Created 10-07-2016 01:58 PM
Having an issue with applying Ranger policy permissions through groups. I see that there are several questions on this. I am having the same basic issue--Policies get applied when user is specified, but not using a group. I have gone through all of the debugging steps suggested in the questions, but still having issues.
SSSD - We do have this running and are able to see the groups (note: NN, HS2, and Ranger are all on this same host)
$ hdfs groups batyr_amp_admin batyr_amp_admin : domain users batyr_amp_admins $ id batyr_amp_admin uid=1080619417(batyr_amp_admin) gid=1080600513(domain users) groups=1080600513(domain users),1080619409(batyr_amp_admins)
QUESTION: If SSSD is running, do you ALSO have to setup the core-site.mapping?
From Hiveserver2.log
2016-10-07 09:46:55,322 WARN [HiveServer2-Handler-Pool: Thread-5841]: thrift.ThriftCLIService (ThriftCLIService.java:ExecuteStatement(512)) - Error executing statement: org.apache.hive.service.cli.HiveSQLException: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [batyr_amp_admin] does not have [USE] privilege on [amp_land] at org.apache.hive.service.cli.operation.Operation.toSQLException(Operation.java:335) at org.apache.hive.service.cli.operation.SQLOperation.prepare(SQLOperation.java:148) at org.apache.hive.service.cli.operation.SQLOperation.runInternal(SQLOperation.java:226) at org.apache.hive.service.cli.operation.Operation.run(Operation.java:276) at org.apache.hive.service.cli.session.HiveSessionImpl.executeStatementInternal(HiveSessionImpl.java:468) at org.apache.hive.service.cli.session.HiveSessionImpl.executeStatementAsync(HiveSessionImpl.java:456) at org.apache.hive.service.cli.CLIService.executeStatementAsync(CLIService.java:298) at org.apache.hive.service.cli.thrift.ThriftCLIService.ExecuteStatement(ThriftCLIService.java:506) at org.apache.hive.service.cli.thrift.TCLIService$Processor$ExecuteStatement.getResult(TCLIService.java:1317) at org.apache.hive.service.cli.thrift.TCLIService$Processor$ExecuteStatement.getResult(TCLIService.java:1302) at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39) at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39) at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server$TUGIAssumingProcessor.process(HadoopThriftAuthBridge.java:562) at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:286) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Caused by: org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException: Permission denied: user [batyr_amp_admin] does not have [USE] privilege on [amp_land] at org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizer.checkPrivileges(RangerHiveAuthorizer.java:412) at org.apache.hadoop.hive.ql.Driver.doAuthorizationV2(Driver.java:855) at org.apache.hadoop.hive.ql.Driver.doAuthorization(Driver.java:643) at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:510) at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:320) at org.apache.hadoop.hive.ql.Driver.compileInternal(Driver.java:1219) at org.apache.hadoop.hive.ql.Driver.compileAndRespond(Driver.java:1213) at org.apache.hive.service.cli.operation.SQLOperation.prepare(SQLOperation.java:146) ... 15 more
Created 10-07-2016 04:03 PM
When SSSD is configured, the request that comes to ranger will have the same case as the hdfs groups and this should match the one that is stored in ranger DB. But looks like ranger DB has upper case as that is sync'd from AD with case conversion as none. In this case the behavior seen above is expected behavior. Can you please set case conversion to "lower" and try?
Created 11-28-2017 08:58 AM
Hi all,
I have the same problem, HDP 2.5 with Ranger, policies are only working when applied to users, not to groups where users and groups are managed with AD and SSSD on the Linux side.
Athough all the users and groups are correctly mapped on ranger and on Linux, even the groups permissions are working fine with the Ranger encryption, but not with the policies.
I tried all the suggestions like the lowercase conversion but still is not working for me.
Any other idea?
Thanks in advance.
Created 05-01-2018 07:09 AM
I'm having this same problem. I recently move our cluster to Ubuntu. When using the previous Centos it was working fine. I have tried the case conversion options with no luck. I can however access everything if I add the user to ranger and not the group.