Member since
05-13-2016
9
Posts
1
Kudos Received
0
Solutions
08-11-2017
09:49 AM
Hi Fahim, I think this is not suitable. I am asking how I can filter out a AD user to connect to Ranger Admin UI. Since the filter described in my email is not working. Regards, Dino
... View more
07-28-2017
02:43 PM
Hi all, I have a following config that should restrict users outside the group in the search filter to log in into Ranger Admin UI. The group contains only one user (lets say userA)However, all the users that are under the baseDN can log in, no matter what I put in the search filter. For the record, usersync is also configured with the same search filter and only one user (userA) is synced, so on that side, it works. Any ideas? Regards, Dino
... View more
Labels:
- Labels:
-
Apache Ranger
06-22-2017
02:57 PM
Another update: After changing ranger.ldap.group.searchfilter and ranger.ldap.group.searchbase from ambari placeholders {{ranger_ug_ldap_group_searchfilter}} and {{ranger_ug_ldap_group_searchbase}} to actual values, the login started to work. What I am puzzled is why is there reference of this in the documentation. Basically if you do not enable LDAP Group Sync for Ranger in Ambari, you need to set these values manually in order for Ranger UI authentication to work against LDAP users. Am I right? Regards, Dino
... View more
06-22-2017
12:21 PM
Hi, Authentication method is LDAP, group search filter is {{ranger_ug_ldap_group_searchfilter}} and gets inherited, but the problem is that Group sync is not enabled. So this value was probably empty. So we changed it to cn=* and now instead of javax.naming.directory.InvalidSearchFilterException: Empty filter; remaining name '' We get the following: javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name '' The logs are not that helpful. Regards
... View more
06-21-2017
04:22 PM
Hi all, I would appreciate a feedback on this. User ldap searchfilter is set to (uid={0}) HDP version is 2.5.3 and Ambari: 2.4.2 When login to Ranger UI by using LDAP user we get the following error: 2017-06-21 17:50:23,823 [http-bio-6080-exec-2] DEBUG org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter (AbstractAuthenticationProcessingFilter.java:189) - Request is to process authentication 2017-06-21 17:50:23,889 [http-bio-6080-exec-2] DEBUG org.apache.ranger.security.handler.RangerAuthenticationProvider (RangerAuthenticationProvider.java:260) - LDAP Authentication Failed: org.springframework.ldap.InvalidSearchFilterException: Empty filter; nested exception is javax.naming.directory.InvalidSearchFilterException: Empty filter; remaining name '' at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:135) at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:319) at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:259) at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:606) at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:524) at org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleAttributeValues(SpringSecurityLdapTemplate.java:173) at org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator.getGroupMembershipRoles(DefaultLdapAuthoritiesPopulator.java:215) at org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator.getGrantedAuthorities(DefaultLdapAuthoritiesPopulator.java:185) at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.loadUserAuthorities(LdapAuthenticationProvider.java:197) at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:63) at org.apache.ranger.security.handler.RangerAuthenticationProvider.getLdapAuthentication(RangerAuthenticationProvider.java:252) at org.apache.ranger.security.handler.RangerAuthenticationProvider.authenticate(RangerAuthenticationProvider.java:102) at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156) at org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:94) at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160) at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:748) Caused by: javax.naming.directory.InvalidSearchFilterException: Empty filter; remaining name '' at com.sun.jndi.ldap.Filter.encodeFilterString(Filter.java:57) at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:546) at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985) at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1844) at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769) at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:341) at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267) at org.springframework.ldap.core.LdapTemplate$4.executeSearch(LdapTemplate.java:253) at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:293) ... 39 more Regards, Dino
... View more
Labels:
- Labels:
-
Apache Ranger
09-07-2016
08:41 AM
Thanks for confirming. The behaviour seems to match. The customer will have to revise the bulk loading procedures and rowkey design in order to have a more stable environment.
... View more
09-06-2016
09:44 PM
At the moment they deleted the table and started the new bulk load with the same frequency and the row keys. The region grew to 220 GB and the compactions were queueing up. The Splits are not triggered. The files that were loaded were around 120 MB in size, so there is a lot of files to compact. hbase.hregion.max.filesize is set to 10GB
... View more
09-06-2016
04:09 PM
Yes, I found this https://issues.apache.org/jira/browse/HBASE-12657 . In the ticket you can see the following: "Lowest sequence ID among all store files in a region is the reason that reference files are constantly getting removed from compaction selections if there are newer files in a compaction queue. This is what is happening under high load when there are too many minor compaction requests in a queue, reference files do not have a chance to be compacted. Interestingly, that current 0.94 and 0.98 code have different issues here and require different patches."
The HBase version in place is 1.1.11.x. The compaction queue usually holds around 60-80 entries.
... View more
09-06-2016
02:03 PM
1 Kudo
Hi all, we have a customer that is using HBase and has a pretty strange loading pattern. They use BulkLoad to load around 120 MB of data every 5-10 secs. The table is NOT pre-splitted and has 7 ColumnFamilies. Only 2-3 CFs are populated. What happens is that data goes into a single region initially and the region goes way beyond the split threshhold (10GB or R^2*flush size - they are using default split policy), I saw a region big as 2.2T with constant compactions that take 4-5 hrs. Also, RowKey is sequential which again casts a shadow on the application but the customer is reluctant to change anything. I am sure that even if the region was splitted they would have an issue with Hotspotting. Does the frequent BulkLoad in combination with sequential Rowkey, apart from being a terrible practice for Hbase, affect splitting? Any suggestions? Regards, Dino
... View more
Labels:
- Labels:
-
Apache HBase