> Can I assume your issue is now resolved? :-) Yes it is ! :-)
Loïc CHANEL Engineering student at TELECOM Nancy Trainee at Worldline - Villeurbanne 2015-08-26 18:01 GMT+02:00 Don Bosco Durai <[email protected]>: > >So now, all my groups are on the same page : lowercase :-) > Can I assume your issue is now resolved? :-) > > Thanks on the tip for lower case in SSSD. I will try it out. > > Bosco > > > From: Loïc Chanel <[email protected]> > Reply-To: "[email protected]" < > [email protected]> > Date: Wednesday, August 26, 2015 at 8:57 AM > > To: "[email protected]" <[email protected]> > Subject: Re: HBase group authroizations > > Hi Bosco ! > > Actually the problem came from my configuration. In the LDAP of my > company, as case is not important in there my groups have been declared > using mixed lowercase and uppercase. But when they are in the attribute > memberOf of my users, it is only lowercase. Therefore, in Ranger UserSync I > pull the groups using lowercase only, but on my nodes, default > configurations makes me use the other ones, with mixed lower and uppercase. > > Therefore I had to change the configuration of SSSD there. > So yeah, basically the problem only came from SSSD configuration on > RegionServer. > To solve it I just added the following property to sssd.conf : > case_sensitive = False > > So now, all my groups are on the same page : lowercase :-) > Still, if you're trying to reproduce my issue, you may want to restart > HBase service after restarting SSSD in order your changes on the case > conversion to be taken in account. > > Hope this helps ! > Regards, > > > Loïc > > Loïc CHANEL > Engineering student at TELECOM Nancy > Trainee at Worldline - Villeurbanne > > 2015-08-26 17:47 GMT+02:00 Don Bosco Durai <[email protected]>: > >> Loïc, sorry I am trying to understand the issue here. >> >> >n my case, on HBaseMaster and in Ranger database, the group I made >> policies for was called "sysadmin" when on the nodes containing the >> RegionServers it was called "SysAdmin”. >> >> Is this a SSSD issue? Is the SSSD configuration on the RegionServer not >> configured properly? >> >> I just setup SSSD with Active Directory, but I didn’t use lower case. I >> can try making it lower case, but I am not sure whether it will help me >> understand your issue. >> >> Can I assume, that this issue is happening only for Region Servers? >> >> Thanks >> >> Bosco >> >> >> >> From: Loïc Chanel <[email protected]> >> Reply-To: "[email protected]" < >> [email protected]> >> Date: Wednesday, August 26, 2015 at 1:09 AM >> To: "[email protected]" <[email protected]> >> >> >> Subject: Re: HBase group authroizations >> >> Actually my groups are synchronized on every node of the cluster from a >> LDAP via SSSD, and are converted into lower case. But sometimes lower case >> doesn't work as it needs a special configurations, and there are slight >> differences between the group names I make security policies for and the >> groups that are synchronized. >> >> In my case, on HBaseMaster and in Ranger database, the group I made >> policies for was called "sysadmin" when on the nodes containing the >> RegionServers it was called "SysAdmin". >> >> Loïc CHANEL >> Engineering student at TELECOM Nancy >> Trainee at Worldline - Villeurbanne >> >> 2015-08-26 2:58 GMT+02:00 Balaji Ganesan <[email protected]>: >> >>> <<Actually my problem went from the fact that the user identity is >>> asserted on the region server you are working on, and groups are not >>> defined very precisely there.>> >>> >>> What do you mean by groups are not defined precisely? Can you please >>> elaborate? >>> >>> >>> On Mon, Aug 24, 2015 at 8:46 AM, Loïc Chanel < >>> [email protected]> wrote: >>> >>>> Actually my problem went from the fact that the user identity is >>>> asserted on the region server you are working on, and groups are not >>>> defined very precisely there. >>>> I was able to identify it with the debug level enabled on xasecure, so >>>> thanks a lot (no pun intention) ! >>>> >>>> Regards, >>>> >>>> >>>> Loïc >>>> >>>> >>>> Loïc CHANEL >>>> Engineering student at TELECOM Nancy >>>> Trainee at Worldline - Villeurbanne >>>> >>>> 2015-08-24 17:24 GMT+02:00 Alok Lal <[email protected]>: >>>> >>>>> Log4j.properties file should be under hbase config directory. It is >>>>> usually /etc/hbase/conf. In it start by adding the following line: >>>>> >>>>> log4j.logger.com.xasecure=DEBUG >>>>> >>>>> From: Loïc Chanel >>>>> Reply-To: "[email protected]" >>>>> Date: Monday, August 24, 2015 at 7:54 AM >>>>> To: "[email protected]" >>>>> Subject: Re: HBase group authroizations >>>>> >>>>> Sorry, I just noticed that I wrote `hdfs groups` instead of `whoami`. >>>>> Regards, >>>>> >>>>> Loïc >>>>> >>>>> >>>>> Loïc CHANEL >>>>> Engineering student at TELECOM Nancy >>>>> Trainee at Worldline - Villeurbanne >>>>> >>>>> 2015-08-24 15:26 GMT+02:00 Loïc Chanel <[email protected]>: >>>>> >>>>>> Hi all, >>>>>> >>>>>> I'm having some troubles trying to authorize some users from HBase to >>>>>> access to a table using a group they belong to. >>>>>> Even if the policy is correctly set, and uses a group that `hdfs >>>>>> groups` returns me, I can't access the database as the user can't. >>>>>> >>>>>> I can't see any logs indicating that the Ranger plugin tries to >>>>>> assert the user's identity and its groups, but my debug level may not be >>>>>> high enough (as I didn't found the corresponding property). >>>>>> >>>>>> Can someone help me to increase my log level to debug for XaSecure >>>>>> HBase plugin, or give me some things I can try to look at to figure out >>>>>> why >>>>>> groups cannot be used in my configuration ? >>>>>> >>>>>> Thanks in advance for your help ! >>>>>> Regards, >>>>>> >>>>>> >>>>>> Loïc >>>>>> Loïc CHANEL >>>>>> Engineering student at TELECOM Nancy >>>>>> Trainee at Worldline - Villeurbanne >>>>>> >>>>> >>>>> >>>> >>> >> >
