kangkaixin created RANGER-3237:
----------------------------------
Summary: The Hive plugin cannot synchronize policy information
after Kerberos is enabled
Key: RANGER-3237
URL: https://issues.apache.org/jira/browse/RANGER-3237
Project: Ranger
Issue Type: Bug
Components: admin, plugins
Affects Versions: 2.1.0
Environment: CDH6.3.1
CM 6.3.2
Ranger 2.1.0
Kerberos : FreeIPA
Reporter: kangkaixin
I have a question
when i enable kerberos , hive plugin can't sync info to hiveservice ,i see
log ,But there was no useful information, if no have kerberos ,The function
is normal ,so ,who can help me?
=============================================================
h1. question1:
in hive policy server config ,i click test connection show me Error
detail :
*Connection Failed.*
Unable to retrieve any files using given parameters, You can still save the
repository and start creating policies, but you would not be able to use
autocomplete for resource names. Check ranger_admin.log for more info.
org.apache.ranger.plugin.client.HadoopException: Unable to execute SQL [show
databases like "*"]..
Error while compiling statement: FAILED: HiveAccessControlException Permission
denied: user [hive] does not have [USE] privilege on [*].
Permission denied: user [hive] does not have [USE] privilege on [*].
h1. question2:
hive plugin can't sync info to hiveservice
show me Error 401 from hive log and rangeradmin log
h1. some info
h2. hostname : idc-bigdata-185-56.jdy.kd.internal
h2. principal: ranger.keytab
Keytab name: FILE:ranger.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
1 04/09/2021 13:51:55 HTTP/[email protected]
1 04/09/2021 13:51:55 HTTP/[email protected]
1 04/09/2021 13:51:55 HTTP/[email protected]
1 04/09/2021 13:51:55 HTTP/[email protected]
1 04/09/2021 13:51:55 HTTP/[email protected]
1 04/09/2021 13:51:55 HTTP/[email protected]
1 04/09/2021 13:52:12
rangeradmin/[email protected]
1 04/09/2021 13:52:12
rangeradmin/[email protected]
1 04/09/2021 13:52:12
rangeradmin/[email protected]
1 04/09/2021 13:52:12
rangeradmin/[email protected]
1 04/09/2021 13:52:12
rangeradmin/[email protected]
1 04/09/2021 13:52:12
rangeradmin/[email protected]
1 04/09/2021 13:52:23
rangerlookup/[email protected]
1 04/09/2021 13:52:23
rangerlookup/[email protected]
1 04/09/2021 13:52:23
rangerlookup/[email protected]
1 04/09/2021 13:52:23
rangerlookup/[email protected]
1 04/09/2021 13:52:23
rangerlookup/[email protected]
1 04/09/2021 13:52:23
rangerlookup/[email protected]
============================================================
h2. ranger admin install.properties
spnego_principal=HTTP/[email protected]
spnego_keytab=/data/service/ranger/ranger.keytab
token_valid=30
cookie_domain=idc-bigdata-185-56.jdy.kd.internal
cookie_path=/
admin_principal=rangeradmin/[email protected]
admin_keytab=/data/service/ranger/ranger.keytab
lookup_principal=rangerlookup/[email protected]
lookup_keytab=/data/service/ranger/ranger.keytab
hadoop_conf=/opt/cloudera/parcels/CDH/lib/hadoop/etc/hadoop
h2. ranger hive install.properties
POLICY_MGR_URL=[http://idc-bigdata-185-56.jdy.kd.internal:6080|http://idc-bigdata-185-56.jdy.kd.internal:6080/]
REPOSITORY_NAME=HIVE_CDH
COMPONENT_INSTALL_DIR_NAME=/opt/cloudera/parcels/CDH/lib/hive
h2. ranger admin UI hive policy service
*Service Name* : HIVE_CDH
*Username* : [email protected]
*jdbc.driverClassName* :org.apache.hive.jdbc.HiveDriver
*jdbc.url* :
jdbc:hive2://idc-bigdata-185-57.jdy.kd.internal:2181,idc-bigdata-185-58.jdy.kd.internal:2181,idc-bigdata-185-59.jdy.kd.internal:2181/;principal=hive/[email protected];serviceDiscoveryMode=zooKeeper;user=hive;zooKeeperNamespace=hiveserver2
h2. hive log info :
stdout.log
[esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting
Roles. secureMode=true,
user=hive/[email protected] (auth:KERBEROS),
response=
{"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
, serviceName=HIVE_CDH
[esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting
policies. secureMode=true,
user=hive/[email protected] (auth:KERBEROS),
response=
{"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
, serviceName=HIVE_CDH
[esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting
Roles. secureMode=true,
user=hive/[email protected] (auth:KERBEROS),
response=
{"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
, serviceName=HIVE_CDH
[esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting
policies. secureMode=true,
user=hive/[email protected] (auth:KERBEROS),
response=
{"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
, serviceName=HIVE_CDH
[esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting
Roles. secureMode=true,
user=hive/[email protected] (auth:KERBEROS),
response=
{"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
, serviceName=HIVE_CDH
[esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting
policies. secureMode=true,
user=hive/[email protected] (auth:KERBEROS),
response=
{"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
, serviceName=HIVE_CDH
[esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting
Roles. secureMode=true,
user=hive/[email protected] (auth:KERBEROS),
response=
{"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
, serviceName=HIVE_CDH
[esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting
policies. secureMode=true,
user=hive/[email protected] (auth:KERBEROS),
response=
{"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
, serviceName=HIVE_CDH
[esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting
Roles. secureMode=true,
user=hive/[email protected] (auth:KERBEROS),
response=
{"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
, serviceName=HIVE_CDH
[esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting
policies. secureMode=true,
user=hive/[email protected] (auth:KERBEROS),
response=
{"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
, serviceName=HIVE_CDH
============================================================
h2. ranger access log
access_log.2021-04-12.log
172.20.185.56 - - [12/Apr/2021:09:50:08 +0000] "GET
/service/plugins/secure/policies/download/HIVE_CDH?supportsPolicyDeltas=false&pluginId=hiveServer2%40idc-bigdata-185-56.jdy.kd.internal-HIVE_CDH&clusterName=&lastActivationTime=1618217528949&pluginCapabilities=fff&lastKnownVersion=-1
HTTP/1.1" 401 52 "-" "Java/1.8.0_281"
172.20.185.56 - - [12/Apr/2021:09:50:38 +0000] "GET
/service/roles/secure/download/HIVE_CDH?pluginId=hiveServer2%40idc-bigdata-185-56.jdy.kd.internal-HIVE_CDH&clusterName=&lastActivationTime=1618217528903&pluginCapabilities=fff&lastKnownRoleVersion=-1
HTTP/1.1" 401 52 "-" "Java/1.8.0_281"
172.20.185.56 - - [12/Apr/2021:09:50:38 +0000] "GET
/service/plugins/secure/policies/download/HIVE_CDH?supportsPolicyDeltas=false&pluginId=hiveServer2%40idc-bigdata-185-56.jdy.kd.internal-HIVE_CDH&clusterName=&lastActivationTime=1618217528949&pluginCapabilities=fff&lastKnownVersion=-1
HTTP/1.1" 401 52 "-" "Java/1.8.0_281"
172.20.185.56 - - [12/Apr/2021:09:51:08 +0000] "GET
/service/roles/secure/download/HIVE_CDH?pluginId=hiveServer2%40idc-bigdata-185-56.jdy.kd.internal-HIVE_CDH&clusterName=&lastActivationTime=1618217528903&pluginCapabilities=fff&lastKnownRoleVersion=-1
HTTP/1.1" 401 52 "-" "Java/1.8.0_281"
172.20.185.56 - - [12/Apr/2021:09:51:08 +0000] "GET
/service/plugins/secure/policies/download/HIVE_CDH?supportsPolicyDeltas=false&pluginId=hiveServer2%40idc-bigdata-185-56.jdy.kd.internal-HIVE_CDH&clusterName=&lastActivationTime=1618217528949&pluginCapabilities=fff&lastKnownVersion=-1
HTTP/1.1" 401 52 "-" "Java/1.8.0_281"
172.20.185.56 - - [12/Apr/2021:09:51:38 +0000] "GET
/service/roles/secure/download/HIVE_CDH?pluginId=hiveServer2%40idc-bigdata-185-56.jdy.kd.internal-HIVE_CDH&clusterName=&lastActivationTime=1618217528903&pluginCapabilities=fff&lastKnownRoleVersion=-1
HTTP/1.1" 401 52 "-" "Java/1.8.0_281"
172.20.185.56 - - [12/Apr/2021:09:51:38 +0000] "GET
/service/plugins/secure/policies/download/HIVE_CDH?supportsPolicyDeltas=false&pluginId=hiveServer2%40idc-bigdata-185-56.jdy.kd.internal-HIVE_CDH&clusterName=&lastActivationTime=1618217528949&pluginCapabilities=fff&lastKnownVersion=-1
HTTP/1.1" 401 52 "-" "Java/1.8.0_281"
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
