Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!
Solved Go to solution

Ranger Group Permissions issue - AD and SSSD

Labels:
avatar
author-rank Jim_B author-rank
Expert Contributor

Created ‎10-07-2016 01:58 PM

Having an issue with applying Ranger policy permissions through groups. I see that there are several questions on this. I am having the same basic issue--Policies get applied when user is specified, but not using a group. I have gone through all of the debugging steps suggested in the questions, but still having issues.

SSSD - We do have this running and are able to see the groups (note: NN, HS2, and Ranger are all on this same host)

$ hdfs groups batyr_amp_admin
batyr_amp_admin : domain users batyr_amp_admins

$ id batyr_amp_admin
uid=1080619417(batyr_amp_admin) gid=1080600513(domain users) groups=1080600513(domain users),1080619409(batyr_amp_admins)

QUESTION: If SSSD is running, do you ALSO have to setup the core-site.mapping?

From Hiveserver2.log

2016-10-07 09:46:55,322 WARN  [HiveServer2-Handler-Pool: Thread-5841]: thrift.ThriftCLIService (ThriftCLIService.java:ExecuteStatement(512)) - Error executing statement: 
org.apache.hive.service.cli.HiveSQLException: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [batyr_amp_admin] does not have [USE] privilege on [amp_land]
at org.apache.hive.service.cli.operation.Operation.toSQLException(Operation.java:335)
at org.apache.hive.service.cli.operation.SQLOperation.prepare(SQLOperation.java:148)
at org.apache.hive.service.cli.operation.SQLOperation.runInternal(SQLOperation.java:226)
at org.apache.hive.service.cli.operation.Operation.run(Operation.java:276)
at org.apache.hive.service.cli.session.HiveSessionImpl.executeStatementInternal(HiveSessionImpl.java:468)
at org.apache.hive.service.cli.session.HiveSessionImpl.executeStatementAsync(HiveSessionImpl.java:456)
at org.apache.hive.service.cli.CLIService.executeStatementAsync(CLIService.java:298)
at org.apache.hive.service.cli.thrift.ThriftCLIService.ExecuteStatement(ThriftCLIService.java:506)
at org.apache.hive.service.cli.thrift.TCLIService$Processor$ExecuteStatement.getResult(TCLIService.java:1317)
at org.apache.hive.service.cli.thrift.TCLIService$Processor$ExecuteStatement.getResult(TCLIService.java:1302)
at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)
at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)
at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server$TUGIAssumingProcessor.process(HadoopThriftAuthBridge.java:562)
at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:286)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException: Permission denied: user [batyr_amp_admin] does not have [USE] privilege on [amp_land]
at org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizer.checkPrivileges(RangerHiveAuthorizer.java:412)
at org.apache.hadoop.hive.ql.Driver.doAuthorizationV2(Driver.java:855)
at org.apache.hadoop.hive.ql.Driver.doAuthorization(Driver.java:643)
at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:510)
at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:320)
at org.apache.hadoop.hive.ql.Driver.compileInternal(Driver.java:1219)
at org.apache.hadoop.hive.ql.Driver.compileAndRespond(Driver.java:1213)
at org.apache.hive.service.cli.operation.SQLOperation.prepare(SQLOperation.java:146)
... 15 more
6,068 Views
1 ACCEPTED SOLUTION

avatar
author-rank spolavarapu author-rank
Expert Contributor

Created ‎10-07-2016 04:03 PM

When SSSD is configured, the request that comes to ranger will have the same case as the hdfs groups and this should match the one that is stored in ranger DB. But looks like ranger DB has upper case as that is sync'd from AD with case conversion as none. In this case the behavior seen above is expected behavior. Can you please set case conversion to "lower" and try?

View solution in original post

4,498 Views
11 REPLIES 11

avatar
author-rank jmlero
Rising Star

Created ‎11-28-2017 08:58 AM

Hi all,

I have the same problem, HDP 2.5 with Ranger, policies are only working when applied to users, not to groups where users and groups are managed with AD and SSSD on the Linux side.

Athough all the users and groups are correctly mapped on ranger and on Linux, even the groups permissions are working fine with the Ranger encryption, but not with the policies.

I tried all the suggestions like the lowercase conversion but still is not working for me.

Any other idea?

Thanks in advance.

2,081 Views
0 Kudos

avatar
author-rank james_bashforth
Explorer

Created ‎05-01-2018 07:09 AM

I'm having this same problem. I recently move our cluster to Ubuntu. When using the previous Centos it was working fine. I have tried the case conversion options with no luck. I can however access everything if I add the user to ranger and not the group.

2,081 Views
0 Kudos
webinar banner
Announcements
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector for Apache Hive 2.6.2...
View More Announcements
meetups banner