dbukvic
Explorer

Re: Limit LDAP/AD users from a specific group to l...

by Explorer in Support Questions
‎08-11-2017 09:49 AM
‎08-11-2017 09:49 AM
Hi Fahim, I think this is not suitable. I am asking how I can filter out a AD user to connect to Ranger Admin UI. Since the filter described in my email is not working. Regards, Dino ... View more

Limit LDAP/AD users from a specific group to log i...

by Explorer in Support Questions
‎07-28-2017 02:43 PM
‎07-28-2017 02:43 PM
Hi all, I have a following config that should restrict users outside the group in the search filter to log in into Ranger Admin UI. The group contains only one user (lets say userA)However, all the users that are under the baseDN can log in, no matter what I put in the search filter. For the record, usersync is also configured with the same search filter and only one user (userA) is synced, so on that side, it works. Any ideas? Regards, Dino ... View more
Labels:

Re: Cannot log in with LDAP/AD user in Ranger UI

by Explorer in Support Questions
‎06-22-2017 02:57 PM
‎06-22-2017 02:57 PM
Another update: After changing ranger.ldap.group.searchfilter and ranger.ldap.group.searchbase from ambari placeholders {{ranger_ug_ldap_group_searchfilter}} and {{ranger_ug_ldap_group_searchbase}} to actual values, the login started to work. What I am puzzled is why is there reference of this in the documentation. Basically if you do not enable LDAP Group Sync for Ranger in Ambari, you need to set these values manually in order for Ranger UI authentication to work against LDAP users. Am I right? Regards, Dino ... View more

Re: Cannot log in with LDAP/AD user in Ranger UI

by Explorer in Support Questions
‎06-22-2017 12:21 PM
‎06-22-2017 12:21 PM
Hi, Authentication method is LDAP, group search filter is {{ranger_ug_ldap_group_searchfilter}} and gets inherited, but the problem is that Group sync is not enabled. So this value was probably empty. So we changed it to cn=* and now instead of javax.naming.directory.InvalidSearchFilterException: Empty filter; remaining name '' We get the following: javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name '' The logs are not that helpful. Regards ... View more

Cannot log in with LDAP/AD user in Ranger UI

by Explorer in Support Questions
‎06-21-2017 04:22 PM
‎06-21-2017 04:22 PM
Hi all, I would appreciate a feedback on this. User ldap searchfilter is set to (uid={0}) HDP version is 2.5.3 and Ambari: 2.4.2 When login to Ranger UI by using LDAP user we get the following error: 2017-06-21 17:50:23,823 [http-bio-6080-exec-2] DEBUG org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter (AbstractAuthenticationProcessingFilter.java:189) - Request is to process authentication 2017-06-21 17:50:23,889 [http-bio-6080-exec-2] DEBUG org.apache.ranger.security.handler.RangerAuthenticationProvider (RangerAuthenticationProvider.java:260) - LDAP Authentication Failed: org.springframework.ldap.InvalidSearchFilterException: Empty filter; nested exception is javax.naming.directory.InvalidSearchFilterException: Empty filter; remaining name '' at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:135) at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:319) at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:259) at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:606) at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:524) at org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleAttributeValues(SpringSecurityLdapTemplate.java:173) at org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator.getGroupMembershipRoles(DefaultLdapAuthoritiesPopulator.java:215) at org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator.getGrantedAuthorities(DefaultLdapAuthoritiesPopulator.java:185) at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.loadUserAuthorities(LdapAuthenticationProvider.java:197) at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:63) at org.apache.ranger.security.handler.RangerAuthenticationProvider.getLdapAuthentication(RangerAuthenticationProvider.java:252) at org.apache.ranger.security.handler.RangerAuthenticationProvider.authenticate(RangerAuthenticationProvider.java:102) at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156) at org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:94) at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160) at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:748) Caused by: javax.naming.directory.InvalidSearchFilterException: Empty filter; remaining name '' at com.sun.jndi.ldap.Filter.encodeFilterString(Filter.java:57) at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:546) at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985) at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1844) at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769) at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:341) at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267) at org.springframework.ldap.core.LdapTemplate$4.executeSearch(LdapTemplate.java:253) at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:293) ... 39 more Regards, Dino ... View more
Labels:

Re: HBase BulkLoad - Region Split behaviour

by Explorer in Support Questions
‎09-07-2016 08:41 AM
‎09-07-2016 08:41 AM
Thanks for confirming. The behaviour seems to match. The customer will have to revise the bulk loading procedures and rowkey design in order to have a more stable environment. ... View more

Re: HBase BulkLoad - Region Split behaviour

by Explorer in Support Questions
‎09-06-2016 09:44 PM
‎09-06-2016 09:44 PM
At the moment they deleted the table and started the new bulk load with the same frequency and the row keys. The region grew to 220 GB and the compactions were queueing up. The Splits are not triggered. The files that were loaded were around 120 MB in size, so there is a lot of files to compact. hbase.hregion.max.filesize is set to 10GB ... View more

Re: HBase BulkLoad - Region Split behaviour

by Explorer in Support Questions
‎09-06-2016 04:09 PM
‎09-06-2016 04:09 PM
Yes, I found this https://issues.apache.org/jira/browse/HBASE-12657 . In the ticket you can see the following: "Lowest sequence ID among all store files in a region is the reason that reference files are constantly getting removed from compaction selections if there are newer files in a compaction queue. This is what is happening under high load when there are too many minor compaction requests in a queue, reference files do not have a chance to be compacted. Interestingly, that current 0.94 and 0.98 code have different issues here and require different patches." The HBase version in place is 1.1.11.x. The compaction queue usually holds around 60-80 entries. ... View more

HBase BulkLoad - Region Split behaviour

by Explorer in Support Questions
‎09-06-2016 02:03 PM
1 Kudo
‎09-06-2016 02:03 PM
1 Kudo
Hi all, we have a customer that is using HBase and has a pretty strange loading pattern. They use BulkLoad to load around 120 MB of data every 5-10 secs. The table is NOT pre-splitted and has 7 ColumnFamilies. Only 2-3 CFs are populated. What happens is that data goes into a single region initially and the region goes way beyond the split threshhold (10GB or R^2*flush size - they are using default split policy), I saw a region big as 2.2T with constant compactions that take 4-5 hrs. Also, RowKey is sequential which again casts a shadow on the application but the customer is reluctant to change anything. I am sure that even if the region was splitted they would have an issue with Hotspotting. Does the frequent BulkLoad in combination with sequential Rowkey, apart from being a terrible practice for Hbase, affect splitting? Any suggestions? Regards, Dino ... View more
Labels:
Contact Me
Online
Offline
Last Visited
‎08-15-2017 09:00 AM
Public Statistics
Date Registered ‎05-13-2016 10:55 AM
Last Visited ‎08-15-2017 09:00 AM
Total Messages Posted 9
Total Kudos Received 1