When I allow user1 to read the col1 column in the table on Hive, I will add the following policy to Hive service in Ranger. However, this is not enough in case "Run as end user instead of Hive user = true". I have to add the policy to HDFS service in Ranger. The following table shows the policies at each ACL layer. In this case, user1 can access to the entire table data by hdfs command or hive command without hiveserver2. I think that Ranger support column based ACL in case when "Run as end user instead of Hive user" is true. ... View more

I'm trying to sync users and groups from LDAP into Ranger using Ranger Usersync. How do I associate the groupname in the group info and the gid in the user and the group info? In my LDAP server, the user info has the gid, but does not have the groupname. I tried LDAP Usersync, but I can't get groupnames. Ranger UI only displaied the gid. I had tried after setting ranger.usersync.group.searchenabled to true, but I could not get groupnames again. The usersync.log showed the folloing logs: INFO LdapUserGroupBuilder [UnixUserSyncThread] - Updating user count: 1, userName: user1, groupList: [] INFO LdapUserGroupBuilder [UnixUserSyncThread] - Updating user count: 2, userName: user2, groupList: [] ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・ INFO LdapUserGroupBuilder [UnixUserSyncThread] - computed groups for user: user1, groups: [] ERROR LdapUserGroupBuilder [UnixUserSyncThread] - sink.addOrUpdateUser failed with exception: org/apache/commons/httpclient/URIException, for user: user1, groups: [] INFO LdapUserGroupBuilder [UnixUserSyncThread] - computed groups for user: user2, groups: []ERROR LdapUserGroupBuilder [UnixUserSyncThread] - sink.addOrUpdateUser failed with exception: org/apache/commons/httpclient/URIException, for user: user2, groups: [] Settings of usersync was as follows : ranger.usersync.source.impl.class = org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder ranger.usersync.ldap.user.searchscope = sub ranger.usersync.ldap.user.searchfilter = (space) ranger.usersync.ldap.user.searchbase = ou=account,dc=TEST ranger.usersync.ldap.user.objectclass = user ranger.usersync.group.memberattributename = member ranger.usersync.group.nameattribute = cn ranger.usersync.group.objectclass = group ranger.usersync.group.searchbase = ou=group,dc=TEST ranger.usersync.group.searchenabled = true ranger.usersync.group.searchfilter = (space) ranger.usersync.group.searchscope = (space) ranger.usersync.ldap.searchBase = dc=TEST ranger.usersync.ldap.user.groupnameattribute = gidNumber ranger.usersync.ldap.user.nameattribute = uid The user and group setting is as follows: ・User dn: uid=user1,ou=user,dc=TEST uid: user1 objectClass: user uidNumber: 10 gidNumber: 50100 cn: user1 ・Group dn: cn=group1,ou=group,dc=TEST cn: group1 objectClass: group gidNumber: 50100 member: user1 Please let me know what I should check. Version HDP 2.3.0.0 Ranger 0.5.0.2.3 I have bad English, so I apologize if I say something strange. Thanks. ... View more