[
https://issues.apache.org/jira/browse/RANGER-3237?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458210#comment-17458210
]
Jiayi Liu commented on RANGER-3237:
-----------------------------------
For question 1. This is because the hive user in your original policy does not
have permissions. You can ignore this failure first. After the policy is
synchronized normally, add the corresponding permissions to the hive user, and
then enter the service configuration page and click test.
> The Hive plugin cannot synchronize policy information after Kerberos is
> enabled
> -------------------------------------------------------------------------------
>
> Key: RANGER-3237
> URL: https://issues.apache.org/jira/browse/RANGER-3237
> Project: Ranger
> Issue Type: Bug
> Components: admin, plugins
> Affects Versions: 2.1.0
> Environment: CDH6.3.1
> CM 6.3.2
> Ranger 2.1.0
> Kerberos : FreeIPA
> Reporter: kangkaixin
> Priority: Blocker
>
> I have a question
> when i enable kerberos , hive plugin can't sync info to hiveservice ,i
> see log ,But there was no useful information, if no have kerberos ,The
> function is normal ,so ,who can help me?
> =============================================================
> h1. question1:
> in hive policy server config ,i click test connection show me Error
> detail :
> *Connection Failed.*
> Unable to retrieve any files using given parameters, You can still save the
> repository and start creating policies, but you would not be able to use
> autocomplete for resource names. Check ranger_admin.log for more info.
> org.apache.ranger.plugin.client.HadoopException: Unable to execute SQL [show
> databases like "*"]..
> Error while compiling statement: FAILED: HiveAccessControlException
> Permission denied: user [hive] does not have [USE] privilege on [*].
> Permission denied: user [hive] does not have [USE] privilege on [*].
>
> h1. question2:
> hive plugin can't sync info to hiveservice
> show me Error 401 from hive log and rangeradmin log
> h1. some info
> h2. hostname : idc-bigdata-185-56.jdy.kd.internal
> h2. principal: ranger.keytab
> Keytab name: FILE:ranger.keytab
> KVNO Timestamp Principal
> ---- -------------------
> ------------------------------------------------------
> 1 04/09/2021 13:51:55 HTTP/[email protected]
> 1 04/09/2021 13:51:55 HTTP/[email protected]
> 1 04/09/2021 13:51:55 HTTP/[email protected]
> 1 04/09/2021 13:51:55 HTTP/[email protected]
> 1 04/09/2021 13:51:55 HTTP/[email protected]
> 1 04/09/2021 13:51:55 HTTP/[email protected]
> 1 04/09/2021 13:52:12
> rangeradmin/[email protected]
> 1 04/09/2021 13:52:12
> rangeradmin/[email protected]
> 1 04/09/2021 13:52:12
> rangeradmin/[email protected]
> 1 04/09/2021 13:52:12
> rangeradmin/[email protected]
> 1 04/09/2021 13:52:12
> rangeradmin/[email protected]
> 1 04/09/2021 13:52:12
> rangeradmin/[email protected]
> 1 04/09/2021 13:52:23
> rangerlookup/[email protected]
> 1 04/09/2021 13:52:23
> rangerlookup/[email protected]
> 1 04/09/2021 13:52:23
> rangerlookup/[email protected]
> 1 04/09/2021 13:52:23
> rangerlookup/[email protected]
> 1 04/09/2021 13:52:23
> rangerlookup/[email protected]
> 1 04/09/2021 13:52:23
> rangerlookup/[email protected]
> ============================================================
> h2. ranger admin install.properties
> spnego_principal=HTTP/[email protected]
> spnego_keytab=/data/service/ranger/ranger.keytab
> token_valid=30
> cookie_domain=idc-bigdata-185-56.jdy.kd.internal
> cookie_path=/
> admin_principal=rangeradmin/[email protected]
> admin_keytab=/data/service/ranger/ranger.keytab
> lookup_principal=rangerlookup/[email protected]
> lookup_keytab=/data/service/ranger/ranger.keytab
> hadoop_conf=/opt/cloudera/parcels/CDH/lib/hadoop/etc/hadoop
> h2. ranger hive install.properties
> POLICY_MGR_URL=[http://idc-bigdata-185-56.jdy.kd.internal:6080|http://idc-bigdata-185-56.jdy.kd.internal:6080/]
> REPOSITORY_NAME=HIVE_CDH
> COMPONENT_INSTALL_DIR_NAME=/opt/cloudera/parcels/CDH/lib/hive
> h2. ranger admin UI hive policy service
> *Service Name* : HIVE_CDH
> *Username* : [email protected]
> *jdbc.driverClassName* :org.apache.hive.jdbc.HiveDriver
> *jdbc.url* :
> jdbc:hive2://idc-bigdata-185-57.jdy.kd.internal:2181,idc-bigdata-185-58.jdy.kd.internal:2181,idc-bigdata-185-59.jdy.kd.internal:2181/;principal=hive/[email protected];serviceDiscoveryMode=zooKeeper;user=hive;zooKeeperNamespace=hiveserver2
>
> h2. hive log info :
> stdout.log
> [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting
> Roles. secureMode=true,
> user=hive/[email protected] (auth:KERBEROS),
> response=
> {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
> , serviceName=HIVE_CDH
> [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting
> policies. secureMode=true,
> user=hive/[email protected] (auth:KERBEROS),
> response=
> {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
> , serviceName=HIVE_CDH
> [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting
> Roles. secureMode=true,
> user=hive/[email protected] (auth:KERBEROS),
> response=
> {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
> , serviceName=HIVE_CDH
> [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting
> policies. secureMode=true,
> user=hive/[email protected] (auth:KERBEROS),
> response=
> {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
> , serviceName=HIVE_CDH
> [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting
> Roles. secureMode=true,
> user=hive/[email protected] (auth:KERBEROS),
> response=
> {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
> , serviceName=HIVE_CDH
> [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting
> policies. secureMode=true,
> user=hive/[email protected] (auth:KERBEROS),
> response=
> {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
> , serviceName=HIVE_CDH
> [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting
> Roles. secureMode=true,
> user=hive/[email protected] (auth:KERBEROS),
> response=
> {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
> , serviceName=HIVE_CDH
> [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting
> policies. secureMode=true,
> user=hive/[email protected] (auth:KERBEROS),
> response=
> {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
> , serviceName=HIVE_CDH
> [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting
> Roles. secureMode=true,
> user=hive/[email protected] (auth:KERBEROS),
> response=
> {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
> , serviceName=HIVE_CDH
> [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting
> policies. secureMode=true,
> user=hive/[email protected] (auth:KERBEROS),
> response=
> {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
> , serviceName=HIVE_CDH
> ============================================================
> h2. ranger access log
> access_log.2021-04-12.log
> 172.20.185.56 - - [12/Apr/2021:09:50:08 +0000] "GET
> /service/plugins/secure/policies/download/HIVE_CDH?supportsPolicyDeltas=false&pluginId=hiveServer2%40idc-bigdata-185-56.jdy.kd.internal-HIVE_CDH&clusterName=&lastActivationTime=1618217528949&pluginCapabilities=fff&lastKnownVersion=-1
> HTTP/1.1" 401 52 "-" "Java/1.8.0_281"
> 172.20.185.56 - - [12/Apr/2021:09:50:38 +0000] "GET
> /service/roles/secure/download/HIVE_CDH?pluginId=hiveServer2%40idc-bigdata-185-56.jdy.kd.internal-HIVE_CDH&clusterName=&lastActivationTime=1618217528903&pluginCapabilities=fff&lastKnownRoleVersion=-1
> HTTP/1.1" 401 52 "-" "Java/1.8.0_281"
> 172.20.185.56 - - [12/Apr/2021:09:50:38 +0000] "GET
> /service/plugins/secure/policies/download/HIVE_CDH?supportsPolicyDeltas=false&pluginId=hiveServer2%40idc-bigdata-185-56.jdy.kd.internal-HIVE_CDH&clusterName=&lastActivationTime=1618217528949&pluginCapabilities=fff&lastKnownVersion=-1
> HTTP/1.1" 401 52 "-" "Java/1.8.0_281"
> 172.20.185.56 - - [12/Apr/2021:09:51:08 +0000] "GET
> /service/roles/secure/download/HIVE_CDH?pluginId=hiveServer2%40idc-bigdata-185-56.jdy.kd.internal-HIVE_CDH&clusterName=&lastActivationTime=1618217528903&pluginCapabilities=fff&lastKnownRoleVersion=-1
> HTTP/1.1" 401 52 "-" "Java/1.8.0_281"
> 172.20.185.56 - - [12/Apr/2021:09:51:08 +0000] "GET
> /service/plugins/secure/policies/download/HIVE_CDH?supportsPolicyDeltas=false&pluginId=hiveServer2%40idc-bigdata-185-56.jdy.kd.internal-HIVE_CDH&clusterName=&lastActivationTime=1618217528949&pluginCapabilities=fff&lastKnownVersion=-1
> HTTP/1.1" 401 52 "-" "Java/1.8.0_281"
> 172.20.185.56 - - [12/Apr/2021:09:51:38 +0000] "GET
> /service/roles/secure/download/HIVE_CDH?pluginId=hiveServer2%40idc-bigdata-185-56.jdy.kd.internal-HIVE_CDH&clusterName=&lastActivationTime=1618217528903&pluginCapabilities=fff&lastKnownRoleVersion=-1
> HTTP/1.1" 401 52 "-" "Java/1.8.0_281"
> 172.20.185.56 - - [12/Apr/2021:09:51:38 +0000] "GET
> /service/plugins/secure/policies/download/HIVE_CDH?supportsPolicyDeltas=false&pluginId=hiveServer2%40idc-bigdata-185-56.jdy.kd.internal-HIVE_CDH&clusterName=&lastActivationTime=1618217528949&pluginCapabilities=fff&lastKnownVersion=-1
> HTTP/1.1" 401 52 "-" "Java/1.8.0_281"
>
>
>
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
