11-29-2016
12:15 PM
@Edgar Daeds Thank you for replying. Audit to DB is checked in Ambari. I also unchecked, saved and restarted, then checked again, saved and restarted - but the problem still remains. Regarding using own values instead of variables - I'm not sure exactly what to enter, and again - until the reboot it worked flawlessly.
11-29-2016
12:13 PM
@Sagar Shimpi
Thank you for replying.
I wanted to add that login sessions are being audited. It's just the Access information (Hive access) that isn't audited.
I enabled debug as per your recommendation and restarted Ranger but haven't found any errors regarding audit or connection to the db.
There is an LDAP error:
DEBUG org.apache.ranger.security.handler.RangerAuthenticationProvider (RangerAuthenticationProvider.java:280) - AD Authentication Failed:
org.springframework.security.authentication.BadCredentialsException: Bad credentials
But it doesn't say which user and I'm not sure it is related. Our Hive is configured for LDAP auth so maybe it is related.
11-29-2016
09:12 AM
Hello, we use Ranger for auditing Hive.
Yesterday at 15:20, after restarting the server that runs Ambari (Ambari audits to the default mysql which is on the same server), the auditing stopped working.
Ranger is up & running, mysql is also running, plugins are working and synced with HiveServer2.
Yet no data is being audited to the db since the reboot of the server. I've queried the xa_ranger_audit table and it shows entries up until the server reboot.
Clearly something imperative is not running. Any suggestions are appreciated!
Labels:
- Apache Hive
- Apache Ranger
11-09-2016
05:15 PM
It seems that Ranger 0.5 retrieves just the groups that hold the users that it synced. Empty groups are not retrieved. In Ranger 0.6 it is fixed. https://issues.apache.org/jira/browse/RANGER-869
11-09-2016
08:25 AM
@Sagar Shimpi
Thank you for replying. I've completed all configurations for group mapping as described in the document, and group mapping works. The problem is that usersync does not import groups from LDAP. Just users and creates their groups as internal.
This means that groups from LDAP which have no users (new groups) are unavailable in Ranger. I can't attach the logs because they hold names and addresses from our production environment, however I can attach the beginning of the log file which shows the values for usersync and I can tell you that there are no errors in the log.
Here is the problem in screenshots:
Users from Active Directory and their respective groups:
Groups are only "internal". No external groups:
The beginning of the log (I did change some of the OU names for privacy reasons):
09 Nov 2016 09:21:19 INFO UserGroupSync [UnixUserSyncThread] - initializing source: org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
09 Nov 2016 09:21:19 INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink
09 Nov 2016 09:21:19 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder updateSink started
09 Nov 2016 09:21:19 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization started
09 Nov 2016 09:21:19 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization completed with -- ldapUrl: ldap://<myldapserver>:389, ldapBindDn: CN=<ldapuser>,OU=<blabla>,OU=Users,OU=Administration,DC=corp,DC=cellcom,DC=co,DC=il, ldapBindPassword: ***** , ldapAuthenticationMechanism: simple, searchBase: OU=Administration,DC=corp,DC=cellcom,DC=co,DC=il, userSearchBase: OU=<usersOU>,OU=<parentou>,OU=Organization,OU=Administration,DC=corp,DC=cellcom,DC=co,DC=il, userSearchScope: 2, userObjectClass: person, userSearchFilter: objectclass=top, extendedUserSearchFilter: (&(objectclass=person)(objectclass=top)), userNameAttribute: sAMAccountName, userSearchAttributes: [sAMAccountName, ismemberof, memberof], userGroupNameAttributeSet: [ismemberof, memberof], pagedResultsEnabled: true, pagedResultsSize: 500, groupSearchEnabled: true, groupSearchBase: OU=<ouforgroups>,OU=<parentou>,DC=corp,DC=cellcom,DC=co,DC=il, groupSearchScope: 2, groupObjectClass: group, groupSearchFilter: , extendedGroupSearchFilter: (&(objectclass=group)(member={0})), extendedAllGroupsSearchFilter: (&(objectclass=group)), groupMemberAttributeName: member, groupNameAttribute: distinguishedName, groupUserMapSyncEnabled: true, ldapReferral: ignore
I would expect usersync to import groups from the groups OU thanks to the following:
groupSearchEnabled: true, groupSearchBase: OU=<ouforgroups>,OU=<parentou>,DC=corp,DC=cellcom,DC=co,DC=il,
Any ideas?
11-08-2016
02:29 PM
Hello experts, we have HDP 2.3.2 with Ranger 0.5 that is configured to sync users & groups from Active Directory.
SSSD is configured on all machines. ranger.usersync.ldap.user.searchbase & ranger.usersync.group.searchbase are configured to the relevant OUs. Usersync does sync users and maps them to their AD groups without a problem. I'm able to grant users permissions using Ranger but I'd rather manage groups and not users. When I search for groups in Ranger I can only see groups that have been mapped from the synced users - and not all the groups in the ranger.usersync.group.searchbase OU.
Bottom line, usersync syncs only users & their own groups - but not groups that are in the ranger.usersync.group.searchbase OU. All groups in Ranger are from source "Internal" and none "external".
I've set the following values under "Advanced ranger-ugsync-site":
- ranger.usersync.ldap.user.groupnameattribute
- ranger.usersync.group.nameattribute
- ranger.usersync.group.searchbase
- ranger.usersync.group.searchenabled = true
- ranger.usersync.group.usermapsyncenabled = true
Any ideas why usersync does not sync the groups?
Regards, Adi
Labels:
- Apache Ranger
11-02-2016
04:32 PM
I've noticed that on the new Edge running the HiveServer2, in /etc/hive/conf/conf.server, the ranger-hive-audit.xml & ranger-hive-security.xml were configured with localhost values. Fixed the issue by setting the server name instead of localhost in Ranger settings (Ambari) (External URL, authServiceHostName etc.). Now the new server can contact the Ranger and Hive is working.
Thank you for the heads up!
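A check for the misconfiguration described in the post above, as an added example that is not part of the original post or of Ranger itself: it parses a Hadoop-style plugin configuration file and reports every property whose value points at a loopback host. The sample XML, its values and the host ranger01.example.com are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the <configuration>/<property> layout used by
# ranger-hive-security.xml and ranger-hive-audit.xml; values are illustrative
# and ranger01.example.com is a placeholder host.
SAMPLE_PLUGIN_XML = """<configuration>
  <property>
    <name>ranger.plugin.hive.policy.rest.url</name>
    <value>http://localhost:6080</value>
  </property>
  <property>
    <name>ranger.plugin.hive.service.name</name>
    <value>cluster_hive</value>
  </property>
  <property>
    <name>xasecure.audit.destination.db.jdbc.url</name>
    <value>jdbc:mysql://ranger01.example.com/ranger_audit</value>
  </property>
</configuration>"""

_IPV4_LOOPBACK = re.compile(r"127(\.\d{1,3}){3}")
_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

def loopback_token(value):
    """Return the first loopback host token in a property value, or None."""
    # Split on anything that cannot be part of a host name, so the check is
    # on whole tokens and "mylocalhost.corp" is not a false positive.
    for token in re.split(r"[^A-Za-z0-9.-]+", value or ""):
        t = token.lower()
        if t in _LOOPBACK_NAMES or _IPV4_LOOPBACK.fullmatch(t):
            return token
    return None

def find_loopback_properties(xml_text):
    """Return [(name, value)] for properties whose value points at loopback."""
    hits = []
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        value = (prop.findtext("value") or "").strip()
        if loopback_token(value):
            hits.append((name, value))
    return hits

if __name__ == "__main__":
    for name, value in find_loopback_properties(SAMPLE_PLUGIN_XML):
        print(f"{name} = {value}  <-- points at the HiveServer2 host itself")
```

Run against the files under /etc/hive/conf/conf.server on each HiveServer2 host, a non-empty result on a host that does not also run Ranger Admin or the audit database indicates the plugin cannot reach them.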
11-02-2016
06:58 AM
@Neeraj Sabharwal @srai Thanks for the observation, I haven't considered this as a Ranger issue because it says that Access is allowed.. Anyways - disabling the Ranger plugin fixed the issue.... but I need the Ranger plugin so I could manage Hive authorizations using Ranger. Can't I use two HiveServer2 instances while managing Hive auth using Ranger??
11-01-2016
04:28 PM
When I'm connected to the additional hiveserver and run beeline >>> show tables I get no tables.
In the log it says:
2016-11-01 12:11:59,214 INFO [HiveServer2-Background-Pool: Thread-165]: HiveMetaStore.audit (HiveMetaStore.java:logAuditEvent(372)) - ugi=adija ip=unknown-ip-addr cmd=get_tables: db=default pat=.*
2016-11-01 12:11:59,229 WARN [HiveServer2-Background-Pool: Thread-165]: security.UserGroupInformation (UserGroupInformation.java:getGroupNames(1521)) - No groups available for user adija
2016-11-01 12:11:59,230 ERROR [HiveServer2-Background-Pool: Thread-165]: authorizer.RangerHiveAuthorizer (RangerHiveAuthorizer.java:filterListCmdObjects(430)) - filterListCmdObjects: Internal error: null RangerAccessResult object received back from isAccessAllowed()!
11-01-2016
07:24 AM
Hello, I have a cluster (HDP 2.3.2) with one edge node serving as Hive Server (running hiveserver2).
This server is used for Hive ETL processes and also for end users that query the Hive databases.
Because this server is very busy I want to add another edge server that will be dedicated to the ETL processes, thus ending up with one edge node for ETL processes (that insert data to Hive tables), and a different edge node that serves end users for querying the same Hive tables.
I've added the new host to the cluster and ran the add HiveServer2 wizard.
Ambari shows everything is up and running.
When I log in to the new edge node, run "beeline" and log in to Hive, I can't see the tables in my old Hive metastore. It is as if these are two completely separate instances. I need two different servers looking at the same Hive metastore\DB.
Any ideas how I can accomplish this?
Labels:
- Apache Ambari
- Apache Hive