question Re: Ranger Group Permissions issue - AD and SSSD in Archives of Support Questions (Read Only)

Ranger Group Permissions issue - AD and SSSD

Jim_B — Fri, 07 Oct 2016 20:58:19 GMT

Having an issue with applying Ranger policy permissions through groups. I see that there are several questions on this. I am having the same basic issue--Policies get applied when user is specified, but not using a group. I have gone through all of the debugging steps suggested in the questions, but still having issues.

SSSD - We do have this running and are able to see the groups (note: NN, HS2, and Ranger are all on this same host)

$ hdfs groups batyr_amp_admin
batyr_amp_admin : domain users batyr_amp_admins

$ id batyr_amp_admin
uid=1080619417(batyr_amp_admin) gid=1080600513(domain users) groups=1080600513(domain users),1080619409(batyr_amp_admins)

QUESTION: If SSSD is running, do you ALSO have to setup the core-site.mapping?

From Hiveserver2.log

2016-10-07 09:46:55,322 WARN  [HiveServer2-Handler-Pool: Thread-5841]: thrift.ThriftCLIService (ThriftCLIService.java:ExecuteStatement(512)) - Error executing statement: 
org.apache.hive.service.cli.HiveSQLException: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [batyr_amp_admin] does not have [USE] privilege on [amp_land]
at org.apache.hive.service.cli.operation.Operation.toSQLException(Operation.java:335)
at org.apache.hive.service.cli.operation.SQLOperation.prepare(SQLOperation.java:148)
at org.apache.hive.service.cli.operation.SQLOperation.runInternal(SQLOperation.java:226)
at org.apache.hive.service.cli.operation.Operation.run(Operation.java:276)
at org.apache.hive.service.cli.session.HiveSessionImpl.executeStatementInternal(HiveSessionImpl.java:468)
at org.apache.hive.service.cli.session.HiveSessionImpl.executeStatementAsync(HiveSessionImpl.java:456)
at org.apache.hive.service.cli.CLIService.executeStatementAsync(CLIService.java:298)
at org.apache.hive.service.cli.thrift.ThriftCLIService.ExecuteStatement(ThriftCLIService.java:506)
at org.apache.hive.service.cli.thrift.TCLIService$Processor$ExecuteStatement.getResult(TCLIService.java:1317)
at org.apache.hive.service.cli.thrift.TCLIService$Processor$ExecuteStatement.getResult(TCLIService.java:1302)
at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)
at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)
at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server$TUGIAssumingProcessor.process(HadoopThriftAuthBridge.java:562)
at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:286)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException: Permission denied: user [batyr_amp_admin] does not have [USE] privilege on [amp_land]
at org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizer.checkPrivileges(RangerHiveAuthorizer.java:412)
at org.apache.hadoop.hive.ql.Driver.doAuthorizationV2(Driver.java:855)
at org.apache.hadoop.hive.ql.Driver.doAuthorization(Driver.java:643)
at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:510)
at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:320)
at org.apache.hadoop.hive.ql.Driver.compileInternal(Driver.java:1219)
at org.apache.hadoop.hive.ql.Driver.compileAndRespond(Driver.java:1213)
at org.apache.hive.service.cli.operation.SQLOperation.prepare(SQLOperation.java:146)
... 15 more

Re: Ranger Group Permissions issue - AD and SSSD

ldaluz — Fri, 07 Oct 2016 21:22:24 GMT

@jbarnett

To answer your question - no, if you have SSSD configured you do not need to also configure core-site mapping with LDAP.

Regarding your issue, it could be related to the space in your group name - could you try remove the space in the 'domain users' or test with a group that doesn't contain any spaces.

Re: Ranger Group Permissions issue - AD and SSSD

Jim_B — Fri, 07 Oct 2016 21:28:35 GMT

'domain users' is one of the groups that all users are associated with. However, it is NOT the one we are using for the policy. That group is 'batyr_amp_admins' (underscores and no spaces.) Would this still be an issue?

Re: Ranger Group Permissions issue - AD and SSSD

vperiasamy — Fri, 07 Oct 2016 22:15:52 GMT

I don't think underscores will present an issue. Do you see any errors in the component logs?

Re: Ranger Group Permissions issue - AD and SSSD

Jim_B — Fri, 07 Oct 2016 22:18:09 GMT

See snippet from HS2 log added to main question.

Re: Ranger Group Permissions issue - AD and SSSD

spolavarapu — Fri, 07 Oct 2016 22:25:39 GMT

Is the group sync'd in ranger same case as hdfs groups? As you might already know the policy resolution in Ranger is case sensitive.

Re: Ranger Group Permissions issue - AD and SSSD

Jim_B — Fri, 07 Oct 2016 22:31:06 GMT

In Ranger, group name is 'BATYR_AMP_ADMINS' (both under groups and when added to policy)

It is uppercase in Active Directory, and shows uppercase in the usersync.log

ranger.usersync.ldap.groupname.caseconversion=none

HOWEVER,

As you can see in the main question, the hdfs groups command and linux id command show lowercase.

Is this expected behaviour?

Re: Ranger Group Permissions issue - AD and SSSD

spolavarapu — Fri, 07 Oct 2016 23:03:23 GMT

When SSSD is configured, the request that comes to ranger will have the same case as the hdfs groups and this should match the one that is stored in ranger DB. But looks like ranger DB has upper case as that is sync'd from AD with case conversion as none. In this case the behavior seen above is expected behavior. Can you please set case conversion to "lower" and try?

Re: Ranger Group Permissions issue - AD and SSSD

Jim_B — Sat, 08 Oct 2016 00:58:34 GMT

WINNER! That did the trick.

Changed

ranger.usersync.ldap.username.caseconversion=lower

ranger.usersync.ldap.groupname.caseconversion=lower

Restarted Ranger (which performs usersync)
All group names are now lowercase in both Ranger and HDFS

Re: Ranger Group Permissions issue - AD and SSSD

SuriNuthalapati — Wed, 25 Oct 2017 03:44:04 GMT

I have a similar issue in our environmet: we are thinking to usersync ranger with AD. below is the issue I have:

AD group name: cfyG_GG-HDP_HadoopAdmins

SSD mapped group on linux machine: hadoopadmin

This command yields $hdfs groups hdpadmin

hdpadmin : hdpadmin hadoopadmin hadoopdev hadoopusers

------------------

Now the problem is I can save the AD group to lower case in ranger as : cfyg_gg-hdp-hadoopadmins

but, if I use this group to give permission it wont work, since the linux group name is hadoopadmin, as mapped in SSSD. How can I over come this issue?

any help is appreciated.

Suri

Re: Ranger Group Permissions issue - AD and SSSD

jmlero — Tue, 28 Nov 2017 16:58:33 GMT

Hi all,

I have the same problem, HDP 2.5 with Ranger, policies are only working when applied to users, not to groups where users and groups are managed with AD and SSSD on the Linux side.

Athough all the users and groups are correctly mapped on ranger and on Linux, even the groups permissions are working fine with the Ranger encryption, but not with the policies.

I tried all the suggestions like the lowercase conversion but still is not working for me.

Any other idea?

Thanks in advance.

Re: Ranger Group Permissions issue - AD and SSSD

james_bashforth — Tue, 01 May 2018 14:09:48 GMT

I'm having this same problem. I recently move our cluster to Ubuntu. When using the previous Centos it was working fine. I have tried the case conversion options with no luck. I can however access everything if I add the user to ranger and not the group.