
Ranger UserSync

The following table contains the list of custom properties that can be configured for Ranger UserSync.

Note

Property names are always a single word joined with underscores, like USERSYNC_AZUREAD_PASSWORD, even where a name appears wrapped across several lines.

Each entry lists the property name, its description, example values and the default value.

USERSYNC_ENABLE
  Description: Enables the UserSync module, which syncs users, groups and/or roles from a directory (for example LDAP, Azure AD or SCIM) to Privacera and Ranger.
  Example values: true, false
  Default: false

USERSYNC_INSTALL
  Description: Instructs Privacera Manager to install the UserSync components. Usually derived from USERSYNC_ENABLE rather than set by hand.
  Example values: true, false
  Default: {{ IS_MASTER_NODE if USERSYNC_ENABLE == 'true' else 'false' }}

USERSYNC_IMAGE_NAME
  Description: Docker image to pull for the UserSync container/pod. Set by the Privacera release tag; can be overridden through <privacera_hub_url> to pull from a local Docker Hub.
  Example values: Set by the Privacera release tag.
  Default: {{privacera_hub_url}}/ranger-usersync

USERSYNC_IMAGE_TAG
  Description: Image tag to use for the specified release. Set by <RANGER_IMAGE_TAG>.
  Example values: See USERSYNC_IMAGE_NAME.
  Default: {{RANGER_IMAGE_TAG}}

USERSYNC_PID_DIR_PATH
  Description: PID directory inside the image. Contact Privacera Support if this needs to be changed.
  Example values: Any valid PID path within the image.
  Default: /var/run/ranger

USERSYNC_RANGER_BASE_DIR
  Description: Base directory of the UserSync install within the image. Contact Privacera Support if this needs to be changed.
  Default: /etc/ranger

USERSYNC_RANGER_URL
  Description: URL UserSync uses to reach the Apache Ranger APIs. Defaults to HTTP or HTTPS depending on <RANGER_SSL_ENABLE>.
  Default: {{RANGER_URL}}

USERSYNC_SOURCE
  Description: Source type for user/group sync.
  Example values: ldap, azuread, unix
  Default: unix

USERSYNC_SYNC_LDAP_URL
  Description: Full URL for the LDAP or LDAPS connection to the directory server. Replace hostname and port with valid values for your directory service.
  Example values: ldap://dir.ldap.us:389, ldaps://dir.ldap.us:636
  Default: No default value.

USERSYNC_SYNC_LDAP_BIND_DN
  Description: Distinguished name (DN) of the account UserSync binds as to read from the directory. A read-only account is sufficient.
  Example values: CN=Bind User,OU=example,DC=ad,DC=example,DC=com
  Default: No default value.

USERSYNC_SYNC_LDAP_BIND_PASSWORD
  Description: Password of the bind account.
  Example values: DoNotUseThisPassword2000
  Default: <PLEASE_CHANGE>

USERSYNC_SYNC_LDAP_SEARCH_BASE
  Description: Base DN used to search for all objects. Typically the root of the domain in the directory.
  Example values: DC=ad,DC=example,DC=com
  Default: No default value.

USERSYNC_SYNC_LDAP_USER_SEARCH_BASE
  Description: Base DN used to search for users. Only users below this point in the directory are included in the user-first search. Typically a users OU or similar. Multiple search bases may be separated with a semicolon.
  Example values:
    Single: OU=example_services,OU=example,DC=ad,DC=example,DC=com
    Multiple: ou=ou1,dc=ad,dc=example,dc=com;ou=ou2,dc=ad,dc=example,dc=com
  Default: No default value.

USERSYNC_SYNC_LDAP_DELTASYNC
  Description: Turns on "delta" sync, which uses each entry's modification timestamp in the directory to sync only new or changed objects to Privacera and Apache Ranger instead of the full directory on every run.
  Example values: true, false
  Default: true

USERSYNC_SYNC_LDAP_USER_SEARCH_SCOPE
  Description: Search scope within the directory: the base object only, one level below it, or the full subtree.
  Example values: sub, one, base
  Default: sub

USERSYNC_SYNC_LDAP_OBJECT_CLASS
  Description: User object class within the directory. Varies by directory: typically person or organizationalPerson for Active Directory, inetOrgPerson for FreeIPA.
  Example values: top, person, inetOrgPerson, organizationalPerson, user, posixAccount
  Default: user

USERSYNC_SYNC_LDAP_USER_SEARCH_FILTER
  Description: Valid LDAP search filter that limits the users returned and synced. Can be used to filter on group membership or other attributes.
  Example values:
    Return all users: cn=*
    Return members of the Analysts and DBA groups: (|(memberof=CN=Analysts,OU=groups,DC=example,DC=com)(memberof=CN=DBA,OU=groups,DC=example,DC=com))
  Default: No default value.
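UserSync combines the user search filter above with the user object class and, when delta sync is on, a lower bound on the entry's modification time. The following Python is an added example, not Privacera or Ranger code: it assembles such a filter from the settings on this page, escapes assertion values per RFC 4515 so that a group DN containing "(", ")" or "*" cannot change the filter's structure, and rejects an unbalanced filter before it is sent. The use of the modifyTimestamp operational attribute and the exact AND/OR layout are assumptions about how the pieces fit together, not the product's internal format.

```python
"""Build and sanity-check an LDAP user search filter from UserSync settings.

Added example, not Privacera or Ranger code. The modifyTimestamp attribute
and the AND/OR layout are assumptions, not the product's internal format.
"""
from datetime import datetime, timezone


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 section 3 (\\xx hex escapes)."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def check_filter_syntax(f: str) -> bool:
    """Reject filters with unbalanced parentheses; raises ValueError."""
    if not f.startswith("(") or not f.endswith(")"):
        raise ValueError("filter must be parenthesised")
    depth = 0
    i = 0
    while i < len(f):
        ch = f[i]
        if ch == "\\":          # skip a \xx escape sequence
            i += 3
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ')' at offset %d" % i)
        i += 1
    if depth != 0:
        raise ValueError("unbalanced '(' in filter")
    return True


def member_of_filter(group_dns) -> str:
    """(|(memberof=G1)(memberof=G2)...) for the given group DNs.
    A single DN needs no OR wrapper. Each DN is escaped as a value."""
    clauses = ["(memberof=%s)" % escape_filter_value(dn) for dn in group_dns]
    if len(clauses) == 1:
        return clauses[0]
    return "(|%s)" % "".join(clauses)


def build_user_filter(object_class: str, user_filter: str = None,
                      changed_since: datetime = None) -> str:
    """AND together the object class, the optional user search filter and,
    for delta sync, a modifyTimestamp lower bound in generalized time (UTC)."""
    parts = ["(objectClass=%s)" % escape_filter_value(object_class)]
    if user_filter:
        f = user_filter.strip()
        if not f.startswith("("):
            f = "(%s)" % f      # accept the page's cn=* shorthand
        check_filter_syntax(f)
        parts.append(f)
    if changed_since is not None:
        ts = changed_since.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")
        parts.append("(modifyTimestamp>=%s)" % ts)
    if len(parts) == 1:
        return parts[0]
    return "(&%s)" % "".join(parts)


if __name__ == "__main__":
    groups = ["CN=Analysts,OU=groups,DC=example,DC=com",
              "CN=DBA,OU=groups,DC=example,DC=com"]
    print(build_user_filter("user", member_of_filter(groups),
                            datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)))
```

member_of_filter() on the two group DNs from the table reproduces the page's example filter verbatim; the value escaping only changes output when a DN or name carries a filter metacharacter, which is exactly the case a hand-written filter gets wrong.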
USERSYNC_SYNC_LDAP_USER_NAME_ATTRIBUTE
  Description: LDAP attribute mapped to the Privacera user name. Use sAMAccountName for Active Directory.
  Example values: sAMAccountName, uid, cn
  Default: cn

USERSYNC_SYNC_LDAP_USER_EMAIL_ADDRESS_ATTRIBUTE
  Description: LDAP attribute mapped to the user's email address in Privacera.
  Example values: mail, UPN (userPrincipalName)
  Default: mail

USERSYNC_SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE
  Description: Attribute(s) on the user entry used to identify the groups the user belongs to.
  Example values: memberof, ismemberof, gidNumber, primaryGroupID
  Default: memberof,ismemberof

USERSYNC_SYNC_LDAP_USER_OTHER_ATTRIBUTES
  Description: Additional LDAP user attributes to map onto the Ranger user entity, beyond the attributes mapped by default. Once mapped they can be used for access control in Ranger. Separate multiple attributes with commas.
  Example values: cn, badPasswordTime, logonCount
  Default: cn,badPasswordTime,logonCount

USERSYNC_SYNC_GROUP_OTHER_ATTRIBUTES
  Description: Additional LDAP group attributes to map onto the Ranger group entity, beyond the attributes mapped by default. Once mapped they can be used for access control in Ranger. Separate multiple attributes with commas.
  Example values: cn, groupType
  Default: cn,groupType

USERSYNC_SYNC_LDAP_GROUP_HIERARCHY_LEVELS
  Description: Depth of nesting (a group within a group) to consider when syncing users to Ranger. By default Ranger adds a user only to its immediate group and not to any parent group in a nested structure. Set this property to also add the users of a group to the groups above it. Consider the following nested structure, where user 1 is a member of Sub-group 2:
    Group A
      Sub-group 1
        Sub-group 2
          user 1
  With 0, the default behaviour applies. With 2, user 1 becomes a member of its current group (Sub-group 2) and of the two groups above it (Sub-group 1 and Group A). Deep hierarchies (greater than 2) have a performance impact.
  Example values: A valid integer, 0 or greater
  Default: 0
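The level semantics described for USERSYNC_SYNC_LDAP_GROUP_HIERARCHY_LEVELS, as an added Python example that is not Ranger's implementation. The Group A / Sub-group 1 / Sub-group 2 / user 1 structure from the table is constructed inline as a child-to-parent map. The walk tracks visited groups because directories permit membership cycles (A is a member of B, B of A); without that guard a non-zero level setting would loop, and with it the cost stays bounded by the number of distinct groups reached.

```python
"""Expand a user's direct groups up a nested-group hierarchy by N levels.

Added example, not Ranger's code. The directory data below is constructed
to match the page's Group A / Sub-group 1 / Sub-group 2 / user 1 structure.
"""

# Constructed sample: child group -> list of parent groups (memberOf edges).
GROUP_PARENTS = {
    "Sub-group 2": ["Sub-group 1"],
    "Sub-group 1": ["Group A"],
    "Group A": [],
}
# Constructed sample: user -> direct groups.
USER_GROUPS = {"user 1": ["Sub-group 2"]}


def expand_groups(direct_groups, parents, levels):
    """Return the groups a user ends up in after walking `levels` steps up the
    parent chain. levels=0 keeps only the direct groups (the default
    behaviour). Groups are returned in breadth-first order, nearest first.
    Cycles in the group graph are tolerated via the `seen` set."""
    if levels < 0:
        raise ValueError("levels must be 0 or greater")
    result = list(direct_groups)
    seen = set(direct_groups)
    frontier = list(direct_groups)
    for _ in range(levels):
        nxt = []
        for g in frontier:
            for p in parents.get(g, []):
                if p not in seen:
                    seen.add(p)
                    result.append(p)
                    nxt.append(p)
        if not nxt:          # reached the top of every chain early
            break
        frontier = nxt
    return result


def groups_for(user, levels, users=USER_GROUPS, parents=GROUP_PARENTS):
    """Groups to assign `user` in Ranger for the given hierarchy level."""
    return expand_groups(users.get(user, []), parents, levels)


if __name__ == "__main__":
    for lvl in (0, 1, 2):
        print(lvl, groups_for("user 1", lvl))
```

Levels beyond the depth of the tree add nothing, so a large value is harmless on a shallow directory; the performance note on the page is about the extra directory lookups needed per level on a deep one.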
USERSYNC_SYNC_LDAP_SSL_ENABLED
  Description: Enables SSL/TLS (LDAPS) for the connection to the directory server.
  Example values: true, false
  Default: FALSE

USERSYNC_SYNC_LDAP_SSL_PM_GEN_TS
  Description: Set to true to have Privacera Manager (PM) generate the truststore for your LDAPS server.
  Example values: true, false
  Default: FALSE

USERSYNC_SYNC_LDAP_SSL_TRUSTSTORE_FILE
  Description: Name of the UserSync SSL truststore file.
  Default: client_usersync_ldaps_truststore.jks

USERSYNC_SYNC_LDAP_SSL_TRUSTSTORE_TYPE
  Description: Type of the UserSync SSL truststore.
  Example values: cer, jks, p12
  Default: jks

USERSYNC_SYNC_LDAP_SSL_TRUSTSTORE_PASSWORD
  Description: Password of the UserSync SSL truststore. Change it from the shipped default.
  Default: dwNdzqXsLEX83

USERSYNC_SYNC_LDAP_SSL_AUTO_GEN_TRUSTSTORE_FILE
  Description: Privacera Manager can create the truststore automatically with a given name and type. This property sets the file name.
  Example values: client_usersync_ldaps_truststore.cer, client_usersync_ldaps_truststore.jks, client_usersync_ldaps_truststore.p12
  Default: client_usersync_ldaps_truststore.cer

USERSYNC_SYNC_LDAP_SSL_AUTO_GEN_TRUSTSTORE_TYPE
  Description: Type of the automatically created truststore.
  Example values: cer, jks, p12
  Default: cer

USERSYNC_GROUP_BASED_ROLE_ASSIGNMENT_RULES
  (No description, example values or default are given on this page.)

USERSYNC_SYNC_LDAP_USERNAME_CASE_CONVERSION
  Description: Case conversion applied to LDAP user names. With lower, any uppercase characters in a user name are converted to lowercase.
  Example values: lower, upper
  Default: lower

USERSYNC_SYNC_LDAP_GROUPNAME_CASE_CONVERSION
  Description: Case conversion applied to LDAP group names. With lower, any uppercase characters in a group name are converted to lowercase.
  Example values: lower, upper
  Default: lower

USERSYNC_SYNC_GROUP_SEARCH_ENABLED
  Description: Perform an LDAP search to find groups instead of relying on the group attributes of each user entry.
  Default: FALSE

USERSYNC_SYNC_GROUP_SEARCH_FIRST_ENABLED
  Description: Search for groups first, before searching for users.
  Default: FALSE

USERSYNC_SYNC_GROUP_USER_MAP_SYNC_ENABLED
  Description: Perform an LDAP search to find groups instead of relying on user entry attributes, and sync the memberships of those groups.
  Default: TRUE

USERSYNC_SYNC_GROUP_SEARCH_BASE
  Description: Base DN used to search for groups. Only groups below this point in the directory are included in the group-first search. Typically a groups OU or similar. Multiple search bases may be separated with a semicolon.
  Example values:
    Single: OU=example_services,OU=example,DC=ad,DC=example,DC=com
    Multiple: ou=ou1,dc=ad,dc=example,dc=com;ou=ou2,dc=ad,dc=example,dc=com
  Default: No default value.

USERSYNC_SYNC_GROUP_SEARCH_SCOPE
  Description: Search scope for the group search within the directory.
  Example values: base, one, sub
  Default: sub

USERSYNC_SYNC_GROUP_OBJECT_CLASS
  Description: Object class used to identify group entries. The default shown here is user; Active Directory groups carry the group object class, so check the value against your directory.
  Default: user

USERSYNC_SYNC_LDAP_GROUP_SEARCH_FILTER
  Description: Optional additional LDAP filter constraining the groups selected for syncing.
  Default: No default value.

USERSYNC_SYNC_PAGED_RESULTS_ENABLED
  Description: Enables paged search results (the LDAP simple paged results control), so that large result sets are fetched in pages rather than in one response.
  Default: TRUE

USERSYNC_SYNC_PAGED_RESULTS_SIZE
  Description: Number of entries per page when paged search results are enabled.
  Default: 500

USERSYNC_SYNC_GROUPUSERS_PAGED_SIZE
  Description: By default, Ranger UserSync syncs at most 1500 users from each group; the exact limit depends on the directory (for Active Directory it is the MaxValRange cap on multi-valued attributes such as member). To sync groups with more members than that, set a page size here; Ranger UserSync then retrieves the group's members from the LDAP server in ranges of this size. This is a separate limit from USERSYNC_SYNC_PAGED_RESULTS_SIZE, which pages entries rather than attribute values.
  Default: 500
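Why USERSYNC_SYNC_GROUPUSERS_PAGED_SIZE exists, as an added Python example that is not Ranger code. Active Directory returns at most MaxValRange values (1500 by default) of a multi-valued attribute such as member in one response and labels the returned slice "member;range=0-1499"; a client that never asks for further ranges silently syncs only the first 1500 members. The in-memory directory below is a constructed stand-in for that server behaviour, and the group DN and member names are made up; the client loop shows the range requests a page size of 500 produces and that the result is complete regardless of the page size chosen.

```python
"""Fetch every member of a large group despite the server's per-attribute
value cap (Active Directory range retrieval).

Added example, not Ranger code. FAKE_DIRECTORY and fake_search() stand in
for an AD server; the DNs are constructed.
"""

MAX_VAL_RANGE = 1500   # Active Directory default MaxValRange

# Constructed sample data: one group larger than MaxValRange, one small one.
FAKE_DIRECTORY = {
    "CN=DBA,OU=groups,DC=example,DC=com": {
        "member": ["CN=user%04d,OU=people,DC=example,DC=com" % i
                   for i in range(3200)],
    },
    "CN=Analysts,OU=groups,DC=example,DC=com": {
        "member": ["CN=ana%d,OU=people,DC=example,DC=com" % i for i in range(3)],
    },
}


def fake_search(dn, attr_desc):
    """Server side: answer a read of one attribute of one entry the way AD
    does. attr_desc is 'member' or 'member;range=<start>-<end|*>'.
    Returns {attribute_name_as_returned: values}."""
    entry = FAKE_DIRECTORY[dn]
    base, _, rng = attr_desc.partition(";range=")
    values = entry[base]
    if rng:
        start_s, end_s = rng.split("-")
        start = int(start_s)
        end = len(values) - 1 if end_s == "*" else int(end_s)
    else:
        start, end = 0, len(values) - 1
    # Never hand back more than MaxValRange values in one response.
    end = min(end, start + MAX_VAL_RANGE - 1, len(values) - 1)
    chunk = values[start:end + 1]
    if not rng and len(values) <= MAX_VAL_RANGE:
        name = base                                   # small attribute, no range
    elif end == len(values) - 1:
        name = "%s;range=%d-*" % (base, start)        # '*' marks the last slice
    else:
        name = "%s;range=%d-%d" % (base, start, end)
    return {name: chunk}


def fetch_all_values(dn, attr, page_size, search=fake_search):
    """Client side: request attr;range=start-end in steps of page_size until
    the server's returned range ends in '*'. page_size plays the role of the
    GROUPUSERS_PAGED_SIZE setting; the server still caps each step at
    MaxValRange, so a larger page size cannot exceed that cap."""
    if page_size < 1:
        raise ValueError("page_size must be positive")
    collected = []
    start = 0
    while True:
        resp = search(dn, "%s;range=%d-%d" % (attr, start, start + page_size - 1))
        (name, values), = resp.items()
        collected.extend(values)
        if name == attr or name.endswith("-*"):
            return collected
        start += len(values)


def naive_member_count(dn, search=fake_search):
    """What a client that ignores range retrieval sees: at most MaxValRange."""
    (_, values), = search(dn, "member").items()
    return len(values)


if __name__ == "__main__":
    dba = "CN=DBA,OU=groups,DC=example,DC=com"
    print("naive:", naive_member_count(dba))
    print("ranged:", len(fetch_all_values(dba, "member", 500)))
```

The 1500 figure is the server's, not UserSync's: a page size above MaxValRange is quietly clamped by the directory, so the setting only needs to be small enough for the directory to accept it, and the loop's termination condition is the "-*" suffix rather than a short page.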
USERSYNC_SYNC_INTERVAL
  Description: Sync interval in minutes (minimum 60).
  Default: 60

USERSYNC_UNIX_USER
  Description: Unix user the UserSync process runs as.
  Default: ranger

USERSYNC_UNIX_GROUP
  Description: Unix group the UserSync process runs as.
  Default: ranger

USERSYNC_RANGERUSERSYNC_PASSWORD
  Description: Password of the rangerusersync user in Ranger. Change it from the shipped default.
  Default: welcome1

USERSYNC_KERBEROS_PRINCIPAL
  Description: Kerberos principal used in a Kerberos-enabled environment.
  Default: No default value.

USERSYNC_KERBEROS_KEYTAB
  Description: Kerberos keytab used in a Kerberos-enabled environment.
  Default: No default value.

USERSYNC_HADOOP_CONF
  Description: Hadoop configuration directory, used in a Kerberos-enabled environment.
  Default: /etc/hadoop/conf

USERSYNC_CRED_KEYSTORE_FILENAME
  Description: Credential keystore (JCEKS) in which all credentials are stored in encrypted form.
  Default: /etc/ranger/usersync/conf/rangerusersync.jceks

USERSYNC_AUTH_SSL_ENABLED
  Description: Enables SSL for the UserSync authentication service.
  Default: {{ENABLE_SSL}}

USERSYNC_AUTH_SSL_KEYSTORE_FILE
  Description: SSL keystore path.
  Default: /etc/ranger/usersync/conf/cert/unixauthservice.jks

USERSYNC_AUTH_SSL_KEYSTORE_PASSWORD
  Description: SSL keystore password. Change it from the shipped default.
  Default: UnIx529p

USERSYNC_AUTH_SSL_TRUSTSTORE_FILE
  Description: SSL truststore path.
  Default: /etc/ranger/usersync/conf/{{PRIVACERA_GLOBAL_TRUSTSTORE_FILENAME}}

USERSYNC_AUTH_SSL_TRUSTSTORE_PASSWORD
  Description: SSL truststore password.
  Default: {{PRIVACERA_GLOBAL_TRUSTSTORE_PASSWORD}}

USERSYNC_AZUREAD_TENANT_ID
  Description: Azure Active Directory tenant ID.
  Default: No default value.

USERSYNC_AZUREAD_CLIENT_ID
  Description: Client ID of the Azure AD application used to access the Microsoft Graph API.
  Default: No default value.

USERSYNC_AZUREAD_CLIENT_SECRET
  Description: Client secret of the Azure AD application used to access the Microsoft Graph API.
  Default: No default value.

USERSYNC_AZUREAD_USERNAME
  Description: Azure account user name used to obtain an access token on behalf of the Azure AD application.
  Default: No default value.

USERSYNC_AZUREAD_PASSWORD
  Description: Azure account password used to obtain an access token on behalf of the Azure AD application.
  Default: No default value.

USERSYNC_AZUREAD_SCOPE
  (No description, example values or default are given on this page.)

USERSYNC_AZUREAD_DOMAINS
  Description: Comma-separated list of domain names whose users are to be synced.
  Example values: example1.com,example2.com
  Default: No default value.

USERSYNC_AZUREAD_USE_GROUP_LOOKUP_FIRST
  Description: Set to true to look up groups first instead of users.
  Example values: true, false
  Default: No default value.

USERSYNC_AZUREAD_GROUPS
  Description: Comma-separated list of group names whose users are to be synced. Set USERSYNC_AZUREAD_USE_GROUP_LOOKUP_FIRST to true for this property to take effect.
  Default: No default value.

USERSYNC_SYNC_AZUREAD_USERNAME_RETRIVAL_FROM
  Description: Azure AD attribute used as the user's username.
  Default: userPrincipalName

USERSYNC_SYNC_AZUREAD_EMAIL_RETRIVAL_FROM
  Description: Azure AD attribute used as the user's email address.
  Default: userPrincipalName

USERSYNC_SYNC_AZUREAD_GROUP_RETRIVAL_FROM
  Description: Azure AD attribute used as the group name.
  Default: displayName

SYNC_AZUREAD_USER_SERVICE_PRINCIPAL_ENABLED
  Description: Enables syncing of Azure AD service principals as users.
  Default: FALSE

SYNC_AZUREAD_USER_SERVICE_PRINCIPAL_USERNAME_RETRIVAL_FROM
  Description: Azure AD attribute used as the service principal's username.
  Default: appId

USERSYNC_RANGER_USERSYNC_COOKIE
  Description: Enables the Ranger UserSync session cookie.
  Default: FALSE

USERSYNC_LOGDIR
  Description: Directory to which UserSync logs are written.
  Default: logs

USERSYNC_ENCRYPT_SECRETS
  Description: Enables encryption of UserSync secrets.
  Default: {{GLOBAL_ENCRYPT_SECRETS}}

USERSYNC_SECRETS_FILE
  Description: Keystore file in which the encrypted secrets are stored.
  Default: /etc/ranger/usersync/conf/ranger-usersync{{GLOBAL_SECRETS_FILE_SUFFIX}}

USERSYNC_SECRETS_KEYSTORE_PASSWORD
  Description: Password of the secrets keystore file.
  Default: {{GLOBAL_DEFAULT_SECRETS_KEYSTORE_PASSWORD}}

USERSYNC_ENCRYPT_PROPS_LIST
  Description: List of PM variables whose values are encrypted when secret encryption is enabled.
  Default: No default value.

USERSYNC_AUTH_ADD_ETCHOST
  (No description is given on this page.)
  Default: FALSE

USERSYNC_AUTH_IP
  (No description, example values or default are given on this page.)

USERSYNC_AUTH_HOST
  (No description, example values or default are given on this page.)

USERSYNC_HEAP_MIN_MEMORY_MB
  Description: Minimum Java heap size in MB for Ranger UserSync.
  Example values: USERSYNC_HEAP_MIN_MEMORY_MB: "1024"

USERSYNC_HEAP_MIN_MEMORY
  Description: Minimum Java heap size for Ranger UserSync, given with a unit suffix. Setting this overrides USERSYNC_HEAP_MIN_MEMORY_MB.
  Example values: USERSYNC_HEAP_MIN_MEMORY: "1g"

USERSYNC_HEAP_MAX_MEMORY_MB
  Description: Maximum Java heap size in MB for Ranger UserSync.
  Example values: USERSYNC_HEAP_MAX_MEMORY_MB: "1024"

USERSYNC_HEAP_MAX_MEMORY
  Description: Maximum Java heap size for Ranger UserSync, given with a unit suffix. Setting this overrides USERSYNC_HEAP_MAX_MEMORY_MB.
  Example values: USERSYNC_HEAP_MAX_MEMORY: "1g"

USERSYNC_K8S_MEM_REQUESTS_MB
  Description: Kubernetes memory request in MB for the Ranger UserSync pod.
  Example values: USERSYNC_K8S_MEM_REQUESTS_MB: "1024"

USERSYNC_K8S_MEM_REQUESTS
  Description: Kubernetes memory request for the Ranger UserSync pod, given with a unit suffix. Setting this overrides USERSYNC_K8S_MEM_REQUESTS_MB.
  Example values: USERSYNC_K8S_MEM_REQUESTS: "1G"

USERSYNC_K8S_MEM_LIMITS_MB
  Description: Kubernetes memory limit in MB for the Ranger UserSync pod.
  Example values: USERSYNC_K8S_MEM_LIMITS_MB: "1024"

USERSYNC_K8S_MEM_LIMITS
  Description: Kubernetes memory limit for the Ranger UserSync pod, given with a unit suffix. Setting this overrides USERSYNC_K8S_MEM_LIMITS_MB.
  Example values: USERSYNC_K8S_MEM_LIMITS: "1G"

USERSYNC_CPU_MIN
  Description: Kubernetes CPU request for the Ranger UserSync pod.
  Example values: USERSYNC_CPU_MIN: "0.5"

USERSYNC_CPU_MAX
  Description: Kubernetes CPU limit for the Ranger UserSync pod.
  Example values: USERSYNC_CPU_MAX: "0.5"

USERSYNC_K8S_CPU_REQUESTS
  Description: Requested number of CPUs for the UserSync pod.
  Default: {{ USERSYNC_CPU_MIN }}

USERSYNC_K8S_CPU_LIMITS
  Description: Maximum number of CPUs for the UserSync pod.
  Default: {{ USERSYNC_CPU_MAX }}

USERSYNC_HELM_CHART_VERSION
  Description: Helm chart version.
  Default: {{PRIVACERA_HELM_CHART_VERSION}}

USERSYNC_PASSWORDS_LIST
  (No description, example values or default are given on this page.)