Actually my groups are synchronized on every node of the cluster from a LDAP via SSSD, and are converted into lower case. But sometimes lower case doesn't work as it needs a special configurations, and there are slight differences between the group names I make security policies for and the groups that are synchronized.
In my case, on HBaseMaster and in Ranger database, the group I made policies for was called "sysadmin" when on the nodes containing the RegionServers it was called "SysAdmin". Loïc CHANEL Engineering student at TELECOM Nancy Trainee at Worldline - Villeurbanne 2015-08-26 2:58 GMT+02:00 Balaji Ganesan <[email protected]>: > <<Actually my problem went from the fact that the user identity is > asserted on the region server you are working on, and groups are not > defined very precisely there.>> > > What do you mean by groups are not defined precisely? Can you please > elaborate? > > > On Mon, Aug 24, 2015 at 8:46 AM, Loïc Chanel <[email protected] > > wrote: > >> Actually my problem went from the fact that the user identity is asserted >> on the region server you are working on, and groups are not defined very >> precisely there. >> I was able to identify it with the debug level enabled on xasecure, so >> thanks a lot (no pun intention) ! >> >> Regards, >> >> >> Loïc >> >> >> Loïc CHANEL >> Engineering student at TELECOM Nancy >> Trainee at Worldline - Villeurbanne >> >> 2015-08-24 17:24 GMT+02:00 Alok Lal <[email protected]>: >> >>> Log4j.properties file should be under hbase config directory. It is >>> usually /etc/hbase/conf. In it start by adding the following line: >>> >>> log4j.logger.com.xasecure=DEBUG >>> >>> From: Loïc Chanel >>> Reply-To: "[email protected]" >>> Date: Monday, August 24, 2015 at 7:54 AM >>> To: "[email protected]" >>> Subject: Re: HBase group authroizations >>> >>> Sorry, I just noticed that I wrote `hdfs groups` instead of `whoami`. >>> Regards, >>> >>> Loïc >>> >>> >>> Loïc CHANEL >>> Engineering student at TELECOM Nancy >>> Trainee at Worldline - Villeurbanne >>> >>> 2015-08-24 15:26 GMT+02:00 Loïc Chanel <[email protected]>: >>> >>>> Hi all, >>>> >>>> I'm having some troubles trying to authorize some users from HBase to >>>> access to a table using a group they belong to. >>>> Even if the policy is correctly set, and uses a group that `hdfs >>>> groups` returns me, I can't access the database as the user can't. >>>> >>>> I can't see any logs indicating that the Ranger plugin tries to assert >>>> the user's identity and its groups, but my debug level may not be high >>>> enough (as I didn't found the corresponding property). >>>> >>>> Can someone help me to increase my log level to debug for XaSecure >>>> HBase plugin, or give me some things I can try to look at to figure out why >>>> groups cannot be used in my configuration ? >>>> >>>> Thanks in advance for your help ! >>>> Regards, >>>> >>>> >>>> Loïc >>>> Loïc CHANEL >>>> Engineering student at TELECOM Nancy >>>> Trainee at Worldline - Villeurbanne >>>> >>> >>> >> >
