Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Ranger policies not getting applied on groups

Labels:
avatar
author-rank kothari
New Contributor

Created ‎08-21-2023 05:43 AM

Hi Everyone, 
I have Ranger 2.4 installed. 
On the ranger ui, when I give a allow policy to my user, the policy is getting applied and my user is able to see the desired table. But when I give the same policy to a whole group instead of a single user, the users in that group are not able to see the desired table.
Any idea how can I resolve this?

1,111 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank steven-matison
Guru

Created ‎08-21-2023 07:00 AM

@kothari   here is a very good match with several comments w/ things you should check.

 

https://community.cloudera.com/t5/Support-Questions/Ranger-group-policy-not-being-applied-to-the-use...


To summarize:

  1. Make sure user is in the AD group.
  2. Make sure users and groups synced.
  3. Check case sensitivity
  4. Confirm ranger policies are correct.

View solution in original post

1,096 Views
0 Kudos
3 REPLIES 3

avatar
author-rank steven-matison
Guru

Created ‎08-21-2023 07:00 AM

@kothari   here is a very good match with several comments w/ things you should check.

 

https://community.cloudera.com/t5/Support-Questions/Ranger-group-policy-not-being-applied-to-the-use...


To summarize:

  1. Make sure user is in the AD group.
  2. Make sure users and groups synced.
  3. Check case sensitivity
  4. Confirm ranger policies are correct.
1,097 Views
0 Kudos

avatar
author-rank DianaTorres author-rank
Community Manager

Created ‎08-24-2023 10:53 AM

@kothari Has the reply helped resolve your issue? If so, please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future. Thanks.

Regards,

Diana Torres,
Community Moderator

Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
Learn more about the Cloudera Community:
1,061 Views
0 Kudos

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎08-24-2023 12:31 PM

@kothari 

It is not Ranger's job to inform the client applications using Ranger what users belong to what group.  Each client application is responsible for determining which groups the user authenticated into that service belong to.

The policies generated by Ranger are downloaded by the client applications.  Within that downloaded policy json will be a resource identifier(s), list if user identities authorized (read, write, and/or delete) , and list of group identities authorized (read, write, or delete) against each resource identifier.  So when client checks the downloaded policies from Ranger it is looking for the user identity being authorized and if client is aware of the group(s) that user belongs to, will also check authorization for that group identity.

 

so in your case, it i s most likely that your client service/application has not been configured with the same user and group association setup in your Ranger service.

 

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt

1,054 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements