ranger-dev mailing list archives

From "Susi Dev (Jira)" <j...@apache.org>
Subject [jira] [Commented] (RANGER-2621) Ranger Policy Update fails on Kerberized Cluster
Date Tue, 22 Oct 2019 14:57:00 GMT

    [ https://issues.apache.org/jira/browse/RANGER-2621?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16957145#comment-16957145 ]

Susi Dev commented on RANGER-2621:
----------------------------------

[~vel] :

There is some additional setting that Ranger is expecting/missing. Let me break it down, so
we know what is configured as per doc and what is missing...

By following the documentation, we have the configuration below:

*Ranger Admin (Attached full file):*

authentication_method=UNIX
remoteLoginEnabled=true
authServiceHostName=localhost
authServicePort=5151

#------------ Kerberos Config -----------------
spnego_principal=HTTP/ip-10-6-62-150@EXAMPLE.NET
spnego_keytab=/usr/local/ranger-admin/keytabs/spnego.service.keytab
token_valid=30
cookie_domain=ip-10-6-62-150
cookie_path=/
admin_principal=rangeradmin/ip-10-6-62-150@EXAMPLE.NET
admin_keytab=/usr/local/ranger-admin/keytabs/rangeradmin.keytab
lookup_principal=rangerlookup/ip-10-6-62-150@EXAMPLE.NET
lookup_keytab=/usr/local/ranger-admin/keytabs/rangerlookup.keytab
hadoop_conf=/etc/hadoop/conf

 

*## Note:*
 * Is the hadoop_conf parameter referring to localhost? There is no Hadoop installed on the Ranger Admin server; it's a vanilla RHEL node.
 * All the principals exist in the KDC server on the EMR master node, which is reachable; krb5.conf is updated properly on the Ranger server host, and we are able to authenticate via keytabs.

 

*Hive-Plugin (In Ranger UI):*

Plugin Config:

Service Name : hivedev
Active Status:  Enabled

Config Properties :
Username : rangeradmin/_hostname@EXAMPLE.NET
Password : ********
jdbc.driverClassName: org.apache.hive.jdbc.HiveDriver
jdbc.url: jdbc:hive2://hostname:10000/;principal=hive/hostname@DOMAIN.NET
Common Name for Certificate:

Add New Configurations: (Tried all three values individually by replacing the value every time)

 
||Name||Value||
|policy.download.auth.users | rangeradmin/hostname@DOMAIN.NET | |

 
||Name||Value||
|policy.download.auth.users | hive/hostname@DOMAIN.NET | |

  
||Name||Value||
|policy.download.auth.users | hive| |

 

*From EMR Master Node:*

Enable Hive-plugin(install.properties):

POLICY_MGR_URL=http://ip-10-6-62-186:6080

REPOSITORY_NAME=hivedev

 

[^Ranger-admin.txt][^hive-plugin.txt]

 

When we enable the Hive plugin, it tries to perform the REST call to get the policies and
update the cache file, but there is no configuration mentioned about which user the enable
plugin script uses to authenticate against Ranger.

 

This is the error we get.. 

 

+*Hive Server 2 log:*+

2019-10-14T20:03:34,353 WARN [Thread-8([])]: client.RangerAdminRESTClient (RangerAdminRESTClient.java:getServicePoliciesIfUpdated(186)) - Error getting policies. secureMode=true, user=hive/ip@DOMAIN.NET (auth:KERBEROS), response={"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}, serviceName=hivedev

 

Our question is how to make sure the REST call goes through without authentication, or how to
configure that?

 

If I run the curl statement with the admin:Admin@123 credential, the policy gets downloaded. Not
sure how to make the enable hive plugin script use these credentials to download policies?

 

Ironically, this issue goes away when the Ranger and Kerberos servers are on the same host.

 

 

> Ranger Policy Update fails on Kerberized Cluster
> ------------------------------------------------
>
>                 Key: RANGER-2621
>                 URL: https://issues.apache.org/jira/browse/RANGER-2621
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>    Affects Versions: 2.0.0
>            Reporter: Susi Dev
>            Priority: Major
>
> Can someone help configuring RANGER for KERBERIZED cluster ??
> We have Ranger 2.0 installed on separate EC2 node, while trying to integrate with EMR cluster.
> When the EMR cluster is not kerberized, the policy sync works just fine.. 
> When EMR is kerberized, policy download does not work anymore...
>  
> We see below error:
> +*Access Log:*+ 
> 10.23.123.150 - - [14/Oct/2019:20:07:09 +0000] "GET /service/plugins/secure/policies/download/hadoopdev?supportsPolicyDeltas=false HTTP/1.1" 401 52 "-" "curl/7.61.1"
>  
> +*Hive Server 2 log:*+
> 2019-10-14T20:03:34,353 WARN [Thread-8([])]: client.RangerAdminRESTClient (RangerAdminRESTClient.java:getServicePoliciesIfUpdated(186)) - Error getting policies. secureMode=true, user=hive/ip@DOMAIN.NET (auth:KERBEROS), response={"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}, serviceName=hivedev
>  
> +*Plugin Error(Test Connection):*+
> org.apache.ranger.plugin.client.HadoopException: Unable to execute SQL [show databases like "*"]..
> Unable to execute SQL [show databases like "*"]..
> Error running query: java.lang.NoSuchFieldError: REPLLOAD.
> REPLLOAD.
>  
>  
> Plugin Config:
> Service Name : hivedev
> Active Status:  Enabled
>  
> Config Properties :
> Username : Rangeradmin/_hostname@DOMAIN.NET 
> Password : ********  
> jdbc.driverClassName: org.apache.hive.jdbc.HiveDriver 
> jdbc.url: jdbc:hive2://hostname:10000/;principal=hive/hostname@DOMAIN.NET 
> Common Name for Certificate: 
> Add New Configurations 
> ||Name||Value||
> |policy.download.auth.users | rangeradmin/hostname@DOMAIN.NET | |
>  
>  
> *Ranger 2.0 looks great but with not enough documentation around the installation and configuration, we are all handicapped when it comes to using. Appreciate if some of you add good documentation, it helps us appreciate the amount of work done by you ... Right now, we are only shooting in the DARK.*
>  
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
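
Added example, not part of the original message and not Ranger's own code: a parser for the two log lines quoted above (the HiveServer2 RangerAdminRESTClient warning and the Ranger Admin access-log entry) that groups rejected policy downloads by service, so a plugin that has stopped receiving policy updates can be spotted from either side. The sample lines are the message's own with the archive's line wraps rejoined; the function names are hypothetical.

```python
import re

# Sample lines from the message above; archive line wraps rejoined, Jira markup removed.
HS2_LOG = ('2019-10-14T20:03:34,353 WARN [Thread-8([])]: client.RangerAdminRESTClient '
           '(RangerAdminRESTClient.java:getServicePoliciesIfUpdated(186)) - Error getting '
           'policies. secureMode=true, user=hive/ip@DOMAIN.NET (auth:KERBEROS), '
           'response={"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication '
           'Failed"}, serviceName=hivedev')
ACCESS_LOG = ('10.23.123.150 - - [14/Oct/2019:20:07:09 +0000] "GET /service/plugins/secure/'
              'policies/download/hadoopdev?supportsPolicyDeltas=false HTTP/1.1" 401 52 "-" '
              '"curl/7.61.1"')

PLUGIN_RE = re.compile(
    r'^(?P<ts>\S+) WARN .*Error getting policies\. secureMode=(?P<secure>\w+), '
    r'user=(?P<user>\S+) \(auth:(?P<auth>\w+)\), '
    r'response=\{.*?"httpStatusCode":(?P<status>\d+).*?\}, serviceName=(?P<service>\S+)$')
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ /service/plugins/secure/policies/download/(?P<service>[^?\s"]+)\S* [^"]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$')

def parse_plugin_failure(line):
    """Parse the plugin-side 'Error getting policies' warning; None if not one."""
    m = PLUGIN_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Realm of the principal the plugin authenticated as (text after the last '@').
    rec["realm"] = rec["user"].rpartition("@")[2] if "@" in rec["user"] else None
    return rec

def parse_download_request(line):
    """Parse a Ranger Admin access-log entry for the secure policy-download URL."""
    m = ACCESS_RE.match(line.strip())
    return dict(m.groupdict(), status=int(m["status"])) if m else None

def rejected_downloads(lines):
    """Map service name -> list of (source, record) for downloads answered 401/403."""
    found = {}
    for line in lines:
        for source, parse in (("plugin", parse_plugin_failure), ("admin", parse_download_request)):
            rec = parse(line)
            if rec and rec["status"] in (401, 403):
                found.setdefault(rec["service"], []).append((source, rec))
    return found

if __name__ == "__main__":
    for service, hits in sorted(rejected_downloads([HS2_LOG, ACCESS_LOG]).items()):
        print(service, [(src, rec["status"]) for src, rec in hits])
```
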
