
Ranger - Hive Policies does not work with LDAP groups imported into Ranger.

We have an HDP 2.6.3 cluster with Kerberos enabled. We have the Hive plugin enabled and policies set for groups which are imported from OpenDJ (LDAP). We can see Hive policies working when the permissions are granted to users; however, when the same policies are granted to groups, the user gets the error regarding USE privilege not available for default tables.

Users and Groups are imported to Ranger, Ambari and also hadoop-group mapping is enabled.

So when we enter hdfs groups username, we get the LDAP group the user is added to.

So we are not sure, what more needs to be checked. Any suggestions would be helpful.

Re: Ranger - Hive Policies does not work with LDAP groups imported into Ranger.

@Bhanu Pamu

Check the following in the same hiveserver2 host:

1. How is group mapping configured? With LDAP or with the Unix groups implementation? If Unix groups, you should check on the hiveserver2 host what the result of id <username> is and whether this command returns the list of groups. What I've seen is that sometimes SSSD/Centrify is used and is not correctly synchronizing groups.

2. Policies are case sensitive for users and groups. Make sure the groups listed with hdfs groups username and/or id <username> match the exact case you see in Ranger -> user/groups.

HTH

*** If you found this answer addressed your question, please take a moment to login and click the "accept" link on the answer.

Re: Ranger - Hive Policies does not work with LDAP groups imported into Ranger.

1. The group mapping is done via LDAP with settings similar to those used to configure Ranger User Info.

2. Yes, we have checked that possibility and hence we have changed the groups to small case to avoid any kind of doubt regarding the case sensitivity.

Yet the problem persists.

Here's the example.

>hdfs groups bhanu.pamu

bhanu.pamu : developers

And we have granted 'developers' group 'select' access in Ranger to Hive Tables.

Any further suggestions please.

Re: Ranger - Hive Policies does not work with LDAP groups imported into Ranger.

@Bhanu Pamu If user based authorization is working this means policies are correctly downloaded to the hiveserver2 policy cache. You can confirm anyways by checking under /etc/ranger/clusterName_hive/policycache/*.json and see if the file contains the entry for the developer group. Just to be clear on the group mapping configuration could you confirm what value you have in your core-site.xml for hadoop.security.group.mapping? Also from which node are you running the hdfs groups command? Make sure you check all this from the hiveserver2 machine.
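
One way to script the two checks suggested in the replies above, comparing the groups Hadoop resolves on the hiveserver2 host with the groups named in the policy cache, exact case included. This is an added example, not part of the original thread and not Ranger's own code; it assumes the cache file uses the policies / policyItems / groups / accesses fields, and the sample cache and function names are constructed for illustration.

```python
import json

# Constructed sample in the assumed layout of a Ranger policy cache file; not from a real cluster.
SAMPLE_CACHE = json.dumps({
    "serviceName": "clusterName_hive",
    "policies": [
        {"name": "dev-select", "isEnabled": True,
         "resources": {"database": {"values": ["default"]}},
         "policyItems": [{"groups": ["Developers"], "users": [],
                          "accesses": [{"type": "select", "isAllowed": True}]}]},
        {"name": "admin-all", "isEnabled": True,
         "resources": {"database": {"values": ["*"]}},
         "policyItems": [{"groups": [], "users": ["hive"],
                          "accesses": [{"type": "all", "isAllowed": True}]}]},
    ],
})

def parse_hdfs_groups(line):
    """Parse one line of `hdfs groups <user>` output: 'user : g1 g2'."""
    user, _, groups = line.partition(":")
    return user.strip(), groups.split()

def group_matches(cache_text, resolved_groups):
    """Return (exact, case_only): policy/group pairs that match the resolved
    groups exactly, and pairs that differ from them only by letter case."""
    resolved = set(resolved_groups)
    folded = {g.lower() for g in resolved}
    exact, case_only = [], []
    for policy in json.loads(cache_text).get("policies", []):
        if not policy.get("isEnabled", True):
            continue  # disabled policies grant nothing
        for item in policy.get("policyItems", []):
            allowed = [a["type"] for a in item.get("accesses", []) if a.get("isAllowed")]
            for group in item.get("groups", []):
                if group in resolved:
                    exact.append((policy["name"], group, allowed))
                elif group.lower() in folded:
                    case_only.append((policy["name"], group, allowed))
    return exact, case_only

if __name__ == "__main__":
    # Line as shown earlier in the thread; run the real command on the hiveserver2 host.
    user, groups = parse_hdfs_groups("bhanu.pamu : developers")
    exact, case_only = group_matches(SAMPLE_CACHE, groups)
    print(user, "exact:", exact, "case-only mismatch:", case_only)
```

An empty exact list with a non-empty case-only list points at the case-sensitivity issue; both lists empty for a user who should have access points at group resolution on the hiveserver2 host or at the policy itself.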

Re: Ranger - Hive Policies does not work with LDAP groups imported into Ranger.

@Bhanu Pamu Please tag my name using @ next time so I get an email notification of your comment.

Re: Ranger - Hive Policies does not work with LDAP groups imported into Ranger.

@Bhanu Pamu I am also facing the same issue. Is there any solution?

Re: Ranger - Hive Policies does not work with LDAP groups imported into Ranger.

@Anjali Shevadkar We had to implement the LDAP settings in core-site.xml via Ambari and then restart the affected services. Later you may run the hdfs regroup mapping command to sync from the backend. Let me know how it goes.

Re: Ranger - Hive Policies does not work with LDAP groups imported into Ranger.

Same here.
