Posted to user@ranger.apache.org by Loïc Chanel <lo...@telecomnancy.net> on 2015/08/24 15:26:58 UTC

HBase group authorizations

Hi all,

I'm having some trouble trying to authorize some users from HBase to
access a table using a group they belong to.
Even if the policy is correctly set, and uses a group that `hdfs groups`
returns me, I can't access the database as the user can't.

I can't see any logs indicating that the Ranger plugin tries to assert the
user's identity and its groups, but my debug level may not be high enough
(as I didn't find the corresponding property).

Can someone help me to increase my log level to debug for XaSecure HBase
plugin, or give me some things I can try to look at to figure out why
groups cannot be used in my configuration?

Thanks in advance for your help !
Regards,


Loïc
Loïc CHANEL
Engineering student at TELECOM Nancy
Trainee at Worldline - Villeurbanne

Re: HBase group authorizations

Posted by Loïc Chanel <lo...@telecomnancy.net>.
> Can I assume your issue is now resolved? :-)
Yes it is ! :-)



Loïc CHANEL
Engineering student at TELECOM Nancy
Trainee at Worldline - Villeurbanne

Re: HBase group authorizations

Posted by Don Bosco Durai <bo...@apache.org>.
>So now, all my groups are on the same page : lowercase :-)
Can I assume your issue is now resolved? :-)

Thanks for the tip on lower case in SSSD. I will try it out.

Bosco



Re: HBase group authorizations

Posted by Loïc Chanel <lo...@telecomnancy.net>.
Hi Bosco !

Actually the problem came from my configuration. In the LDAP of my company,
as case is not important in there, my groups have been declared using mixed
lowercase and uppercase. But when they are in the attribute memberOf of my
users, it is only lowercase. Therefore, in Ranger UserSync I pull the
groups using lowercase only, but on my nodes, the default configuration makes
me use the other ones, with mixed lower and uppercase.

Therefore I had to change the configuration of SSSD there.
So yeah, basically the problem only came from the SSSD configuration on
the RegionServer.
To solve it I just added the following property to sssd.conf:
case_sensitive = False

So now, all my groups are on the same page: lowercase :-)
Still, if you're trying to reproduce my issue, you may want to restart
the HBase service after restarting SSSD in order for your changes to the case
conversion to be taken into account.

Hope this helps !
Regards,


Loïc

Loïc CHANEL
Engineering student at TELECOM Nancy
Trainee at Worldline - Villeurbanne
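
Added example (not part of the original thread, and not Ranger or SSSD code): a small Python check for the mismatch described in this message, where a policy names a group "sysadmin" while a node resolves it as "SysAdmin". The node names, the "hbase-users" group and the sample group lists are constructed for illustration; `local_groups` is a helper that reads what the local NSS stack (SSSD here) returns on the node where it runs.

```python
"""Find group names that differ only by case between policies and cluster nodes."""
import grp
import os
import pwd


def local_groups(user):
    """Group names the local NSS stack (e.g. SSSD) resolves for `user` on this node."""
    entry = pwd.getpwnam(user)
    names = []
    for gid in os.getgrouplist(user, entry.pw_gid):
        try:
            names.append(grp.getgrgid(gid).gr_name)
        except KeyError:
            # A gid with no resolvable name cannot match any policy group.
            continue
    return sorted(names)


def compare_groups(policy_groups, node_groups):
    """Classify each policy group against the groups one node resolved.

    exact     : same spelling on the node
    case_only : present on the node, but only under a different case
    missing   : not present on the node under any case
    """
    by_folded = {}
    for name in node_groups:
        by_folded.setdefault(name.casefold(), []).append(name)

    node_set = set(node_groups)
    result = {"exact": [], "case_only": [], "missing": []}
    for group in policy_groups:
        if group in node_set:
            result["exact"].append(group)
        elif group.casefold() in by_folded:
            result["case_only"].append((group, by_folded[group.casefold()]))
        else:
            result["missing"].append(group)
    return result


def audit_cluster(policy_groups, groups_by_node):
    """Return {node: [(policy_name, [node_spellings]), ...]} for case-only mismatches."""
    findings = {}
    for node, groups in groups_by_node.items():
        case_only = compare_groups(policy_groups, groups)["case_only"]
        if case_only:
            findings[node] = case_only
    return findings


# Constructed sample data modelled on the thread: the policy uses the lowercase
# name pulled by UserSync, one node still resolves the mixed-case name.
POLICY_GROUPS = ["sysadmin", "hbase-users"]
GROUPS_BY_NODE = {
    "hbasemaster": ["sysadmin", "hbase-users", "users"],
    "regionserver1": ["SysAdmin", "hbase-users", "users"],
}

if __name__ == "__main__":
    for node, items in audit_cluster(POLICY_GROUPS, GROUPS_BY_NODE).items():
        for policy_name, node_names in items:
            print(f"{node}: policy group {policy_name!r} resolves as {node_names}")
```

On a real node, replace a node's sample list with the output of `local_groups("<user>")` collected on that host.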


Re: HBase group authorizations

Posted by Don Bosco Durai <bo...@apache.org>.
Loïc, sorry I am trying to understand the issue here.

> In my case, on HBaseMaster and in Ranger database, the group I made policies for
> was called "sysadmin" when on the nodes containing the RegionServers it was
> called "SysAdmin".

Is this an SSSD issue? Is the SSSD configuration on the RegionServer not
configured properly?

I just set up SSSD with Active Directory, but I didn't use lower case. I can
try making it lower case, but I am not sure whether it will help me
understand your issue.

Can I assume, that this issue is happening only for Region Servers?

Thanks

Bosco




Re: HBase group authorizations

Posted by Loïc Chanel <lo...@telecomnancy.net>.
Actually my groups are synchronized on every node of the cluster from an
LDAP via SSSD, and are converted into lower case. But sometimes lower case
doesn't work as it needs a special configuration, and there are slight
differences between the group names I make security policies for and the
groups that are synchronized.

In my case, on HBaseMaster and in Ranger database, the group I made
policies for was called "sysadmin" when on the nodes containing the
RegionServers it was called "SysAdmin".

Loïc CHANEL
Engineering student at TELECOM Nancy
Trainee at Worldline - Villeurbanne


Re: HBase group authorizations

Posted by Balaji Ganesan <ba...@gmail.com>.
<<Actually my problem went from the fact that the user identity is asserted
on the region server you are working on, and groups are not defined very
precisely there.>>

What do you mean by groups are not defined precisely? Can you please
elaborate?


Re: HBase group authorizations

Posted by Loïc Chanel <lo...@telecomnancy.net>.
Actually my problem came from the fact that the user identity is asserted
on the region server you are working on, and groups are not defined very
precisely there.
I was able to identify it with the debug level enabled on xasecure, so
thanks a lot (no pun intended)!

Regards,


Loïc


Loïc CHANEL
Engineering student at TELECOM Nancy
Trainee at Worldline - Villeurbanne


Re: HBase group authorizations

Posted by Alok Lal <al...@hortonworks.com>.
Log4j.properties file should be under hbase config directory.  It is usually /etc/hbase/conf.  In it start by adding the following line:


log4j.logger.com.xasecure=DEBUG


Re: HBase group authorizations

Posted by Loïc Chanel <lo...@telecomnancy.net>.
Sorry, I just noticed that I wrote `hdfs groups` instead of `whoami`.
Regards,

Loïc


Loïc CHANEL
Engineering student at TELECOM Nancy
Trainee at Worldline - Villeurbanne
