Hi Bosco!

Actually the problem came from my configuration.
In the LDAP of my company, as case is not important in there, my groups have been declared using mixed lowercase and uppercase. But when they are in the attribute memberOf of my users, it is only lowercase. Therefore, in Ranger UserSync I pull the groups using lowercase only, but on my nodes, the default configuration makes me use the other ones, with mixed lower and uppercase.
Therefore I had to change the configuration of SSSD there.

So yeah, basically the problem only came from the SSSD configuration on the RegionServer. To solve it I just added the following property to sssd.conf:

case_sensitive = False

So now, all my groups are on the same page: lowercase :-)

Still, if you're trying to reproduce my issue, you may want to restart the HBase service after restarting SSSD in order for your changes to the case conversion to be taken into account.

Hope this helps!
Regards,

Loïc

Loïc CHANEL
Engineering student at TELECOM Nancy
Trainee at Worldline - Villeurbanne

2015-08-26 17:47 GMT+02:00 Don Bosco Durai <[email protected]>:

> Loïc, sorry I am trying to understand the issue here.
>
> >In my case, on HBaseMaster and in Ranger database, the group I made
> policies for was called "sysadmin" when on the nodes containing the
> RegionServers it was called "SysAdmin".
>
> Is this a SSSD issue? Is the SSSD configuration on the RegionServer not
> configured properly?
>
> I just set up SSSD with Active Directory, but I didn’t use lower case. I
> can try making it lower case, but I am not sure whether it will help me
> understand your issue.
>
> Can I assume that this issue is happening only for Region Servers?
>
> Thanks
>
> Bosco
>
>
>
> From: Loïc Chanel <[email protected]>
> Reply-To: "[email protected]" <
> [email protected]>
> Date: Wednesday, August 26, 2015 at 1:09 AM
> To: "[email protected]" <[email protected]>
>
> Subject: Re: HBase group authroizations
>
> Actually my groups are synchronized on every node of the cluster from a
> LDAP via SSSD, and are converted into lower case. But sometimes lower case
> doesn't work as it needs a special configuration, and there are slight
> differences between the group names I make security policies for and the
> groups that are synchronized.
>
> In my case, on HBaseMaster and in Ranger database, the group I made
> policies for was called "sysadmin" when on the nodes containing the
> RegionServers it was called "SysAdmin".
>
> Loïc CHANEL
> Engineering student at TELECOM Nancy
> Trainee at Worldline - Villeurbanne
>
> 2015-08-26 2:58 GMT+02:00 Balaji Ganesan <[email protected]>:
>
>> <<Actually my problem went from the fact that the user identity is
>> asserted on the region server you are working on, and groups are not
>> defined very precisely there.>>
>>
>> What do you mean by groups are not defined precisely? Can you please
>> elaborate?
>>
>>
>> On Mon, Aug 24, 2015 at 8:46 AM, Loïc Chanel <
>> [email protected]> wrote:
>>
>>> Actually my problem went from the fact that the user identity is
>>> asserted on the region server you are working on, and groups are not
>>> defined very precisely there.
>>> I was able to identify it with the debug level enabled on xasecure, so
>>> thanks a lot (no pun intended)!
>>>
>>> Regards,
>>>
>>>
>>> Loïc
>>>
>>>
>>> Loïc CHANEL
>>> Engineering student at TELECOM Nancy
>>> Trainee at Worldline - Villeurbanne
>>>
>>> 2015-08-24 17:24 GMT+02:00 Alok Lal <[email protected]>:
>>>
>>>> Log4j.properties file should be under hbase config directory. It is
>>>> usually /etc/hbase/conf. In it start by adding the following line:
>>>>
>>>> log4j.logger.com.xasecure=DEBUG
>>>>
>>>> From: Loïc Chanel
>>>> Reply-To: "[email protected]"
>>>> Date: Monday, August 24, 2015 at 7:54 AM
>>>> To: "[email protected]"
>>>> Subject: Re: HBase group authroizations
>>>>
>>>> Sorry, I just noticed that I wrote `hdfs groups` instead of `whoami`.
>>>> Regards,
>>>>
>>>> Loïc
>>>>
>>>>
>>>> Loïc CHANEL
>>>> Engineering student at TELECOM Nancy
>>>> Trainee at Worldline - Villeurbanne
>>>>
>>>> 2015-08-24 15:26 GMT+02:00 Loïc Chanel <[email protected]>:
>>>>
>>>>> Hi all,
>>>>>
>>>>> I'm having some trouble trying to authorize some users from HBase to
>>>>> access a table using a group they belong to.
>>>>> Even if the policy is correctly set, and uses a group that `hdfs
>>>>> groups` returns me, I can't access the database as the user can't.
>>>>>
>>>>> I can't see any logs indicating that the Ranger plugin tries to assert
>>>>> the user's identity and its groups, but my debug level may not be high
>>>>> enough (as I didn't find the corresponding property).
>>>>>
>>>>> Can someone help me to increase my log level to debug for XaSecure
>>>>> HBase plugin, or give me some things I can try to look at to figure out
>>>>> why
>>>>> groups cannot be used in my configuration?
>>>>>
>>>>> Thanks in advance for your help!
>>>>> Regards,
>>>>>
>>>>>
>>>>> Loïc
>>>>> Loïc CHANEL
>>>>> Engineering student at TELECOM Nancy
>>>>> Trainee at Worldline - Villeurbanne
>>>>>
>>>>
>>>>
>>>
>>
>
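
Added example, not part of the original thread and not code from Ranger, HBase or SSSD: a check that compares the group names used in authorization policies with the names a node actually resolves for a user, and reports groups that differ only by case (the "sysadmin" / "SysAdmin" situation described above). The function names, the sample group "hbase-readers" and the sample data are assumptions made for illustration.

```python
"""Report policy groups that a node spells with different letter case."""
import grp
import os
import pwd


def node_groups(user):
    """Group names the local NSS stack (for example SSSD) resolves for `user`."""
    pw = pwd.getpwnam(user)
    names = set()
    for gid in os.getgrouplist(user, pw.pw_gid):
        try:
            names.add(grp.getgrgid(gid).gr_name)
        except KeyError:
            pass  # gid without a resolvable name; nothing to compare
    return names


def case_mismatches(policy_groups, resolved_groups):
    """Return {policy_group: [node spellings]} for case-only differences.

    In the thread, a policy written for "sysadmin" did not apply on nodes
    that reported the group as "SysAdmin"; this finds such pairs.
    """
    by_folded = {}
    for name in resolved_groups:
        by_folded.setdefault(name.casefold(), set()).add(name)
    report = {}
    for wanted in policy_groups:
        spellings = by_folded.get(wanted.casefold(), set())
        if spellings and wanted not in spellings:
            report[wanted] = sorted(spellings)
    return report


def unmatched(policy_groups, resolved_groups):
    """Policy groups the node does not report under any spelling."""
    folded = {name.casefold() for name in resolved_groups}
    return sorted(g for g in policy_groups if g.casefold() not in folded)


# Constructed sample data: policy side in lowercase, node side in mixed case.
POLICY_GROUPS = ["sysadmin", "hbase-readers"]
REGIONSERVER_GROUPS = {"SysAdmin", "users"}

if __name__ == "__main__":
    print("case-only mismatches:", case_mismatches(POLICY_GROUPS, REGIONSERVER_GROUPS))
    print("not present on node:", unmatched(POLICY_GROUPS, REGIONSERVER_GROUPS))
```

On a real node, pass `node_groups("<user>")` as the second argument on each RegionServer, both before and after changing `case_sensitive` in sssd.conf and restarting SSSD.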
