Loïc, sorry I am trying to understand the issue here. >n my case, on HBaseMaster and in Ranger database, the group I made policies for was called "sysadmin" when on the nodes containing the RegionServers it was called "SysAdmin².
Is this a SSSD issue? Is the SSSD configuration on the RegionServer not configured properly? I just setup SSSD with Active Directory, but I didn¹t use lower case. I can try making it lower case, but I am not sure whether it will help me understand your issue. Can I assume, that this issue is happening only for Region Servers? Thanks Bosco From: Loïc Chanel <[email protected]> Reply-To: "[email protected]" <[email protected]> Date: Wednesday, August 26, 2015 at 1:09 AM To: "[email protected]" <[email protected]> Subject: Re: HBase group authroizations > Actually my groups are synchronized on every node of the cluster from a LDAP > via SSSD, and are converted into lower case. But sometimes lower case doesn't > work as it needs a special configurations, and there are slight differences > between the group names I make security policies for and the groups that are > synchronized. > > In my case, on HBaseMaster and in Ranger database, the group I made policies > for was called "sysadmin" when on the nodes containing the RegionServers it > was called "SysAdmin". > > Loïc CHANEL > Engineering student at TELECOM Nancy > Trainee at Worldline - Villeurbanne > > 2015-08-26 2:58 GMT+02:00 Balaji Ganesan <[email protected]>: >> <<Actually my problem went from the fact that the user identity is asserted >> on the region server you are working on, and groups are not defined very >> precisely there.>> >> >> What do you mean by groups are not defined precisely? Can you please >> elaborate? >> >> >> On Mon, Aug 24, 2015 at 8:46 AM, Loïc Chanel <[email protected]> >> wrote: >>> Actually my problem went from the fact that the user identity is asserted on >>> the region server you are working on, and groups are not defined very >>> precisely there. >>> I was able to identify it with the debug level enabled on xasecure, so >>> thanks a lot (no pun intention) ! >>> >>> Regards, >>> >>> >>> Loïc >>> >>> >>> Loïc CHANEL >>> Engineering student at TELECOM Nancy >>> Trainee at Worldline - Villeurbanne >>> >>> 2015-08-24 17:24 GMT+02:00 Alok Lal <[email protected]>: >>>> Log4j.properties file should be under hbase config directory. It is >>>> usually /etc/hbase/conf. In it start by adding the following line: >>>> >>>> log4j.logger.com.xasecure=DEBUG >>>> >>>> >>>> From: Loïc Chanel >>>> Reply-To: "[email protected]" >>>> Date: Monday, August 24, 2015 at 7:54 AM >>>> To: "[email protected]" >>>> Subject: Re: HBase group authroizations >>>> >>>> Sorry, I just noticed that I wrote `hdfs groups` instead of `whoami`. >>>> Regards, >>>> >>>> Loïc >>>> >>>> >>>> Loïc CHANEL >>>> Engineering student at TELECOM Nancy >>>> Trainee at Worldline - Villeurbanne >>>> >>>> 2015-08-24 15:26 GMT+02:00 Loïc Chanel <[email protected]>: >>>>> Hi all, >>>>> >>>>> I'm having some troubles trying to authorize some users from HBase to >>>>> access to a table using a group they belong to. >>>>> Even if the policy is correctly set, and uses a group that `hdfs groups` >>>>> returns me, I can't access the database as the user can't. >>>>> >>>>> I can't see any logs indicating that the Ranger plugin tries to assert the >>>>> user's identity and its groups, but my debug level may not be high enough >>>>> (as I didn't found the corresponding property). >>>>> >>>>> Can someone help me to increase my log level to debug for XaSecure HBase >>>>> plugin, or give me some things I can try to look at to figure out why >>>>> groups cannot be used in my configuration ? >>>>> >>>>> Thanks in advance for your help ! >>>>> Regards, >>>>> >>>>> >>>>> Loïc >>>>> Loïc CHANEL >>>>> Engineering student at TELECOM Nancy >>>>> Trainee at Worldline - Villeurbanne >>>> >>> >> >
