ranger-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Md Mehrab Alam (Jira)" <j...@apache.org>
Subject [jira] [Comment Edited] (RANGER-3099) Ranger hdfs policies not syncing automatically
Date Tue, 29 Dec 2020 12:18:00 GMT

    [ https://issues.apache.org/jira/browse/RANGER-3099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17255956#comment-17255956
] 

Md Mehrab Alam edited comment on RANGER-3099 at 12/29/20, 12:17 PM:
--------------------------------------------------------------------

Don't use @REALMS in policy.download.auth.users  value

can you try this in config

*policy.download.auth.users = hdfs*

*tag.download.auth.users=hdfs*

 

Also in log  secureMode=false ideally it must be secureMode=true when core-site.xml  have hadoop.security.authentication
= kerberos property.


was (Author: iammehrabalam):
Don't use @REALMS in policy.download.auth.users  value

can you try this in config

*policy.download.auth.users = hdfs*

*tag.download.auth.users=hdfs*

> Ranger hdfs policies not syncing automatically
> ----------------------------------------------
>
>                 Key: RANGER-3099
>                 URL: https://issues.apache.org/jira/browse/RANGER-3099
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins, Ranger
>    Affects Versions: 2.1.0
>         Environment: AWS EMR, WIndows AD
>            Reporter: Anoop Kumar K M
>            Priority: Blocker
>
> Hi,
> We are trying to implement Ranger 2 .1.0 on top of AWS EMR 6.1.0.
> EMR 6.1.0 has  hadoop 3. The cluster is Kerberos enabled.
> I have installed ranger in a separate ec2 machine and able to install hdfs plugin in
EMR.
> But the problem is that for policies to be applied, both ranger server and hdfs namenode
should be restarted . After I restart both the policies becomes effective
> Ranger admin logs shows below error.
> ==========
> 2020-11-30 10:57:42,397 [http-bio-6080-exec-9] INFO org.apache.ranger.common.RESTErrorUtil
(RESTErrorUtil.java:345) - Request failed. loginId=null, logMessage=Unauthenticated access
not allowed javax.ws.rs.WebApplicationException at org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:337)
=========
>  
> Namenode logs show below error.
> ==========
>  
> 2020-12-02 13:32:53,863 ERROR org.apache.ranger.admin.client.RangerAdminRESTClient (Thread-29):
Error getting Roles; service not found. secureMode=false, user=hdfs/ip-10-98-84-189.eu-west-1.compute.internal@EU-WEST-1.COMPUTE.INTERNAL
(auth:KERBEROS), response=404, serviceName=hadoopdev, lastKnownRoleVersion=-1, lastActivationTimeInMillis=1606746562885
>  
> 2020-12-02 13:32:53,863 WARN org.apache.ranger.admin.client.RangerAdminRESTClient (Thread-29):
Received 404 error code with body:[null], Ignoring
>  2020-12-02 13:32:53,863 INFO org.apache.ranger.admin.client.RangerAdminRESTClient (Thread-29):
Skip Securetrue
>  2020-12-02 13:32:53,869 WARN org.apache.ranger.admin.client.RangerAdminRESTClient (Thread-29):
Error getting policies. secureMode=false, user=hdfs/ip-10-98-84-189.eu-west-1.compute.internal@EU-WEST-1.COMPUTE.INTERNAL
(auth:KERBEROS), response=\{"httpStatusCode":400,"statusCode":0}, serviceName=hadoopdev
> ==========
>  
> Under kerberos config in install.properties of ranger I have the below settings
>  
> --------------Kerberos Config -----------------
>  spnego_principal=HTTP/ip-10-98-84-189.eu-west-1.compute.internal@EU-WEST-1.COMPUTE.INTERNAL
>  spnego_keytab=/etc/security/keytabs/spnego.keytab
>  token_valid=30
>  cookie_domain=ip-10-98-84-189.eu-west-1.compute.internal
>  cookie_path=/
>  admin_principal=rangeradmin/ip-10-98-84-189.eu-west-1.compute.internal@EU-WEST-1.COMPUTE.INTERNAL
>  admin_keytab=/etc/security/keytabs/rangeradmin.keytab
>  lookup_principal=rangerlookup/ip-10-98-84-189.eu-west-1.compute.internal@EU-WEST-1.COMPUTE.INTERNAL
>  lookup_keytab=/etc/security/keytabs/rangerlookup.keytab
>  hadoop_conf=/etc/hadoop/conf
>  
> In the ranger console for the service config I have given below property
>  
> [policy.download.auth.users = hdfs@EU-WEST-1.COMPUTE.INTERNAL|mailto:policy.download.auth.users=hdfs@EU-WEST-1.COMPUTE.INTERNAL]
>  
> Not sure what I am missing. Any input in this will be a great help
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Mime
View raw message