| # Licensed to the Apache Software Foundation (ASF) under one or more |
| # contributor license agreements. See the NOTICE file distributed with |
| # this work for additional information regarding copyright ownership. |
| # The ASF licenses this file to You under the Apache License, Version 2.0 |
| # (the "License"); you may not use this file except in compliance with |
| # the License. You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| |
| |
| authServicePort = 5151 |
| |
| useSSL = true |
| |
| # |
| # SSL Parameters |
| # |
| |
| keyStore = ./conf/cert/unixauthservice.jks |
| keyStorePassword = UnIx529p |
| #trustStore = ./conf/cert/mytruststore.jks |
| #trustStorePassword = changeit |
| passwordValidatorPath = ./native/credValidator.uexe |
| |
| # |
| # Admin Groups |
| # |
| #admin.users = |
| |
| # |
| # Admin ROLE to be added |
| # |
| #admin.roleNames = ROLE_ADMIN |
| |
| # |
| # User Group Synchronization |
| # |
| usergroupSync.enabled = true |
| |
| usergroupSync.source.impl.class=org.apache.ranger.unixusersync.process.UnixUserGroupBuilder |
| |
| usergroupSync.sink.impl.class=org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder |
| |
| |
| # |
| # UserGroupSink: policy manager |
| # |
| usergroupSync.policymanager.baseURL = |
| |
| usergroupSync.policymanager.MaxRecordsPerAPICall = 1000 |
| |
| usergroupSync.policymanager.mockRun = false |
| |
| # |
| # Relevant only if sync source is unix |
| usergroupSync.unix.minUserId = 500 |
| |
| # sync interval in milli seconds |
| # user, groups would be synced again at the end of each sync interval |
| # |
| # default value is 300000(5min) |
| # if value of usergroupSync.source.impl.class is |
| # org.apache.ranger.unixusersync.process.UnixUserGroupBuilder |
| # |
| # default value is 21600000(360min) |
| # if value of usergroupSync.source.impl.class is |
| # org.apache.ranger.unixusersync.process.LdapUserGroupBuilder |
| usergroupSync.sleepTimeInMillisBetweenSyncCycle = |
| |
| # sync source class |
| # we provide 3 classes out of box |
| # org.apache.ranger.unixusersync.process.UnixUserGroupBuilder |
| # org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder |
| # org.apache.ranger.unixusersync.process.FileSourceUserGroupBuilder |
| # default value: org.apache.ranger.unixusersync.process.UnixUserGroupBuilder |
| usergroupSync.source.impl.class = |
| |
| # --------------------------------------------------------------- |
| # The following properties are relevant |
| # only if value of usergroupSync.source.impl.class is |
| # org.apache.ranger.unixusersync.process.FileSourceUserGroupBuilder |
| # usergroupSync.filesource.file property holds the path of the UserGroup Map file to be submmited. |
| # e.g usergroupSync.filesource.file = /tmp/usergroup.json or /tmp/usergroup.csv or /tmp/usergroup.txt |
| # JSON File Format: |
| # { |
| # {"user1":["group0","group18","group6","group7","group26","group24","group19","group3","group5"]}, |
| # {"user2":["group0","group18","group6","]}, |
| # {"user3":[]}, |
| # {"user4":["group0","group18"]} |
| # } |
| # Text File Format:(.txt,.csv).Delimiter for the text file can be anything like tab, comma or any desired delimiter. |
| # default delimiter value : , |
| # File Format: |
| # "user1","group0","group18","group6","group7","group26","group24","group19","group3","group5" |
| # "user2","group0","group18","group6" |
| # "user3", |
| # "user4","group0","group18" |
| # usergroupSync.filesource.text.delimiter property should have the right delimiter if the file delimiter is other than , |
| # e.g To input a tab delimited file use usergroupSync.filesource.text.delimiter = \t |
| # if the file is .json JSONParser will be used instead of delimiter. |
| # --------------------------------------------------------------- |
| usergroupSync.filesource.file = |
| usergroupSync.filesource.text.delimiter = , |
| |
| # --------------------------------------------------------------- |
| # The following properties are relevant |
| # only if value of usergroupSync.source.impl.class is |
| # org.apache.ranger.unixusersync.process.LdapUserGroupBuilder |
| # --------------------------------------------------------------- |
| |
| # URL of source ldap |
| # a sample value would be: ldap://ldap.example.com:389 |
| # Must specify a value if value of usergroupSync.source.impl.class is |
| # org.apache.ranger.unixusersync.process.LdapUserGroupBuilder |
| ldapGroupSync.ldapUrl = |
| |
| # ldap bind dn used to connect to ldap and query for users and groups |
| # a sample value would be cn=admin,ou=users,dc=hadoop,dc=apache,dc-org |
| # must specify a value if value of usergroupSync.source.impl.class is |
| # org.apache.ranger.unixusersync.process.LdapUserGroupBuilder |
| # Must specify a value if value of usergroupSync.source.impl.class is |
| # org.apache.ranger.unixusersync.process.LdapUserGroupBuilder |
| ldapGroupSync.ldapBindDn = |
| |
| # ldap bind password for the bind dn specified above |
| # please ensure read access to this file is limited to root, to protect the password |
| # Must specify a value if value of usergroupSync.source.impl.class is |
| # org.apache.ranger.unixusersync.process.LdapUserGroupBuilder |
| # unless anonymous search is allowed by the directory on users and groups |
| ldapGroupSync.ldapBindPassword = |
| ldapGroupSync.ldapBindAlias = |
| ldapGroupSync.ldapBindKeystore = |
| |
| # search base for users and groups |
| # sample value would be dc=hadoop,dc=apache,dc=org |
| ldapGroupSync.searchBase= |
| |
| # search base for users |
| # sample value would be ou=users,dc=hadoop,dc=apache,dc=org |
| # overrides value specified in ldapGroupSync.searchBase |
| # if a value is not specified, takes the value of ldapGroupSync.searchBase |
| # Must specify a value if value of usergroupSync.source.impl.class is |
| # org.apache.ranger.unixusersync.process.LdapUserGroupBuilder |
| # and value is not specified for ldapGroupSync.searchBase |
| ldapGroupSync.userSearchBase = |
| |
| # search scope for the users, only base, one and sub are supported values |
| # please customize the value to suit your deployment |
| # default value: sub |
| ldapGroupSync.userSearchScope = |
| |
| # objectclass to identify user entries |
| # please customize the value to suit your deployment |
| # default value: person |
| ldapGroupSync.userObjectClass = person |
| |
| # optional additional filter constraining the users selected for syncing |
| # a sample value would be (dept=eng) |
| # please customize the value to suit your deployment |
| # default value is empty |
| ldapGroupSync.userSearchFilter = |
| |
| # attribute from user entry that would be treated as user name |
| # please customize the value to suit your deployment |
| # default value: cn |
| ldapGroupSync.userNameAttribute = cn |
| |
| # attribute from user entry whose values would be treated as |
| # group values to be pushed into Policy Manager database |
| # You could provide multiple attribute names separated by comma |
| # default value: memberof, ismemberof |
| ldapGroupSync.userGroupNameAttribute = memberof, ismemberof |
| |
| # |
| # UserSync - Case Conversion Flags |
| # possible values: none, lower, upper |
| ldapGroupSync.username.caseConversion=lower |
| ldapGroupSync.groupname.caseConversion=lower |
| #user sync log path |
| logdir=/var/log/ranger/usersync |
| |
| # do we want to do ldapsearch to find groups instead of relying on user entry attributes |
| # valid values: true, false |
| # any value other than true would be treated as false |
| # default value: false |
| ldapGroupSync.groupSearchEnabled= |
| |
| # do we want to do ldapsearch to find groups instead of relying on user entry attributes and |
| # sync memberships of those groups |
| # valid values: true, false |
| # any value other than true would be treated as false |
| # default value: false |
| ldapGroupSync.groupUserMapSyncEnabled= |
| |
| # search base for groups |
| # sample value would be ou=groups,dc=hadoop,dc=apache,dc=org |
| # overrides value specified in ldapGroupSync.searchBase, ldapGroupSync.userSearchBase |
| # if a value is not specified, takes the value of ldapGroupSync.searchBase |
| # if ldapGroupSync.searchBase is also not specified, takes the value of ldapGroupSync.userSearchBase |
| ldapGroupSync.groupSearchBase= |
| |
| # search scope for the groups, only base, one and sub are supported values |
| # please customize the value to suit your deployment |
| # default value: sub |
| ldapGroupSync.groupSearchScope= |
| |
| # objectclass to identify group entries |
| # please customize the value to suit your deployment |
| # default value: groupofnames |
| ldapGroupSync.groupObjectClass= |
| |
| # optional additional filter constraining the groups selected for syncing |
| # a sample value would be (dept=eng) |
| # please customize the value to suit your deployment |
| # default value is empty |
| ldapGroupSync.groupSearchFilter= |
| |
| # attribute from group entry that would be treated as group name |
| # please customize the value to suit your deployment |
| # default value: cn |
| ldapGroupSync.groupNameAttribute= |
| |
| # attribute from group entry that is list of members |
| # please customize the value to suit your deployment |
| # default value: member |
| ldapGroupSync.groupMemberAttributeName= |
| |
| # do we want to use paged results control during ldapsearch for user entries |
| # valid values: true, false |
| # any value other than true would be treated as false |
| # default value: true |
| # if the value is false, typical AD would return would not returm more than 1000 entries |
| ldapGroupSync.pagedResultsEnabled= |
| |
| # page size for paged results control |
| # search results would be returned page by page with the specified number of entries per page |
| # default value: 500 |
| ldapGroupSync.pagedResultsSize= |
