Any further thoughts on this? Thanks.

On 13 May 2015, at 14:31, Bradman, Dale <[email protected]> wrote:

Yes, I am 90% sure I have. Is there a way to confirm? If I go to /etc/hbase/conf/ranger-security on each node it says enabled...

On 11 May 2015, at 18:04, Balaji Ganesan <[email protected]> wrote:

Just to confirm. Have you enabled ranger plugin in all the region servers?

On Mon, May 11, 2015 at 9:19 AM, Bradman, Dale <[email protected]> wrote:

I ran this command across all nodes:

$ hdfs groups user1

And got the same output each time:

user1: user1 group1

On 7 May 2015, at 16:56, Balaji Ganesan <[email protected]> wrote:

Can you run this command in all the nodes and let me know if it is giving the same result?

$ hdfs groups user1

On Thu, May 7, 2015 at 3:14 AM, Bradman, Dale <[email protected]> wrote:

Having the Ranger Policy like this allows user1 to read the tables:

<PastedGraphic-1.png>

However having the Ranger policy like below prevents user1 from reading tables despite user1 belonging to group1 (as proved by "$ hdfs groups user1"):

<PastedGraphic-2.png>

Here is the audit log for the two different transactions:

<PastedGraphic-5.png>

On 6 May 2015, at 15:37, Balaji Ganesan <[email protected]> wrote:

Dale, can you send across screenshot of the policy as well as what audit is showing for this transaction?

On May 6, 2015, at 5:51 AM, Bradman, Dale <[email protected]> wrote:

I’m fairly certain that authToLocal is configured properly. Issuing the command:

$ hdfs groups user1

Returns:

user1: user1 group1

On 5 May 2015, at 18:34, Don Bosco Durai <[email protected]> wrote:

Dale, have you configured authToLocal properly in Hadoop? Can you try this?

$ hdfs groups user1

Thanks
Bosco

From: Bradman, Dale <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Tuesday, May 5, 2015 at 5:57 AM
To: "[email protected]" <[email protected]>
Subject: Cannot define HBase policy by groups

Hello,

I am struggling to create policies on HBase defined by a group. Here is what I have done:

1. I create a UNIX user “user1” and add this user to the group “group1”.
2. Ranger UI syncs with UNIX and shows “user1” as an external user belonging to the group “group1”. Also, “group1” is automatically created as a new internal group in the groups section.
3. I create a HBase policy in RangerUI granting “user1” READ permissions on all HBase tables. As expected, “user1” is able to read the tables.
4. I then edit the same policy by also granting “group1” READ permissions on all HBase tables. As expected, “user1” is able to read the tables.
5. I then edit the same policy by removing “user1” entirely thus leaving only “group1” with READ permissions. Now, “user1” is unable to read the tables despite being a member of “group1”.

So essentially, what I want to be able to do is assign multiple users to “group1” and grant “group1” read access on tables.

Can anyone clarify if this is a bug or if I am doing something incorrectly?

Thanks,
Dale

________________________________

Capgemini is a trading name used by the Capgemini Group of companies which includes Capgemini UK plc, a company registered in England and Wales (number 943935) whose registered office is at No. 1, Forge End, Woking, Surrey, GU21 6DB.
This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
