
Using groups from LDAP in ranger - does not work

Re: Using groups from LDAP in ranger - does not work

Expert Contributor

@Laurence Da Luz Thank you! I've changed the search filter as per your recommendation (also modified objectclass=top which currently works for user-sync) but still the same results. I'll keep on digging.

Is there a log where I can check for errors while running the 'hdfs groups' command? Also, if I'm using SSSD - does it mean I have to use it for ranger / user-sync, or can I use SSSD just for the mapping?


Re: Using groups from LDAP in ranger - does not work

Rising Star

@Adi Jabkowsky

Using SSSD for AD/Linux integration does not impact how you configure ranger usersync. Your ranger usersync would stay in order to provide AD integration to Ranger UI, and the SSSD config would be so that your AD users resolve on the Linux OS (which HDFS will read from).
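
One way to check the split described above on a cluster node, as an added example that is not part of the original thread: it compares the groups the OS resolves for a user with the groups `hdfs groups` reports. The function names and the sample line are constructed for illustration, `user1` and `bigdata` are placeholder names, and group names are assumed to contain no spaces.

```shell
#!/bin/sh
# Added diagnostic sketch (not from the thread). Run it on the node hosting the
# service being tested, e.g.:  sh check_groups.sh user1 bigdata
# Assumption: group names contain no spaces (both tools print space-separated lists).

# Constructed sample of `hdfs groups <user>` output, used for offline checks.
SAMPLE_HDFS_OUT='user1 : hadoop bigdata'

# Groups the OS (NSS, e.g. via SSSD) resolves for a user, one per line.
os_groups() { id -Gn "$1" 2>/dev/null | tr ' ' '\n'; }

# Parse `hdfs groups` output ("user : g1 g2") from stdin into one group per line.
parse_hdfs_groups() {
    sed -n 's/^[^:]*:[[:space:]]*//p' | tr -s ' ' '\n' | sed '/^$/d'
}

# diagnose GROUP OS_LIST HADOOP_LIST -> prints one of:
#   resolved        group is visible to both the OS and Hadoop
#   hadoop-mapping  OS resolves it, Hadoop does not (group mapping or its cache)
#   os-lookup       the OS on this node does not resolve it (NSS/SSSD side)
diagnose() {
    if ! printf '%s\n' "$2" | grep -Fxq -- "$1"; then
        echo os-lookup
    elif ! printf '%s\n' "$3" | grep -Fxq -- "$1"; then
        echo hadoop-mapping
    else
        echo resolved
    fi
}

# Live run only when called with USER and GROUP arguments.
if [ "$#" -eq 2 ]; then
    os_list=$(os_groups "$1")
    hadoop_list=$(hdfs groups "$1" 2>/dev/null | parse_hdfs_groups)
    echo "$1 / $2: $(diagnose "$2" "$os_list" "$hadoop_list")"
fi
```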

Re: Using groups from LDAP in ranger - does not work

@Adi Jabkowsky can you please check Ranger UI -> Settings -> Users, whether users are properly mapped to the groups.

So please check whether users who are part of the group are showing the mapping on the UI too.

Re: Using groups from LDAP in ranger - does not work

Expert Contributor

@deepak sharma

I checked the Ranger UI >> Settings >> Users and I can see the AD groups of every user. As you can see, this is my user and my AD groups.

5243-snap-2016-06-26-at-095613.png

So the Ranger does map users & groups, but again - if I use a group instead of a user it doesn't work. I still get permission denied. I can only work with users....

Re: Using groups from LDAP in ranger - does not work

Can you please check the audit logs? Which policy denied the operation?

Re: Using groups from LDAP in ranger - does not work

Expert Contributor
@deepak sharma

I checked and the policy is null

5251-snap-2016-06-27-at-124323.png

As you can see in the previous screenshot - the Ranger UI does map my user and my AD groups. But when adding one of my groups to any DB in hive + select permissions - I receive permission denied. Policy ID - null, as you can see in the latest screenshot. However, if I add my user - no problem!

Re: Using groups from LDAP in ranger - does not work

@Adi Jabkowsky can you try the same scenario for some other service? Just want to confirm whether it is for Hive only or for all the services.

Re: Using groups from LDAP in ranger - does not work

New Contributor

You must add the user on the node where you set up HiveServer, e.g. useradd -G bigdata user1, then add authority to the group (bigdata) in the Ranger UI, then test.

beeline -u jdbc:hive2://node:10000/default -n user1 -e "show databases"

it will work~

Re: Using groups from LDAP in ranger - does not work

Expert Contributor

@wang chi Thank you for taking the time to respond! Correct me if I'm wrong, but what you are suggesting is creating a local user and adding it to a local group. I don't want to create local users for all my end users which need access to the hive - this is why I use Active Directory... Or maybe I didn't quite understand your suggestion....

Re: Using groups from LDAP in ranger - does not work

New Contributor

@Adi Jabkowsky Did you ever find a solution to this?
