06-14-2021
08:13 AM
A bit late to the party, but hope the following will help.

Calling the main functions of the classes UnixUserGroupBuilder, PolicyMgrUserGroupBuilder or LdapUserGroupBuilder is not going to work, since the main classes of these are only initializing the classes. In order to start the actual sync, the function updateSink needs to be called. During startup this is handled by the class org.apache.ranger.usergroupsync.UserGroupSync; thus, calling its main function will trigger the syncing using the configuration that you set in your cluster.

A complete example for triggering the usersync manually could be:

```
java -Dlogdir=/var/log/ranger/usersync -cp "/usr/hdp/current/ranger-usersync/dist/unixusersync-1.2.0.3.1.5.135-2.jar:/usr/hdp/current/ranger-usersync/lib/*:/etc/ranger/usersync/conf" org.apache.ranger.usergroupsync.UserGroupSync
```

for HDP and

```
java -Dlogdir=/var/log/ranger/usersync -cp "/opt/cloudera/parcels/CDH/lib/ranger-usersync/dist/unixusersync-2.1.7.1.7.0-460.jar:/opt/cloudera/parcels/CDH/lib/ranger-usersync/lib/*:/etc/ranger/usersync/conf" org.apache.ranger.usergroupsync.UserGroupSync
```

for CDP.
09-20-2019
06:28 AM
I found the Ranger KMS Admin Guide for HDP 2.4.0, hopefully this is what you are looking for.
01-15-2019
01:21 PM
You are right. I just was not reading the documentation carefully; a non-admin user can't view the policy.
05-12-2019
06:11 PM
1 Kudo
Remove the entry from the Ranger DB and restart the Ranger admin process to resolve this.

```
select * from x_db_version_h where version = 'J10001';
delete from x_db_version_h where version = 'J10001';
```

This is usually seen during a fresh install. After installation, during the first start of the Ranger admin process, Ambari starts applying patches, and if this operation is aborted for any reason, you may see this error when you restart the Ranger admin process.
02-27-2018
03:19 PM
2 Kudos
Prakash Punj Audit source from HDFS is not supported at the Ranger end. However, you can store audits in HDFS through plugins. So if you want to get audits on the Ranger UI, you need to change the audit source to Solr and store the audits in Solr.
02-01-2018
04:17 PM
Can you check your hadoop.kms.authentication.kerberos.name.rules settings from kms-site.xml? Try "DEFAULT" if you have a customized setting that is invalid. You mentioned that the KMS principal is changed. Can you also post your hadoop.kms.authentication.kerberos.principal and hadoop.security.auth_to_local settings from core-site.xml?
11-17-2017
07:32 AM
I found the solution. The issue is fixed now.

In my case, one of the LDAP usernames is 'dvteam', but in the LDAP database there was a full description of the username as 'architecture dev team, locations, team details, etc'. The error messages I found in nifi-user.log showed that the 'architecture dev team' user was trying to authenticate with the NiFi nodes. Authentication was successful but authorization was not happening. The username which I had mentioned in Initial Admin Identity was 'dvteam' (cn=dvteam,ou=xx,ou=xx,ou=xx,ou=xx,dc=abc,dc=com). Then, as per the logs, I changed it to (cn=architecture dev team,ou=xx,ou=xx,ou=xx,ou=xx,dc=abc,dc=com).

Also, there was some mismatch in the host names in the node identities section. 'hostname -f' shows a hostname ip-zz-xx-ec2-internal. So I had given 'ip-zz-xx-ec2-internal' in the node identities section, but that was not working. Then I changed the hostnames to 'nifi1.abc.local' and mentioned those in node identities.

In 'Template for login-identity-providers.xml' I've made some changes. Earlier I had set 'use_username' in the '<property name="Identity Strategy">USE_DN</property>' section. Later I changed it to use_dn, because as per the nifi-user log, authentication is happening with the LDAP user 'architecture dev team'. So in my case use_username was not working for authentication.

After every configuration change I used to remove the authorizations.xml and users.xml files from all my NiFi nodes.

Also, there was confusion about 'OU' in the node identities section. What does OU mean in the node identities section? I don't know yet. Later I mentioned 'OU=nifi' and also gave the host names as 'nifi1.abc.local', 'nifi2.abc.local', etc. I added the AD/LDAP user in Initial Admin Identity (cn=architecture dev team,ou=xx,ou=xx,ou=xx,ou=xx,dc=abc,dc=com).

After setting all of the above, I was facing an error about setting nifi.security.identity.mapping.pattern.dn. There was a challenge with the pattern definition. There were 4 'ou' that I had defined in the initial admin identities and login-identity-providers.xml. So I used the pattern below and it worked well.

```
^cn=(.*?),ou=(.*?),ou=(.*?),ou=(.*?),ou=(.*?),dc=(.*?),dc=(.*?)$
```

Note: I have removed Ranger completely.

Thanks, Suraj
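Added example (not part of the post above and not NiFi's own code): a Python check of how a DN mapping pattern of this shape treats different DN spellings, comparing groups written as `(.*?)` with groups written as `(.?)`. It assumes the pattern must match the whole DN case-sensitively and that `nifi.security.identity.mapping.value.dn` is `$1`; the sample DNs are constructed.

```python
import re

# Pattern shape from the post: cn, four ou components, two dc components.
DN_PATTERN = r"^cn=(.*?),ou=(.*?),ou=(.*?),ou=(.*?),ou=(.*?),dc=(.*?),dc=(.*?)$"
# Same pattern with the asterisks missing: each group matches at most one character.
SHORT_GROUP_PATTERN = DN_PATTERN.replace("(.*?)", "(.?)")
# Assumed mapping value: keep only the cn component.
MAPPING_VALUE = "$1"

# Constructed sample DNs (not taken from any real directory).
SAMPLE_DNS = [
    "cn=architecture dev team,ou=a,ou=b,ou=c,ou=d,dc=abc,dc=com",      # expected form
    "CN=architecture dev team,OU=a,OU=b,OU=c,OU=d,DC=abc,DC=com",      # upper-case keys
    "cn=architecture dev team, ou=a, ou=b, ou=c, ou=d, dc=abc, dc=com",  # spaces after commas
    "cn=architecture dev team,ou=a,ou=b,ou=c,dc=abc,dc=com",           # only three ou
]


def map_identity(dn, pattern=DN_PATTERN, value=MAPPING_VALUE):
    """Return the mapped identity, or the DN unchanged if the pattern
    does not match the entire string."""
    m = re.fullmatch(pattern, dn)
    if m is None:
        return dn
    # Translate $N group references into Python's \g<N> form before expanding.
    return m.expand(re.sub(r"\$(\d+)", r"\\g<\1>", value))


def report(dns, pattern=DN_PATTERN):
    """List (dn, mapped identity, whether the mapping changed it) per DN."""
    rows = []
    for dn in dns:
        mapped = map_identity(dn, pattern)
        rows.append((dn, mapped, mapped != dn))
    return rows


if __name__ == "__main__":
    for label, pat in (("(.*?) groups", DN_PATTERN), ("(.?) groups", SHORT_GROUP_PATTERN)):
        print(label)
        for dn, mapped, changed in report(SAMPLE_DNS, pat):
            print("  mapped " if changed else "  no match", repr(dn), "->", repr(mapped))
```

An unmapped DN keeps its full string as the identity, so it only lines up with configured users and policies that use exactly the same string.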
10-10-2017
06:13 PM
@vperiasamy I was experiencing a similar issue with my Atlas UI after this 'ABORTED' upgrade, and I did happen to try a different type of browser, and the issue was resolved. I tried with Ranger as well, and it's indeed a browser issue. Thanks.
09-11-2017
04:52 PM
1 Kudo
Read/Write permissions are applicable only for S3 URL. See https://issues.apache.org/jira/browse/RANGER-1513 @Ramesh Mani can provide further clarification.