Created 09-07-2018 12:04 AM
Hi,
Verified various links but could not come up with a solution.
The Ranger policy is not applied to a user when the policy has the user's group name, but it is successful when applied to the user directly.
Here is the information:
a) HDP - 2.6.5; Ranger - 0.7.0; CentOS 6.5; Windows 2012 R2 is used as AD ( has full admin privileges on AD )
b) Settings:
Incremental Sync - Enabled
Username Attribute - sAMAccountName; User Object Class - user; User Search Filter - cn=*; User Search Scope - sub; User Group Name Attribute - memberOf,ismemberof; Group User Map Sync - False or disabled.
Enable Group Sync - Enabled; Group Member Attribute - member; Group Name Attribute - sAMAccountName; Group Object Class - group; Group Search Filter - CN=*; Enable Group Search First - False or disabled.
c) On OS side:
hdfs groups <username> gives the group name of the user, and the same user name (with exact case) is present in Ranger Groups.
Still, the user is not able to access Hive databases in spite of the policy allowing members of the group to which the user belongs.
Can someone please help me with this?
@spolavarapu, @Felix Albani, or anyone else who can help me with this.
Created 09-10-2018 02:01 PM
1. Can you please log in to the host hosting the NameNode.
2. id <UserName>: shows the group the user is pointed to.
Do you see the group present in Ranger for the user?
There is also a possibility that LDAP is configured directly, and the groups are being pulled from LDAP.
Created 09-10-2018 02:26 PM
Hi Sriram
I was able to do this by adding the following parameters in Custom core-site.xml in HDFS through Ambari. Please change the values as per your environment.
hadoop.security.group.mapping=org.apache.hadoop.security.CompositeGroupsMapping
hadoop.security.group.mapping.provider.ad4users=org.apache.hadoop.security.LdapGroupsMapping
hadoop.security.group.mapping.provider.ad4users.ldap.base=dc=csmodule,dc=com
hadoop.security.group.mapping.provider.ad4users.ldap.bind.user=cn=username,OU=Users,DC=hortonworks,DC=com
hadoop.security.group.mapping.provider.ad4users.ldap.bind.password=password
hadoop.security.group.mapping.provider.ad4users.ldap.search.attr.group.name=cn
hadoop.security.group.mapping.provider.ad4users.ldap.search.attr.member=member
hadoop.security.group.mapping.provider.ad4users.ldap.search.filter.group=(objectclass=group)
hadoop.security.group.mapping.provider.ad4users.ldap.search.filter.user=(&(|(objectclass=person)(objectclass=applicationProcess))(sAMAccountName={0}))
hadoop.security.group.mapping.provider.ad4users.ldap.url=ldap-url:389
hadoop.security.group.mapping.provider.shell4services=org.apache.hadoop.security.ShellBasedUnixGroupsMapping
hadoop.security.group.mapping.providers=ad4users,shell4services
hadoop.security.group.mapping.providers.combined=true
Reference:
Please accept my answer if you found this helpful.
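As an added example (not Hadoop's own code and not part of the answer above), the following Python simulates how the CompositeGroupsMapping configuration listed above resolves a user's groups: the ad4users provider does the two-step LDAP lookup (user by sAMAccountName, then groups whose member attribute holds the user DN), the shell4services provider does a local lookup like `id <username>`, and providers.combined decides whether the answers are unioned or the first non-empty one wins. The directory tree and local group file are constructed sample data, not the poster's environment.

```python
from typing import Dict, List

# Constructed stand-in for the AD tree under dc=csmodule,dc=com: DN -> attributes
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "CN=jdoe,OU=Users,DC=csmodule,DC=com": {
        "objectclass": ["person", "user"], "sAMAccountName": ["jdoe"]},
    "CN=hive_analysts,OU=Groups,DC=csmodule,DC=com": {
        "objectclass": ["group"], "cn": ["hive_analysts"],
        "member": ["CN=jdoe,OU=Users,DC=csmodule,DC=com"]},
    "CN=vpn_users,OU=Groups,DC=csmodule,DC=com": {
        "objectclass": ["group"], "cn": ["vpn_users"],
        "member": ["CN=jdoe,OU=Users,DC=csmodule,DC=com"]},
}
# Constructed stand-in for /etc/group on the NameNode host (service accounts only)
LOCAL_GROUPS: Dict[str, List[str]] = {"hadoop": ["hdfs", "yarn", "hive"], "hive": ["hive"]}

def ldap_groups(username: str) -> List[str]:
    """ad4users: resolve the user with search.filter.user (sAMAccountName={0}),
    then return the cn of every objectclass=group whose member attribute
    (search.attr.member) contains that user's DN, as LdapGroupsMapping does."""
    user_dns = [dn for dn, attrs in DIRECTORY.items()
                if "person" in attrs["objectclass"]
                and username in attrs.get("sAMAccountName", [])]
    if not user_dns:
        return []  # unknown in AD: no groups from this provider
    return sorted(attrs["cn"][0] for attrs in DIRECTORY.values()
                  if "group" in attrs["objectclass"]
                  and user_dns[0] in attrs.get("member", []))

def shell_groups(username: str) -> List[str]:
    """shell4services: local account lookup, like `id <username>` on the host."""
    return sorted(g for g, members in LOCAL_GROUPS.items() if username in members)

PROVIDERS = {"ad4users": ldap_groups, "shell4services": shell_groups}

def composite_groups(username: str, providers: List[str], combined: bool) -> List[str]:
    """combined=true: union of every provider's answer, so AD users get AD groups
    and local service accounts keep their local groups. combined=false: the first
    provider that returns a non-empty list wins."""
    result: List[str] = []
    for name in providers:
        groups = PROVIDERS[name](username)
        if combined:
            result.extend(g for g in groups if g not in result)
        elif groups:
            return groups
    return result

if __name__ == "__main__":
    for user in ("jdoe", "hive", "unknown"):
        print(user, composite_groups(user, ["ad4users", "shell4services"], True))
```

Compare the list this returns for a user with what `hdfs groups <username>` prints on the cluster; a mismatch (for example an empty list because the OS is not joined to AD and no LDAP provider is configured) is the usual reason a group-based Ranger policy does not match.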
Created 09-10-2018 02:31 PM
@Saurabh,
Is OS integrated with AD or LDAP?
id <username> should reflect the group on the OS.
In my case, OS is not integrated with LDAP.
Created 09-10-2018 02:39 PM
In my Hadoop cluster, the OS, Ranger and Kerberos are integrated with an external AD. id <username> and hdfs groups <username> both show the group to which the user belongs.
Created 09-10-2018 06:17 PM
Can you post the output of hdfs groups and a screenshot of the Ranger groups? Also, it would be good to enable debug logging for "org.apache.ranger" in the HDFS logs so that we can see what group name is coming in with the authorization request.
Created 09-10-2018 06:24 PM
@spolavarapu... In my case, the OS is not integrated with AD, and at the OS level id <username> does not give any details.
Is this an issue? Is integration of the OS with AD mandatory?
Created 09-10-2018 06:29 PM
So what does hdfs groups return for that user, then? In section (c) of your initial post, you mentioned that the hdfs groups match the ones under Ranger groups.