[ https://issues.apache.org/jira/browse/RANGER-2621?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16957145#comment-16957145 ]
Susi Dev commented on RANGER-2621:
----------------------------------

[~vel]: There is some additional setting that Ranger is expecting/missing. Let me break it down, so we know what is configured as per the doc and what is missing...

By following the documentation we have the below configuration:

*Ranger Admin (Attached full file):*

authentication_method=UNIX
remoteLoginEnabled=true
authServiceHostName=localhost
authServicePort=5151
#------------ Kerberos Config -----------------
spnego_principal=HTTP/ip-10-6-62-...@example.net
spnego_keytab=/usr/local/ranger-admin/keytabs/spnego.service.keytab
token_valid=30
cookie_domain=ip-10-6-62-150
cookie_path=/
admin_principal=rangeradmin/ip-10-6-62-...@example.net
admin_keytab=/usr/local/ranger-admin/keytabs/rangeradmin.keytab
lookup_principal=rangerlookup/ip-10-6-62-...@example.net
lookup_keytab=/usr/local/ranger-admin/keytabs/rangerlookup.keytab
hadoop_conf=/etc/hadoop/conf

*## Note:*
* Is the hadoop_conf parameter referring to localhost? Because there is no Hadoop installed on the Ranger Admin Server, it's a vanilla RHEL node.
* All the principals exist in the KDC Server in the EMR Master Node, which is reachable; the krb5.conf is updated properly at the Ranger Server host and we are able to authenticate via keytabs.

*Hive-Plugin (In Ranger UI):*

Plugin Config:
Service Name : hivedev
Active Status: Enabled

Config Properties :
Username : rangeradmin/_hostn...@example.net
Password : ********
jdbc.driverClassName: org.apache.hive.jdbc.HiveDriver
jdbc.url: jdbc:hive2://hostname:10000/;principal=hive/hostn...@domain.net
Common Name for Certificate:

Add New Configurations: (Tried all three values individually by replacing the value every time)

||Name||Value||
|policy.download.auth.users | rangeradmin/hostn...@domain.net |

||Name||Value||
|policy.download.auth.users | hive/hostn...@domain.net |

||Name||Value||
|policy.download.auth.users | hive |

*From EMR Master Node:*

Enable Hive-plugin (install.properties):
POLICY_MGR_URL=http://ip-10-6-62-186:6080
REPOSITORY_NAME=hivedev

[^Ranger-admin.txt] [^hive-plugin.txt]

When we enable the Hive plugin, it tries to perform the REST call to get the policies and update the cache file, but there is no configuration mentioned about which user the enable-plugin script uses to authenticate against Ranger. This is the error we get:

+*Hive Server 2 log:*+
2019-10-14T20:03:34,353 WARN [Thread-8([])]: client.RangerAdminRESTClient (RangerAdminRESTClient.java:getServicePoliciesIfUpdated(186)) - Error getting policies. secureMode=true, user=hive/i...@domain.net (auth:KERBEROS), response={"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}, serviceName=hivedev

Our question is: how do we make sure the REST call goes through without authentication, or how do we configure that?

If I run the curl statement with the admin:Admin@123 credential, the policy gets downloaded. Not sure how to make enable hive plugin use these credentials to download policies?

Ironically, this issue goes away when the Ranger and Kerberos servers are on the same host.

> Ranger Policy Update fails on Kerberized Cluster
> ------------------------------------------------
>
> Key: RANGER-2621
> URL: https://issues.apache.org/jira/browse/RANGER-2621
> Project: Ranger
> Issue Type: Bug
> Components: plugins
> Affects Versions: 2.0.0
> Reporter: Susi Dev
> Priority: Major
>
> Can someone help configuring RANGER for a KERBERIZED cluster??
> We have Ranger 2.0 installed on a separate EC2 node, while trying to integrate with an EMR cluster.
> When the EMR cluster is not kerberized, the policy sync works just fine.
> When EMR is kerberized, policy download does not work anymore...
>
> We see the below error:
> +*Access Log:*+
> 10.23.123.150 - - [14/Oct/2019:20:07:09 +0000] "GET /service/plugins/secure/policies/download/hadoopdev?supportsPolicyDeltas=false HTTP/1.1" 401 52 "-" "curl/7.61.1"
>
> +*Hive Server 2 log:*+
> 2019-10-14T20:03:34,353 WARN [Thread-8([])]: client.RangerAdminRESTClient (RangerAdminRESTClient.java:getServicePoliciesIfUpdated(186)) - Error getting policies. secureMode=true, user=hive/i...@domain.net (auth:KERBEROS), response={"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}, serviceName=hivedev
>
> +*Plugin Error (Test Connection):*+
> org.apache.ranger.plugin.client.HadoopException: Unable to execute SQL [show databases like "*"]..
> Unable to execute SQL [show databases like "*"]..
> Error running query: java.lang.NoSuchFieldError: REPLLOAD.
> REPLLOAD.
>
> Plugin Config:
> Service Name : hivedev
> Active Status: Enabled
>
> Config Properties :
> Username : Rangeradmin/_hostn...@domain.net
> Password : ********
> jdbc.driverClassName: org.apache.hive.jdbc.HiveDriver
> jdbc.url: jdbc:hive2://hostname:10000/;principal=hive/hostn...@domain.net
> Common Name for Certificate:
> Add New Configurations
> ||Name||Value||
> |policy.download.auth.users | rangeradmin/hostn...@domain.net |
>
> *Ranger 2.0 looks great but with not enough documentation around the installation and configuration, we are all handicapped when it comes to using. Appreciate if some of you add good documentation, it helps us appreciate the amount of work done by you ... Right now, we are only shooting in the DARK.*

--
This message was sent by Atlassian Jira (v8.3.4#803005)