Posted to commits@ranger.apache.org by ma...@apache.org on 2022/01/13 21:51:16 UTC

[ranger] branch ranger-2.3 updated: RANGER-3585: Docker setup to run usersync and tagsync

This is an automated email from the ASF dual-hosted git repository.

madhan pushed a commit to branch ranger-2.3
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/ranger-2.3 by this push:
     new 9cbf1bb  RANGER-3585: Docker setup to run usersync and tagsync
9cbf1bb is described below

commit 9cbf1bbf1cf2ceb42c7c641366d12f261c045aca
Author: Madhan Neethiraj <ma...@apache.org>
AuthorDate: Wed Jan 12 13:49:00 2022 -0800

    RANGER-3585: Docker setup to run usersync and tagsync
    
    (cherry picked from commit 20046b242a197b8b0cd9427c51a5ba073907788f)
---
 dev-support/ranger-docker/.dockerignore            |   2 +
 .../ranger-docker/Dockerfile.ranger-tagsync        |  39 ++++
 .../ranger-docker/Dockerfile.ranger-usersync       |  36 ++++
 dev-support/ranger-docker/README.md                |   6 +-
 .../ranger-docker/docker-compose.ranger-kafka.yml  |   2 +
 ...kafka.yml => docker-compose.ranger-tagsync.yml} |  14 +-
 ...afka.yml => docker-compose.ranger-usersync.yml} |  14 +-
 .../scripts/ranger-tagsync-install.properties      | 130 +++++++++++
 .../ranger-docker/scripts/ranger-tagsync-tags.json |  50 +++++
 .../ranger-docker/scripts/ranger-tagsync.sh        |  39 ++++
 .../scripts/ranger-usersync-install.properties     | 237 +++++++++++++++++++++
 .../ranger-docker/scripts/ranger-usersync.sh       |  39 ++++
 12 files changed, 589 insertions(+), 19 deletions(-)

diff --git a/dev-support/ranger-docker/.dockerignore b/dev-support/ranger-docker/.dockerignore
index ff26d47..282c456 100644
--- a/dev-support/ranger-docker/.dockerignore
+++ b/dev-support/ranger-docker/.dockerignore
@@ -2,6 +2,8 @@
 !config
 !dist/version
 !dist/ranger-*-admin.tar.gz
+!dist/ranger-*-usersync.tar.gz
+!dist/ranger-*-tagsync.tar.gz
 !dist/ranger-*-hdfs-plugin.tar.gz
 !dist/ranger-*-yarn-plugin.tar.gz
 !dist/ranger-*-hive-plugin.tar.gz
diff --git a/dev-support/ranger-docker/Dockerfile.ranger-tagsync b/dev-support/ranger-docker/Dockerfile.ranger-tagsync
new file mode 100644
index 0000000..31f8446
--- /dev/null
+++ b/dev-support/ranger-docker/Dockerfile.ranger-tagsync
@@ -0,0 +1,39 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM ranger-base:latest
+
+ARG RANGER_VERSION
+
+COPY ./dist/version                                  /home/ranger/dist/
+COPY ./dist/ranger-${RANGER_VERSION}-tagsync.tar.gz /home/ranger/dist/
+
+COPY ./scripts/ranger-tagsync.sh                 ${RANGER_SCRIPTS}/
+COPY ./scripts/ranger-tagsync-install.properties ${RANGER_SCRIPTS}/
+COPY ./scripts/ranger-tagsync-tags.json          ${RANGER_SCRIPTS}/
+
+RUN tar xvfz /home/ranger/dist/ranger-${RANGER_VERSION}-tagsync.tar.gz --directory=${RANGER_HOME} && \
+    ln -s ${RANGER_HOME}/ranger-${RANGER_VERSION}-tagsync ${RANGER_HOME}/tagsync && \
+    rm -f /home/ranger/dist/ranger-${RANGER_VERSION}-tagsync.tar.gz && \
+    mkdir -p /opt/ranger/tagsync/data && \
+    cp -f ${RANGER_SCRIPTS}/ranger-tagsync-install.properties ${RANGER_HOME}/tagsync/install.properties && \
+    cp -f ${RANGER_SCRIPTS}/ranger-tagsync-tags.json ${RANGER_HOME}/tagsync/data/tags.json && \
+    mkdir -p /var/run/ranger && \
+    mkdir -p /var/log/ranger/tagsync && \
+    ln -s /usr/bin/python3 /usr/bin/python && \
+    chown -R ranger:ranger ${RANGER_HOME}/tagsync/ /var/run/ranger/ /var/log/ranger/
+
+ENTRYPOINT [ "/home/ranger/scripts/ranger-tagsync.sh" ]
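Review bot: The `mkdir -p /opt/ranger/tagsync/data` step in the RUN chain hard-codes a path that every neighbouring step spells as `${RANGER_HOME}/tagsync/...`. The directory it creates is therefore the one `tags.json` is copied into only if ranger-base sets RANGER_HOME to /opt/ranger, and the base image is not visible here. Writing it as `mkdir -p ${RANGER_HOME}/tagsync/data` keeps the chain self-consistent. Separately, `ln -s /usr/bin/python3 /usr/bin/python` is repeated in Dockerfile.ranger-usersync and would abort the whole RUN if the base image ever shipped that link, so it would sit better in ranger-base, done once.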
diff --git a/dev-support/ranger-docker/Dockerfile.ranger-usersync b/dev-support/ranger-docker/Dockerfile.ranger-usersync
new file mode 100644
index 0000000..b1738f8
--- /dev/null
+++ b/dev-support/ranger-docker/Dockerfile.ranger-usersync
@@ -0,0 +1,36 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM ranger-base:latest
+
+ARG RANGER_VERSION
+
+COPY ./dist/version                                  /home/ranger/dist/
+COPY ./dist/ranger-${RANGER_VERSION}-usersync.tar.gz /home/ranger/dist/
+
+COPY ./scripts/ranger-usersync.sh                 ${RANGER_SCRIPTS}/
+COPY ./scripts/ranger-usersync-install.properties ${RANGER_SCRIPTS}/
+
+RUN tar xvfz /home/ranger/dist/ranger-${RANGER_VERSION}-usersync.tar.gz --directory=${RANGER_HOME} && \
+    ln -s ${RANGER_HOME}/ranger-${RANGER_VERSION}-usersync ${RANGER_HOME}/usersync && \
+    rm -f /home/ranger/dist/ranger-${RANGER_VERSION}-usersync.tar.gz && \
+    cp -f ${RANGER_SCRIPTS}/ranger-usersync-install.properties ${RANGER_HOME}/usersync/install.properties && \
+    mkdir -p /var/run/ranger && \
+    mkdir -p /var/log/ranger/usersync && \
+    ln -s /usr/bin/python3 /usr/bin/python && \
+    chown -R ranger:ranger ${RANGER_HOME}/usersync/ /var/run/ranger/ /var/log/ranger/
+
+ENTRYPOINT [ "/home/ranger/scripts/ranger-usersync.sh" ]
diff --git a/dev-support/ranger-docker/README.md b/dev-support/ranger-docker/README.md
index 77ae0ac..02a5643 100644
--- a/dev-support/ranger-docker/README.md
+++ b/dev-support/ranger-docker/README.md
@@ -43,6 +43,10 @@ Docker files in this folder create docker images and run them to build Apache Ra
 
    5.2. Execute following command to start Ranger, Ranger enabled HDFS/YARN/HBase/Hive/Kafka/Knox and dependent services (Solr, DB) in containers:
 
-        docker-compose -f docker-compose.ranger-base.yml -f docker-compose.ranger.yml -f docker-compose.ranger-hadoop.yml -f docker-compose.ranger-hbase.yml -f docker-compose.ranger-kafka.yml -f docker-compose.ranger-hive.yml -f docker-compose.ranger-knox.yml up -d
+        docker-compose -f docker-compose.ranger-base.yml -f docker-compose.ranger.yml -f docker-compose.ranger-usersync.yml -f docker-compose.ranger-tagsync.yml -f docker-compose.ranger-hadoop.yml -f docker-compose.ranger-hbase.yml -f docker-compose.ranger-kafka.yml -f docker-compose.ranger-hive.yml -f docker-compose.ranger-knox.yml up -d
+
+   5.3. To rebuild specific images and start containers with the new image, use following command:
+
+        docker-compose -f docker-compose.ranger-base.yml -f docker-compose.ranger.yml -f docker-compose.ranger-usersync.yml -f docker-compose.ranger-tagsync.yml -f docker-compose.ranger-hadoop.yml -f docker-compose.ranger-hbase.yml -f docker-compose.ranger-kafka.yml -f docker-compose.ranger-hive.yml -f docker-compose.ranger-knox.yml up -d --no-deps --force-recreate --build <service-1> <service-2>
 
 6. Ranger Admin can be accessed at http://localhost:6080 (admin/rangerR0cks!)
diff --git a/dev-support/ranger-docker/docker-compose.ranger-kafka.yml b/dev-support/ranger-docker/docker-compose.ranger-kafka.yml
index 6622b86..d863fd4 100644
--- a/dev-support/ranger-docker/docker-compose.ranger-kafka.yml
+++ b/dev-support/ranger-docker/docker-compose.ranger-kafka.yml
@@ -14,6 +14,8 @@ services:
     tty: true
     networks:
       - ranger
+    ports:
+      - "6667:6667"
     depends_on:
       ranger:
         condition: service_started
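Review bot: The added `ports:` entry `- "6667:6667"` publishes the Kafka listener on every host interface, because Compose binds to 0.0.0.0 when no host IP is given. Containers in this setup reach the broker over the `ranger` network by hostname (the tagsync properties in this commit use `ranger-kafka.example.com:6667`), so the mapping appears to be needed only for clients on the host. If that is the intent, `- "127.0.0.1:6667:6667"` keeps the port off the LAN. The service definition starts above this hunk, so whether the broker requires authentication cannot be seen here.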
diff --git a/dev-support/ranger-docker/docker-compose.ranger-kafka.yml b/dev-support/ranger-docker/docker-compose.ranger-tagsync.yml
similarity index 52%
copy from dev-support/ranger-docker/docker-compose.ranger-kafka.yml
copy to dev-support/ranger-docker/docker-compose.ranger-tagsync.yml
index 6622b86..84424bf 100644
--- a/dev-support/ranger-docker/docker-compose.ranger-kafka.yml
+++ b/dev-support/ranger-docker/docker-compose.ranger-tagsync.yml
@@ -1,15 +1,14 @@
 version: '3'
 services:
-  ranger-kafka:
+  ranger-tagsync:
     build:
       context: .
-      dockerfile: Dockerfile.ranger-kafka
+      dockerfile: Dockerfile.ranger-tagsync
       args:
-        - KAFKA_VERSION=${KAFKA_VERSION}
         - RANGER_VERSION=${RANGER_VERSION}
-    image: ranger-kafka
-    container_name: ranger-kafka
-    hostname: ranger-kafka.example.com
+    image: ranger-tagsync
+    container_name: ranger-tagsync
+    hostname: ranger-tagsync.example.com
     stdin_open: true
     tty: true
     networks:
@@ -17,10 +16,7 @@ services:
     depends_on:
       ranger:
         condition: service_started
-      ranger-zk:
-        condition: service_started
     environment:
-      - KAFKA_VERSION
       - RANGER_VERSION
 
 networks:
diff --git a/dev-support/ranger-docker/docker-compose.ranger-kafka.yml b/dev-support/ranger-docker/docker-compose.ranger-usersync.yml
similarity index 52%
copy from dev-support/ranger-docker/docker-compose.ranger-kafka.yml
copy to dev-support/ranger-docker/docker-compose.ranger-usersync.yml
index 6622b86..7770a03 100644
--- a/dev-support/ranger-docker/docker-compose.ranger-kafka.yml
+++ b/dev-support/ranger-docker/docker-compose.ranger-usersync.yml
@@ -1,15 +1,14 @@
 version: '3'
 services:
-  ranger-kafka:
+  ranger-usersync:
     build:
       context: .
-      dockerfile: Dockerfile.ranger-kafka
+      dockerfile: Dockerfile.ranger-usersync
       args:
-        - KAFKA_VERSION=${KAFKA_VERSION}
         - RANGER_VERSION=${RANGER_VERSION}
-    image: ranger-kafka
-    container_name: ranger-kafka
-    hostname: ranger-kafka.example.com
+    image: ranger-usersync
+    container_name: ranger-usersync
+    hostname: ranger-usersync.example.com
     stdin_open: true
     tty: true
     networks:
@@ -17,10 +16,7 @@ services:
     depends_on:
       ranger:
         condition: service_started
-      ranger-zk:
-        condition: service_started
     environment:
-      - KAFKA_VERSION
       - RANGER_VERSION
 
 networks:
diff --git a/dev-support/ranger-docker/scripts/ranger-tagsync-install.properties b/dev-support/ranger-docker/scripts/ranger-tagsync-install.properties
new file mode 100644
index 0000000..7a3291c
--- /dev/null
+++ b/dev-support/ranger-docker/scripts/ranger-tagsync-install.properties
@@ -0,0 +1,130 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+# This file provides a list of the deployment variables for the Ranger Tagsync service
+#
+#
+#
+#
+# URL for tag destination - Ranger
+TAG_DEST_RANGER_ENDPOINT = http://ranger:6080
+
+# SSL config file name for HTTPS messages to tag destination - Ranger
+TAG_DEST_RANGER_SSL_CONFIG_FILENAME =
+
+TAG_SOURCE_ATLAS_ENABLED = false
+
+# Endpoint specifications needed by Atlas
+TAG_SOURCE_ATLAS_KAFKA_BOOTSTRAP_SERVERS = ranger-kafka.example.com:6667
+TAG_SOURCE_ATLAS_KAFKA_ZOOKEEPER_CONNECT = ranger-zk.example.com:2181
+TAG_SOURCE_ATLAS_KAFKA_ENTITIES_GROUP_ID = ranger_entities_consumer
+
+TAG_SOURCE_ATLAS_KAFKA_SERVICE_NAME = kafka
+TAG_SOURCE_ATLAS_KAFKA_SECURITY_PROTOCOL = PLAINTEXTSASL
+
+TAG_SOURCE_ATLAS_KERBEROS_PRINCIPAL =
+TAG_SOURCE_ATLAS_KERBEROS_KEYTAB =
+
+TAG_SOURCE_ATLASREST_ENABLED = false
+
+TAG_SOURCE_ATLASREST_ENDPOINT = http://localhost:21000
+TAG_SOURCE_ATLASREST_DOWNLOAD_INTERVAL_IN_MILLIS = 900000
+
+TAG_SOURCE_ATLASREST_USERNAME =
+TAG_SOURCE_ATLASREST_PASSWORD =
+
+TAG_SOURCE_FILE_ENABLED = true
+
+TAG_SOURCE_FILE_FILENAME = /opt/ranger/tagsync/data/tags.json
+TAG_SOURCE_FILE_CHECK_INTERVAL_IN_MILLIS = 60000
+
+# Mapping from Atlas hive cluster-name to Ranger service-name
+# this needs to be in format clusterName,componentType,serviceName;clusterName2,componentType2,serviceName2
+# Note that there are no blanks anywhere in the value-string
+#
+# For Hive, the notifications from Atlas include the name of the entities in the following format:
+#    dbName@clusterName
+#    dbName.tblName@clusterName
+#    dbName.tblName.colName@clusterName
+#
+# Ranger-tagsync needs to derive the name of the Hive service (in Ranger) from the above entity names.
+# By default, Ranger computes Hive service name as: clusterName + “_hive".
+# If the name of the Hive service (in Ranger) is different in your environment, please use
+# following property to enable Ranger-tagsync to derive the correct Hive service name.
+#
+# TAGSYNC_ATLAS_TO_RANGER_SERVICE_MAPPING = clusterName,hive,rangerServiceName
+#
+
+TAGSYNC_ATLAS_TO_RANGER_SERVICE_MAPPING=
+
+# A comma separated list of custom mapper class names which convert Atlas entities to
+# RangerServiceResource structures are specified here. If there are no custom mappers,
+# then it can be left blank
+
+TAGSYNC_ATLAS_CUSTOM_RESOURCE_MAPPERS=
+
+#
+# The file where all credential is kept in cryptic format
+#
+TAGSYNC_KEYSTORE_FILENAME = /etc/ranger/tagsync/conf/rangertagsync.jceks
+
+# File where Atlas credentials is kept in cryptic format
+
+TAG_SOURCE_ATLASREST_KEYSTORE_FILENAME = /etc/ranger/tagsync/conf/atlasuser.jceks
+
+# SSL config file name for HTTPS messages to tag source - Atlas-REST
+TAG_SOURCE_ATLASREST_SSL_CONFIG_FILENAME =
+
+#User and group for the tagsync process
+unix_user=ranger
+unix_group=ranger
+
+#change password of rangerTagsync user. Please note that this password should be as per rangerTagsync user in ranger
+rangerTagsync_password=rangerR0cks!
+
+# Logs are stored in logdir
+logdir = /var/log/ranger/tagsync
+
+#PID file path
+TAGSYNC_PID_DIR_PATH=/var/run/ranger
+
+#Set to run in kerberos environment
+is_secure = false
+tagsync_principal=
+tagsync_keytab=
+
+
+
+hadoop_conf=/etc/hadoop/conf
+
+# if you want to enable or disable jvm metrics for tagsync process
+# valid values: true, false
+# any value other than true would be treated as false
+# default value: false
+# if the value is false, jvm metrics is not created
+JVM_METRICS_ENABLED=
+
+# filename of jvm metrics created for tagsync process
+# default value: ranger_tagsync_metric.json
+JVM_METRICS_FILENAME=
+
+#file directory for jvm metrics
+# default value : logdir
+JVM_METRICS_FILEPATH=
+
+#frequency for jvm metrics to be updated
+# default value : 10000 milliseconds
+JVM_METRICS_FREQUENCY_TIME_IN_MILLIS=
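Review bot: `rangerTagsync_password` is set to a literal credential, and Dockerfile.ranger-tagsync copies this file into the image twice (into `${RANGER_SCRIPTS}` and as `tagsync/install.properties`), so the value is carried in the layers of any image built from this directory. ranger-usersync-install.properties does the same with `rangerUsersync_password` and `AUTH_SSL_KEYSTORE_PASSWORD`. A known default is workable for a dev-support stack, but the file should say so. Add a comment above the line such as `# dev-only default; must match the rangerTagsync user in Ranger; do not reuse outside a local test stack`, and the same above the two usersync values.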
diff --git a/dev-support/ranger-docker/scripts/ranger-tagsync-tags.json b/dev-support/ranger-docker/scripts/ranger-tagsync-tags.json
new file mode 100644
index 0000000..ae9f5de
--- /dev/null
+++ b/dev-support/ranger-docker/scripts/ranger-tagsync-tags.json
@@ -0,0 +1,50 @@
+{
+  "op":          "add_or_update",
+  "serviceName": "dev_hive",
+  "tagVersion":  0,
+  "tagDefinitions": {
+    "0": { "name": "PII" },
+    "1": { "name": "EMPLOYEE_ID" },
+    "2": { "name": "ADDRESS" }
+  },
+  "tags": {
+    "0": { "type": "PII" },
+    "1": { "type": "EMPLOYEE_ID" },
+    "2": { "type": "ADDRESS" }
+  },
+  "serviceResources": [
+    {
+      "id":          0,
+      "serviceName": "dev_hive",
+      "resourceElements": {
+        "database": { "values": [ "hr" ] },
+        "table":    { "values": [ "employee" ] },
+        "column":   { "values": [ "ssn" ] }
+      }
+    },
+    {
+      "id":          1,
+      "serviceName": "dev_hive",
+      "resourceElements": {
+        "database": { "values": [ "hr" ] },
+        "table":    { "values": [ "employee" ] },
+        "column":   { "values": [ "address" ] }
+      }
+    },
+    {
+      "id":          2,
+      "serviceName": "dev_hive",
+      "serviceName":      "dev_hive",
+      "resourceElements": {
+        "database": { "values": [ "hr" ] },
+        "table":    { "values": [ "employee" ] },
+        "column":   { "values": [ "id" ] }
+      }
+    }
+  ],
+  "resourceToTagIds": {
+    "0": [ "0" ],
+    "1": [ "0", "2" ],
+    "2": [ "1" ]
+  }
+}
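Review bot: The third `serviceResources` entry (`"id": 2`) carries the `serviceName` key twice on consecutive lines. Both values are `dev_hive`, so a last-key-wins parser loads the same data, but some strict JSON parsers and linters reject duplicate keys. The second line, `"serviceName":      "dev_hive",`, should be dropped.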
diff --git a/dev-support/ranger-docker/scripts/ranger-tagsync.sh b/dev-support/ranger-docker/scripts/ranger-tagsync.sh
new file mode 100755
index 0000000..f761394
--- /dev/null
+++ b/dev-support/ranger-docker/scripts/ranger-tagsync.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+if [ ! -e ${RANGER_HOME}/.setupDone ]
+then
+  SETUP_RANGER=true
+else
+  SETUP_RANGER=false
+fi
+
+if [ "${SETUP_RANGER}" == "true" ]
+then
+  cd ${RANGER_HOME}/tagsync && ./setup.sh
+
+  touch ${RANGER_HOME}/.setupDone
+fi
+
+su -c "cd ${RANGER_HOME}/tagsync && ./ranger-tagsync-services.sh start" ranger
+
+RANGER_TAGSYNC_PID=`ps -ef  | grep -v grep | grep -i "org.apache.ranger.tagsync.process.TagSynchronizer" | awk '{print $2}'`
+
+# prevent the container from exiting
+tail --pid=$RANGER_TAGSYNC_PID -f /dev/null
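Review bot: `touch ${RANGER_HOME}/.setupDone` runs even when `./setup.sh` (or the `cd` before it) fails, so a failed first start is recorded as done and every later start skips setup. The PID lookup after `ranger-tagsync-services.sh start` has a related gap: if the Java process is not up yet or has already exited, `RANGER_TAGSYNC_PID` is empty and `tail --pid=` is handed no PID, which GNU tail should reject, ending the container without a clear message. ranger-usersync.sh in this commit has the same two patterns. The sketch below gates the marker on setup succeeding and fails loudly on an empty PID; the lookup pipeline itself is left as written.

```shell
if [ "${SETUP_RANGER}" == "true" ]
then
  # record setup as done only when it actually succeeded
  if cd "${RANGER_HOME}/tagsync" && ./setup.sh
  then
    touch "${RANGER_HOME}/.setupDone"
  else
    echo "ranger-tagsync setup failed" >&2
    exit 1
  fi
fi

# … unchanged: su -c … start, RANGER_TAGSYNC_PID lookup …

if [ -z "${RANGER_TAGSYNC_PID}" ]
then
  echo "ranger-tagsync process not found after start" >&2
  exit 1
fi

# prevent the container from exiting
tail --pid="${RANGER_TAGSYNC_PID}" -f /dev/null
```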
diff --git a/dev-support/ranger-docker/scripts/ranger-usersync-install.properties b/dev-support/ranger-docker/scripts/ranger-usersync-install.properties
new file mode 100644
index 0000000..8233aa2
--- /dev/null
+++ b/dev-support/ranger-docker/scripts/ranger-usersync-install.properties
@@ -0,0 +1,237 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# The base path for the usersync process
+ranger_base_dir = /opt/ranger/usersync
+
+#
+# The following URL should be the base URL for connecting to the policy manager web application
+# For example:
+#
+#  POLICY_MGR_URL = http://policymanager.xasecure.net:6080
+#
+POLICY_MGR_URL = http://ranger:6080
+
+# sync source,  only unix and ldap are supported at present
+# defaults to unix
+SYNC_SOURCE = unix
+
+#
+# Minimum Unix User-id to start SYNC.
+# This should avoid creating UNIX system-level users in the Policy Manager
+#
+MIN_UNIX_USER_ID_TO_SYNC = 500
+
+# Minimum Unix Group-id to start SYNC.
+# This should avoid creating UNIX system-level users in the Policy Manager
+#
+MIN_UNIX_GROUP_ID_TO_SYNC = 500
+
+# sync interval in minutes
+# user, groups would be synced again at the end of each sync interval
+# defaults to 5   if SYNC_SOURCE is unix
+# defaults to 360 if SYNC_SOURCE is ldap
+SYNC_INTERVAL =
+
+#User and group for the usersync process
+unix_user=ranger
+unix_group=ranger
+
+#change password of rangerusersync user. Please note that this password should be as per rangerusersync user in ranger
+rangerUsersync_password=rangerR0cks!
+
+#Set to run in kerberos environment
+usersync_principal=
+usersync_keytab=
+hadoop_conf=/etc/hadoop/conf
+#
+# The file where all credential is kept in cryptic format
+#
+CRED_KEYSTORE_FILENAME=/opt/ranger/usersync/conf/rangerusersync.jceks
+
+# SSL Authentication
+AUTH_SSL_ENABLED=true
+AUTH_SSL_KEYSTORE_FILE=/opt/ranger/usersync/conf/cert/unixauthservice.jks
+AUTH_SSL_KEYSTORE_PASSWORD=UnIx529p
+AUTH_SSL_TRUSTSTORE_FILE=
+AUTH_SSL_TRUSTSTORE_PASSWORD=
+
+# ---------------------------------------------------------------
+# The following properties are relevant only if SYNC_SOURCE = ldap
+# ---------------------------------------------------------------
+
+# The below properties ROLE_ASSIGNMENT_LIST_DELIMITER, USERS_GROUPS_ASSIGNMENT_LIST_DELIMITER, USERNAME_GROUPNAME_ASSIGNMENT_LIST_DELIMITER,
+#and GROUP_BASED_ROLE_ASSIGNMENT_RULES can be used to assign role to LDAP synced users and groups
+#NOTE all the delimiters should have different values and the delimiters should not contain characters that are allowed in userName or GroupName
+
+# default value ROLE_ASSIGNMENT_LIST_DELIMITER = &
+ROLE_ASSIGNMENT_LIST_DELIMITER = &
+
+#default value USERS_GROUPS_ASSIGNMENT_LIST_DELIMITER = :
+USERS_GROUPS_ASSIGNMENT_LIST_DELIMITER = :
+
+#default value USERNAME_GROUPNAME_ASSIGNMENT_LIST_DELIMITER = ,
+USERNAME_GROUPNAME_ASSIGNMENT_LIST_DELIMITER = ,
+
+# with above mentioned delimiters a sample value would be ROLE_SYS_ADMIN:u:userName1,userName2&ROLE_SYS_ADMIN:g:groupName1,groupName2&ROLE_KEY_ADMIN:u:userName&ROLE_KEY_ADMIN:g:groupName&ROLE_USER:u:userName3,userName4&ROLE_USER:g:groupName3
+#&ROLE_ADMIN_AUDITOR:u:userName&ROLE_KEY_ADMIN_AUDITOR:u:userName&ROLE_KEY_ADMIN_AUDITOR:g:groupName&ROLE_ADMIN_AUDITOR:g:groupName
+GROUP_BASED_ROLE_ASSIGNMENT_RULES =
+
+# URL of source ldap
+# a sample value would be:  ldap://ldap.example.com:389
+# Must specify a value if SYNC_SOURCE is ldap
+SYNC_LDAP_URL =
+
+# ldap bind dn used to connect to ldap and query for users and groups
+# a sample value would be cn=admin,ou=users,dc=hadoop,dc=apache,dc=org
+# Must specify a value if SYNC_SOURCE is ldap
+SYNC_LDAP_BIND_DN =
+
+# ldap bind password for the bind dn specified above
+# please ensure read access to this file  is limited to root, to protect the password
+# Must specify a value if SYNC_SOURCE is ldap
+# unless anonymous search is allowed by the directory on users and group
+SYNC_LDAP_BIND_PASSWORD =
+
+# ldap delta sync flag used to periodically sync users and groups based on the updates in the server
+# please customize the value to suit your deployment
+# default value is set to true when is SYNC_SOURCE is ldap
+SYNC_LDAP_DELTASYNC =
+
+# search base for users and groups
+# sample value would be dc=hadoop,dc=apache,dc=org
+SYNC_LDAP_SEARCH_BASE =
+
+# search base for users
+# sample value would be ou=users,dc=hadoop,dc=apache,dc=org
+# overrides value specified in SYNC_LDAP_SEARCH_BASE
+SYNC_LDAP_USER_SEARCH_BASE =
+
+# search scope for the users, only base, one and sub are supported values
+# please customize the value to suit your deployment
+# default value: sub
+SYNC_LDAP_USER_SEARCH_SCOPE = sub
+
+# objectclass to identify user entries
+# please customize the value to suit your deployment
+# default value: person
+SYNC_LDAP_USER_OBJECT_CLASS = person
+
+# optional additional filter constraining the users selected for syncing
+# a sample value would be (dept=eng)
+# please customize the value to suit your deployment
+# default value is empty
+SYNC_LDAP_USER_SEARCH_FILTER =
+
+# attribute from user entry that would be treated as user name
+# please customize the value to suit your deployment
+# default value: cn
+SYNC_LDAP_USER_NAME_ATTRIBUTE = cn
+
+# attribute from user entry whose values would be treated as
+# group values to be pushed into Policy Manager database
+# You could provide multiple attribute names separated by comma
+# default value: memberof, ismemberof
+SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE = memberof,ismemberof
+#
+# UserSync - Case Conversion Flags
+# possible values:  none, lower, upper
+SYNC_LDAP_USERNAME_CASE_CONVERSION=lower
+SYNC_LDAP_GROUPNAME_CASE_CONVERSION=lower
+
+#user sync log path
+logdir=/var/log/ranger/usersync
+
+# PID DIR PATH
+USERSYNC_PID_DIR_PATH=/var/run/ranger
+
+# do we want to do ldapsearch to find groups instead of relying on user entry attributes
+# valid values: true, false
+# any value other than true would be treated as false
+# default value: false
+SYNC_GROUP_SEARCH_ENABLED=
+
+# do we want to do ldapsearch to find groups instead of relying on user entry attributes and
+# sync memberships of those groups
+# valid values: true, false
+# any value other than true would be treated as false
+# default value: false
+SYNC_GROUP_USER_MAP_SYNC_ENABLED=
+
+# search base for groups
+# sample value would be ou=groups,dc=hadoop,dc=apache,dc=org
+# overrides value specified in SYNC_LDAP_SEARCH_BASE,  SYNC_LDAP_USER_SEARCH_BASE
+# if a value is not specified, takes the value of  SYNC_LDAP_SEARCH_BASE
+# if  SYNC_LDAP_SEARCH_BASE is also not specified, takes the value of SYNC_LDAP_USER_SEARCH_BASE
+SYNC_GROUP_SEARCH_BASE=
+
+# search scope for the groups, only base, one and sub are supported values
+# please customize the value to suit your deployment
+# default value: sub
+SYNC_GROUP_SEARCH_SCOPE=
+
+# objectclass to identify group entries
+# please customize the value to suit your deployment
+# default value: groupofnames
+SYNC_GROUP_OBJECT_CLASS=
+
+# optional additional filter constraining the groups selected for syncing
+# a sample value would be (dept=eng)
+# please customize the value to suit your deployment
+# default value is empty
+SYNC_LDAP_GROUP_SEARCH_FILTER=
+
+# attribute from group entry that would be treated as group name
+# please customize the value to suit your deployment
+# default value: cn
+SYNC_GROUP_NAME_ATTRIBUTE=
+
+# attribute from group entry that is list of members
+# please customize the value to suit your deployment
+# default value: member
+SYNC_GROUP_MEMBER_ATTRIBUTE_NAME=
+
+# do we want to use paged results control during ldapsearch for user entries
+# valid values: true, false
+# any value other than true would be treated as false
+# default value: true
+# if the value is false, typical AD would not return more than 1000 entries
+SYNC_PAGED_RESULTS_ENABLED=
+
+# page size for paged results control
+# search results would be returned page by page with the specified number of entries per page
+# default value: 500
+SYNC_PAGED_RESULTS_SIZE=
+#LDAP context referral could be ignore or follow
+SYNC_LDAP_REFERRAL =ignore
+
+# if you want to enable or disable jvm metrics for usersync process
+# valid values: true, false
+# any value other than true would be treated as false
+# default value: false
+# if the value is false, jvm metrics is not created
+JVM_METRICS_ENABLED=
+
+# filename of jvm metrics created for usersync process
+# default value: ranger_usersync_metric.json
+JVM_METRICS_FILENAME=
+
+#file directory for jvm metrics
+# default value : logdir
+JVM_METRICS_FILEPATH=
+
+#frequency for jvm metrics to be updated
+# default value : 10000 milliseconds
+JVM_METRICS_FREQUENCY_TIME_IN_MILLIS=
diff --git a/dev-support/ranger-docker/scripts/ranger-usersync.sh b/dev-support/ranger-docker/scripts/ranger-usersync.sh
new file mode 100755
index 0000000..48287d2
--- /dev/null
+++ b/dev-support/ranger-docker/scripts/ranger-usersync.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+if [ ! -e ${RANGER_HOME}/.setupDone ]
+then
+  SETUP_RANGER=true
+else
+  SETUP_RANGER=false
+fi
+
+if [ "${SETUP_RANGER}" == "true" ]
+then
+  cd ${RANGER_HOME}/usersync && ./setup.sh
+
+  touch ${RANGER_HOME}/.setupDone
+fi
+
+su -c "cd ${RANGER_HOME}/usersync && ./start.sh" ranger
+
+RANGER_USERSYNC_PID=`ps -ef  | grep -v grep | grep -i "org.apache.ranger.authentication.UnixAuthenticationService" | awk '{print $2}'`
+
+# prevent the container from exiting
+tail --pid=$RANGER_USERSYNC_PID -f /dev/null