Privacera Platform master publication

Ranger UserSync


The following table contains the list of custom properties that can be configured for Ranger UserSync.

Notice

For readability, values with underscores in this table are often broken across lines, but each property name is a single word, like this: USERSYNC_AZUREAD_PASSWORD

Note

Support Chain SSL - Preview Functionality

Previously, Privacera services used only one SSL certificate of the LDAP server even if a chain of certificates was available. Now, as a Preview functionality, all certificates available in the certificate chain are imported into the truststore. This applies to the Privacera usersync, Ranger usersync and portal SSL certificates.

Each entry below gives the property name, followed by its description, example values and default value where the table provides them.

USERSYNC_ENABLE
    Description: Enable the usersync module to sync users, groups, and/or roles from a directory (e.g., LDAP, AAD, SCIM) to Privacera and Ranger.
    Example values: true, false
    Default value: false

USERSYNC_INSTALL
    Description: Instructs Privacera Manager to install the Usersync components. Usually set by USERSYNC_ENABLE.
    Example values: true, false
    Default value: {{ IS_MASTER_NODE if USERSYNC_ENABLE == 'true' else 'false' }}

USERSYNC_IMAGE_NAME
    Description: Docker image to pull for the Usersync container/pod.
    Example values: Set by the Privacera release tag. Can be overridden by <privacera_hub_url> for a local Docker Hub.
    Default value: {{privacera_hub_url}}/ranger-usersync

USERSYNC_IMAGE_TAG
    Description: Tag to use for the specified release. Set by <RANGER_IMAGE_TAG>.
    Example values: See above.
    Default value: {{RANGER_IMAGE_TAG}}

USERSYNC_PID_DIR_PATH
    Description: Contact Privacera Support if this needs to be changed.
    Example values: Any valid PID path within the image.
    Default value: /var/run/ranger

USERSYNC_RANGER_BASE_DIR
    Description: Contact Privacera Support if this needs to be changed.
    Example values: Base directory for the UserSync install within the image.
    Default value: /etc/ranger

USERSYNC_RANGER_URL
    Description: URL for UserSync to connect to the Apache Ranger APIs.
    Example values: Defaults to HTTP or HTTPS depending on <RANGER_SSL_ENABLE>.
    Default value: {{RANGER_URL}}

USERSYNC_SOURCE
    Description: Source type for user/group sync.
    Example values: ldap, azuread, unix
    Default value: unix

USERSYNC_SYNC_LDAP_URL
    Description: Full URL for the LDAP or LDAPS connection to the directory server.
    Example values: ldap://dir.ldap.us:389 or ldaps://dir.ldap.us:636. Replace hostname and port with valid values for your directory service.
    Default value: No default value.

USERSYNC_SYNC_LDAP_BIND_DN
    Description: Distinguished name (DN) of the user that connects to and reads from the directory.
    Example values: CN=Bind User,OU=example,DC=ad,DC=example,DC=com
    Default value: No default value.

USERSYNC_SYNC_LDAP_BIND_PASSWORD
    Description: Password of the user that connects to and reads from the directory.
    Example values: DoNotUseThisPassword2000
    Default value: <PLEASE_CHANGE>

USERSYNC_SYNC_LDAP_SEARCH_BASE
    Description: The base distinguished name (DN) used to search for all objects. Typically the root of the domain in the directory.
    Example values: DC=ad,DC=example,DC=com
    Default value: No default value.

USERSYNC_SYNC_LDAP_USER_SEARCH_BASE
    Description: The base distinguished name (DN) used to search for users. Only users below this point in the directory are included in the user-first search. Typically a user OU or similar. Multiple search bases may be separated with a semicolon.
    Example values: Single search base: OU=example_services,OU=example,DC=ad,DC=example,DC=com. Multiple search bases: ou=ou1,dc=com,dc=example,dc=ad;ou=ou2,dc=com,dc=example,dc=ad
    Default value: No default value.

USERSYNC_SYNC_LDAP_DELTASYNC
    Description: Turn on the "delta" sync, which uses the updated date in the directory to sync only changed or new objects to Privacera and Apache Ranger.
    Example values: true, false
    Default value: true

USERSYNC_SYNC_LDAP_USER_SEARCH_SCOPE
    Description: Sets the level to search within the directory: base only, one level, or full subtree.
    Example values: sub, one, base
    Default value: sub

USERSYNC_SYNC_LDAP_OBJECT_CLASS
    Description: User object class within the directory. Varies by directory. Typically person or organizationalPerson for Active Directory, inetOrgPerson for FreeIPA.
    Example values: top, person, inetOrgPerson, organizationalPerson, user, posixAccount
    Default value: user

USERSYNC_SYNC_LDAP_USER_SEARCH_FILTER
    Description: Valid LDAP search filter to limit the users returned and synced. Can be used to filter on group memberships or other attributes.
    Example values: Return all users: cn=* . Return members of the Administrators and DBA groups: (|(memberof=CN=Analysts,OU=groups,DC=example,DC=com)(memberof=CN=DBA,OU=groups,DC=example,DC=com))
    Default value: No default value.
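As an added illustration (not Ranger's or Privacera's code) of how a user search filter limits which directory entries get synced, the following Python evaluates the filters quoted above against a few constructed entries. It implements only the RFC 4515 subset those filters use (&, |, !, presence and equality); the entries and names are made up for the example.

```python
# Added illustration (not Ranger's own code) of how USERSYNC_SYNC_LDAP_USER_SEARCH_FILTER
# narrows the users UserSync picks up. It handles the RFC 4515 subset used on this page:
# &, |, !, presence (attr=*) and equality. Attribute values may not contain ')'.

def parse_filter(text):
    """Parse a filter string into a tree; a bare 'cn=*' is wrapped in parentheses first."""
    text = text.strip()
    if not text.startswith("("):
        text = f"({text})"
    return _parse(text, 0)[0]

def _parse(s, i):
    i += 1                                   # skip the opening '('
    if s[i] in "&|!":                        # composite node: (&(...)(...))
        op, children, i = s[i], [], i + 1
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, children), i + 1
    end = s.index(")", i)                    # simple item: (attr=value)
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.lower(), value), end + 1

def matches(node, entry):
    """True if entry (dict: lowercase attr -> list of values) satisfies the filter tree."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    present = [v.lower() for v in entry.get(attr, [])]   # LDAP compares case-insensitively
    return bool(present) if value == "*" else value.lower() in present

# Constructed sample entries (not from a real directory); 'svc' has no cn attribute.
ENTRIES = {
    "alice": {"cn": ["alice"], "memberof": ["CN=Analysts,OU=groups,DC=example,DC=com"]},
    "bob":   {"cn": ["bob"],   "memberof": ["CN=DBA,OU=groups,DC=example,DC=com"]},
    "carol": {"cn": ["carol"], "memberof": ["CN=Marketing,OU=groups,DC=example,DC=com"]},
    "svc":   {"memberof": ["CN=DBA,OU=groups,DC=example,DC=com"]},
}

# Names of the entries the filter admits, i.e. the users UserSync would sync.
def users_to_sync(filter_text, entries=ENTRIES):
    tree = parse_filter(filter_text)
    return [name for name, entry in entries.items() if matches(tree, entry)]
```

Note that cn=* silently drops entries without a cn attribute, while a memberof-only filter admits them, so the filter you choose decides which accounts end up with Ranger access.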

USERSYNC_SYNC_LDAP_USER_NAME_ATTRIBUTE
    Description: LDAP attribute to map to the Privacera user name.
    Example values: samAccountName for Active Directory, uid, cn
    Default value: cn

USERSYNC_SYNC_LDAP_USER_EMAIL_ADDRESS_ATTRIBUTE
    Description: LDAP attribute to map to the email address in Privacera.
    Example values: mail, UPN
    Default value: mail

USERSYNC_SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE
    Description: Attribute used to identify the groups to which a user belongs.
    Example values: memberof, ismemberof, gidNumber, primaryGroupID
    Default value: memberof,ismemberof

USERSYNC_SYNC_LDAP_USER_OTHER_ATTRIBUTES
    Description: Additional LDAP user attributes to map to the Ranger user entity, beyond the user attributes that are mapped by default. They can then be used for access control in Ranger. To assign multiple attributes, use comma-separated values.
    Example values: cn, badPasswordTime, logonCount
    Default value: cn,badPasswordTime,logonCount

USERSYNC_SYNC_GROUP_OTHER_ATTRIBUTES
    Description: Additional LDAP group attributes to map to the Ranger group entity, beyond the group attributes that are mapped by default. They can then be used for access control in Ranger. To assign multiple attributes, use comma-separated values.
    Example values: cn, groupType
    Default value: cn,groupType

USERSYNC_SYNC_LDAP_GROUP_HIERARCHY_LEVELS
    Description: Determines how many levels of a nested group structure (a group within a group) are considered when syncing users to Ranger. By default, Ranger syncs a user into its immediate group only and does not sync the user to any other group in the nested structure. Use this property if you want to sync/add the users of a group to its parent group or any sub-group. Consider the following LDAP nested group structure, where user 1 is a member of Sub-group 2:
      • Group A
        • Sub-group 1
          • Sub-group 2
            • user 1
    If the value is 0, the default behaviour applies. If the value is 2, user 1 becomes a member of its current group (Sub-group 2) and of the groups above it (Sub-group 1 and Group A). Be aware that deep hierarchies (greater than 2) have a performance impact.
    Example values: A valid integer, 0 or greater
    Default value: 0
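As an added illustration (not Ranger's or Privacera's code) of the hierarchy-levels semantics described above, the following Python walks the Group A / Sub-group 1 / Sub-group 2 / user 1 structure and returns the groups a user is synced into for a given setting. The propagation rule and the second user are assumptions constructed from the description, not taken from Ranger's implementation.

```python
# Added illustration (not Ranger's own code) of what USERSYNC_SYNC_LDAP_GROUP_HIERARCHY_LEVELS
# controls: how far up a nested group chain a user's membership is propagated, using the
# Group A > Sub-group 1 > Sub-group 2 > user 1 structure from the description above.

# Constructed directory: each group mapped to the group that directly contains it.
PARENT_OF = {"Sub-group 2": "Sub-group 1", "Sub-group 1": "Group A", "Group A": None}

# Direct memberships as the directory reports them; 'user 2' is constructed to show
# that a group reachable through two chains is still listed only once.
DIRECT_MEMBERSHIP = {"user 1": ["Sub-group 2"], "user 2": ["Sub-group 1", "Sub-group 2"]}

def effective_groups(user, levels, parent_of=PARENT_OF, direct=DIRECT_MEMBERSHIP):
    """Groups the user is synced into for a given hierarchy-levels setting.

    levels == 0 keeps the default behaviour (immediate groups only); levels == n also
    walks up to n parents from each immediate group. A group already reached at a
    smaller depth is not walked again, so cycles in the directory terminate too.
    """
    if levels < 0:
        raise ValueError("USERSYNC_SYNC_LDAP_GROUP_HIERARCHY_LEVELS must be 0 or greater")
    reached = {}                     # group -> smallest depth at which it was reached
    for group in direct.get(user, []):
        current, depth = group, 0
        while (current is not None and depth <= levels
               and depth < reached.get(current, levels + 1)):
            reached[current] = depth
            current = parent_of.get(current)   # one directory lookup per level walked
            depth += 1
    return list(reached)             # insertion order: immediate groups, then parents
```

Each level walked costs one extra parent lookup per immediate group, which is the performance cost the description warns about for deep hierarchies.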

USERSYNC_SYNC_LDAP_SSL_ENABLED
    Example values: true, false
    Default value: FALSE

USERSYNC_SYNC_LDAP_SSL_PM_GEN_TS
    Description: Set this to true if you want Privacera Manager (PM) to generate the truststore for your LDAPS server.
    Example values: true, false
    Default value: FALSE

USERSYNC_SYNC_LDAP_SSL_TRUSTSTORE_FILE
    Description: Name of the UserSync SSL truststore file.
    Default value: client_usersync_ldaps_truststore.jks

USERSYNC_SYNC_LDAP_SSL_TRUSTSTORE_TYPE
    Description: UserSync SSL truststore type.
    Example values: cer, jks, p12
    Default value: jks

USERSYNC_SYNC_LDAP_SSL_TRUSTSTORE_PASSWORD
    Description: Password for the UserSync SSL truststore.
    Default value: dwNdzqXsLEX83

USERSYNC_SYNC_LDAP_SSL_AUTO_GEN_TRUSTSTORE_FILE
    Description: Privacera Manager can create a certificate automatically with a given name and type. In this property, give a name for the certificate.
    Example values: client_usersync_ldaps_truststore.cer, client_usersync_ldaps_truststore.jks or client_usersync_ldaps_truststore.p12
    Default value: client_usersync_ldaps_truststore.cer

USERSYNC_SYNC_LDAP_SSL_AUTO_GEN_TRUSTSTORE_TYPE
    Description: Privacera Manager can create a certificate automatically of a specific type. In this property, give the type of the certificate.
    Example values: cer, jks, p12
    Default value: cer

USERSYNC_GROUP_BASED_ROLE_ASSIGNMENT_RULES

USERSYNC_SYNC_LDAP_USERNAME_CASE_CONVERSION
    Description: Changes the case of LDAP user names. If the value is lower, any user name containing uppercase characters is converted to lowercase.
    Example values: lower, upper
    Default value: lower

USERSYNC_SYNC_LDAP_GROUPNAME_CASE_CONVERSION
    Description: Changes the case of LDAP group names. If the value is lower, any group name containing uppercase characters is converted to lowercase.
    Example values: lower, upper
    Default value: lower

USERSYNC_SYNC_GROUP_SEARCH_ENABLED
    Description: Perform an LDAP search to find groups instead of relying on user entry attributes.
    Default value: FALSE

USERSYNC_SYNC_GROUP_SEARCH_FIRST_ENABLED
    Description: Enable the group search first, before the user search.
    Default value: FALSE

USERSYNC_SYNC_GROUP_USER_MAP_SYNC_ENABLED
    Description: Perform an LDAP search to find groups instead of relying on user entry attributes, and sync the memberships of those groups.
    Default value: TRUE

USERSYNC_SYNC_GROUP_SEARCH_BASE
    Description: The base distinguished name (DN) used to search for groups. Only groups below this point in the directory are included in the group-first search. Typically a group OU or similar. Multiple search bases may be separated with a semicolon.
    Example values: Single search base: OU=example_services,OU=example,DC=ad,DC=example,DC=com. Multiple search bases: ou=ou1,dc=com,dc=example,dc=ad;ou=ou2,dc=com,dc=example,dc=ad

USERSYNC_SYNC_GROUP_SEARCH_SCOPE
    Description: Sets the search scope for the group search within the directory.
    Example values: base, one, sub
    Default value: sub

USERSYNC_SYNC_GROUP_OBJECT_CLASS
    Description: Object class that identifies group entries.
    Default value: user

USERSYNC_SYNC_LDAP_GROUP_SEARCH_FILTER
    Description: Optional additional filter constraining the users selected for syncing.

USERSYNC_SYNC_PAGED_RESULTS_ENABLED
    Description: Enable flag for paged search results.
    Default value: TRUE

USERSYNC_SYNC_GROUP_NAME_ATTRIBUTE
    Description: Attribute used to identify the groups to which a user belongs.

USERSYNC_SYNC_PAGED_RESULTS_SIZE
    Description: Page size of paged search results.
    Default value: 500

USERSYNC_SYNC_GROUPUSERS_PAGED_SIZE
    Description: By default, Ranger UserSync syncs a maximum of 1500 users from each group (depending on the LDAP version). To sync more LDAP users than this maximum, set a page size limit; Ranger UserSync then syncs the users from the LDAP server according to that page size.
    Default value: 500

USERSYNC_SYNC_INTERVAL
    Description: Sync interval in minutes (minimum of 60).
    Default value: 60

USERSYNC_UNIX_USER
    Description: User for the Unix UserSync process.
    Default value: ranger

USERSYNC_UNIX_GROUP
    Description: Group for the Unix UserSync process.
    Default value: ranger

USERSYNC_RANGERUSERSYNC_PASSWORD
    Description: Password for the rangerusersync user in Ranger.
    Default value: welcome1

USERSYNC_KERBEROS_PRINCIPAL
    Description: Kerberos principal for use in a Kerberos environment.

USERSYNC_KERBEROS_KEYTAB
    Description: Kerberos keytab for use in a Kerberos environment.

USERSYNC_HADOOP_CONF
    Description: Hadoop conf location for use in a Kerberos environment.
    Default value: /etc/hadoop/conf

USERSYNC_CRED_KEYSTORE_FILENAME
    Description: Keystore file in which all credentials are kept in encrypted form.
    Default value: /etc/ranger/usersync/conf/rangerusersync.jceks

USERSYNC_AUTH_SSL_ENABLED
    Description: Enable SSL.
    Default value: {{ENABLE_SSL}}

USERSYNC_AUTH_SSL_KEYSTORE_FILE
    Description: SSL keystore path.
    Default value: /etc/ranger/usersync/conf/cert/unixauthservice.jks

USERSYNC_AUTH_SSL_KEYSTORE_PASSWORD
    Description: SSL keystore password.
    Default value: UnIx529p

USERSYNC_AUTH_SSL_TRUSTSTORE_FILE
    Description: SSL truststore path.
    Default value: /etc/ranger/usersync/conf/{{PRIVACERA_GLOBAL_TRUSTSTORE_FILENAME}}

USERSYNC_AUTH_SSL_TRUSTSTORE_PASSWORD
    Description: SSL truststore password.
    Default value: {{PRIVACERA_GLOBAL_TRUSTSTORE_PASSWORD}}

USERSYNC_AZUREAD_TENANT_ID
    Description: Azure Active Directory ID (tenant ID).

USERSYNC_AZUREAD_CLIENT_ID
    Description: Azure Active Directory application credentials for accessing the Microsoft Graph API.

USERSYNC_AZUREAD_CLIENT_SECRET
    Description: Azure Active Directory application credentials for accessing the Microsoft Graph API.

USERSYNC_AZUREAD_USERNAME
    Description: Azure account user name used to get the access token on behalf of the Azure AD application.

USERSYNC_AZUREAD_PASSWORD
    Description: Azure account password used to get the access token on behalf of the Azure AD application.

USERSYNC_AZUREAD_SCOPE

USERSYNC_AZUREAD_DOMAINS
    Description: Comma-separated list of the domain names whose users need to be synced.
    Example values: example1.com,example2.com

USERSYNC_AZUREAD_USE_GROUP_LOOKUP_FIRST
    Description: Set this flag to true to look up groups first instead of users.

USERSYNC_AZUREAD_GROUPS
    Description: Comma-separated list of the group names whose users need to be synced. Set SYNC_AZUREAD_USE_GROUP_LOOKUP_FIRST=true to use this property.

USERSYNC_SYNC_AZUREAD_USERNAME_RETRIVAL_FROM
    Description: Azure AD attribute to use as the user's user name.
    Default value: userPrincipalName

USERSYNC_SYNC_AZUREAD_EMAIL_RETRIVAL_FROM
    Description: Azure AD attribute to use as the user's email address.
    Default value: userPrincipalName

USERSYNC_SYNC_AZUREAD_GROUP_RETRIVAL_FROM
    Description: Azure AD attribute to use as the group name.
    Default value: displayName

SYNC_AZUREAD_USER_SERVICE_PRINCIPAL_ENABLED
    Description: Enable the sync of Azure AD service principals as users.
    Default value: FALSE

SYNC_AZUREAD_USER_SERVICE_PRINCIPAL_USERNAME_RETRIVAL_FROM
    Description: Azure AD attribute to use as the service principal user name.
    Default value: appId

USERSYNC_RANGER_USERSYNC_COOKIE
    Description: Enable flag for the Ranger usersync cookie.
    Default value: FALSE

USERSYNC_LOGDIR
    Description: Directory to write the Usersync logs to.
    Default value: logs

USERSYNC_ENCRYPT_SECRETS
    Description: Enable flag for encrypting Usersync secrets.
    Default value: {{GLOBAL_ENCRYPT_SECRETS}}

USERSYNC_SECRETS_FILE
    Description: Keystore file in which encrypted secrets are stored.
    Default value: /etc/ranger/usersync/conf/ranger-usersync{{GLOBAL_SECRETS_FILE_SUFFIX}}

USERSYNC_SECRETS_KEYSTORE_PASSWORD
    Description: Password of the secrets keystore file.
    Default value: {{GLOBAL_DEFAULT_SECRETS_KEYSTORE_PASSWORD}}

USERSYNC_ENCRYPT_PROPS_LIST
    Description: List of PM variables whose values are encrypted when encrypt secrets is enabled.

USERSYNC_AUTH_ADD_ETCHOST
    Default value: FALSE

USERSYNC_AUTH_IP

USERSYNC_AUTH_HOST

USERSYNC_HEAP_MIN_MEMORY_MB
    Description: Minimum Java heap memory in MB used by Ranger Usersync. For example, USERSYNC_HEAP_MIN_MEMORY_MB: "1024"

USERSYNC_HEAP_MIN_MEMORY
    Description: Minimum Java heap memory used by Ranger Usersync. Setting this value overrides USERSYNC_HEAP_MIN_MEMORY_MB. For example, USERSYNC_HEAP_MIN_MEMORY: "1g"

USERSYNC_HEAP_MAX_MEMORY_MB
    Description: Maximum Java heap memory in MB used by Ranger Usersync. For example, USERSYNC_HEAP_MAX_MEMORY_MB: "1024"

USERSYNC_HEAP_MAX_MEMORY
    Description: Maximum Java heap memory used by Ranger Usersync. Setting this value overrides USERSYNC_HEAP_MAX_MEMORY_MB. For example, USERSYNC_HEAP_MAX_MEMORY: "1g"

USERSYNC_K8S_MEM_REQUESTS_MB
    Description: Minimum amount of Kubernetes memory in MB to be requested by Ranger Usersync. For example, USERSYNC_K8S_MEM_REQUESTS_MB: "1024"

USERSYNC_K8S_MEM_REQUESTS
    Description: Minimum amount of Kubernetes memory to be used by Ranger Usersync. Setting this value overrides USERSYNC_K8S_MEM_REQUESTS_MB. For example, USERSYNC_K8S_MEM_REQUESTS: "1G"

USERSYNC_K8S_MEM_LIMITS_MB
    Description: Maximum amount of Kubernetes memory in MB to be used by Ranger Usersync. For example, USERSYNC_K8S_MEM_LIMITS_MB: "1024"

USERSYNC_K8S_MEM_LIMITS
    Description: Maximum amount of Kubernetes memory to be used by Ranger Usersync. Setting this value overrides USERSYNC_K8S_MEM_LIMITS_MB. For example, USERSYNC_K8S_MEM_LIMITS: "1G"

USERSYNC_CPU_MIN
    Description: Minimum amount of Kubernetes CPU to be requested by Ranger Usersync. For example, USERSYNC_CPU_MIN: "0.5"

USERSYNC_CPU_MAX
    Description: Maximum amount of Kubernetes CPU to be used by Ranger Usersync. For example, USERSYNC_CPU_MAX: "0.5"

USERSYNC_K8S_CPU_REQUESTS
    Description: Requested number of CPUs for the UserSync pod.
    Default value: {{ USERSYNC_CPU_MIN }}

USERSYNC_K8S_CPU_LIMITS
    Description: Maximum number of CPUs for the UserSync pod.
    Default value: {{ USERSYNC_CPU_MAX }}

USERSYNC_HELM_CHART_VERSION
    Description: Helm chart version.
    Default value: {{PRIVACERA_HELM_CHART_VERSION}}

USERSYNC_PASSWORDS_LIST