Member since
10-22-2015
69
Posts
39
Kudos Received
14
Solutions
My Accepted Solutions
Title | Views | Posted |
---|---|---|
6086 | 07-24-2018 11:19 PM | |
3140 | 03-01-2018 06:18 PM | |
11750 | 02-26-2018 06:51 PM | |
3410 | 11-10-2017 07:35 PM | |
2839 | 09-08-2017 11:32 PM |
09-10-2018
06:29 PM
so what does hdfs groups for that user return then? In section (C) of your initial post, you mentioned that the hdfs groups match the ones under Ranger groups.
... View more
09-10-2018
06:17 PM
@Sriram, Can you post the output of the hdfs groups and the screenshot of ranger groups? Also, it will be good to enable debug for "org.apache.ranger" for hdfs logs so that we can see what is the group name that is coming in for authorization request.
... View more
07-24-2018
11:19 PM
@Steven Matison With the above configuration (after "Enable User Search" is turned on), you should now be able to see the user (smatison) with samaccountname. Do you see that user in ranger admin? Few points to consider: 1. When "Enable Group Search First" is "ON" and "Enable User Search" is "OFF", Ranger syncs users using the "Group Member Attribute" which is in general configured with "CN" of the user. 2. When "Enable Group Search First" is "ON" and "Enable User Search" is "ON", Ranger syncs users using the value configured for "Username Attribute" (which is samaccountname in your case). 3. Once the users or groups are sync'd to Ranger, they are not deleted by Ranger automatically. It is a manual operation by ranger admin to go and delete the unused users/groups from UI. 4. For more details on how ranger syncs users and groups with different configuration options, you can refer to these articles: - https://community.hortonworks.com/articles/105620/configuring-ranger-usersync-with-adldap-for-a-comm.html - https://community.hortonworks.com/articles/105623/various-options-supported-in-ranger-usersync-with.html Thanks, Sailaja.
... View more
07-23-2018
08:53 PM
@Steven Matison, Is it possible to provide usersync.log file and/or screenshot of "User Configs" and "Group Configs" tabs in Ambari?
... View more
07-20-2018
07:02 PM
@Steven Matison Do you have "Group Search First" enabled (under Group Config tab in Ambari)? If so, please enable "User search" (under User Config tab) as well. Then you can configure the username attribute to "sAMAccountName" so that the users are mapped correctly. Please provide your usersync configuration if you need more help. >> I am also wondering how to get the First Name, Last Name and Email Address mapped correctly as well? The First Name, Last Name is the same as User Name and Email Address is empty. This is currently not supported in Ranger. We have an internal jira for tracking this. Please let us know the customer info that is asking for this feature so that we can prioritize accordingly. Thanks, Sailaja.
... View more
03-01-2018
06:18 PM
1 Kudo
@Pit Err, You are in right direction with option #3 above. One minor change is that, you can use "cn=*" in the user search filter instead. When group search first is enabled and user search is enabled, then the logic is - 1. First sync all the groups based on the group configuration (including group search base and group search filter). 2. Cache all the members for each group using the member attribute. 3. For syncing the users - a. If user search is not enabled, then just use the short name for the user names (from member attribute of the user) b. If user search is enabled, then sync the users based on the user configuration (including user search base and user search filter) and the cached users from step2. For the users that are in the cache, update the username with samaccountname retrieved from the user search. Discard all the other users from the user search base and user search filter that doesn't match the cached users from step2. Effectively, you are just getting all the users from the groups that are sync'd from step1. Hope this helps, Thanks, Sailaja.
... View more
02-26-2018
06:51 PM
@GN_Exp, In order to disable incremental sync following properties are to be set in ranger-ugsync-site.xml: <property> <name>ranger.usersync.ldap.deltasync</name> <value>false</value> </property>
<property>
<name>ranger.usersync.sink.impl.class</name>
<value>org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder</value>
</property>
... View more
02-23-2018
05:37 AM
@Sagar Shimpi This is not related as the issue here is even the users are not sync'd. And about RANGER-1615, the way we retrieve the groups when incremental sync is enabled is different from when the incremental sync is disabled. For more details on the incremental sync design and implementation, please refer to https://issues.apache.org/jira/browse/RANGER-1211
... View more
02-23-2018
01:57 AM
@GN_Exp, From the logs I see that ranger is able to connect to the ldap server but the server return 0 users and 0 groups. Can you run the following ldap search command: ldapsearch -h localhost -p 33389 -D "uid=admin,ou=people,dc=hadoop,dc=apache,dc=org" -b "ou=people,dc=hadoop,dc=apache,dc=org" "(&(objectclass=person)(uid=*))" -W enter admin password when prompted. If this returns all the entries from ou=people, then can you try the following ldap search command: ldapsearch -h localhost -p 33389 -D "uid=admin,ou=people,dc=hadoop,dc=apache,dc=org" -b "ou=people,dc=hadoop,dc=apache,dc=org" "(&(objectclass=person)(|(uSNChanged>=0)(modifyTimestamp>=19700101120000Z))(uid=*))" -W enter admin password when prompted. If this doesn't return any entries, then you can try disable "incremental sync" from ranger user info config. May be your ldap doesn't support modifyTimestamp attribute? Hope this helps!
... View more
12-07-2017
06:29 PM
@Pedro Antonio Gonzalez Perez This issue is fixed as part of https://issues.apache.org/jira/browse/RANGER-1632
... View more