Verified various links but could not come up with a solution.
A Ranger policy is not applied to a user when the policy has the user's group name, but it is successful when applied to the user directly.
Here is the information:
a) HDP - 2.6.5; Ranger - 0.7.0; CentOS 6.5; Windows 2012 R2 is used as AD (has full admin privileges on AD)
Incremental Sync - Enabled
Username Attribute - sAMAccountName; User Object Class: user; User Search Filter: cn=*; User Search Scope: sub; User Group Name Attribute - memberOf,ismemberof; Group User Map Sync - False or disabled.
Enable Group Sync - Enabled; Group Member Attribute - member; Group Name Attribute - sAMAccountName; Group Object Class - group; Group Search Filter - CN=*; Enable Group Search First - False or disabled.
c) On OS side:
hdfs groups <username> gives the group name of the user, and the same user name (with exact case) is present in Ranger Groups.
Still, the user is not able to access Hive databases in spite of the policy allowing members of the group to which the user belongs.
Can you post the output of hdfs groups and a screenshot of the Ranger groups? Also, it would be good to enable debug for "org.apache.ranger" in the HDFS logs so that we can see what group name is coming in for the authorization request.