ranger-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Susi Dev (Jira)" <j...@apache.org>
Subject [jira] [Commented] (RANGER-2621) Ranger Policy Update fails on Kerberized Cluster
Date Mon, 21 Oct 2019 15:50:00 GMT

    [ https://issues.apache.org/jira/browse/RANGER-2621?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16956207#comment-16956207

Susi Dev commented on RANGER-2621:


Thank you for giving some insights..

1) Yes, we tried different combinations... We created local users with the principal name
given here, changed it to hive principal as well. Yet, it won't go through. The crucial information
here is that ... *Ranger* is installed on a *standalone EC2* whereas *Kerberos* server is
present in *EMR Master Node*. If Ranger server is also installed on EMR Master Node, then
the policy download works just fine. Only if we place the *Ranger Server* on a *different
host* than the *Kerberos* server, we are running into this issue.  So I assume that it is
trying to authenticate with some user account but not sure which one it is using and how to
configure that.. Perhaps, that is the only missing piece in getting this work. Please throw
some light if there are any pre-reqs here. 

2) Yes, We are running latest Ranger version that was built recently from the git master branch.
I hope it has all the latest break-fixes. 
h2. {color:#4c9aff}Your timely help is very much appreciated. Thanks again. {color}


CC  [~rmani] / [~mehul] / [~abhayk]

> Ranger Policy Update fails on Kerberized Cluster
> ------------------------------------------------
>                 Key: RANGER-2621
>                 URL: https://issues.apache.org/jira/browse/RANGER-2621
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>    Affects Versions: 2.0.0
>            Reporter: Susi Dev
>            Priority: Major
> {color:#4c9aff}Can someone help configuring RANGER for KERBERIZED cluster ??{color}
> We have Ranger 2.0 installed on separate EC2 node, while trying to integrate with EMR
> When the EMR cluster is not kerberized, the policy sync works just fine.. 
> When EMR is kerberized, policy download does not work anymore...
> We see below error:
> +*Access Log:*+ 
> - - [14/Oct/2019:20:07:09 +0000] "GET /service/plugins/secure/policies/download/hadoopdev?supportsPolicyDeltas=false
HTTP/1.1" 401 52 "-" "curl/7.61.1"
> +*Hive Server 2 log:*+
> 2019-10-14T20:03:34,353 WARN [Thread-8([])]: client.RangerAdminRESTClient (RangerAdminRESTClient.java:getServicePoliciesIfUpdated(186))
- Error getting policies. secureMode=true, user=hive/ip@DOMAIN.NET (auth:KERBEROS), response=\{"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication
Failed"}, serviceName=hivedev
> +*Plugin Error(Test Connection):*+
> org.apache.ranger.plugin.client.HadoopException: Unable to execute SQL [show databases
like "*"]..
> Unable to execute SQL [show databases like "*"]..
> Error running query: java.lang.NoSuchFieldError: REPLLOAD.
> {color:#FF0000}Plugin Config:{color}
> Service Name : hivedev
> Active Status:  Enabled
> {color:#FF0000}Config Properties :{color}
> Username : Rangeradmin/_hostname@DOMAIN.NET 
> Password : ********  
> jdbc.driverClassName: org.apache.hive.jdbc.HiveDriver 
> jdbc.url: jdbc:hive2://hostname:10000/;principal=hive/hostname@DOMAIN.NET 
> Common Name for Certificate: 
> Add New Configurations 
> ||Name||Value||
> |policy.download.auth.users | rangeradmin/hostname@DOMAIN.NET | |
> {color:#FF0000}*Ranger 2.0 looks great but with not enough documentation around the installation
and configuration, we are all handicapped when it comes to using. Appreciate if some of you
add good documentation, it helps us appreciate the amount of work done by you ... Right now,
we are only shooting in the DARK.*{color} 

This message was sent by Atlassian Jira

View raw message