GitHub user sohurdc edited a discussion: Kyuubi, Kerberos, and Ranger yarn-cluster mode policy.download.auth.users must be *
With Kyuubi, Kerberos, and Ranger, when spark.submit.deployMode=cluster is used, does the policy.download.auth.users setting in the Ranger Admin UI have to be configured as *? Using * allows all users to download Ranger policies, which is very insecure. When policy.download.auth.users set to hive, I have log: 25/07/07 11:46:30 ERROR RangerAdminRESTClient: Error getting Roles; service not found. secureMode=true, [email protected] (auth:KERBEROS), response=404, serviceName=hadoop3_hive, lastKnownRoleVersion=-1, lastActivationTimeInMillis=0 25/07/07 11:46:30 WARN RangerAdminRESTClient: Received 404 error code with body:[null], Ignoring 25/07/07 11:46:30 WARN RangerAdminRESTClient: Error getting policies. secureMode=true, [email protected] (auth:KERBEROS), response={"httpStatusCode":403,"statusCode":0}, serviceName=hadoop3_hive When policy.download.auth.users set to *, it seems ok: 25/07/07 15:10:05 INFO RangerBasePlugin: Created PolicyRefresher Thread(PolicyRefresher(serviceName=hadoop3_hive)-85) 25/07/07 15:10:06 INFO RangerRolesProvider: RangerRolesProvider(serviceName=hadoop3_hive): found updated version. lastKnownRoleVersion=-1; newVersion=2 25/07/07 15:10:06 INFO PolicyRefresher: PolicyRefresher(serviceName=hadoop3_hive): found updated version. lastKnownVersion=-1; newVersion=33 But * means everyone can download the ranger policy,which is very insecure. GitHub link: https://github.com/apache/kyuubi/discussions/7128 ---- This is an automatically sent email for [email protected]. To unsubscribe, please send an email to: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
