Hi, Bosco, I noticed group level permission works when we set hadoop permissions to 000. I am just curious why it is so ?
is it always necessary to set hadoop permissions to 000 for ranger to work? thanks On Mon, Nov 30, 2015 at 10:59 PM, Hafiz Mujadid <hafizmujadi...@gmail.com> wrote: > Bosco, I have tried both mysql db and solr as well, only plugin related > auditing is being shown > > On Mon, Nov 30, 2015 at 10:53 PM, Don Bosco Durai <bo...@apache.org> > wrote: > >> Yes, you should fix audit first. That will help in debugging these issues >> also. >> >> BTW, are you using Solr or DB? >> >> Recommendation is to use Solr. Yesterday, I have uploaded a new package >> for setting up Solr. It is available as attachment in >> https://issues.apache.org/jira/browse/RANGER-728. The instructions are >> in >> https://cwiki.apache.org/confluence/display/RANGER/Install+and+Configure+Solr+for+Ranger+Audits+-+Apache+Ranger+0.5 >> >> Give it a try. >> >> Thanks >> >> Bosco >> >> >> From: Madhan Neethiraj <mneethi...@hortonworks.com> >> Reply-To: <user@ranger.incubator.apache.org> >> Date: Monday, November 30, 2015 at 8:57 AM >> >> To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org> >> Subject: Re: Group level permission are not working in ranger >> >> Hafiz, >> >> Few things to check: >> 1. Do you have another policy in Ranger that allows WRITE access? >> 2. Can you disable this policy and try mkdir? >> >> Fixing the issue with audit will help; audit log will have the details of >> how the access was allowed (hadoop-acl or ranger-acl; in case of >> ranger-acl, the policy-ID that determined the access). >> >> Madhan >> >> From: Hafiz Mujadid <hafizmujadi...@gmail.com> >> Reply-To: "user@ranger.incubator.apache.org" < >> user@ranger.incubator.apache.org> >> Date: Monday, November 30, 2015 at 6:16 AM >> To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org> >> Subject: Re: Group level permission are not working in ranger >> >> Bosco, >> >> I have followed above steps >> >> 1. drwxr-xr-x - hduser hadoop 0 2015-11-30 18:49 /pg >> 2. changed the umask so newly created folder or files have following >> permissions >> d---rwxrwx - asma hadoop 0 2015-11-30 19:03 /pg/b >> 3. i changed the ownership of all folders in hdfs with hduser:hadoop >> 4. ran the command hdfs dfs -chmod -R 000 /pg >> >> >> but still group level permissions are not working. >> >> my audits are not working, i am trying to figure out the issue with >> audits. i will let you know when audits are available. >> >> >> thanks >> >> On Mon, Nov 30, 2015 at 7:13 PM, Hafiz Mujadid <hafizmujadi...@gmail.com> >> wrote: >> >>> Bosco, >>> >>> I have followed above steps >>> drwxr-xr-x - hduser hadoop 0 2015-11-30 18:49 /pg >>> changed the umask so newly created folder or files have following >>> permissions >>> d---rwxrwx - asma hadoop 0 2015-11-30 19:03 /pg/b >>> i changed the ownership of all folders in hdfs with hduser:hadoop >>> >>> but still group level permissions are not working. >>> >>> >>> my audits are not working, i am trying to figure out the issue with >>> audits. i will let you know when audits are available. >>> >>> >>> thanks >>> >>> >>> On Mon, Nov 30, 2015 at 9:34 AM, Don Bosco Durai <bo...@apache.org> >>> wrote: >>> >>>> Can you check Ranger Audits? >>>> >>>> Also, do couple of things: >>>> 1. hdfs dfs -ls /pg (check the HDFS level permissions) >>>> 2. In HDFS settngs, set the umask to 700 and restart name node. >>>> 3. hdfs dfs -chown hdfs:hdfs /pg >>>> 4. hdfs dfs -chmod -R 000 /pg >>>> >>>> For all user folders, e.g. /app/hive, do #3 and #4 as above. >>>> >>>> Bosco >>>> >>>> >>>> From: Hafiz Mujadid <hafizmujadi...@gmail.com> >>>> Reply-To: <user@ranger.incubator.apache.org> >>>> Date: Sunday, November 29, 2015 at 8:29 PM >>>> To: <user@ranger.incubator.apache.org> >>>> Subject: Re: Group level permission are not working in ranger >>>> >>>> Yes Bosco, directory is being created. >>>> >>>> On Mon, Nov 30, 2015 at 2:47 AM, Don Bosco Durai <bo...@apache.org> >>>> wrote: >>>> >>>>> What is happening here? Is the directory getting created? >>>>> >>>>> Thanks >>>>> >>>>> Bosco >>>>> >>>>> >>>>> From: Hafiz Mujadid <hafizmujadi...@gmail.com> >>>>> Reply-To: <user@ranger.incubator.apache.org> >>>>> Date: Sunday, November 29, 2015 at 1:44 PM >>>>> To: <user@ranger.incubator.apache.org> >>>>> Subject: Group level permission are not working in ranger >>>>> >>>>> Hi all >>>>> >>>>> I am trying to apply permission on an ldap group but it's not working >>>>> >>>>> [image: Inline image 1] >>>>> >>>>> >>>>> But when i run following command >>>>> *HADOOP_USER_NAME=asma hdfs dfs -mkdir /pg/b* >>>>> >>>>> i works successfully >>>>> what is the issue? ldap users and groups are synced correctly as when >>>>> i run the command *hdfs groups asma* it returns correct group >>>>> asma : datascientist >>>>> >>>>> >>>> >>>> >>>> -- >>>> Regards: HAFIZ MUJADID >>>> >>>> >>> >>> >>> -- >>> Regards: HAFIZ MUJADID >>> >> >> >> >> -- >> Regards: HAFIZ MUJADID >> >> > > > -- > Regards: HAFIZ MUJADID > -- Regards: HAFIZ MUJADID