@Laurence Da Luz Thank you! I've changed the search filter as per your recpmmendation (also modified objectclass=top which currently works for user-sync) but still same results. I'll keep on digging.
Is there a log where i can check for errors while running 'hdfs groups' command ? Also, if i'm using SSSD - does it mean i have to use it for ranger / user-sync or i can use SSSD just for the mapping ?
Using SSSD for AD/Linux integration does not impact how you configure ranger usersync. Your ranger usersync would stay in order to provide AD integration to Ranger UI, and the SSSD config would be so that your AD users resolve on the linux OS (which HDFS will read from)
@Adi Jabkowsky can you please check ranger UI -> setting->users , whether users are properly mapped to the groups.
so please check whether users those are part of the group are showing mapping on the UI too.
I checked the ranger ui >> settings >> users and i can see the AD groups of every user. As you can see this is my user and my AD groups.
So the Ranger does map users & groups, but again - if i use a group instead of a user it doesn't work. I still get permission denied. I can only work with users....
I checked and the policy is null
As you can see in the previous screenshot - the Ranger UI does map my user and my AD groups. But when adding one of my groups to any DB in hive + select permissions - i receive permission denied. Policy ID - null as you can see in the latest screenshot. However, If i add my user - no problem!
you must add user on the node which you setup hiveserver,eg:useradd -G bigdata user1,then you add authority to group(bigdata) on ranger'UI,then test.
beeline -u jdbc:hive2://node:10000/default -n user1 -e "show databases"
it will work~
@wang chi Thank you for taking the time to respond! Correct me if i'm wrong but what you are suggesting is creating local user and adding it to a local group. I don't want to create local users for all my end users which need access to the hive - this is ahy i use Active Directory... Or maybe i didn't quite understand your suggestion....