>So now, all my groups are on the same page : lowercase :-) Can I assume your issue is now resolved? :-)
Thanks on the tip for lower case in SSSD. I will try it out. Bosco From: Loïc Chanel <[email protected]> Reply-To: "[email protected]" <[email protected]> Date: Wednesday, August 26, 2015 at 8:57 AM To: "[email protected]" <[email protected]> Subject: Re: HBase group authroizations > Hi Bosco ! > > Actually the problem came from my configuration. In the LDAP of my company, as > case is not important in there my groups have been declared using mixed > lowercase and uppercase. But when they are in the attribute memberOf of my > users, it is only lowercase. Therefore, in Ranger UserSync I pull the groups > using lowercase only, but on my nodes, default configurations makes me use the > other ones, with mixed lower and uppercase. > > Therefore I had to change the configuration of SSSD there. > So yeah, basically the problem only came from SSSD configuration on > RegionServer. > To solve it I just added the following property to sssd.conf : case_sensitive > = False > > So now, all my groups are on the same page : lowercase :-) > Still, if you're trying to reproduce my issue, you may want to restart HBase > service after restarting SSSD in order your changes on the case conversion to > be taken in account. > > Hope this helps ! > Regards, > > > Loïc > > Loïc CHANEL > Engineering student at TELECOM Nancy > Trainee at Worldline - Villeurbanne > > 2015-08-26 17:47 GMT+02:00 Don Bosco Durai <[email protected]>: >> Loïc, sorry I am trying to understand the issue here. >> >>> >n my case, on HBaseMaster and in Ranger database, the group I made policies >>> for was called "sysadmin" when on the nodes containing the RegionServers it >>> was called "SysAdmin². >> >> Is this a SSSD issue? Is the SSSD configuration on the RegionServer not >> configured properly? >> >> I just setup SSSD with Active Directory, but I didn¹t use lower case. I can >> try making it lower case, but I am not sure whether it will help me >> understand your issue. >> >> Can I assume, that this issue is happening only for Region Servers? >> >> Thanks >> >> Bosco >> >> >> >> From: Loïc Chanel <[email protected]> >> Reply-To: "[email protected]" >> <[email protected]> >> Date: Wednesday, August 26, 2015 at 1:09 AM >> To: "[email protected]" <[email protected]> >> >> Subject: Re: HBase group authroizations >> >>> Actually my groups are synchronized on every node of the cluster from a LDAP >>> via SSSD, and are converted into lower case. But sometimes lower case >>> doesn't work as it needs a special configurations, and there are slight >>> differences between the group names I make security policies for and the >>> groups that are synchronized. >>> >>> In my case, on HBaseMaster and in Ranger database, the group I made policies >>> for was called "sysadmin" when on the nodes containing the RegionServers it >>> was called "SysAdmin". >>> >>> Loïc CHANEL >>> Engineering student at TELECOM Nancy >>> Trainee at Worldline - Villeurbanne >>> >>> 2015-08-26 2:58 GMT+02:00 Balaji Ganesan <[email protected]>: >>>> <<Actually my problem went from the fact that the user identity is asserted >>>> on the region server you are working on, and groups are not defined very >>>> precisely there.>> >>>> >>>> What do you mean by groups are not defined precisely? Can you please >>>> elaborate? >>>> >>>> >>>> On Mon, Aug 24, 2015 at 8:46 AM, Loïc Chanel <[email protected]> >>>> wrote: >>>>> Actually my problem went from the fact that the user identity is asserted >>>>> on the region server you are working on, and groups are not defined very >>>>> precisely there. >>>>> I was able to identify it with the debug level enabled on xasecure, so >>>>> thanks a lot (no pun intention) ! >>>>> >>>>> Regards, >>>>> >>>>> >>>>> Loïc >>>>> >>>>> >>>>> Loïc CHANEL >>>>> Engineering student at TELECOM Nancy >>>>> Trainee at Worldline - Villeurbanne >>>>> >>>>> 2015-08-24 17:24 GMT+02:00 Alok Lal <[email protected]>: >>>>>> Log4j.properties file should be under hbase config directory. It is >>>>>> usually /etc/hbase/conf. In it start by adding the following line: >>>>>> >>>>>> log4j.logger.com.xasecure=DEBUG >>>>>> >>>>>> >>>>>> From: Loïc Chanel >>>>>> Reply-To: "[email protected]" >>>>>> Date: Monday, August 24, 2015 at 7:54 AM >>>>>> To: "[email protected]" >>>>>> Subject: Re: HBase group authroizations >>>>>> >>>>>> Sorry, I just noticed that I wrote `hdfs groups` instead of `whoami`. >>>>>> Regards, >>>>>> >>>>>> Loïc >>>>>> >>>>>> >>>>>> Loïc CHANEL >>>>>> Engineering student at TELECOM Nancy >>>>>> Trainee at Worldline - Villeurbanne >>>>>> >>>>>> 2015-08-24 15:26 GMT+02:00 Loïc Chanel <[email protected]>: >>>>>>> Hi all, >>>>>>> >>>>>>> I'm having some troubles trying to authorize some users from HBase to >>>>>>> access to a table using a group they belong to. >>>>>>> Even if the policy is correctly set, and uses a group that `hdfs groups` >>>>>>> returns me, I can't access the database as the user can't. >>>>>>> >>>>>>> I can't see any logs indicating that the Ranger plugin tries to assert >>>>>>> the user's identity and its groups, but my debug level may not be high >>>>>>> enough (as I didn't found the corresponding property). >>>>>>> >>>>>>> Can someone help me to increase my log level to debug for XaSecure HBase >>>>>>> plugin, or give me some things I can try to look at to figure out why >>>>>>> groups cannot be used in my configuration ? >>>>>>> >>>>>>> Thanks in advance for your help ! >>>>>>> Regards, >>>>>>> >>>>>>> >>>>>>> Loïc >>>>>>> Loïc CHANEL >>>>>>> Engineering student at TELECOM Nancy >>>>>>> Trainee at Worldline - Villeurbanne >>>>>> >>>>> >>>> >>> >
