looking into this further i got to this article .. http://hortonworks.com/blog/hadoop-groupmapping-ldap-integration/ which mentions that groups need to be managed at LDAP/AD side .. for assertion .. is this still a valid scenario with ranger in play?
Does this mean groups are to come exclusively from LDAP/AD for both the service users (hdfs,hive ..etc) and user defined groups? or is there a mechanism to fall back to linux level groups if they are not in LDAP/AD ? *Cheers !!* Arvind On Fri, Jul 31, 2015 at 1:32 PM, Loïc Chanel <[email protected]> wrote: > Hi, > > I experienced that issue too. Most of the time, this problem is related to > the identity assertion of the user on the NameNode. Actually, Ranger plugin > for HDFS is deployed on the NameNode, and therefore the user you try to > define policies for must be able to be fully recognized by HDFS on this > machine. > To be sure that its groups are recognized by HDFS, I highly recommend you > try to make a hdfs groups on the NameNode and see if the groups your are > trying to make policies with are recognized by Hadoop. > > Hope this helps, > Regards, > > > Loïc > > Loïc CHANEL > Engineering student at TELECOM Nancy > Trainee at Worldline - Villeurbanne > > 2015-07-31 9:43 GMT+02:00 Bradman, Dale <[email protected]>: > >> I too have experienced this issue with Ranger 0.4. Assigning policies to >> groups does not work!! Instead you have to assign policies to each >> individual user. Is there a fix for this? >> >> Thanks >> >> >> -------- Original message -------- >> From: Arvind S <[email protected]> >> Date: 31/07/2015 07:45 (GMT+00:00) >> To: [email protected] >> Subject: issue with Group permissions in Ranger >> >> hi . >>> I have configured Ranger (4.0) on my 4 node node HDP 2.2.6 cluster. >>> User sync and validation is through windows AD (2008). >>> >>> ----WHAT WORKS----- >>> Designated users and corresponding groups are successfully sync'd into >>> ranger admin. I am able to login with my AD id/pass into ranger as user.. i >>> also see appropriate groups associated to each user. >>> >>> ---- ISSUES ------ >>> When i assign HDFS policy to groups the same is not effective and gives >>> me access denied on the resource. But if same policy is assigned to the >>> users directly then i am able to access the resource. Does any one have >>> hints to help on this? >>> >>> in addition to this .. while AD imported users are marked as "external" >>> ..the groups are getting marked as "internal" . ... >>> >>> Ranger admin/ portal access logs are not helping much .. >>> >>> *Thanks in Advance !!* >>> Arvind >>> >> >> >> ------------------------------ >> >> Capgemini is a trading name used by the Capgemini Group of companies >> which includes Capgemini UK plc, a company registered in England and Wales >> (number 943935) whose registered office is at No. 1, Forge End, Woking, >> Surrey, GU21 6DB. >> This message contains information that may be privileged or confidential >> and is the property of the Capgemini Group. It is intended only for the >> person to whom it is addressed. If you are not the intended recipient, you >> are not authorized to read, print, retain, copy, disseminate, distribute, >> or use this message or any part thereof. If you receive this message in >> error, please notify the sender immediately and delete all copies of this >> message. >> > >
