Hi Vipin, I tried with same configurations(With HDP 2.5.5,Zeppelin version 0.6.0.2.5.5.0-157)but I got the below exception. ERROR LoginRestApi.java[postLogin]:103) - Exception in login: org.apache.shiro.authc.AuthenticationException: LDAP naming error while attempting to authenticate user. at org.apache.shiro.realm.ldap.AbstractLdapRealm.doGetAuthenticationInfo(AbstractLdapRealm.java:197) Caused by: javax.naming.CommunicationException: simple bind failed: <server>:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target] Advanced zeppelin-config: zeppelin.anonymous.allowed=false Advanced zeppelin-env: shiro_ini_content: [users] # List of users with their password allowed to access Zeppelin. # To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections #admin = password1 #user1 = password2, role1, role2 #user2 = password3, role3 #user3 = password4, role2 # Sample LDAP configuration, for user Authentication, currently tested for single Realm [main] activeDirectoryRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm activeDirectoryRealm.systemUsername = CN=<systemusername>,OU=<VALUE>,OU=<VALUE>,DC=<VALUE>,DC=<VALUE>,DC=<VALUE> activeDirectoryRealm.systemPassword = <systempassword> #activeDirectoryRealm.hadoopSecurityCredentialPath= jceks://user/zeppelin/conf/zeppelin.jceks activeDirectoryRealm.searchBase = OU=<VALUE>,OU=<VALUE>,DC=<VALUE>,DC=<VALUE>,DC=<VALUE> activeDirectoryRealm.url = ldaps://<VALUE>:636 activeDirectoryRealm.authorizationCachingEnabled = false sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager securityManager.sessionManager = $sessionManager securityManager.realms = $activeDirectoryRealm # 86,400,000 milliseconds = 24 hour securityManager.sessionManager.globalSessionTimeout = 86400000 shiro.loginUrl = /api/login [roles] [urls] /api/version = anon #/** = anon /** = authc ... View more

I found the issue. My Ranger admin and ranger database reside on different nodes. I was giving the database host instead of Ranger admin host in "policymgr_external_url" property. Correcting it solved the issue. Thanks for your reply. ... View more

@Deepak Sharma Thanks for your reply. Following are my usersync configs: Sync Source: LDAP/AD LDAP/AD URL: ldaps://<server>:636 Authentication method: ACTIVE_DIRECTORY Username Attribute: cn User Object Class: user User Search Filter: cn=* User Search Scope: sub User Group Name Attribute: memberof Group Member Attribute: member Group Name Attribute: cn Group Object Class: group Group Search Filter: cn=* Also, these configs worked with a different Ranger that I had configured before wit the same LDAP cert file. But now I don't understand what the issue is. ... View more

@vperiasamy Yes, I understand from @Deepak Sharma and @Terry Stebbens that Hive Ranger plugin works with Beeline and not Hive CLI. ... View more

Right now I am trying with Hive CLI as I am familiar with it. So, is it that the Ranger hive plugin won't work with Hive CLI at all? ... View more

I have attached screenshot for hive audit. In this only "USE' access type audits are displayed for servicetype=Hive ... View more

@Hari Rongali I set mapreduce.job.queuename=<queue name> and it works. Thanks a lot for your answer. ... View more