Dale

Based on the comments so far, it seems you are doing everything correctly.
Also, since user level permission is working, it confirms that Ranger is
integrated properly.

Since group level permission is not working, can we enable debug logging and
see what groups we are getting?

After enabling debug logs, can you upload the logs somewhere or grep for
"for user" and cut and paste the output.

Thanks

Bosco


From:  <Bradman>, Dale <[email protected]>
Reply-To:  "[email protected]"
<[email protected]>
Date:  Monday, May 18, 2015 at 3:46 AM
To:  "[email protected]" <[email protected]>
Subject:  Re: Cannot define HBase policy by groups

> Any further thoughts on this ?
> 
> Thanks.
> 
> 
>> On 13 May 2015, at 14:31, Bradman, Dale <[email protected]> wrote:
>> 
>> 
>> Yes, I am 90% sure I have. Is there a way to confirm ?
>> 
>> If I go to /etc/hbase/conf/ranger-security on each node it says enabled...
>> 
>>> On 11 May 2015, at 18:04, Balaji Ganesan <[email protected]> wrote:
>>> 
>>> Just to confirm. Have you enabled ranger plugin in all the region servers ?
>>> 
>>> On Mon, May 11, 2015 at 9:19 AM, Bradman, Dale <[email protected]>
>>> wrote:
>>>> I ran this command across all nodes:
>>>> 
>>>> $ hdfs groups user1
>>>> 
>>>> And got the same output each time:
>>>> 
>>>> user1: user1 group1
>>>> 
>>>> 
>>>>> On 7 May 2015, at 16:56, Balaji Ganesan <[email protected]>
>>>>> wrote:
>>>>> 
>>>>> Can you run this command in all the nodes and let me know if it is giving
>>>>> the same result?
>>>>> 
>>>>> $ hdfs groups user1
>>>>> 
>>>>> On Thu, May 7, 2015 at 3:14 AM, Bradman, Dale <[email protected]>
>>>>> wrote:
>>>>>> Having the Ranger Policy like this allows user1 to read the tables:
>>>>>> 
>>>>>> <PastedGraphic-1.png>
>>>>>> However having the Ranger policy like below prevents user1 from reading
>>>>>> tables despite user1 belonging to group1 (as proved by "$ hdfs groups
>>>>>> user1"):
>>>>>> 
>>>>>> <PastedGraphic-2.png>
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> Here is the audit log for the two different transactions:
>>>>>> 
>>>>>> 
>>>>>> <PastedGraphic-5.png>
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>>> On 6 May 2015, at 15:37, Balaji Ganesan <[email protected]>
>>>>>>> wrote:
>>>>>>> 
>>>>>>> Dale, can you send across screenshot of the policy as well as what audit
>>>>>>> is showing for this transaction ?
>>>>>>> 
>>>>>>> On May 6, 2015, at 5:51 AM, Bradman, Dale <[email protected]>
>>>>>>> wrote:
>>>>>>> 
>>>>>>> I'm fairly certain that authToLocal is configured properly. Issuing the
>>>>>>> command:
>>>>>>> 
>>>>>>> $ hdfs groups user1
>>>>>>> 
>>>>>>> Returns:
>>>>>>> 
>>>>>>> user1: user1 group1
>>>>>>> 
>>>>>>> 
>>>>>>> On 5 May 2015, at 18:34, Don Bosco Durai <[email protected]> wrote:
>>>>>>> 
>>>>>>> Dale, have you configured authToLocal properly in Hadoop?
>>>>>>> 
>>>>>>> Can you try this?
>>>>>>> 
>>>>>>> $ hdfs groups user1
>>>>>>> 
>>>>>>> Thanks
>>>>>>> 
>>>>>>> Bosco
>>>>>>> 
>>>>>>> 
>>>>>>> From: <Bradman>, Dale <[email protected]>
>>>>>>> Reply-To: "[email protected]"
>>>>>>> <[email protected]>
>>>>>>> Date: Tuesday, May 5, 2015 at 5:57 AM
>>>>>>> To: "[email protected]"
>>>>>>> <[email protected]>
>>>>>>> Subject: Cannot define HBase policy by groups
>>>>>>> 
>>>>>>> Hello, 
>>>>>>> 
>>>>>>> I am struggling to create policies on HBase defined by a group. Here is
>>>>>>> what I have done:
>>>>>>> 
>>>>>>> 1. I create a UNIX user "user1" and add this user to the group "group1".
>>>>>>> 2. Ranger UI syncs with UNIX and shows "user1" as an external user
>>>>>>> belonging to the group "group1". Also, "group1" is automatically created
>>>>>>> as a new internal group in the groups section.
>>>>>>> 3. I create a HBase policy in RangerUI granting "user1" READ permissions
>>>>>>> on all HBase tables. As expected, "user1" is able to read the tables.
>>>>>>> 4. I then edit the same policy by also granting "group1" READ
>>>>>>> permissions on all HBase tables. As expected, "user1" is able to read
>>>>>>> the tables.
>>>>>>> 5. I then edit the same policy by removing "user1" entirely thus leaving
>>>>>>> only "group1" with READ permissions. Now, "user1" is unable to read the
>>>>>>> tables despite being a member of "group1".
>>>>>>> 
>>>>>>> So essentially, what I want to be able to do is assign multiple users to
>>>>>>> "group1" and grant "group1" read access on tables.
>>>>>>> 
>>>>>>> Can anyone clarify if this is a bug or if I am doing something
>>>>>>> incorrectly?
>>>>>>> 
>>>>>>> Thanks, 
>>>>>>> Dale
>>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> Capgemini is a trading name used by the Capgemini Group of companies
>>>>>> which includes Capgemini UK plc, a company registered in England and
>>>>>> Wales (number 943935) whose registered office is at No. 1, Forge End,
>>>>>> Woking, Surrey, GU21 6DB.
>>>>>> This message contains information that may be privileged or confidential
>>>>>> and is the property of the Capgemini Group. It is intended only for the
>>>>>> person to whom it is addressed. If you are not the intended recipient,
>>>>>> you are not authorized to read, print, retain, copy, disseminate,
>>>>>> distribute, or use this message or any part thereof. If you receive this
>>>>>> message in error, please notify the sender immediately and delete all
>>>>>> copies of this message.
>>>>> 
>>>> 
>>> 
>> 
> 