
Ranger group policy not being applied to the users within the group

Expert Contributor

Customer has synced the users and groups from AD/LDAP into Ranger using Usersync and is having issues with assigning group privileges on Hive tables under the "group permissions" section. It is not granting any users within the group to run any queries on the Hive table. If he explicitly specifies the username and assigns the select permission under the "user permissions" section in Ranger, then it works for him. Any ideas on how to get around this issue?

1 ACCEPTED SOLUTION

Contributor

Group permission on the ranger works fine.

However, there is a misconception in the community about how the group association for the logged-in user is calculated.

The group membership of the "logged in user" is calculated by Hive based on the core-site.xml configuration, hadoop.security.group.mapping. By default, it uses unix groups associated with the "logged in user". However, it can be set to look up LDAP based on the info specified in http://hortonworks.com/blog/hadoop-groupmapping-ldap-integration/

You can view the user's group by executing the following command on the hiveserver2 box:

$ hdfs groups [username]

This command should help you to find out the groups associated with the username. If you do not see the correct group association, you should fix the "hadoop.security.group.mapping" configuration in core-site.xml or the unix group membership on the hiveserver2 box to fix the issue.

8 REPLIES


Can you check if the users are really in the defined groups? (run: hdfs groups <userid>)

Ranger 0.4 or 0.5?

My group permissions work on Ranger 0.5, haven't seen any issues so far.


It's worth noting that case conversion could be an issue here. For instance, if "hdfs groups <user>" returns mixed case group names, and the group names auto-populated in Policy Manager are lower case, then check the Ranger config property: SYNC_LDAP_GROUPNAME_CASE_CONVERSION
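As an added example (not from this thread and not Ranger's own code), this Python script reproduces the check the accepted answer and the case-conversion note describe: it parses the groups Hive resolves for a user from `hdfs groups` output and compares them against the groups in a Ranger policy, reporting an exact match, a case-only mismatch, or no resolved groups at all. The `hdfs groups` output and the policy are constructed sample data, and the literal (case-sensitive) comparison assumes, as the note above does, that Ranger matches group names exactly.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample: what `hdfs groups <user>` prints on the HiveServer2 host
# once hadoop.security.group.mapping resolves groups from LDAP (mixed case).
# Real output has the form "<user> : <group1> <group2> ...".
HDFS_GROUPS_OUTPUT = """\
alice : Hive_Analysts hadoop
bob : Domain_Users
"""

# Constructed Ranger Hive policy: groups as usersync populated them, here in
# lower case (e.g. SYNC_LDAP_GROUPNAME_CASE_CONVERSION=lower), and no users.
POLICY_GROUPS: Set[str] = {"hive_analysts"}
POLICY_USERS: Set[str] = set()

def parse_hdfs_groups(output: str) -> Dict[str, List[str]]:
    """Parse `hdfs groups` output into {user: [group, ...]}."""
    resolved: Dict[str, List[str]] = {}
    for line in output.splitlines():
        if ":" not in line:
            continue  # skip blank lines or warnings printed by the CLI
        user, _, groups = line.partition(":")
        resolved[user.strip()] = groups.split()
    return resolved

def policy_decision(user: str, resolved: Dict[str, List[str]],
                    policy_groups: Set[str], policy_users: Set[str]) -> Tuple[str, str]:
    """Return (verdict, reason). The user is allowed if listed explicitly or if
    one of the groups Hive resolved for them equals a policy group exactly;
    a case-only match is reported as the likely misconfiguration."""
    if user in policy_users:
        return "allow", "user is listed explicitly in the policy"
    groups = resolved.get(user, [])
    if not groups:
        return "deny", ("no groups resolved: fix hadoop.security.group.mapping "
                        "in core-site.xml or the unix groups on the HiveServer2 box")
    if set(groups) & policy_groups:
        return "allow", "a resolved group matches a policy group"
    case_only = {g.lower() for g in groups} & {g.lower() for g in policy_groups}
    if case_only:
        return "deny", ("group names differ only by case "
                        f"({sorted(case_only)}): check SYNC_LDAP_GROUPNAME_CASE_CONVERSION")
    return "deny", "user is in none of the policy's groups"

def diagnose(user: str) -> Tuple[str, str]:
    """Run the check against the constructed sample data above."""
    return policy_decision(user, parse_hdfs_groups(HDFS_GROUPS_OUTPUT),
                           POLICY_GROUPS, POLICY_USERS)
```

In practice you would feed `diagnose` the real output of `hdfs groups <user>` from the HiveServer2 box and the group list from the Ranger policy you are debugging.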


Thanks @Alex Miller, this was exactly the issue we were debugging today.

Contributor

How does Storm obtain group information? Does it also use the hadoop.security.group.mapping from the core-site.xml? I have configured hadoop.security.group.mapping to obtain the LDAP groups and it works fine for HDFS, Hive,.... but Storm does not seem to recognize the correct groups.

Is there a way to test this?

Explorer

Followed the instructions exactly. core-site.xml is configured using LDAP. Even hdfs groups [user] returns the correct group. But the policy defined for the group (allow the group to select a table in a database), without specifying a specific user name, denies access to members of the group unless I add the individual user to the policy. The users/groups page correctly shows that the users belong to the group.

Explorer

My mistake. Got it working. Looks like my problem was the privilege selection. I only checked 'select' and 'read'. That is obviously not enough for the user to select, and the error message simply shows that the user does not have the select * privilege.

Expert Contributor

@sneethiraj

I notice that in the Ranger configuration there is a user and group sync setting that can sync users and groups from a file, Unix users, or LDAP. As mentioned above, can only Unix users and LDAP groups be recognized in Ranger or HDFS?