Just to confirm. Have you enabled the Ranger plugin in all the region servers?

On Mon, May 11, 2015 at 9:19 AM, Bradman, Dale <[email protected]> wrote:

> I ran this command across all nodes:
>
> $ hdfs groups user1
>
> And got the same output each time:
>
> user1: user1 group1
>
>
> On 7 May 2015, at 16:56, Balaji Ganesan <[email protected]>
> wrote:
>
> Can you run this command in all the nodes and let me know if it is
> giving the same result?
>
> $ hdfs groups user1
>
> On Thu, May 7, 2015 at 3:14 AM, Bradman, Dale <[email protected]>
> wrote:
>
>> Having the Ranger Policy like this allows user1 to read the tables:
>>
>> <PastedGraphic-1.png>
>>
>> However having the Ranger policy like below *prevents* user1 from
>> reading tables despite user1 belonging to group1 (as proved by
>> “$ hdfs groups user1”):
>>
>> <PastedGraphic-2.png>
>>
>> Here is the audit log for the two different transactions:
>>
>> <PastedGraphic-5.png>
>>
>>
>> On 6 May 2015, at 15:37, Balaji Ganesan <[email protected]>
>> wrote:
>>
>> Dale, can you send across a screenshot of the policy as well as what
>> audit is showing for this transaction?
>>
>> On May 6, 2015, at 5:51 AM, Bradman, Dale <[email protected]>
>> wrote:
>>
>> I’m fairly certain that authToLocal is configured properly. Issuing
>> the command:
>>
>> $ hdfs groups user1
>>
>> Returns:
>>
>> user1: user1 group1
>>
>>
>> On 5 May 2015, at 18:34, Don Bosco Durai <[email protected]> wrote:
>>
>> Dale, have you configured authToLocal properly in Hadoop?
>>
>> Can you try this?
>>
>> $ hdfs groups user1
>>
>> Thanks
>>
>> Bosco
>>
>>
>> From: <Bradman>, Dale <[email protected]>
>> Reply-To: "[email protected]" <[email protected]>
>> Date: Tuesday, May 5, 2015 at 5:57 AM
>> To: "[email protected]" <[email protected]>
>> Subject: Cannot define HBase policy by groups
>>
>> Hello,
>>
>> I am struggling to create policies on HBase defined by a group. Here is
>> what I have done:
>>
>> 1. I create a UNIX user “*user1*” and add this user to the group
>>    “*group1*”.
>> 2. Ranger UI syncs with UNIX and shows “*user1*” as an external user
>>    belonging to the group “*group1*”. Also, “*group1*” is automatically
>>    created as a new internal group in the groups section.
>> 3. I create an HBase policy in Ranger UI granting “*user1*” READ
>>    permissions on all HBase tables. As expected, “*user1*” is able to read
>>    the tables.
>> 4. I then edit the same policy by also granting “*group1*” READ
>>    permissions on all HBase tables. As expected, “*user1*” is able to read
>>    the tables.
>> 5. I then edit the same policy by removing “*user1*” entirely thus
>>    leaving only “*group1*” with READ permissions. Now, “*user1*” is unable
>>    to read the tables despite being a member of “*group1*”.
>>
>> So essentially, what I want to be able to do is assign multiple users
>> to “group1” and grant “group1” read access on tables.
>>
>> Can anyone clarify if this is a bug or if I am doing something
>> incorrectly?
>>
>> Thanks,
>> Dale
>>
>> ------------------------------
>>
>> Capgemini is a trading name used by the Capgemini Group of companies
>> which includes Capgemini UK plc, a company registered in England and Wales
>> (number 943935) whose registered office is at No. 1, Forge End, Woking,
>> Surrey, GU21 6DB.
>> This message contains information that may be privileged or confidential
>> and is the property of the Capgemini Group. It is intended only for the
>> person to whom it is addressed. If you are not the intended recipient, you
>> are not authorized to read, print, retain, copy, disseminate, distribute,
>> or use this message or any part thereof. If you receive this message in
>> error, please notify the sender immediately and delete all copies of this
>> message.
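
The comparison asked for in the thread (the same `hdfs groups user1` result on every node), as an added example that is not part of the original messages: it parses one captured output line per node and reports nodes where the policy's group is not resolved or where the group set differs from the majority. The host names and captured lines are constructed sample data, and the function names are hypothetical.

```python
from collections import Counter


def parse_hdfs_groups(line):
    """Parse a line like 'user1: user1 group1' into (user, frozenset of groups)."""
    user, sep, groups = line.strip().partition(":")
    if not sep or not user.strip():
        raise ValueError(f"unrecognised output: {line!r}")
    return user.strip(), frozenset(groups.split())


def check_group_resolution(outputs, user, required_group):
    """outputs maps host -> captured `hdfs groups <user>` line.

    Returns {host: description} for every node that needs a closer look.
    """
    problems, resolved = {}, {}
    for host, line in outputs.items():
        try:
            seen_user, groups = parse_hdfs_groups(line)
        except ValueError as exc:
            problems[host] = str(exc)
            continue
        if seen_user != user:
            problems[host] = f"output is for {seen_user!r}, expected {user!r}"
        elif required_group not in groups:
            problems[host] = f"{required_group!r} not resolved; got {sorted(groups)}"
        else:
            resolved[host] = groups
    if resolved:
        # Nodes that resolve the group but disagree with the most common answer.
        majority, _ = Counter(resolved.values()).most_common(1)[0]
        for host, groups in resolved.items():
            if groups != majority:
                problems[host] = f"differs from majority: {sorted(groups)}"
    return problems


# Constructed sample: one line per node, collected by whatever means you use.
SAMPLE = {
    "master1": "user1: user1 group1",
    "region1": "user1: user1 group1",
    "region2": "user1: user1",                 # group1 missing on this node
    "region3": "",                             # nothing captured
    "region4": "user1: user1 group1 hadoop",   # extra group on this node
}

if __name__ == "__main__":
    for host, why in sorted(check_group_resolution(SAMPLE, "user1", "group1").items()):
        print(f"{host}: {why}")
```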
