[
https://issues.apache.org/jira/browse/RANGER-3237?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17319327#comment-17319327
]
kangkaixin commented on RANGER-3237:
------------------------------------
kerberos principal can run ,kinit everyone is ok ,
hive principal configuration from CDH ,i try kinit ,this is ok
> The Hive plugin cannot synchronize policy information after Kerberos is
> enabled
> -------------------------------------------------------------------------------
>
> Key: RANGER-3237
> URL: https://issues.apache.org/jira/browse/RANGER-3237
> Project: Ranger
> Issue Type: Bug
> Components: admin, plugins
> Affects Versions: 2.1.0
> Environment: CDH6.3.1
> CM 6.3.2
> Ranger 2.1.0
> Kerberos : FreeIPA
> Reporter: kangkaixin
> Priority: Blocker
>
> I have a question
> when i enable kerberos , hive plugin can't sync info to hiveservice ,i
> see log ,But there was no useful information, if no have kerberos ,The
> function is normal ,so ,who can help me?
> =============================================================
> h1. question1:
> in hive policy server config ,i click test connection show me Error
> detail :
> *Connection Failed.*
> Unable to retrieve any files using given parameters, You can still save the
> repository and start creating policies, but you would not be able to use
> autocomplete for resource names. Check ranger_admin.log for more info.
> org.apache.ranger.plugin.client.HadoopException: Unable to execute SQL [show
> databases like "*"]..
> Error while compiling statement: FAILED: HiveAccessControlException
> Permission denied: user [hive] does not have [USE] privilege on [*].
> Permission denied: user [hive] does not have [USE] privilege on [*].
>
> h1. question2:
> hive plugin can't sync info to hiveservice
> show me Error 401 from hive log and rangeradmin log
> h1. some info
> h2. hostname : idc-bigdata-185-56.jdy.kd.internal
> h2. principal: ranger.keytab
> Keytab name: FILE:ranger.keytab
> KVNO Timestamp Principal
> ---- -------------------
> ------------------------------------------------------
> 1 04/09/2021 13:51:55 HTTP/[email protected]
> 1 04/09/2021 13:51:55 HTTP/[email protected]
> 1 04/09/2021 13:51:55 HTTP/[email protected]
> 1 04/09/2021 13:51:55 HTTP/[email protected]
> 1 04/09/2021 13:51:55 HTTP/[email protected]
> 1 04/09/2021 13:51:55 HTTP/[email protected]
> 1 04/09/2021 13:52:12
> rangeradmin/[email protected]
> 1 04/09/2021 13:52:12
> rangeradmin/[email protected]
> 1 04/09/2021 13:52:12
> rangeradmin/[email protected]
> 1 04/09/2021 13:52:12
> rangeradmin/[email protected]
> 1 04/09/2021 13:52:12
> rangeradmin/[email protected]
> 1 04/09/2021 13:52:12
> rangeradmin/[email protected]
> 1 04/09/2021 13:52:23
> rangerlookup/[email protected]
> 1 04/09/2021 13:52:23
> rangerlookup/[email protected]
> 1 04/09/2021 13:52:23
> rangerlookup/[email protected]
> 1 04/09/2021 13:52:23
> rangerlookup/[email protected]
> 1 04/09/2021 13:52:23
> rangerlookup/[email protected]
> 1 04/09/2021 13:52:23
> rangerlookup/[email protected]
> ============================================================
> h2. ranger admin install.properties
> spnego_principal=HTTP/[email protected]
> spnego_keytab=/data/service/ranger/ranger.keytab
> token_valid=30
> cookie_domain=idc-bigdata-185-56.jdy.kd.internal
> cookie_path=/
> admin_principal=rangeradmin/[email protected]
> admin_keytab=/data/service/ranger/ranger.keytab
> lookup_principal=rangerlookup/[email protected]
> lookup_keytab=/data/service/ranger/ranger.keytab
> hadoop_conf=/opt/cloudera/parcels/CDH/lib/hadoop/etc/hadoop
> h2. ranger hive install.properties
> POLICY_MGR_URL=[http://idc-bigdata-185-56.jdy.kd.internal:6080|http://idc-bigdata-185-56.jdy.kd.internal:6080/]
> REPOSITORY_NAME=HIVE_CDH
> COMPONENT_INSTALL_DIR_NAME=/opt/cloudera/parcels/CDH/lib/hive
> h2. ranger admin UI hive policy service
> *Service Name* : HIVE_CDH
> *Username* : [email protected]
> *jdbc.driverClassName* :org.apache.hive.jdbc.HiveDriver
> *jdbc.url* :
> jdbc:hive2://idc-bigdata-185-57.jdy.kd.internal:2181,idc-bigdata-185-58.jdy.kd.internal:2181,idc-bigdata-185-59.jdy.kd.internal:2181/;principal=hive/[email protected];serviceDiscoveryMode=zooKeeper;user=hive;zooKeeperNamespace=hiveserver2
>
> h2. hive log info :
> stdout.log
> [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting
> Roles. secureMode=true,
> user=hive/[email protected] (auth:KERBEROS),
> response=
> {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
> , serviceName=HIVE_CDH
> [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting
> policies. secureMode=true,
> user=hive/[email protected] (auth:KERBEROS),
> response=
> {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
> , serviceName=HIVE_CDH
> [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting
> Roles. secureMode=true,
> user=hive/[email protected] (auth:KERBEROS),
> response=
> {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
> , serviceName=HIVE_CDH
> [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting
> policies. secureMode=true,
> user=hive/[email protected] (auth:KERBEROS),
> response=
> {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
> , serviceName=HIVE_CDH
> [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting
> Roles. secureMode=true,
> user=hive/[email protected] (auth:KERBEROS),
> response=
> {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
> , serviceName=HIVE_CDH
> [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting
> policies. secureMode=true,
> user=hive/[email protected] (auth:KERBEROS),
> response=
> {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
> , serviceName=HIVE_CDH
> [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting
> Roles. secureMode=true,
> user=hive/[email protected] (auth:KERBEROS),
> response=
> {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
> , serviceName=HIVE_CDH
> [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting
> policies. secureMode=true,
> user=hive/[email protected] (auth:KERBEROS),
> response=
> {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
> , serviceName=HIVE_CDH
> [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting
> Roles. secureMode=true,
> user=hive/[email protected] (auth:KERBEROS),
> response=
> {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
> , serviceName=HIVE_CDH
> [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting
> policies. secureMode=true,
> user=hive/[email protected] (auth:KERBEROS),
> response=
> {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
> , serviceName=HIVE_CDH
> ============================================================
> h2. ranger access log
> access_log.2021-04-12.log
> 172.20.185.56 - - [12/Apr/2021:09:50:08 +0000] "GET
> /service/plugins/secure/policies/download/HIVE_CDH?supportsPolicyDeltas=false&pluginId=hiveServer2%40idc-bigdata-185-56.jdy.kd.internal-HIVE_CDH&clusterName=&lastActivationTime=1618217528949&pluginCapabilities=fff&lastKnownVersion=-1
> HTTP/1.1" 401 52 "-" "Java/1.8.0_281"
> 172.20.185.56 - - [12/Apr/2021:09:50:38 +0000] "GET
> /service/roles/secure/download/HIVE_CDH?pluginId=hiveServer2%40idc-bigdata-185-56.jdy.kd.internal-HIVE_CDH&clusterName=&lastActivationTime=1618217528903&pluginCapabilities=fff&lastKnownRoleVersion=-1
> HTTP/1.1" 401 52 "-" "Java/1.8.0_281"
> 172.20.185.56 - - [12/Apr/2021:09:50:38 +0000] "GET
> /service/plugins/secure/policies/download/HIVE_CDH?supportsPolicyDeltas=false&pluginId=hiveServer2%40idc-bigdata-185-56.jdy.kd.internal-HIVE_CDH&clusterName=&lastActivationTime=1618217528949&pluginCapabilities=fff&lastKnownVersion=-1
> HTTP/1.1" 401 52 "-" "Java/1.8.0_281"
> 172.20.185.56 - - [12/Apr/2021:09:51:08 +0000] "GET
> /service/roles/secure/download/HIVE_CDH?pluginId=hiveServer2%40idc-bigdata-185-56.jdy.kd.internal-HIVE_CDH&clusterName=&lastActivationTime=1618217528903&pluginCapabilities=fff&lastKnownRoleVersion=-1
> HTTP/1.1" 401 52 "-" "Java/1.8.0_281"
> 172.20.185.56 - - [12/Apr/2021:09:51:08 +0000] "GET
> /service/plugins/secure/policies/download/HIVE_CDH?supportsPolicyDeltas=false&pluginId=hiveServer2%40idc-bigdata-185-56.jdy.kd.internal-HIVE_CDH&clusterName=&lastActivationTime=1618217528949&pluginCapabilities=fff&lastKnownVersion=-1
> HTTP/1.1" 401 52 "-" "Java/1.8.0_281"
> 172.20.185.56 - - [12/Apr/2021:09:51:38 +0000] "GET
> /service/roles/secure/download/HIVE_CDH?pluginId=hiveServer2%40idc-bigdata-185-56.jdy.kd.internal-HIVE_CDH&clusterName=&lastActivationTime=1618217528903&pluginCapabilities=fff&lastKnownRoleVersion=-1
> HTTP/1.1" 401 52 "-" "Java/1.8.0_281"
> 172.20.185.56 - - [12/Apr/2021:09:51:38 +0000] "GET
> /service/plugins/secure/policies/download/HIVE_CDH?supportsPolicyDeltas=false&pluginId=hiveServer2%40idc-bigdata-185-56.jdy.kd.internal-HIVE_CDH&clusterName=&lastActivationTime=1618217528949&pluginCapabilities=fff&lastKnownVersion=-1
> HTTP/1.1" 401 52 "-" "Java/1.8.0_281"
>
>
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
