Dale,

There was no log file attached in your email. If attachments don’t come through email, can you please file a JIRA and attach the log files to the JIRA?
Also, can you please collect the logs from master and region servers?

Thanks,
Madhan

On 5/21/15, 7:41 AM, "林家銘" <[email protected]> wrote:

>Hi
>
>I think you cut the wrong log messages, here is the hbase-master log
>file, while the ranger-plugin should work on region servers.
>
>So you should try to check the region server log files out.
>
>And you might also try to search "UserGroupInformation" as your
>keyword, it cached the user-group mappings.
>
>2015-05-21 19:08 GMT+08:00, Bradman, Dale <[email protected]>:
>> Log file attached:
>>
>> hbase-hbase-master-HADOOP-MASTER.log:2015-05-20 13:31:39,070 DEBUG [master:HADOOP-MASTER:60000] hbase.HBaseAuthDB: RULE:[table: blogposts2, columnGroup:*, columnName: *, accessType: read, user:null, group: group1] is being added as Table Policy
>> hbase-hbase-master-HADOOP-MASTER.log:2015-05-20 13:31:39,070 DEBUG [master:HADOOP-MASTER:60000] hbase.HBaseAuthDB: RULE:[table: blogposts2, columnGroup:*, columnName: *, accessType: read, user:null, group: group1] is being added as Table Policy
>> hbase-hbase-master-HADOOP-MASTER.log:2015-05-20 13:48:14,080 DEBUG [XaSecureConfigURLWatcher] hbase.HBaseAuthDB: RULE:[table: blogposts2, columnGroup:*, columnName: *, accessType: read, user:null, group: group1] is being added as Table Policy
>> hbase-hbase-master-HADOOP-MASTER.log:2015-05-20 13:48:14,080 DEBUG [XaSecureConfigURLWatcher] hbase.HBaseAuthDB: RULE:[table: blogposts2, columnGroup:*, columnName: *, accessType: read, user:null, group: group1] is being added as Table Policy
>> hbase-hbase-master-HADOOP-MASTER.log:2015-05-20 13:48:14,081 DEBUG [XaSecureConfigURLWatcher] hbase.HBaseAuthDB: RULE:[table: blogposts2, columnGroup:*, columnName: *, accessType: read, user:user1, group: null] is being added as Table Policy
>> hbase-hbase-master-HADOOP-MASTER.log:2015-05-20 13:48:14,081 DEBUG [XaSecureConfigURLWatcher] hbase.HBaseAuthDB: RULE:[table: blogposts2, columnGroup:*,
>> columnName: *, accessType: read, user:user1, group: null] is being added as Table Policy
>> hbase-hbase-master-HADOOP-MASTER.log:2015-05-20 14:01:17,008 DEBUG [XaSecureConfigURLWatcher] hbase.HBaseAuthDB: RULE:[table: blogposts2, columnGroup:*, columnName: *, accessType: read, user:null, group: group1] is being added as Table Policy
>> hbase-hbase-master-HADOOP-MASTER.log:2015-05-20 14:01:17,008 DEBUG [XaSecureConfigURLWatcher] hbase.HBaseAuthDB: RULE:[table: blogposts2, columnGroup:*, columnName: *, accessType: read, user:null, group: group1] is being added as Table Policy
>>
>> Cheers.
>>
>>
>> On 20 May 2015, at 17:54, Madhan Neethiraj <[email protected]> wrote:
>>
>> Dale,
>>
>> Can you please fgrep for “HBaseAuthDB” in master and region server logs
>> (with the command shown below) and send the output?
>>
>> fgrep -H HBaseAuthDB /var/log/hbase/hbase-hbase*.log
>>
>> Thanks,
>> Madhan
>>
>> From: <Bradman>, Dale <[email protected]>
>> Reply-To: "[email protected]" <[email protected]>
>> Date: Wednesday, May 20, 2015 at 4:06 AM
>> To: "[email protected]" <[email protected]>
>> Subject: RE: Cannot define HBase policy by groups
>>
>> OK, I have enabled debug logging as per Madhan's instructions...... Should I
>> be looking at the standard HBase-Master log file found in /var/log/hbase?
>>
>> Also, as the logs are quite vast, do you have any more information on what I
>> should be looking out for?
>>
>> Thank you,
>> Dale
>> ________________________________
>> From: Madhan Neethiraj [[email protected]]
>> Sent: 19 May 2015 16:30
>> To: [email protected]
>> Subject: Re: Cannot define HBase policy by groups
>>
>> Dale,
>>
>> To enable debug logging, please add the following property in HBase’s
>> log4j.properties file (typically at /etc/hbase/conf/log4j.properties) and
>> restart HBase master and region servers:
>>
>> log4j.logger.com.xasecure.pdp.hbase=DEBUG,DRFA
>>
>>
>> Thanks,
>> Madhan
>>
>> From: <Bradman>, Dale <[email protected]>
>> Reply-To: "[email protected]" <[email protected]>
>> Date: Tuesday, May 19, 2015 at 5:38 AM
>> To: "[email protected]" <[email protected]>
>> Subject: Re: Cannot define HBase policy by groups
>>
>> Will do, how do I enable debug logging?
>> Thanks
>> On 18 May 2015, at 17:56, Don Bosco Durai <[email protected]> wrote:
>>
>> Dale
>>
>> Based on the comments so far, it seems you are doing everything correct.
>> Also, since user level permission is working, it confirms that Ranger is
>> integrated properly.
>>
>> Since group level permission is not working, can we enable debug logging and
>> see what groups we are getting?
>>
>> After enabling debug logs, can you upload the logs somewhere or grep for
>> "for user" and cut paste the output.
>>
>> Thanks
>>
>> Bosco
>>
>>
>> From: <Bradman>, Dale <[email protected]>
>> Reply-To: "[email protected]" <[email protected]>
>> Date: Monday, May 18, 2015 at 3:46 AM
>> To: "[email protected]" <[email protected]>
>> Subject: Re: Cannot define HBase policy by groups
>>
>> Any further thoughts on this?
>>
>> Thanks.
>>
>>
>> On 13 May 2015, at 14:31, Bradman, Dale <[email protected]> wrote:
>>
>>
>> WARNING: Kindly be aware the Sender Address on this mail may be forged. It
>> appears to be from capgemini.com but the message has
>> been received from a server outside Capgemini Group perimeter. User
>> discretion is necessary before performing actions mentioned in this mail.
>>
>> Yes, I am 90% sure I have. Is there a way to confirm?
>>
>> If I go to /etc/hbase/conf/ranger-security on each node it says enabled...
>> On 11 May 2015, at 18:04, Balaji Ganesan <[email protected]> wrote:
>>
>> Just to confirm. Have you enabled ranger plugin in all the region servers?
>>
>> On Mon, May 11, 2015 at 9:19 AM, Bradman, Dale <[email protected]> wrote:
>> I ran this command across all nodes:
>>
>> $ hdfs groups user1
>>
>> And got the same output each time:
>>
>> user1: user1 group1
>>
>>
>> On 7 May 2015, at 16:56, Balaji Ganesan <[email protected]> wrote:
>>
>> Can you run this command in all the nodes and let me know if it is giving
>> the same result?
>>
>> $ hdfs groups user1
>>
>> On Thu, May 7, 2015 at 3:14 AM, Bradman, Dale <[email protected]> wrote:
>> Having the Ranger Policy like this allows user1 to read the tables:
>>
>> <PastedGraphic-1.png>
>> However having the Ranger policy like below prevents user1 from reading
>> tables despite user1 belonging to group1 (as proved by “$ hdfs groups user1”):
>>
>> <PastedGraphic-2.png>
>>
>> Here is the audit log for the two different transactions:
>>
>> <PastedGraphic-5.png>
>>
>>
>> On 6 May 2015, at 15:37, Balaji Ganesan <[email protected]> wrote:
>>
>> Dale, can you send across screenshot of the policy as well as what audit is
>> showing for this transaction?
>>
>> On May 6, 2015, at 5:51 AM, Bradman, Dale <[email protected]> wrote:
>>
>> I’m fairly certain that authToLocal is configured properly. Issuing the
>> command:
>>
>> $ hdfs groups user1
>>
>> Returns:
>>
>> user1: user1 group1
>>
>>
>> On 5 May 2015, at 18:34, Don Bosco Durai <[email protected]> wrote:
>>
>> Dale, have you configured authToLocal properly in Hadoop?
>>
>> Can you try this?
>>
>> $ hdfs groups user1
>>
>> Thanks
>>
>> Bosco
>>
>>
>> From: <Bradman>, Dale <[email protected]>
>> Reply-To: "[email protected]" <[email protected]>
>> Date: Tuesday, May 5, 2015 at 5:57 AM
>> To: "[email protected]" <[email protected]>
>> Subject: Cannot define HBase policy by groups
>>
>> Hello,
>>
>> I am struggling to create policies on HBase defined by a group. Here is what
>> I have done:
>>
>> 1. I create a UNIX user “user1” and add this user to the group “group1”.
>> 2. Ranger UI syncs with UNIX and shows “user1” as an external user belonging
>> to the group “group1”.
>> Also, “group1” is automatically created as a new
>> internal group in the groups section.
>> 3. I create a HBase policy in RangerUI granting “user1” READ permissions on
>> all HBase tables. As expected, “user1” is able to read the tables.
>> 4. I then edit the same policy by also granting “group1” READ permissions on
>> all HBase tables. As expected, “user1” is able to read the tables.
>> 5. I then edit the same policy by removing “user1” entirely thus leaving
>> only “group1” with READ permissions. Now, “user1” is unable to read the
>> tables despite being a member of “group1”
>>
>> So essentially, what I want to be able to do is assign multiple users to
>> “group1” and grant “group1” read access on tables.
>>
>> Can anyone clarify if this is a bug or if I am doing something incorrectly?
>>
>> Thanks,
>> Dale
>>
>> ________________________________
>>
>> Capgemini is a trading name used by the Capgemini Group of companies which
>> includes Capgemini UK plc, a company registered in England and Wales (number
>> 943935) whose registered office is at No. 1, Forge End, Woking, Surrey, GU21
>> 6DB.
>> This message contains information that may be privileged or confidential and
>> is the property of the Capgemini Group. It is intended only for the person
>> to whom it is addressed. If you are not the intended recipient, you are not
>> authorized to read, print, retain, copy, disseminate, distribute, or use
>> this message or any part thereof. If you receive this message in error,
>> please notify the sender immediately and delete all copies of this message.
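A sketch of how the `fgrep -H HBaseAuthDB` output requested in this thread could be summarised per daemon, to see which grants each enforcement point last loaded and which roles supplied no rule lines at all (added example, not part of the original emails or of Ranger's code). It assumes the log lines have been unwrapped to one rule per line and that log files are named `hbase-<user>-<role>-<host>.log`; the function names are hypothetical.

```python
import os
import re
from collections import defaultdict

# One HBaseAuthDB debug line as printed by `fgrep -H`: "<file>:<timestamp> DEBUG [...] ...".
RULE_RE = re.compile(
    r"^(?P<file>[^:]+):(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} DEBUG \[.+?\] "
    r"hbase\.HBaseAuthDB: RULE:\[table:\s*(?P<table>[^,]+),.*?accessType:\s*(?P<access>[^,]+),"
    r"\s*user:\s*(?P<user>[^,]+),\s*group:\s*(?P<group>[^\]]+)\]"
)

def latest_grants(lines):
    """Return {role: {(table, access, kind, principal)}} from each role's newest policy load."""
    loads = defaultdict(lambda: defaultdict(set))  # role -> load second -> grants
    for line in lines:
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        # Assumed file naming: hbase-<user>-<role>-<host>.log (role: master / regionserver).
        parts = os.path.basename(m["file"]).split("-")
        role = parts[2] if len(parts) > 2 else "unknown"
        for kind in ("user", "group"):
            name = m[kind].strip()
            if name != "null":  # an unset principal appears as "null" in these lines
                grant = (m["table"].strip(), m["access"].strip(), kind, name)
                # Simplification: rules logged within the same second count as one load.
                loads[role][m["ts"]].add(grant)
    return {role: by_ts[max(by_ts)] for role, by_ts in loads.items()}

def missing_roles(grants, expected=("master", "regionserver")):
    """Roles for which no HBaseAuthDB rule was found in the supplied lines."""
    return [role for role in expected if not grants.get(role)]

# Three of the log lines quoted in the thread, unwrapped to one rule per line.
_FMT = ("hbase-hbase-master-HADOOP-MASTER.log:{ts} DEBUG [XaSecureConfigURLWatcher] "
        "hbase.HBaseAuthDB: RULE:[table: blogposts2, columnGroup:*, columnName: *, "
        "accessType: read, user:{user}, group: {group}] is being added as Table Policy")
SAMPLE = [
    _FMT.format(ts="2015-05-20 13:48:14,080", user="null", group="group1"),
    _FMT.format(ts="2015-05-20 13:48:14,081", user="user1", group="null"),
    _FMT.format(ts="2015-05-20 14:01:17,008", user="null", group="group1"),
]

if __name__ == "__main__":
    grants = latest_grants(SAMPLE)
    print(grants)                 # newest load per role
    print(missing_roles(grants))  # roles whose logs still need collecting
```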
