Re: [ANNOUNCE] Apache Ranger 2.3.0 released

2022-07-10 Thread Madhan Neethiraj
Ramesh - thank you for driving this release.

Rangers - thank you all for your contributions to this release!

This release includes several important improvements:

  - Ranger KMS integration with Google cloud HSM, Tencent KMS
  - added support for Amazon CloudWatch as audit store
  - ability to scope delegated-admin to specific permissions
  - ability to use macros in conditions, like:
    - IS_IN_GROUP('hr') && IS_IN_GROUP('finance')
    - TAG.piiType == 'email'
  - attribute-based access control (ABAC) enhancements, with ability to refer user/group/tag attributes
    - resource names, like: /dept/${{USER.dept}},  db_${{USER._name}}
    - row-filters, like country = ${{USER.country}}, store_id in (${{GET_UG_ATTR_CSV('managesStore')}})
    - conditions, like: HAS_UG_ATTR('managesStore')
  - removal of log4j-1 dependency
  - performance improvements in multiple areas
  - improvements in Docker setup

Madhan

On 7/9/22, 8:42 PM, "Ramesh Mani"  wrote:

    Dear all,

    Apache Ranger team is happy to announce the release of Apache Ranger 2.3.0.
    Apache Ranger is a framework to enable, monitor and manage comprehensive
    data security across the Hadoop platform and beyond. Apache Ranger 2.3.0
    contains a number of new features, improvements and bug fixes. Details can
    be found in the release notes at
    https://cwiki.apache.org/confluence/display/RANGER/Apache+Ranger+2.3.0+-+Release+Notes

    The release artifacts are available at:
    https://ranger.apache.org/download.html

    The binary artifacts are available from Maven central and its mirrors. In
    the initial 48 hours, the release may not be available on all mirrors.
    When downloading from a mirror site, please remember to verify the
    downloads using signatures found at:
    https://www.apache.org/dist/ranger/KEYS

    More details on Apache Ranger can be found at: https://ranger.apache.org

    We thank everyone who made this release possible.

    Thanks,
    Apache Ranger team



Re: Planning for Apache Ranger 2.3.0 release

2022-04-27 Thread Madhan Neethiraj
+1 for Ranger 2.3 release. It has been ~6 months since 2.2 release, and a 
number of good enhancements were added since then.

Ramesh - thanks for the initiative.

Madhan





On 4/26/22, 11:49 PM, "Ramesh Mani"  wrote:

Dear Ranger Community members,

There are various features and critical bug fixes done in the Apache Ranger
project since the release of Apache Ranger 2.2.0.
Around 55 improvements, 45 bug fixes and a total of 527 commits were made
from the last release.
Now with that Ranger community is expecting a release to adapt those
changes and hence planning this release.

Please review and provide your opinion.

Thanks,
Ramesh

*Improvements:*

RANGER-3687 Password Policy Best Practices for Strong Security
RANGER-3667 Improve feedback in policy creation UI when resource does
not exist
RANGER-3659 Ranger Admin goes to OOM when usersync is trying to delete
existing group mappings from ranger DB
RANGER-3459 Upgrade Ranger's Kafka dependency to 2.8
RANGER-3551 Analyze & optimize module permissions related API
RANGER-3539 Add jacoco-maven-plugin for code coverage
RANGER-3562 Redesign post commit tasks for updating ref-tables when
policy/role is updated
RANGER-3540 Add support to read audit logs from Amazon CloudWatch
RANGER-3030 Replace Findbugs with Spotbugs maven plugin
RANGER-3538 Reduce the granularity of locking when building/retrieving
a policy-engine within Ranger admin service
RANGER-3518 Limit the query size stored in Audit logs
RANGER-3276 Remove duplicate code from buildks.java
RANGER-3515 Enhance Ranger Java client SSL config to be configured
using serviceType and AppId
RANGER-3504 Create framework to execute DB patch dependent on Java
patch.
RANGER-3023 Permission tab takes longer time to load with large number
of users and group_users data
RANGER-3487 Update underscore js with latest version.
RANGER-3548 Update performance engine test scripts
RANGER-3556 Ranger tagsync logs unnecessary messages
RANGER-3573 Add vim in docker base image
RANGER-3578 Simplify code for policy label creation
RANGER-3675 Upgrade tomcat due to intermittent READ TIMEOUT
RANGER-3686 Docker setup to run Ranger with MySQL database
RANGER-3628 Support fine grain authorization for different solr objects
RANGER-3629 RANGER -  Handle solr permissions during upgrade
RANGER-3665 "No Data Found !!" messages in Ranger admin UI alarm users
RANGER-3662 There should be pause button for error popup
RANGER-3660 [Ranger Admin UI] Improvements in tooltip hints for better
user experience
RANGER-3649 Represent the Solr admin object types on the Ranger UI
RANGER-3658 Docker: Ranger containers to run as user=ranger
RANGER-3603 HDFS audit files rollover improvement to trigger rollover
in monitoring thread
RANGER-3651 Remove jersey 1.x version dependency for knox plugin
RANGER-3621 Optimise Tag/Policy iterator
RANGER-3521 Ranger KMS IS NOT ENFORCING HSTS ON SSL PORT DEFINED BY RFC
6797
RANGER-3455 [Logout-Ranger] Should either be disabled/ should redirect
to knox logout page
RANGER-3630 Support wildcards, group short names, and list of memberof
attribute DNs for computing user search filter
RANGER-3597 User role should not be able to modify the Policy
RANGER-3512 Create Java patch to update policy guid to unique value.
RANGER-3511 Create Java patch to update policy resource-signature to
unique value.
RANGER-3493 Add unique index on service and resource_signature column
of x_policy table
RANGER-3435 Add unique index on guid, service and zone_id column of
x_policy table
RANGER-3439 Add rest api to get or delete ranger policy based on guid
RANGER-3498 RANGER : Remove log4j1 dependencies.
RANGER-3475 Promote TagRest endpoints to /public/v2
RANGER-3698 Ranger - Upgrade kylin to 3.1.3
RANGER-3699 Ranger - Upgrade poi to 5.2.1+
RANGER-3533 Provide sorting on columns throughout the audits result set
and policy listing page.
RANGER-3693 Ranger - Upgrade tomcat to 8.5.78
RANGER-3689 Ranger : ranger-2.3 Port missing commits.
RANGER-3620 Ranger - Upgrade tomcat to 8.5.75
RANGER-3577 RANGER : Upgrade POI version to 5.1.0
RANGER-3566 Update version in ranger-2.3 to 2.3.0-SNAPSHOT
RANGER-3553 Unit test coverage for XUserMgr and UserMgr class
RANGER-3653 Replace aws java sdk bom dependencies with bundled
dependencies
RANGER-3561 Upgrade Storm version to 1.2.4
RANGER-3704 remove semicolon from c3P0 preferredTestQuery

*Bug Fixes:*

RANGER-3544 Security zones listing will be in alphabetical order.

[Blog] Introduction to Apache Ranger Policy Model

2022-03-08 Thread Madhan Neethiraj
Ranger community,

Please take a few minutes to read this blog on Apache Ranger Policy Model, the 
core of Apache Ranger - 
https://blogs.apache.org/ranger/entry/apache-ranger-policy-model.

This is the first of many blogs to come. If you would like specific topics to 
be covered, please send your suggestions.

Hope you find this useful.

Madhan

 



[ANNOUNCE] Apache Ranger response to incorrect analyst report on Cloud data security

2021-09-22 Thread Madhan Neethiraj
Apache Ranger community,

A recent industry analyst report by GigaOm and sponsored by Immuta comparing 
Apache Ranger to Immuta paints an incorrect picture on the complexities of 
using Apache Ranger. We believe the report contains a number of errors and 
inconsistencies. Unfortunately, the Apache Ranger Project Management Committee 
(PMC) was not contacted by the analyst firm during preparation of the report.

We have attempted to contact the authors and members of the research team 
several times, requesting the opportunity to review the inaccuracies and have 
them corrected. Despite our many attempts to rectify the misinformation, no-one 
from the analyst firm responded.

For the benefit of existing and potential users of Apache Ranger, it is 
important for Apache Ranger PMC to respond to this report with facts.

Our complete response, along with links to the analyst report and other data, 
are available at 
https://blogs.apache.org/foundation/entry/apache-ranger-response-to-incorrect .

Madhan Neethiraj
for the Apache Ranger PMC

Apache Ranger™ is a framework to enable, monitor and manage comprehensive data 
security across the Hadoop platform and beyond. For more information, visit 
http://ranger.apache.org/




Re: Disable audit logging for some users

2021-08-17 Thread Madhan Neethiraj
Sai Sandeep,

Audit-filter feature implemented in RANGER-3000/RANGER-3191 allows an 
administrator to set up more fine-grained controls on what accesses get 
audited/skipped. For example, an administrator can set up the following rules:
 1. audit all denied accesses
 2. exclude audit for access to paths under /hbase by user hbase
 3. audit all delete operations
 4. exclude audit for metadata-read operations

This feature will be part of upcoming Apache Ranger 2.2 release.

Hope this helps.

Madhan

On 2021/07/21 15:04:06, Sai Sandeep Rangisetti  
wrote: 
> I found
> https://cwiki.apache.org/confluence/display/RANGER/Blacklist+for+Ranger+Audits
> which is exactly what we wanted. I think this feature is available since
> ranger 2.1.0.
> 
> On Fri, 25 Jun 2021 at 19:58, Sai Sandeep Rangisetti <
> sandeep@flipkart.com> wrote:
> 
> > Hi,
> >
> > We have a requirement where we have to disable audit logging for some of
> > the users. Currently it is not possible because audit logging is at policy
> > level instead of user level.
> >
> > Is there any way we can achieve the same?
> >
> > Thanks,
> > Sai Sandeep
> >
> 
> 
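The four rules listed in the reply above, worked through over a few sample accesses as an added example (not Ranger code and not part of the original thread). The rule fields, the action names treated as metadata reads, the sample events and the first-match ordering are assumptions made for illustration; Ranger's own audit-filter configuration format is not shown on this page.

```python
"""Simplified model of ordered audit-filter rules (illustrative, not Ranger's implementation)."""
from dataclasses import dataclass
from typing import Optional

# Assumed set of metadata-read action names, for illustration only.
METADATA_READ_ACTIONS = frozenset({"getfileinfo", "listStatus"})


@dataclass(frozen=True)
class AccessEvent:
    user: str
    action: str      # operation name reported for the access
    path: str
    allowed: bool    # authorization result


def under(path: str, prefix: str) -> bool:
    """True if path is the prefix itself or below it; '/hbase2' is not under '/hbase'."""
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


@dataclass(frozen=True)
class AuditFilter:
    """One rule; a field left as None matches anything."""
    is_audited: bool
    result_allowed: Optional[bool] = None
    users: Optional[frozenset] = None
    actions: Optional[frozenset] = None
    path_prefix: Optional[str] = None

    def matches(self, ev: AccessEvent) -> bool:
        if self.result_allowed is not None and ev.allowed != self.result_allowed:
            return False
        if self.users is not None and ev.user not in self.users:
            return False
        if self.actions is not None and ev.action not in self.actions:
            return False
        if self.path_prefix is not None and not under(ev.path, self.path_prefix):
            return False
        return True


# The four rules from the reply, in the order they were listed.
FILTERS = [
    AuditFilter(is_audited=True, result_allowed=False),                  # 1. audit all denied accesses
    AuditFilter(is_audited=False, users=frozenset({"hbase"}),
                path_prefix="/hbase"),                                   # 2. skip /hbase accesses by user hbase
    AuditFilter(is_audited=True, actions=frozenset({"delete"})),         # 3. audit all delete operations
    AuditFilter(is_audited=False, actions=METADATA_READ_ACTIONS),        # 4. skip metadata-read operations
]


def should_audit(ev: AccessEvent, filters=FILTERS, policy_default: bool = True):
    """Return (audited, rule_number). Assumption: the first matching rule decides;
    when no rule matches, the policy-level audit setting (policy_default) applies."""
    for number, rule in enumerate(filters, start=1):
        if rule.matches(ev):
            return rule.is_audited, number
    return policy_default, None


if __name__ == "__main__":
    # Constructed sample events.
    samples = [
        AccessEvent("hbase", "write", "/hbase/data/t1", True),
        AccessEvent("hbase", "read", "/hbase/data/t1", False),
        AccessEvent("hbase", "delete", "/hbase/tmp/x", True),
        AccessEvent("alice", "delete", "/data/x", True),
        AccessEvent("alice", "getfileinfo", "/data/x", True),
        AccessEvent("hbase", "write", "/hbase2/x", True),
    ]
    for ev in samples:
        print(ev, "->", should_audit(ev))
```

Under first-match ordering, a delete by user hbase under /hbase is skipped by rule 2 before rule 3 is reached, so the position of each exclusion rule decides what is missing from the audit trail.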


Re: unspecified zone shows all service names

2021-08-17 Thread Madhan Neethiraj
Hi,

Users can see all available services in the selected zone; when no zone is 
selected, all services will be visible to users. Though a service is visible, a 
non-admin user can only create policies for resources on which they were 
granted delegated-admin privileges. There is no control to hide/show services 
for specific users.

Can you please file a JIRA with details of specific use cases you are 
interested in?

Thanks,
Madhan

On 2021/08/12 13:13:11, Egor Ryashin  wrote: 
> Hi,
> 
> I use Ranger 2.1.0 and use security zones to allow management of specific 
> services to a user, I see when the user specifies no zones the user can see 
> all service names while I need to hide service names the user cannot manage. 
> I wonder if service names can be hidden from the user that doesn’t have them 
> in security zone? 
> 
> Thanks


Re: [ANNOUNCE] Apache Ranger - Python client

2020-12-07 Thread Madhan Neethiraj
Thibault,

Yes. Currently Python client only supports basic auth. However, adding support 
for Kerberos should be straightforward. Will look into this shortly.

Thanks,
Madhan

From: Thibault Godouet 
Reply-To: 
Date: Monday, December 7, 2020 at 11:57 AM
To: 
Subject: Re: [ANNOUNCE] Apache Ranger - Python client

 

Hi Madhan,

Indeed, looking good and we'd be interested in replacing the internal code we 
have by your code.

However it only seems to support basic auth... Is this right?  If so, do you 
have plans to add Kerberos by any chance?

Thank you,
Thibault

On Sun, 6 Dec 2020, 00:37 Don Bosco Durai,  wrote:

Madhan, this is very useful.

Thanks again

Regards

Bosco

On 12/4/20, 11:35 PM, "Madhan Neethiraj"  wrote:

Bosco,

Yes. Python APIs support  CRUD operations on 
service-defs/services/policies/security-zones/roles - like:
  - create_policy()
  - update_policy()
  - update_policy_by_id()
  - apply_policy()
  - delete_policy()
  - delete_policy_by_id()
  - get_policy()
  - get_policy_by_id()
  - get_policies_in_service()
  - find_policies()

Until documentation is in place, complete list of APIs can be found from 
RangerClient class here:  
https://github.com/apache/ranger/blob/master/intg/src/main/python/apache_ranger/client/ranger_client.py#L245.
 

Hope this helps.

Madhan


On 12/4/20, 10:48 PM, "Don Bosco Durai"  wrote:

Madhan, this is very good.

Does the script also support deleting or modifying of Ranger Policies?

Regards

Bosco


On 12/4/20, 9:09 AM, "Madhan Neethiraj"  wrote:

All,

Official Python client for Apache Ranger is now available at 
https://pypi.org/project/apache-ranger/. Python client APIs mirror Apache 
Ranger REST APIs, and enable administration of Apache Ranger using Python.

Here is a sample usage to create a service and a policy using 
Python client:

from apache_ranger.model.ranger_service import RangerService
from apache_ranger.client.ranger_client import RangerClient
from apache_ranger.model.ranger_policy  import (
    RangerPolicy, RangerPolicyResource, RangerPolicyItem, RangerPolicyItemAccess)

service_name = 'dev_hive'

service = RangerService(name=service_name, type='hive')
service.configs = {'username': 'hive', 'password': 'hive',
                   'jdbc.driverClassName': 'org.apache.hive.jdbc.HiveDriver',
                   'jdbc.url': 'jdbc:hive2://ranger-hadoop:1',
                   'hadoop.security.authorization': 'true'}

policy = RangerPolicy(service=service_name, name='test policy')
policy.resources = {'database': RangerPolicyResource(['test_db']),
                    'table': RangerPolicyResource(['test_tbl']),
                    'column': RangerPolicyResource(['*'])}
policy.policyItems.append(RangerPolicyItem(
    users=['admin'],
    accesses=[RangerPolicyItemAccess('create'), RangerPolicyItemAccess('alter'),
              RangerPolicyItemAccess('drop')],
    delegateAdmin=True))
policy.denyPolicyItems.append(RangerPolicyItem(
    users=['admin'], accesses=[RangerPolicyItemAccess('select')]))

ranger_client   = RangerClient('http://localhost:6080', 'admin', 'rangerR0cks!')
created_service = ranger_client.create_service(service)
created_policy  = ranger_client.create_policy(policy)

Apache Ranger team is updating the documentation to include details 
of Python APIs.

Your feedback and suggestions are welcome.

Thanks,
Madhan










Re: [ANNOUNCE] Apache Ranger - Python client

2020-12-04 Thread Madhan Neethiraj
Bosco,

Yes. Python APIs support  CRUD operations on 
service-defs/services/policies/security-zones/roles - like:
  - create_policy()
  - update_policy()
  - update_policy_by_id()
  - apply_policy()
  - delete_policy()
  - delete_policy_by_id()
  - get_policy()
  - get_policy_by_id()
  - get_policies_in_service()
  - find_policies()

Until documentation is in place, complete list of APIs can be found from 
RangerClient class here:  
https://github.com/apache/ranger/blob/master/intg/src/main/python/apache_ranger/client/ranger_client.py#L245.
 

Hope this helps.

Madhan


On 12/4/20, 10:48 PM, "Don Bosco Durai"  wrote:

Madhan, this is very good.

Does the script also support deleting or modifying of Ranger Policies?

Regards

Bosco


On 12/4/20, 9:09 AM, "Madhan Neethiraj"  wrote:

All,

Official Python client for Apache Ranger is now available at 
https://pypi.org/project/apache-ranger/. Python client APIs mirror Apache 
Ranger REST APIs, and enable administration of Apache Ranger using Python.

Here is a sample usage to create a service and a policy using Python 
client:

from apache_ranger.model.ranger_service import RangerService
from apache_ranger.client.ranger_client import RangerClient
from apache_ranger.model.ranger_policy  import (
    RangerPolicy, RangerPolicyResource, RangerPolicyItem, RangerPolicyItemAccess)

service_name = 'dev_hive'

service = RangerService(name=service_name, type='hive')
service.configs = {'username': 'hive', 'password': 'hive',
                   'jdbc.driverClassName': 'org.apache.hive.jdbc.HiveDriver',
                   'jdbc.url': 'jdbc:hive2://ranger-hadoop:1',
                   'hadoop.security.authorization': 'true'}

policy = RangerPolicy(service=service_name, name='test policy')
policy.resources = {'database': RangerPolicyResource(['test_db']),
                    'table': RangerPolicyResource(['test_tbl']),
                    'column': RangerPolicyResource(['*'])}
policy.policyItems.append(RangerPolicyItem(
    users=['admin'],
    accesses=[RangerPolicyItemAccess('create'), RangerPolicyItemAccess('alter'),
              RangerPolicyItemAccess('drop')],
    delegateAdmin=True))
policy.denyPolicyItems.append(RangerPolicyItem(
    users=['admin'], accesses=[RangerPolicyItemAccess('select')]))

ranger_client   = RangerClient('http://localhost:6080', 'admin', 'rangerR0cks!')
created_service = ranger_client.create_service(service)
created_policy  = ranger_client.create_policy(policy)

Apache Ranger team is updating the documentation to include details of 
Python APIs.

Your feedback and suggestions are welcome.

Thanks,
Madhan








[ANNOUNCE] Apache Ranger - Python client

2020-12-04 Thread Madhan Neethiraj
All,

Official Python client for Apache Ranger is now available at 
https://pypi.org/project/apache-ranger/. Python client APIs mirror Apache 
Ranger REST APIs, and enable administration of Apache Ranger using Python.

Here is a sample usage to create a service and a policy using Python client:

from apache_ranger.model.ranger_service import RangerService
from apache_ranger.client.ranger_client import RangerClient
from apache_ranger.model.ranger_policy  import (
    RangerPolicy, RangerPolicyResource, RangerPolicyItem, RangerPolicyItemAccess)

service_name = 'dev_hive'

service = RangerService(name=service_name, type='hive')
service.configs = {'username': 'hive', 'password': 'hive',
                   'jdbc.driverClassName': 'org.apache.hive.jdbc.HiveDriver',
                   'jdbc.url': 'jdbc:hive2://ranger-hadoop:1',
                   'hadoop.security.authorization': 'true'}

policy = RangerPolicy(service=service_name, name='test policy')
policy.resources = {'database': RangerPolicyResource(['test_db']),
                    'table': RangerPolicyResource(['test_tbl']),
                    'column': RangerPolicyResource(['*'])}
policy.policyItems.append(RangerPolicyItem(
    users=['admin'],
    accesses=[RangerPolicyItemAccess('create'), RangerPolicyItemAccess('alter'),
              RangerPolicyItemAccess('drop')],
    delegateAdmin=True))
policy.denyPolicyItems.append(RangerPolicyItem(
    users=['admin'], accesses=[RangerPolicyItemAccess('select')]))

ranger_client   = RangerClient('http://localhost:6080', 'admin', 'rangerR0cks!')
created_service = ranger_client.create_service(service)
created_policy  = ranger_client.create_policy(policy)

Apache Ranger team is updating the documentation to include details of Python 
APIs.

Your feedback and suggestions are welcome.

Thanks,
Madhan






Re: RangerBaseService contract

2020-10-05 Thread Madhan Neethiraj
RangerBaseService.lookupResource() is called within Ranger Admin to provide 
auto-complete values as the user enters a resource name in policy UI – for 
example a Hive table name.

  Input:
    - ResourceLookupContext.userInput: value currently being entered in UI
    - ResourceLookupContext.resourceName: name of the resource, as defined in service-def, like database/table/column/path
    - ResourceLookupContext.resources: values already present in policy UI. This can be useful for example 1) to scope the search for table names within the database already entered in the policy 2) to avoid returning values that are already present in the policy

  Return:
    - list of auto-complete values to show in the UI

RangerBaseService.validateConfig() is called to validate service-config values. 
For example url/username/password entered in service-config that are used to 
connect to the service (like HiveServer2, NameNode). Following entries are 
expected in the returned map:

    - connectivityStatus: true/false
    - description: any other information on validation success/failure

Hope this helps.

Madhan

 

 

 

From: Elliot West 
Reply-To: 
Date: Monday, October 5, 2020 at 10:52 AM
To: 
Subject: RangerBaseService contract

 

Hello, I'm implementing my own service and was wondering if anyone can point me 
in the direction of the contract for the abstract methods in RangerBaseService. 
In particular I'm keen to know what behaviour and return values I should 
provide for:

List lookupResource(ResourceLookupContext)
Map validateConfig()
And what can I expect to find in:

ResourceLookupContext.userInput
ResourceLookupContext.resourceName
ResourceLookupContext.resources - Map>
Many thanks,

 

Elliot.



[ANNOUNCE] Apache Ranger 2.1.0 released

2020-09-03 Thread Madhan Neethiraj
All,

Apache Ranger team is happy to announce the release of Apache Ranger 2.1.0.

Apache Ranger is a framework to enable, monitor and manage comprehensive data 
security across the Hadoop platform and beyond.

Apache Ranger 2.1.0 contains a number of new features, improvements and bug 
fixes. Details can be found in the release notes at 
https://cwiki.apache.org/confluence/display/RANGER/Apache+Ranger+2.1.0+-+Release+Notes.

The release artifacts are available at: 
https://ranger.apache.org/download.html. The binary artifacts are available 
from Maven central and its mirrors.

In the initial 48 hours, the release may not be available on all mirrors. When 
downloading from a mirror site, please remember to verify the downloads using 
signatures found at: https://www.apache.org/dist/ranger/KEYS

More details on Apache Ranger can be found at: https://ranger.apache.org

We thank everyone who made this release possible.

Thanks,
Apache Ranger team





Re: Question on Ranger Hive Row filtering and Column Masking

2020-05-27 Thread Madhan Neethiraj
Reetika,

Policy priority/override was introduced in Ranger 1.1.0, via RANGER-2000 
(Policy effective dates to support time-bound and temporary authorization).

While determining column-mask/row-filter to apply, Ranger policy engine 
evaluates the policy-items in the order they appear in the policy, and picks 
the first match. In your example, row-filter name=’NA’ will be applied since 
that is the first match for user=admin.

Hope this helps.

Regards,
Madhan

 

 

From: reetika agrawal 
Reply-To: "user@ranger.apache.org" 
Date: Wednesday, May 27, 2020 at 12:11 AM
To: "user@ranger.apache.org" 
Subject: Re: Question on Ranger Hive Row filtering and Column Masking

 

Hi Madhan,

Thank you for your reply.

As you mentioned, when I tried creating multiple policies for the same 
table/column I got the same error-

Error Code : 3010 Another policy already exists for matching resource: 
policy-name=[testdb.testtable.col1], service=[test_hive]

I don't see this option of overriding the policy though in my ranger, is it 
something which comes with the latest version of Ranger? I am using 0.7.1 
version of the ranger.

Another question on Rowfiltering policy creation, if I have some policy created 
something like below,

Here in this case how WHERE clause restriction will be applied on custKey 
column for user admin? Will it have custKey>300 AND custKey>100 or something 
else?

Thanks & Regards,
Reetika

 

On Tue, May 26, 2020 at 10:39 PM Madhan Neethiraj  wrote:

It should not be possible to create multiple column-masking policies for a 
column. Attempt to create a second policy for a column should result in 
following error: 

Error Code : 3010 Another policy already exists for matching resource: 
policy-name=[testdb.testtable.col1], service=[test_hive]

Assuming you managed to create multiple such policies (perhaps by updating the 
default Hive service-def – which is not recommended), policy priority can be 
used to order the evaluation i.e. policies with ‘Override’ priority will be 
evaluated before policies with ‘Normal’ priority. However, the order of 
evaluation within a given priority cannot be controlled by the user.

The same applies for row-filtering policies as well.

Hope this helps.

Madhan

 

From: reetika agrawal 
Reply-To: "user@ranger.apache.org" 
Date: Tuesday, May 26, 2020 at 6:54 AM
To: "user@ranger.apache.org" 
Subject: Question on Ranger Hive Row filtering and Column Masking

 

Hi,

I would like to know how ranger evaluates and applies column Masking policy if 
there is more than one type of column masking policy defined for a given column 
of a table?

Ex- 

Policy1 -> testable -> col1 -> Nullify (Column masking) -> User1
Policy2 -> testable -> col1 -> Nullify (Hash) -> User1

Same question, for Row filtering as well,

Ex-

Policy1 -> testable  -> No-filter applied (Row filtering) -> User1
Policy2 -> testable  -> col1='A' (Row filtering) -> User1

In the above cases which policy will be honored in both the case of Column 
masking and Row filtering?

If there is any document around it, could you please point to me that also.

-- 
Thanks,
Reetika Agrawal


 

-- 

Thanks,

Reetika Agrawal



Re: Question on Ranger Hive Row filtering and Column Masking

2020-05-26 Thread Madhan Neethiraj
It should not be possible to create multiple column-masking policies for a 
column. Attempt to create a second policy for a column should result in 
following error: 

Error Code : 3010 Another policy already exists for matching resource: 
policy-name=[testdb.testtable.col1], service=[test_hive]

Assuming you managed to create multiple such policies (perhaps by updating the 
default Hive service-def – which is not recommended), policy priority can be 
used to order the evaluation i.e. policies with ‘Override’ priority will be 
evaluated before policies with ‘Normal’ priority. However, the order of 
evaluation within a given priority cannot be controlled by the user.

The same applies for row-filtering policies as well.

Hope this helps.

Madhan

 

From: reetika agrawal 
Reply-To: "user@ranger.apache.org" 
Date: Tuesday, May 26, 2020 at 6:54 AM
To: "user@ranger.apache.org" 
Subject: Question on Ranger Hive Row filtering and Column Masking

 

Hi,

I would like to know how ranger evaluates and applies column Masking policy if 
there is more than one type of column masking policy defined for a given column 
of a table?

Ex- 

Policy1 -> testable -> col1 -> Nullify (Column masking) -> User1
Policy2 -> testable -> col1 -> Nullify (Hash) -> User1

Same question, for Row filtering as well,

Ex-

Policy1 -> testable  -> No-filter applied (Row filtering) -> User1
Policy2 -> testable  -> col1='A' (Row filtering) -> User1

In the above cases which policy will be honored in both the case of Column 
masking and Row filtering?

If there is any document around it, could you please point to me that also.

-- 
Thanks,
Reetika Agrawal



Re: Ranger policies best practices

2020-01-24 Thread Madhan Neethiraj
Lars,

The enhancement in RANGER-2507 introduced the notion of “DenyAllElse”, which 
denies access to specified resources unless explicitly allowed by the policy. 
This should help address your use case. Please review.

Madhan

 

 

From: Lars Francke 
Reply-To: "user@ranger.apache.org" 
Date: Thursday, January 23, 2020 at 11:43 PM
To: "user@ranger.apache.org" 
Subject: Re: Ranger policies best practices

 

Hi Bosco and thanks for the quick response!

 

Ranger policy definitions have evolved over time to address more complex use 
cases. Can you come with some real world use cases? We can try to come policies 
for them.

 

Relatively simple:

* If we have a policy for a resource (talking about HDFS) then we want to ALLOW 
only based on the Ranger policy and _not_ fall back on HDFS

* If we do not have a policy for a resource we want the fallback

 

At high level, here are key points;

 
Deny policy anywhere (tag/resource level) trumps. Exception would be 
conditional policies in Ranger 2.0
Allow policy is needed for providing access to resource. Allow policies are 
processed after all DENY policies are processed.
 

In the flow you gave, you only need “ALLOW” policy.

* add a ALLOW  policy

* add a DENY public group

* add a DENY EXCLUDE  policy

 

I believe that's not correct but would be happy to be wrong myself ;-)

But I think this was due to my earlier mail not being clear on what our 
requirements are (see above).

 

If we only have ALLOW that does not mean DENY for people that have not been 
explicitly allowed, it means NOT_SPECIFIED (or similar is what it's called in 
the code) and the HDFS ACLs are checked.

So to prevent HDFS checking we need the DENY "public" group but because that is 
checked before ALLOW we _also_ need DENY EXCLUDE.

 

To sum it up: We want the fallback to HDFS be configurable not just globally 
but per policy and until yesterday I always assumed this was already the case.

 

One example for DENY will be:

Your company is hosting interns over the summer and they will be doing some 
machine learning projects. The interns will need access to your dataset, but 
your company policy doesn’t allow them to view PII data. However, there is one 
intern named Julia as an exception and could access PII data.

 
* Tag based policy: “DENY” all resources tagged as “PII” for group “INTERN”

* Exclude user “Julia”

* Now for PII resources you want Julia to access, you give “ALLOW” access to 
user “julia”
 

Note, Exclude from DENY doesn’t mean the user will get the permission. There 
should be explicit ALLOW for the excluded user/group to access the resource.

 

Cheers,

Lars

 

 

 

Bosco

 

 

From: Lars Francke 
Reply-To: 
Date: Thursday, January 23, 2020 at 4:49 AM
To: 
Subject: Ranger policies best practices

 

Hi,

 

I'm wondering what the best practices for policies in Ranger are?

With Deny policies I'm not sure anymore.

 

The way I understand it I now need to

 

* add a ALLOW  policy

* add a DENY public group

* add a DENY EXCLUDE  policy

 

so that  I can allow access for people from the . Those would be three 
rules for one ALLOW.

 

We can disable the HDFS fallback but it's global.

What I had assumed so far (wrongly) is that as soon as there is a policy that 
matches a resource it is authoritative i.e. if this policy doesn't allow access 
it'll not fall through and deny.

 

Is there anything I misunderstood and/or what are the best practices for 
policies in Ranger these days?

 

I know this Wiki page 
()
 but that misses just those corner cases.

 

I assume (from my experience with customers) that quite a few people are 
actually using Ranger wrong if my understanding is correct.

 

Thanks for your help!

 

Cheers,

Lars
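
The evaluation order discussed in this thread, as an added example that is not part of the original messages and is not Ranger's own code: a simplified Python model of DENY, DENY exclusion, ALLOW, the NOT_SPECIFIED fallback to HDFS ACLs, and the "DenyAllElse" flag. The names Policy, ranger_decision and authorize, the sample paths and the users bob, alice and sam are assumptions; real Ranger matching (tags, conditions, wildcards, access types) is richer than this.

```python
from dataclasses import dataclass, field

ALLOW, DENY, NOT_SPECIFIED = "ALLOW", "DENY", "NOT_SPECIFIED"


@dataclass
class Policy:
    """Simplified resource policy; principals are user or group names."""
    resource: str                                    # HDFS path covered, recursively
    allow: set = field(default_factory=set)          # ALLOW items
    deny: set = field(default_factory=set)           # DENY items
    deny_exclude: set = field(default_factory=set)   # exclusions from DENY
    deny_all_else: bool = False                      # "DenyAllElse" (RANGER-2507)


def _covers(policy, path):
    root = policy.resource.rstrip("/")
    return path == root or path.startswith(root + "/")


def ranger_decision(policies, user, groups, path):
    """Decision of the policy layer alone, before any HDFS fallback."""
    who = {user, "public"} | set(groups)             # every user is in "public"
    matching = [p for p in policies if _covers(p, path)]
    # 1. DENY items are evaluated first. An exclusion only cancels the deny;
    #    it does not grant access.
    for p in matching:
        if who & p.deny and not who & p.deny_exclude:
            return DENY
    # 2. ALLOW items are evaluated after all DENY items.
    for p in matching:
        if who & p.allow:
            return ALLOW
    # 3. No item matched: a covering DenyAllElse policy denies, otherwise the
    #    policy layer has no opinion.
    if any(p.deny_all_else for p in matching):
        return DENY
    return NOT_SPECIFIED


def authorize(policies, user, groups, path, hdfs_acl_allows):
    """Return (decider, granted); NOT_SPECIFIED falls back to the HDFS ACL."""
    decision = ranger_decision(policies, user, groups, path)
    if decision == NOT_SPECIFIED:
        return ("hdfs-acl", hdfs_acl_allows)
    return ("ranger", decision == ALLOW)


# Constructed sample policies for the cases raised in the thread.
FIN = "/data/finance"
ALLOW_ONLY = [Policy(FIN, allow={"finance"})]
THREE_RULES = [Policy(FIN, allow={"finance"}, deny={"public"},
                      deny_exclude={"finance"})]
DENY_ALL_ELSE = [Policy(FIN, allow={"finance"}, deny_all_else=True)]
PII_NO_ALLOW = [Policy("/data/pii", deny={"INTERN"}, deny_exclude={"julia"})]
PII_WITH_ALLOW = PII_NO_ALLOW + [Policy("/data/pii", allow={"julia"})]

if __name__ == "__main__":
    target = FIN + "/q1.csv"
    for name, pols in [("allow only", ALLOW_ONLY), ("three rules", THREE_RULES),
                       ("deny all else", DENY_ALL_ELSE)]:
        # bob is not in "finance"; the HDFS ACL on the file would let him in.
        print(name, "-> bob:", authorize(pols, "bob", [], target, True),
              "alice:", authorize(pols, "alice", ["finance"], target, True))
    for name, pols in [("exclude only", PII_NO_ALLOW),
                       ("exclude + allow", PII_WITH_ALLOW)]:
        print(name, "-> julia:",
              ranger_decision(pols, "julia", ["INTERN"], "/data/pii/a"))
```

With the allow-only policy, a user outside the group is decided by the HDFS ACL rather than denied, which is the gap the three-rule workaround and DenyAllElse both close.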



Re: Programmatically invalidate cache of Ranger plugins

2019-06-26 Thread Madhan Neethiraj
Matteo,

 

Enhancements in RANGER-2349 introduced method 
RangerBasePlugin.refreshPoliciesAndTags(), which can be called by a plugin 
implementation to force-sync policies and tags from Ranger Admin (i.e. 
invalidate cache). This should help address your requirements. Please review.

 

Hope this helps.

 

Madhan 

 

 

 

 

From: Matteo Alessandroni 
Reply-To: "user@ranger.apache.org" 
Date: Wednesday, June 26, 2019 at 5:37 AM
To: "user@ranger.apache.org" 
Subject: Re: Programmatically invalidate cache of Ranger plugins

 

Hi Bosco,

well in general my flow is the following:
* push policies to Ranger via REST API
* those policies should be synced via the plugin (e.g. HIVE) right after the push
So I don't want the Ranger plugin cache to act in this case, so I want to 
invalidate it right "before" pushing new policies so that those new policies 
will be soon synced to plugin and so be valid for the resource (e.g. HIVE).

Matteo

 

On 26/06/19 13:22, Don Bosco Durai wrote:

Shouldn’t you be first making the REST API call and then invalidate the cache, 
so that you get the latest?

 

I feel, Abhay’s API should solve your use case, unless I got it wrong.

 

Bosco

 

 

From: Matteo Alessandroni 
Reply-To: 
Date: Wednesday, June 26, 2019 at 12:58 PM
To: 
Subject: Re: Programmatically invalidate cache of Ranger plugins

 

Hi Abhay,

thanks for the info!
That logic just downloads the latest policies and tags but it does not 
invalidate cache, right? My problem is that when I try to push new policies via 
REST API the plugin keeps previous cached policies and does not replace those 
with new ones so in that case I need to first invalidate cache and then push 
new policies.

Regards,
Matteo

On 25/06/19 23:11, Abhay Kulkarni wrote:

https://issues.apache.org/jira/browse/RANGER-2349 provides a way to download 
policies (and tags) on demand. Ranger plugin code may call 
RangerBasePlugin.refreshPoliciesAndTags() API to get the latest policies and 
tags. 

 

Thanks,

-Abhay

 

On Tue, Jun 25, 2019 at 9:11 AM Don Bosco Durai  wrote:

You want to shorten the refresh time or explicitly trigger cache invalidate? 
The former is easy and there is a property to do it. 

 

Bosco

 

 

From: Matteo Alessandroni 
Reply-To: 
Date: Tuesday, June 25, 2019 at 8:45 PM
To: "user@ranger.apache.org" 
Subject: Programmatically invalidate cache of Ranger plugins

 

Hi,

is there a way to programmatically refresh cache of a Ranger plugin?
I'm talking about the part related to [1].

Thanks.
Best regards,
Matteo


[1] http://community.hortonworks.com/answers/66604/view.html

 






Re: Accessing Ranger Policy Manager API from HDFS plugin

2019-01-11 Thread Madhan Neethiraj
> The question now is how to know the plugin is calling this endpoint, and 
> working properly, because the UI doesn't display this plugin.

- if the plugin runs in a kerberized component (i.e. 
UserGroupInformation.isSecurityEnabled() == true) , it downloads policies using 
endpoint /service/plugins/secure/policies/download/, which requires 
authentication

- else it uses endpoint /service/plugins/policies/download/ - which doesn’t 
require authentication

 

Hope this helps.

 

Madhan

 

 

 

From: Velmurugan Periasamy 
Reply-To: "user@ranger.apache.org" 
Date: Friday, January 11, 2019 at 6:32 AM
To: "user@ranger.apache.org" 
Subject: Re: Accessing Ranger Policy Manager API from HDFS plugin

 

You can check namenode log for any errors from HDFS plugin.  

 

From: Odon Copon 
Sent: Friday, January 11, 2019 9:21 AM
To: user@ranger.apache.org
Subject: Re: Accessing Ranger Policy Manager API from HDFS plugin 

 

I fired manually a CURL request to 
"/service/plugins/policies/download/" and now the UI is 
displaying some information in plugin tab. 

1. Is Ranger Admin thinking the call was made from the plugin and is trying to 
list it?

2. If plugin would have executed this request, the UI should have displayed 
this information earlier, right?

3. Any specific log to check for more information?

 

On Fri, 11 Jan 2019 at 14:07, Velmurugan Periasamy  
wrote:

You should see plugin sync'ing policies in plugin tab. If it is not showing 
up, you need to check the logs for any error messages. 

From: Odon Copon 
Sent: Friday, January 11, 2019 8:47 AM
To: user@ranger.apache.org
Subject: Re: Accessing Ranger Policy Manager API from HDFS plugin 

 

ok, seems "service/plugins/policies/download/" has public access, so confirms 
what we have been discussing, no authorization is required to download the 
policies. Good to know, thanks guys.

The question now is how to know the plugin is calling this endpoint, and 
working properly, because the UI doesn't display this plugin. Any tip on this?

 

On Fri, 11 Jan 2019 at 13:08, Odon Copon  wrote:

Yes, makes sense to have a 2-way SSL between the plugin and Ranger Admin, but: 

 - 1. Does it mean there's no authentication at all between them?

 - 2. If there's no authentication, shouldn't a simple CURL work? At the moment 
if no user/pass is provided the API returns 401, or is there another different 
endpoint? If so, which one is it?

 - 3. What is the best way to debug the plugin is communicating or trying to 
communicate with Ranger admin?

 

Thanks.

 

 

On Fri, 11 Jan 2019 at 12:53, Velmurugan Periasamy  
wrote:

If there is no kerberos HDFS plugin uses the open Download policies API, so it 
is recommended to use 2-way SSL between HDFS plugin and Ranger Admin. 


On Jan 11, 2019, at 5:26 AM, Odon Copon  wrote:

I cannot perform a CURL to the API from the namenode without user/password, I 
get a 401 when doing that. So it might require credentials to do that. If I 
use the admin/password credentials or rangerusersync credentials the CURL 
works. So wondering if those credentials need to be setup somewhere.

 

On Fri, 11 Jan 2019 at 10:15, Don Bosco Durai  wrote:

> In terms of "no authentication", is the HDFS plugin using Policy Manager API 
> with no credentials at all?

No credentials, because there is no user/password for HDFS service user. It’s 
been a while, I think we used to have admin/password before, but it was taken 
out eventually. The code might be still there…

 

> What's the first action the plugin is performing to be detected by the UI as 
> active and 200 response?

Abhay or Madhan might be able to give you more specifics. Since the plugins are 
polling and it knows the previous version number, if there are no changes, then 
it is not registered in the UI. The plugins primarily pull the policies and 
tags from Ranger Admin. Rest everything is done by the plugin within the 
component.

 

Bosco

 

 

From: Odon Copon 
Reply-To: 
Date: Friday, January 11, 2019 at 2:03 AM
To: 
Subject: Re: Accessing Ranger Policy Manager API from HDFS plugin

 

Indeed, I know that at the moment without something like Kerberos, users can 
impersonate others, but I'm currently building a POC with the basic security to 
evaluate Ranger, and once it is ready, start improving the security and 
scalability. But thank you for pointing that out.

In terms of "no authentication", is the HDFS plugin using Policy Manager API 
with no credentials at all? or default ones?

What's the first action the plugin is performing to be detected by the UI as 
active and 200 response? Some kind of ping/heartbeat? or just a rest petition 
to download the policies?

Is there anywhere where I can see in the logs what kind of actions the plugin 
is doing? I don't find any log information coming from the plugin.

 

Thanks!

 

On Fri, 11 Jan 2019 at 09:53, Don Bosco Durai  wrote:

If there is no Kerberos, then you have 2 options:
1. No authentication (default)
2. Two way SSL to authenticate 

Re: Release of tool for automate deployment of policies and tags

2018-09-15 Thread Madhan Neethiraj
Magnus,

Thank you for sharing your excellent work with Apache Atlas and Apache Ranger 
communities. The presentation is detailed and very well compiled. This will be 
of immense value for organizations - in designing and setting up authorization 
policies for data in Hadoop.

We value your feedback on better API documentation and tag-based row-filter 
policies. We will plan to address these shortly.

Thanks again.

Madhan



On 9/13/18, 12:04 PM, "Magnus Runesson"  wrote:

Hi!

Me and my employer Svenska Spel have open sourced a command line tool we 
call cobra-policytool. It is an add-on for Atlas and Ranger to make it 
easy to integrate deployment of Ranger policies and Atlas tags in a 
CI/CD pipeline.

Our primary usage has been with Hive but we are extending to other areas. 
Besides just tagging hive tables and setting Ranger policies 
Cobra-policytool can do row based filtering based on tags. These 
policies are at deploy time expanded to normal Ranger policies.

Find out more in this medium post 

https://medium.com/@mrunesson/managing-data-access-policies-in-hive-bba60943b7b4
 
or my presentation at DataWorks Summit Europe 
https://www.youtube.com/watch?v=MlDQqj5aYOg=129s

Project is found at Github https://github.com/SvenskaSpel/cobra-policytool

I think this can interest many here. Contributions and comments are welcome.

Cheers,

/Magnus







Re: Unable to get ranger policies to work

2018-05-09 Thread Madhan Neethiraj
Roberta,

 

Can you please add details of the policy you created and the query executed? 
Also, it will help to look at the contents of the audit log that shows ‘Deny’ 
for the query.

 

Madhan

 

 

 

From: Roberta Marton 
Reply-To: "user@ranger.apache.org" 
Date: Wednesday, May 9, 2018 at 2:44 PM
To: "user@ranger.apache.org" 
Subject: Unable to get ranger policies to work

 

I installed Hortonworks 2.6.2 with Ranger and the Hive plugin using Ambari (no 
Kerberos/LDAP)

I created a Linux user called Henry and assigned him some groups.

Created several Hive tables using Beeline as a sudo user that installed the 
software.

 

Connected to beeline as “henry” and perform “show databases”. I get back a “no 
permissions” error as expected.

 

I created a policy in Ranger and granted Henry “select” privilege on a table in 
one of the Hive databases.

 

Henry connects to beeline.  

“show databases” returns the database that contains the table that Henry now has 
select privilege.

“show tables” returns the table that Henry has been granted select privilege.

However, when Henry tries to select, it gets a no SELECT privilege error.

 

I have tried the same exercise with different users, tables, and privileges and 
the DML operations never succeed.

 

I checked the logs and it looks like Hive is contacting Ranger to get 
privileges as expected:

 

2018-04-27 23:48:19,349 ERROR [HiveServer2-Handler-Pool: Thread-91]: ql.Driver (SessionState.java:printError(993)) - FAILED: HiveAccessControlException Permission denied: user [henry] does not have [SELECT] privilege on [default/customer]
org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException: Permission denied: user [henry] does not have [SELECT] privilege on [default/customer]
    at org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizer.checkPrivileges(RangerHiveAuthorizer.java:460)
    at org.apache.hadoop.hive.ql.Driver.doAuthorizationV2(Driver.java:856)
    at org.apache.hadoop.hive.ql.Driver.doAuthorization(Driver.java:644)
    at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:511)
    at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:321)
    at org.apache.hadoop.hive.ql.Driver.compileInternal(Driver.java:1221)
    at org.apache.hadoop.hive.ql.Driver.compileAndRespond(Driver.java:1215)
    at org.apache.hive.service.cli.operation.SQLOperation.prepare(SQLOperation.java:146)
    at org.apache.hive.service.cli.operation.SQLOperation.runInternal(SQLOperation.java:226)
    at org.apache.hive.service.cli.operation.Operation.run(Operation.java:264)
    at org.apache.hive.service.cli.session.HiveSessionImpl.executeStatementInternal(HiveSessionImpl.java:470)
    at org.apache.hive.service.cli.session.HiveSessionImpl.executeStatementAsync(HiveSessionImpl.java:457)
    at org.apache.hive.service.cli.CLIService.executeStatementAsync(CLIService.java:313)
    at org.apache.hive.service.cli.thrift.ThriftCLIService.ExecuteStatement(ThriftCLIService.java:509)
    at org.apache.hive.service.cli.thrift.TCLIService$Processor$ExecuteStatement.getResult(TCLIService.java:1317)
    at org.apache.hive.service.cli.thrift.TCLIService$Processor$ExecuteStatement.getResult(TCLIService.java:1302)
    at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)
    at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)
    at org.apache.hive.service.auth.TSetIpAddressProcessor.process(TSetIpAddressProcessor.java:56)
    at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:286)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)

 

I am at a loss on how to proceed.  Any suggestions?

 

   Bert



Re: Ranger HBase plugin doesn't work

2017-06-22 Thread Madhan Neethiraj
To troubleshoot further, consider setting log level to debug for the following 
packages and trace the policy evaluation details in HBase log files:

    org.apache.ranger.plugin.policyevaluator

    org.apache.ranger.plugin.policyengine

 

Madhan

 

 

From: "luoch...@gdbigdata.com" 
Reply-To: "user@ranger.apache.org" 
Date: Wednesday, June 21, 2017 at 11:17 PM
To: user 
Subject: Re: Ranger HBase plugin doesn't work

 

Hi

Maybe I did not understand your question clearly. You log in to the hbase 
system with the user hdfs, and the system will check the access when you 
execute the command. It found that hdfs has no rights, so it throws an exception. 

 

It is correct, I think. Maybe if you log in with another user, it will be OK. 

 

Regards

 

luoch...@gdbigdata.com

 

From: wenxing zheng

Date: 2017-06-21 16:23

To: user

Subject: Ranger HBase plugin doesn't work

Dear all,

 

I am using the Ranger 0.7.1 against my HBASE 1.2.4. From the log files, I can 
see HBase got the policy file correctly. But when I executed the "scan" command 
from the "hbase shell", we got "Insufficient permissions".


ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient 
permissions for user 'hdfs' (table=users, action=READ)

 

Appreciated for any hints on how to determine the root cause

Regards, Wenxing



Re: Tag based policy doesn't work

2017-06-09 Thread Madhan Neethiraj
omPolicyAdmin(PolicyRefresher.java:258)

    at org.apache.ranger.plugin.util.PolicyRefresher.loadPolicy(PolicyRefresher.java:202)
    at org.apache.ranger.plugin.util.PolicyRefresher.run(PolicyRefresher.java:171)
Caused by: java.net.ConnectException: Connection refused (Connection refused)
    at java.net.PlainSocketImpl.socketConnect(Native Method)
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
    at java.net.Socket.connect(Socket.java:589)
    at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668)
    at sun.net.NetworkClient.doConnect(NetworkClient.java:175)
    at sun.net.www.http.HttpClient.openServer(HttpClient.java:432)
    at sun.net.www.http.HttpClient.openServer(HttpClient.java:527)
    at sun.net.www.protocol.https.HttpsClient.(HttpsClient.java:264)
    at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191)
    at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1138)
    at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1032)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1546)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1474)
    at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:338)
    at com.sun.jersey.client.urlconnection.URLConnectionClientHandler._invoke(URLConnectionClientHandler.java:240)
    at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:147)
    ... 8 more

 

I also got an error with ranger kms but I don't know if it's linked.

 

Fabien

 

From: Madhan Neethiraj <mneethi...@hortonworks.com> on behalf of Madhan 
Neethiraj <mad...@apache.org>
Sent: Friday, June 9, 2017 02:28
To: user@ranger.apache.org
Subject: Re: Tag based policy doesn't work 

 

Fabien,

 

Empty hiveServicer2_dev1_hive_tag.json file is likely caused by Ranger not 
having any tags associated with dev1_hive service. Next step will be to look at 
the following logs for any error:

-  Atlas logs – if there are any errors in sending notifications to 
Kafka

-  Ranger tag-sync logs – if there are any errors in receiving 
notifications from Kafka

-  Ranger admin – if there are any errors in processing tags sent by 
tag-sync

-  HiveServer2 logs – if there are any errors in downloading tags from 
Ranger admin

 

If no issues are seen in above log files, please send these log files to this 
mailing list (or upload to a JIRA); I will look into them.

 

Hope this helps.

 

Madhan

 

 

From: fabien VIROT <fabienfo...@hotmail.fr>
Reply-To: "user@ranger.apache.org" <user@ranger.apache.org>
Date: Wednesday, June 7, 2017 at 2:28 AM
To: "user@ranger.apache.org" <user@ranger.apache.org>
Subject: RE: Tag based policy doesn't work

 

Hello,

 

The first two checks are OK but the third file is empty and I still have no 
error on tagsync log.

Do you have any other idea?

 

Thanks for your help

 

Fabien 

 

From: Madhan Neethiraj <mneethi...@hortonworks.com> on behalf of Madhan 
Neethiraj <mad...@apache.org>
Sent: Tuesday, June 6, 2017 17:43
To: user@ranger.apache.org
Subject: Re: Tag based policy doesn't work 

 

To troubleshoot this issue, try the following:

-  Verify that Hive service (in Ranger – like dev_hive) is linked to 
Tag service (like dev_tag)

-  Verify whether tag-policies are present in local cache file in 
HiveServer2 host, typically at 
/etc/ranger/dev_hive/policycache/hiveServicer2_dev1_hive.json (replace dev_hive 
with service name)

-  Verify whether tags are present in local cache file in HiveServer2 
host, typically at 
/etc/ranger/dev_hive/policycache/hiveServicer2_dev1_hive_tag.json (replace 
dev_hive with service name)

 

Hope this helps.

 

Madhan

 

 

 

From: Loïc Chanel <loic.cha...@telecomnancy.net>
Reply-To: "user@ranger.apache.org" <user@ranger.apache.org>
Date: Tuesday, June 6, 2017 at 5:58 AM
To: "user@ranger.apache.org" <user@ranger.apache.org>
Subject: Re: Tag based policy doesn't work

 

Hi Fabien, 

 

Can you provide more details