Created on 12-22-2016 07:31 AM
Question: We added the following settings to our Knox topology so that Knox may search LDAP for the groups a user is in, so that we can efficiently control Knox permissions with Ranger.
<!-- changes needed for group sync -->
<param>
    <name>main.ldapGroupContextFactory</name>
    <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
</param>
<param>
    <name>main.ldapRealm.authorizationEnabled</name>
    <value>true</value>
</param>
<param>
    <name>main.ldapRealm.groupSearchBase</name>
    <value>OU=Infrastructure,OU=EXAMPLE,DC=test,DC=local</value>
</param>
<param>
    <name>main.ldapRealm.groupObjectClass</name>
    <value>group</value>
</param>
<param>
    <name>main.ldapRealm.groupIdAttribute</name>
    <value>cn</value>
</param>
Our search base and attribute settings are the same as those in our hadoop.security.ldap.group.mapping config and in Ranger, but in Knox we get an error in gateway.log (attached) complaining about the size of the results.
Normally the results are paginated, but it seems Knox is trying to get all of them at once. What do we need to change to make this work?
ERROR: Knox was searching an OU that has 3000 groups.
Below was the setup:
1. Env has Knox-AD integration in place.
2. Env currently has 3000+ groups in AD, and the current limit for a search without pagination is 500.
3. User has the Ranger Knox plugin enabled.
4. A user-level policy for the Knox Ranger plugin works, whereas it does not work if groups are specified in the policy.
ROOT CAUSE:
This is a bug (https://issues.apache.org/jira/browse/KNOX-644) and is fixed in Knox 0.10.
RESOLUTION: Adding the property below resolved the issue:
<param>
    <name>main.ldapRealm.authorizationEnabled</name>
    <value>false</value>
</param>
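The check a practitioner would want before turning on realm-side group lookup, as an added example that is not part of the original post or of the Knox project: parse the realm `<param>` entries from the topology, flag the configuration when an unpaged group search under `groupSearchBase` would return more entries than the directory's size limit (the 3000-group OU and 500-entry limit are the figures from the post), and apply the post's resolution by setting `main.ldapRealm.authorizationEnabled` to `false`. The sample fragment is constructed from the question above; treating a missing `authorizationEnabled` as `false` is an assumption.

```python
"""Added example (not from the original post): check a Knox topology's LDAP realm
settings for the unpaged group-search failure described in KNOX-644."""
import xml.etree.ElementTree as ET

# Constructed sample input: the realm <param> entries from the question, wrapped in
# a <provider> element so the fragment is well-formed XML on its own.
TOPOLOGY_FRAGMENT = """<provider>
  <!-- changes needed for group sync -->
  <param><name>main.ldapGroupContextFactory</name>
         <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value></param>
  <param><name>main.ldapRealm.authorizationEnabled</name><value>true</value></param>
  <param><name>main.ldapRealm.groupSearchBase</name>
         <value>OU=Infrastructure,OU=EXAMPLE,DC=test,DC=local</value></param>
  <param><name>main.ldapRealm.groupObjectClass</name><value>group</value></param>
  <param><name>main.ldapRealm.groupIdAttribute</name><value>cn</value></param>
</provider>"""

# Figures from the post: ~3000 groups in the OU and a 500-entry limit for an
# unpaged search on this directory. Adjust both for the environment being checked.
GROUP_COUNT_IN_OU = 3000
SERVER_SIZE_LIMIT = 500

AUTHZ_PARAM = "main.ldapRealm.authorizationEnabled"
SEARCH_BASE_PARAM = "main.ldapRealm.groupSearchBase"


def parse_params(xml_text):
    """Return {param name: value} for every <param> element in the fragment."""
    root = ET.fromstring(xml_text)
    params = {}
    for p in root.iter("param"):
        name = p.findtext("name")
        if name is not None:
            params[name.strip()] = (p.findtext("value") or "").strip()
    return params


def check_group_lookup(params, group_count, server_size_limit):
    """Return a list of findings; an empty list means the settings are safe to deploy.

    Knox versions before 0.10 issue the group search as a single, unpaged LDAP
    query, so when the number of group entries under groupSearchBase exceeds the
    directory's size limit the search fails (KNOX-644).
    """
    findings = []
    # Assumption: an absent authorizationEnabled behaves like "false".
    enabled = params.get(AUTHZ_PARAM, "false").lower() == "true"
    if not enabled:
        return findings  # Knox never queries groups, so the limit cannot be hit
    base = params.get(SEARCH_BASE_PARAM)
    if not base:
        findings.append(f"{AUTHZ_PARAM}=true but {SEARCH_BASE_PARAM} is not set")
        return findings
    if group_count > server_size_limit:
        findings.append(
            f"unpaged group search under '{base}' would return about {group_count} "
            f"entries, above the directory size limit of {server_size_limit}; "
            "disable realm authorization or upgrade to Knox 0.10 (KNOX-644)"
        )
    return findings


def disable_realm_authorization(xml_text):
    """Apply the post's resolution: set authorizationEnabled to false and leave the
    other parameters in place so group lookup can be re-enabled after an upgrade."""
    root = ET.fromstring(xml_text)
    found = False
    for p in root.iter("param"):
        if (p.findtext("name") or "").strip() == AUTHZ_PARAM:
            p.find("value").text = "false"
            found = True
    if not found:  # no explicit setting yet: add one so the intent is visible
        param = ET.SubElement(root, "param")
        ET.SubElement(param, "name").text = AUTHZ_PARAM
        ET.SubElement(param, "value").text = "false"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    original = parse_params(TOPOLOGY_FRAGMENT)
    for finding in check_group_lookup(original, GROUP_COUNT_IN_OU, SERVER_SIZE_LIMIT):
        print("FINDING:", finding)
    fixed = parse_params(disable_realm_authorization(TOPOLOGY_FRAGMENT))
    print("findings after resolution:",
          len(check_group_lookup(fixed, GROUP_COUNT_IN_OU, SERVER_SIZE_LIMIT)))
```

Run it against the real topology fragment by replacing `TOPOLOGY_FRAGMENT` with the file's `<provider>` element for the ShiroProvider; the finding goes away either when `authorizationEnabled` is `false`, as in the resolution above, or when the group count under the search base is within the directory's limit.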
Created on 12-22-2016 11:20 AM
Probably worth pointing out that this will be fixed in Knox 0.10 by the looks of it: KNOX-644
Created on 12-22-2016 12:13 PM
Done. Thanks.