Kashif

Thanks for creating the JIRA. Let’s see if someone picks it up or gets enough up votes…

Thanks
Bosco

From: Kashif Khan <rafz...@gmail.com>
Reply-To: <user@ranger.incubator.apache.org>
Date: Friday, November 13, 2015 at 10:08 AM
To: <user@ranger.incubator.apache.org>
Cc: Ramesh Mani <rm...@hortonworks.com>
Subject: Re: Ranger LDAP Group sync issue

Hi Bosco,

I have created jira RANGER-732 for this issue. I don't have much bandwidth right now to work on this, but it would be very helpful if someone can work on this.

Thanks,
Kashif

On Fri, Nov 13, 2015 at 12:51 PM, Don Bosco Durai <bo...@apache.org> wrote:

Kashif

I don’t think Ranger currently has support for writing policy update audits to file. Would you be able to create a JIRA for this? I think this should be straightforward to implement. In most Hadoop projects, they use a log4j appender to write to file. We could do the same. Hopefully, you or someone can volunteer to implement it.

FYI, the audit logs done by the plugin already support Log4J as a destination. But it uses a different framework and RangerAdmin doesn’t use it.

Thanks
Bosco

From: Kashif Khan <rafz...@gmail.com>
Reply-To: <user@ranger.incubator.apache.org>
Date: Thursday, November 12, 2015 at 9:37 PM
To: Ramesh Mani <rm...@hortonworks.com>
Cc: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
Subject: Re: Ranger LDAP Group sync issue

You are right Ramesh. Is there any setting that can enable logging this information in the file as well?

Thanks,
Kashif

On Fri, Nov 13, 2015 at 12:31 AM, Ramesh Mani <rm...@hortonworks.com> wrote:

I think Kashif is asking for the policy change logs, which are in the ranger_audit db. The option is to get them by querying the table.

From: Arvind S <arvind18...@gmail.com>
Reply-To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
Date: Thursday, November 12, 2015 at 9:28 PM
To: Kashif Khan <rafz...@gmail.com>
Cc: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
Subject: Re: Ranger LDAP Group sync issue

you want the same information in the DB table in file format ?
or something more than that .. like debug?

for 1st option .. in ranger 0.5 there is an option to enable logging to HDFS also .. not sure if it's there in 0.4 ..
if you want the 2nd then i don't have an answer right away ..

Cheers !!
Arvind

On Fri, Nov 13, 2015 at 8:10 AM, Kashif Khan <rafz...@gmail.com> wrote:

Hi Arvind,

Deleting all users and groups and pulling them again didn't help. Still the same issue. Looks like upgrade is the only option.

I have another question: where can I check the logs for all ranger policy changes? I know it is written in the ranger_audit db, but is it possible to log that in a log file?

Thanks,
Kashif

On Wed, Nov 11, 2015 at 11:14 PM, Kashif Khan <rafz...@gmail.com> wrote:

Thanks Arvind, I will try that tomorrow and will see if it gets fixed.

On Wed, Nov 11, 2015 at 11:10 PM, Arvind S <arvind18...@gmail.com> wrote:

the only issue i can see is that the member group list has some groups with space in them "ho proxy" .. "nro proxy" ..

options
> can test by removing user membership from groups with space in the names
> ..then check sync
> as Ramesh said you can try to move to a newer version ..

this is a long shot but did work for me once when i was testing initially with lots of changes being done on config .. and ranger had pulled incomplete group/user list in the 1st attempt ..
> stop ranger user sync ..
> delete all the groups and users using ranger REST API
.... https://github.com/apache/incubator-ranger/blob/master/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
.... group delete e.g.
curl -i -X DELETE --header "Accept:application/json" -H "Content-Type: application/json" -u admin:admin http://<ranger-ip/fqdn>:6080/service/xusers/groups/{<comma separated group id's>}
.... user delete e.g.
curl -i -X DELETE --header "Accept:application/json" -H "Content-Type: application/json" -u admin:admin http://<ranger-ip/fqdn>:6080/service/xusers/users/{<comma separated user id's>}
> Re-start ranger admin and start ranger user sync ..

Cheers !!
Arvind

On Tue, Nov 10, 2015 at 11:18 PM, Kashif Khan <rafz...@gmail.com> wrote:

Thanks for your response Arvind. Here is the log. The group name I have an issue with is "PRV-BUS-DataScientist-DISABILITY", which is not showing in Ranger. However, the other group "prv-bus-datascientist-life", which was added the same day, is being pulled into ranger successfully.

10 Nov 2015 12:04:40 INFO LdapUserGroupBuilder [UnixUserSyncThread] - longGroupName: CN=PRV-BUS-DataScientist-DISABILITY,OU=Security-Groups,DC=domain_name,DC=com, groupName: PRV-BUS-DataScientist-DISABILITY
10 Nov 2015 12:04:40 INFO LdapUserGroupBuilder [UnixUserSyncThread] - Updating user count: 57, userName: xyza1b, groupList: [domain_name-w7-admin-wkstn-users, wireless_production, prv-bus-datascientist-life, ho proxy, vpnusers, domain_name-w7-std-user-g, nro proxy, prv-bus-datascientist-disability, domain_name-w7-std-user-fr-g, wireless_location]
10 Nov 2015 12:04:40 DEBUG PolicyMgrUserGroupBuilder [UnixUserSyncThread] - INFO: addPMXAGroupToUser(xyza1b,prv-bus-datascientist-disability)
10 Nov 2015 12:04:40 INFO LdapUserGroupBuilder [UnixUserSyncThread] - longGroupName: CN=PRV-BUS-DataScientist-DISABILITY,OU=Security-Groups,DC=domain_name,DC=com, groupName: PRV-BUS-DataScientist-DISABILITY
10 Nov 2015 12:04:40 INFO LdapUserGroupBuilder [UnixUserSyncThread] - Updating user count: 59, userName: xyza2b, groupList: [domain_name-w7-admin-wkstn-users, wireless_production, prv-bus-datascientist-life, ho proxy, vpnusers, domain_name-w7-std-user-g, nro proxy, prv-bus-datascientist-disability, domain_name-w7-std-user-fr-g, wireless_location]
10 Nov 2015 12:04:40 DEBUG PolicyMgrUserGroupBuilder [UnixUserSyncThread] - INFO: addPMXAGroupToUser(xyza2b,prv-bus-datascientist-disability)

On Tue, Nov 10, 2015 at 1:52 AM, Arvind S <arvind18...@gmail.com> wrote:

can you post the log section where you see the groups and users being pulled ..

i have had issues when using AD (internally settings were using LDAP in AD) as user/group source and user/group names had spaces or dots in them.

If possible update to ranger .5, it has some better handling.

Cheers !!
Arvind

On Tue, Nov 10, 2015 at 9:34 AM, Kashif Khan <rafz...@gmail.com> wrote:

Hi All,

I am trying to pull one LDAP group into ranger but it is not being added. Looking at usersync.log, the group is being pulled and users are added to that group, but I am not able to figure out why the group is not showing up in either the ranger x_group table or the ranger UI. Tried to run the usersync process in debug mode with no luck. Would appreciate any help. I am using version 0.4.

--
Thanks,
Kashif
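
The log check discussed in the thread, as an added example that is not part of any message above and is not Ranger code: a parser for usersync.log lines in the format Kashif posted, listing each synced group with its users and flagging names that contain spaces or dots (the cases Arvind mentions) or that appear in two different spellings. The sample lines are constructed from the quoted log, and the function names are hypothetical.

```python
import re

# Constructed sample: the usersync.log lines quoted in the thread, group list shortened.
SAMPLE_LOG = """\
10 Nov 2015 12:04:40 INFO LdapUserGroupBuilder [UnixUserSyncThread] - longGroupName: CN=PRV-BUS-DataScientist-DISABILITY,OU=Security-Groups,DC=domain_name,DC=com, groupName: PRV-BUS-DataScientist-DISABILITY
10 Nov 2015 12:04:40 INFO LdapUserGroupBuilder [UnixUserSyncThread] - Updating user count: 57, userName: xyza1b, groupList: [prv-bus-datascientist-life, ho proxy, vpnusers, nro proxy, prv-bus-datascientist-disability]
10 Nov 2015 12:04:40 DEBUG PolicyMgrUserGroupBuilder [UnixUserSyncThread] - INFO: addPMXAGroupToUser(xyza1b,prv-bus-datascientist-disability)
"""

LDAP_GROUP = re.compile(r"longGroupName: .*, groupName: (.+)$")
GROUP_LIST = re.compile(r"userName: (\S+), groupList: \[(.*)\]")
ADD_CALL = re.compile(r"addPMXAGroupToUser\(([^,]+),(.+)\)\s*$")


def parse_usersync(text):
    """Return (LDAP groupName values, {user: [groups]}, {(user, group)} from addPMXAGroupToUser lines)."""
    ldap_names, listed, added = set(), {}, set()
    for line in text.splitlines():
        if m := LDAP_GROUP.search(line):
            ldap_names.add(m.group(1).strip())
        elif m := GROUP_LIST.search(line):
            listed[m.group(1)] = [g.strip() for g in m.group(2).split(",") if g.strip()]
        elif m := ADD_CALL.search(line):
            added.add((m.group(1).strip(), m.group(2).strip()))
    return ldap_names, listed, added


def review_groups(text):
    """Map each group in the log to its users and to flags worth checking by hand."""
    ldap_names, listed, added = parse_usersync(text)
    by_lower = {name.lower(): name for name in ldap_names}
    members = {}
    for user, groups in listed.items():
        for g in groups:
            members.setdefault(g, set()).add(user)
    for user, g in added:
        members.setdefault(g, set()).add(user)
    report = {}
    for g, users in sorted(members.items()):
        flags = []
        if " " in g or "." in g:  # names Arvind reports trouble with
            flags.append("space-or-dot")
        ldap = by_lower.get(g.lower())
        if ldap is not None and ldap != g:  # log shows two spellings of one group
            flags.append("case-differs-from-ldap:" + ldap)
        report[g] = {"users": sorted(users), "flags": flags}
    return report


if __name__ == "__main__":
    for group, info in review_groups(SAMPLE_LOG).items():
        print(f"{group:36} users={info['users']} flags={info['flags'] or 'none'}")
```

The report keys are the group names to look for in the x_group table; the flags only mark names to inspect and do not establish why a group is missing.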