH_BASE = |
| |
| # search base for users |
| # sample value would be ou=users,dc=hadoop,dc=apache,dc=org |
| # overrides value specified in SYNC_LDAP_SEARCH_BASE |
| SYNC_LDAP_USER_SEARCH_BASE = |
| |
| # search scope for the users, only base, one and sub are supported values |
| # please customize the value to suit your deployment |
| # default value: sub |
| SYNC_LDAP_USER_SEARCH_SCOPE = sub |
| |
| # objectclass to identify user entries |
| # please customize the value to suit your deployment |
| # default value: person |
| SYNC_LDAP_USER_OBJECT_CLASS = person |
| |
| # optional additional filter constraining the users selected for syncing |
| # a sample value would be (dept=eng) |
| # please customize the value to suit your deployment |
| # default value is empty |
| # Must be a syntactically valid, parenthesised LDAP filter; presumably it is AND-ed with the |
| # objectclass match above -- confirm in the LDAP sync code. |
| SYNC_LDAP_USER_SEARCH_FILTER = |
| |
| # attribute from user entry that would be treated as user name |
| # please customize the value to suit your deployment |
| # default value: cn |
| # Pick an attribute the directory enforces as unique (e.g. uid or sAMAccountName); cn is not |
| # necessarily unique, and two entries with the same name collapse into one Policy Manager user. |
| SYNC_LDAP_USER_NAME_ATTRIBUTE = cn |
| |
| # attribute from user entry whose values would be treated as |
| # group values to be pushed into Policy Manager database |
| # You could provide multiple attribute names separated by comma |
| # default value: memberof, ismemberof |
| SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE = memberof,ismemberof |
| # |
| # UserSync - Case Conversion Flags |
| # possible values: none, lower, upper |
| # NOTE(review): lower/upper folds names that differ only by case into a single Policy Manager |
| # identity, so policies written for one would apply to the other; use none if the directory |
| # allows case-distinct names. |
| SYNC_LDAP_USERNAME_CASE_CONVERSION=lower |
| SYNC_LDAP_GROUPNAME_CASE_CONVERSION=lower |
| |
| # user sync log directory; the commented line below is the conventional absolute location for a |
| # packaged install. Logs may contain user and group names, so keep the directory readable only |
| # by unix_user. |
| logdir=logs |
| #/var/log/ranger/usersync |
| |
| # PID DIR PATH (must be writable by unix_user) |
| USERSYNC_PID_DIR_PATH=/var/run/ranger |
| |
| # do we want to do ldapsearch to find groups instead of relying on user entry attributes |
| # valid values: true, false |
| # any value other than true would be treated as false |
| # default value: false |
| SYNC_GROUP_SEARCH_ENABLED= |
| |
| # do we want to do ldapsearch to find groups instead of relying on user entry attributes and |
| # sync memberships of those groups |
| # valid values: true, false |
| # any value other than true would be treated as false |
| # default value: false |
| SYNC_GROUP_USER_MAP_SYNC_ENABLED= |
| |
| # search base for groups |
| # sample value would be ou=groups,dc=hadoop,dc=apache,dc=org |
| # overrides value specified in SYNC_LDAP_SEARCH_BASE, SYNC_LDAP_USER_SEARCH_BASE |
| # if a value is not specified, takes the value of SYNC_LDAP_SEARCH_BASE |
| # if SYNC_LDAP_SEARCH_BASE is also not specified, takes the value of SYNC_LDAP_USER_SEARCH_BASE |
| SYNC_GROUP_SEARCH_BASE= |
| |
| # search scope for the groups, only base, one and sub are supported values |
| # please customize the value to suit your deployment |
| # default value: sub |
| SYNC_GROUP_SEARCH_SCOPE= |
| |
| # objectclass to identify group entries |
| # please customize the value to suit your deployment |
| # default value: groupofnames |
| SYNC_GROUP_OBJECT_CLASS= |
| |
| # optional additional filter constraining the groups selected for syncing |
| # a sample value would be (dept=eng) |
| # please customize the value to suit your deployment |
| # default value is empty |
| # Must be a syntactically valid, parenthesised LDAP filter (see SYNC_LDAP_USER_SEARCH_FILTER) |
| SYNC_LDAP_GROUP_SEARCH_FILTER= |
| |
| # attribute from group entry that would be treated as group name |
| # please customize the value to suit your deployment |
| # default value: cn |
| SYNC_GROUP_NAME_ATTRIBUTE= |
| |
| # attribute from group entry that is list of members |
| # please customize the value to suit your deployment |
| # default value: member |
| SYNC_GROUP_MEMBER_ATTRIBUTE_NAME= |
| |
| # do we want to use paged results control during ldapsearch for user entries |
| # valid values: true, false |
| # any value other than true would be treated as false |
| # default value: true |
| # if the value is false, typical AD would not return more than 1000 entries |
| # (so users beyond the server's size limit would silently never be synced) |
| SYNC_PAGED_RESULTS_ENABLED= |
| |
| # page size for paged results control |
| # search results would be returned page by page with the specified number of entries per page |
| # default value: 500 |
| # keep it at or below the directory's configured page-size limit |
| SYNC_PAGED_RESULTS_SIZE= |
| # LDAP context referral handling: ignore or follow |
| # NOTE(review): follow makes usersync chase referrals the directory returns, i.e. connect to |
| # whatever other servers the referral names (presumably re-using the bind credentials); keep |
| # ignore unless the deployment genuinely needs cross-server referrals. |
| SYNC_LDAP_REFERRAL =ignore |
| |
| # if you want to enable or disable jvm metrics for usersync process |
| # valid values: true, false |
| # any value other than true would be treated as false |
| # default value: false |
| # if the value is false, jvm metrics is not created |
| JVM_METRICS_ENABLED= |
| |
| # filename of jvm metrics created for usersync process |
| # default value: ranger_usersync_metric.json |
| JVM_METRICS_FILENAME= |
| |
| # file directory for jvm metrics |
| # default value : logdir |
| JVM_METRICS_FILEPATH= |
| |
| # frequency for jvm metrics to be updated |
| # default value : 10000 milliseconds |
| JVM_METRICS_FREQUENCY_TIME_IN_MILLIS= |