Created 10-26-2015 03:28 PM
Customer has synced the users and groups from AD/LDAP into Ranger using Usersync and is having issues with assigning group privileges on Hive tables under the "group permissions" section. It is not granting any users within the group the ability to run any queries on the Hive table. If he explicitly specifies the username and assigns the select permission under the "user permissions" section in Ranger, then it works for him. Any ideas on how to get around this issue?
Created 10-26-2015 04:17 PM
Group permissions in Ranger work fine.
However, there is a misconception in the community about how the group association for the logged-in user is calculated.
The group membership of the "logged in user" is calculated by Hive based on the core-site.xml configuration, hadoop.security.group.mapping. By default, it uses the unix groups associated with the "logged in user". However, it can be set to look up LDAP based on the info specified in http://hortonworks.com/blog/hadoop-groupmapping-ldap-integration/
You can view the user's groups by executing the following command on the hiveserver2 box:
$ hdfs groups [username]
This command should help you find out the groups associated with the username. If you do not see the correct group association, you should fix the "hadoop.security.group.mapping" configuration in core-site.xml or the unix group membership on the hiveserver2 box.
Created 10-26-2015 03:37 PM
Can you check if the users are really in the defined groups? (run: hdfs groups <userid>)
Ranger 0.4 or 0.5?
My group permissions work on Ranger 0.5, haven't seen any issues so far.
Created 10-26-2015 07:12 PM
It's worth noting that case conversion could be an issue here. For instance, if "hdfs groups <user>" returns mixed case group names, and the group names auto-populated in Policy Manager are lower case, then check the Ranger config property: SYNC_LDAP_GROUPNAME_CASE_CONVERSION
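To make the two points above concrete (the Hive side resolves groups through hadoop.security.group.mapping, i.e. whatever `hdfs groups <user>` prints on the HiveServer2 host, while the Ranger side holds the group names as usersync stored them), here is an added example, not code from Ranger or from any post in this thread. It is a simplified model of the plugin's policy matching, not Ranger's own evaluation logic; the `hdfs groups` output, the user name "jdoe" and the policy contents are constructed sample data. The `case_mode` argument stands in for the SYNC_LDAP_GROUPNAME_CASE_CONVERSION setting.

```python
"""Model of how a Ranger Hive group policy is matched to the querying user.

Added example, not code from Ranger or from any post in this thread. The
`hdfs groups` output and the policy below are constructed sample data; the
policy evaluation is a simplified model of the plugin, not Ranger's own code.
"""
from dataclasses import dataclass, field

# Constructed: what `hdfs groups jdoe` might print on the HiveServer2 host when
# hadoop.security.group.mapping resolves groups from LDAP (mixed-case names).
SAMPLE_HDFS_GROUPS = "jdoe : Hive_Analysts Finance"


@dataclass
class HivePolicy:
    """The parts of a Ranger Hive policy item that matter for this check."""
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    permissions: set = field(default_factory=set)  # e.g. {"select"}


def parse_hdfs_groups(output):
    """Parse the 'user : g1 g2 ...' line printed by `hdfs groups <user>`."""
    user, sep, rest = output.partition(" : ")
    if not sep:
        raise ValueError("unexpected hdfs groups output: %r" % output)
    return user.strip(), rest.split()


def convert_case(name, mode):
    """Mirror of usersync's SYNC_LDAP_GROUPNAME_CASE_CONVERSION (lower/upper/none)."""
    if mode == "lower":
        return name.lower()
    if mode == "upper":
        return name.upper()
    return name


def diagnose(user, groups_output, policy, perm, case_mode="none"):
    """Return (allowed, reason): why `user` is or is not granted `perm` by `policy`.

    `case_mode` is the conversion usersync applied to group names when it
    populated Ranger; the Hive-side names come straight from the Hadoop group
    mapping and are compared after the same conversion.
    """
    resolved_user, hadoop_groups = parse_hdfs_groups(groups_output)
    if resolved_user != user:
        return False, "hdfs groups output is for %s, not %s" % (resolved_user, user)
    if perm not in policy.permissions:
        return False, "policy does not grant %s" % perm
    if user in policy.users:
        return True, "user is listed explicitly in the policy"
    resolved = {convert_case(g, case_mode) for g in hadoop_groups}
    hit = resolved & policy.groups
    if hit:
        return True, "matched via group(s) %s" % sorted(hit)
    policy_lower = {g.lower() for g in policy.groups}
    case_only = sorted(g for g in hadoop_groups if g.lower() in policy_lower)
    if case_only:
        return False, ("group(s) %s differ from the policy only by case; "
                       "check SYNC_LDAP_GROUPNAME_CASE_CONVERSION" % case_only)
    return False, "none of %s is in the policy" % sorted(hadoop_groups)


if __name__ == "__main__":
    # Usersync lower-cased the LDAP group, but Hive sees the mixed-case name,
    # so the group policy silently fails to match until the cases agree.
    policy = HivePolicy(groups={"hive_analysts"}, permissions={"select"})
    print(diagnose("jdoe", SAMPLE_HDFS_GROUPS, policy, "select"))
    print(diagnose("jdoe", SAMPLE_HDFS_GROUPS, policy, "select", case_mode="lower"))
```

Running the two calls at the bottom shows the failure mode from the thread: the user is denied through the group policy when the Ranger-side name is lower case and the Hadoop-side name is mixed case, and is allowed as soon as both sides apply the same conversion. Adding the user explicitly under "user permissions" bypasses the group comparison entirely, which is why that workaround "fixes" the symptom without touching the cause.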
Created 10-26-2015 10:05 PM
Thanks @Alex Miller this was exactly the issue we were debugging today
Created 12-10-2015 09:35 PM
How does Storm obtain group information? Does it also use the hadoop.security.group.mapping from the core-site.xml? I have configured hadoop.security.group.mapping to obtain the LDAP groups and it works fine for HDFS, Hive,.... but Storm does not seem to recognize the correct groups.
Is there a way to test this?
Created 11-08-2018 04:37 PM
Followed the instructions exactly. core-site.xml is configured to use LDAP. Even hdfs groups [user] returns the correct group. But the policy defined for the group (allow the group to select a table in a database), without specifying a specific user name, denies access to members of the group unless I add the individual user to the policy. The users/groups page correctly shows that the users belong to the group.
Created 11-08-2018 05:42 PM
My mistake. Got it working. Looks like my problem was in the privilege selection. I only checked 'select' and 'read'. That is obviously not enough for the user to select, and the error message simply says the user does not have the select * privilege.
Created 03-06-2019 06:04 AM
I notice that in the Ranger configuration there is a user and group sync setting, and it can sync users and groups from a file, unix users, or LDAP. As mentioned above, can only unix users and LDAP groups be recognized in Ranger or HDFS?