Using groups from LDAP in ranger - does not work

Hello. We are using Ranger & Usersync from LDAP in order to manage permissions for our HDP data. Everything works fine while managing users: LDAP users appear in Ranger, and adding them to a policy and giving the appropriate permissions works flawlessly. However, when adding a group to a policy instead of users, the users of that group fail to query data even though their LDAP group has been given the right permissions. Just to clarify: Usersync works without any problems and users & groups appear in Ranger. It's just that using groups instead of users is not working. So if I have a team of 10 users that need access to data in my HDP, I have to specify those 10 users with select permissions. If I use an LDAP group that holds these users, they get a permission denied error. Does anyone have an idea why? Maybe it's a "universal" vs "security" group in LDAP? Adi J.


@Laurence Da Luz Thank you! I've changed the search filter as per your recommendation (also modified objectclass=top, which currently works for user-sync) but still the same results. I'll keep on digging.

Is there a log where I can check for errors while running the 'hdfs groups' command? Also, if I'm using SSSD, does it mean I have to use it for Ranger / user-sync, or can I use SSSD just for the mapping?

@Adi Jabkowsky

Using SSSD for AD/Linux integration does not impact how you configure ranger usersync. Your ranger usersync would stay in order to provide AD integration to Ranger UI, and the SSSD config would be so that your AD users resolve on the linux OS (which HDFS will read from)

@Adi Jabkowsky can you please check Ranger UI -> Settings -> Users, whether users are properly mapped to the groups.

So please check whether the users that are part of the group are showing the mapping on the UI too.

@deepak sharma

I checked the Ranger UI >> Settings >> Users and I can see the AD groups of every user. As you can see, this is my user and my AD groups.


So Ranger does map users & groups, but again: if I use a group instead of a user it doesn't work. I still get permission denied. I can only work with users...

Can you please check the audit logs? Which policy denied the operation?

@deepak sharma

I checked and the policy is null

As you can see in the previous screenshot, the Ranger UI does map my user and my AD groups. But when adding one of my groups to any DB in Hive with select permissions, I receive permission denied. Policy ID is null, as you can see in the latest screenshot. However, if I add my user, no problem!

@Adi Jabkowsky can you try the same scenario for some other service? I just want to confirm whether it is for Hive only or for all the services.

You must add the user on the node where you set up HiveServer, e.g. `useradd -G bigdata user1`, then add authority for the group (bigdata) on Ranger's UI, then test:

beeline -u jdbc:hive2://node:10000/default -n user1 -e "show databases"

It will work~

@wang chi Thank you for taking the time to respond! Correct me if I'm wrong, but what you are suggesting is creating a local user and adding it to a local group. I don't want to create local users for all my end users who need access to Hive; this is why I use Active Directory... Or maybe I didn't quite understand your suggestion...

@Adi Jabkowsky Did you ever find a solution to this?