Assuming your users are in LDAP, what you need to do is:
Make sure Ranger UserSync and the NameNode LDAP group mapping provider point to the same LDAP.

Please see the following for some help.
http://hortonworks.com/blog/hadoop-groupmapping-ldap-integration/

Thanks
Dilli

From: Loïc Chanel <[email protected]>
Reply-To: [email protected]
Date: Tuesday, June 9, 2015 8:29 AM
To: [email protected]
Subject: Re: Issues with UserSync

Hi Dilli,

First of all, thanks for answering so fast.
Actually, I would like to have some synchronization between RangerAdmin UI and NameNode users, in order to manage users and authorizations directly from RangerAdmin UI.
Is it possible somehow via Ranger UserSync?

Thanks,
Loïc

Loïc CHANEL
Engineering student at TELECOM Nancy
Trainee at Worldline - Villeurbanne

2015-06-09 17:18 GMT+02:00 Dilli Arumugam <[email protected]>:

Please note that the user/group mapping that you see in RangerAdmin UI is only used at policy definition time.
At policy enforcement time, user group membership is computed by the NameNode based on the group mapping provider defined in the NameNode.
You can check what the NameNode sees as the groups that a user belongs to by issuing the command

    hdfs groups sam

Sam is a sample username here. You would use your username in its place.

Thanks
Dilli

From: Loïc Chanel <[email protected]>
Reply-To: [email protected]
Date: Tuesday, June 9, 2015 7:39 AM
To: [email protected]
Subject: Issues with UserSync

Hi All,

As I am using Ranger with Unix authentication to manage the security of HDFS on my cluster, I could not help but notice that even if I add users to groups in the Ranger console, Ranger cannot find to which groups they belong, and therefore does not authorize them to perform actions they should be able to do.

As I thought this issue came from UserSync, I noticed that in its logs the following exception is printed every minute:

    ERROR PasswordValidator [Thread-22] - Response [FAILED: unable to validate due to error javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake] for user: null
    javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
        at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.readDataRecord(Unknown Source)
        at sun.security.ssl.AppInputStream.read(Unknown Source)
        at sun.nio.cs.StreamDecoder.readBytes(Unknown Source)
        at sun.nio.cs.StreamDecoder.implRead(Unknown Source)
        at sun.nio.cs.StreamDecoder.read(Unknown Source)
        at java.io.InputStreamReader.read(Unknown Source)
        at java.io.BufferedReader.fill(Unknown Source)
        at java.io.BufferedReader.readLine(Unknown Source)
        at java.io.BufferedReader.readLine(Unknown Source)
        at com.xasecure.authentication.PasswordValidator.run(PasswordValidator.java:58)
        at java.lang.Thread.run(Unknown Source)
    Caused by: java.io.EOFException: SSL peer shut down incorrectly
        at sun.security.ssl.InputRecord.read(Unknown Source)
        ... 13 more

As this is usually the sign of a missing certificate, I ensured the certificate corresponding to Unix authentication (<host>:5151) is in the Java truststore and restarted the NameNode and Ranger, but nothing changed.
When looking a little bit more into the RangerAdmin and RangerUserSync logs, it seems that RangerAdmin is the source of the problem, closing the connection before the handshake is fully established, but I have no idea about how to correct it.

Did someone encounter this error too? Did I miss something?

Thanks in advance for your help,
Loïc

Loïc CHANEL
Engineering student at TELECOM Nancy
Trainee at Worldline - Villeurbanne
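
An added illustration of the NameNode side of Dilli's advice, not taken from the thread or from the Hadoop or Ranger projects: a `core-site.xml` fragment that switches the group mapping provider to `LdapGroupsMapping`. The host, DNs, password file path and search filters are constructed placeholders that assume an OpenLDAP-style schema; Ranger UserSync would have to be configured against the same URL and search base.

```xml
<!-- core-site.xml on the NameNode. Added example; every value below is a constructed placeholder. -->
<configuration>
  <!-- Resolve group membership from LDAP instead of from local OS accounts. -->
  <property>
    <name>hadoop.security.group.mapping</name>
    <value>org.apache.hadoop.security.LdapGroupsMapping</value>
  </property>
  <!-- Must be the same directory that Ranger UserSync reads from. -->
  <property>
    <name>hadoop.security.group.mapping.ldap.url</name>
    <value>ldaps://ldap.example.com:636</value>
  </property>
  <!-- Use TLS; the LDAP server's CA must be trusted by the NameNode JVM. -->
  <property>
    <name>hadoop.security.group.mapping.ldap.ssl</name>
    <value>true</value>
  </property>
  <!-- Read-only service account; the password lives in a file readable only by the hdfs user. -->
  <property>
    <name>hadoop.security.group.mapping.ldap.bind.user</name>
    <value>cn=hadoop-ro,ou=services,dc=example,dc=com</value>
  </property>
  <property>
    <name>hadoop.security.group.mapping.ldap.bind.password.file</name>
    <value>/etc/hadoop/conf/ldap-bind.password</value>
  </property>
  <property>
    <name>hadoop.security.group.mapping.ldap.base</name>
    <value>dc=example,dc=com</value>
  </property>
  <!-- {0} is replaced by the user name being resolved. -->
  <property>
    <name>hadoop.security.group.mapping.ldap.search.filter.user</name>
    <value>(&amp;(objectClass=inetOrgPerson)(uid={0}))</value>
  </property>
  <property>
    <name>hadoop.security.group.mapping.ldap.search.filter.group</name>
    <value>(objectClass=groupOfNames)</value>
  </property>
  <property>
    <name>hadoop.security.group.mapping.ldap.search.attr.member</name>
    <value>member</value>
  </property>
  <property>
    <name>hadoop.security.group.mapping.ldap.search.attr.group.name</name>
    <value>cn</value>
  </property>
</configuration>
```

After the NameNode has picked up the change (a restart, or `hdfs dfsadmin -refreshUserToGroupsMappings` to clear its cached memberships), `hdfs groups sam` should print the LDAP groups that policy enforcement will use.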
