Hello,
I can reach ranger admin with curl for the server where Hiveserver2 is running
and ranger admin is running.
Fabien
________________________________
De : Madhan Neethiraj <mneethi...@hortonworks.com> de la part de Madhan
Neethiraj <mad...@apache.org>
Envoyé : vendredi 9 juin 2017 18:10
À : user@ranger.apache.org
Objet : Re: Tag based policy doesn't work
Fabien,
Both RangerTagRefresher and RangerPolicyRefresher failed to contact Ranger
Admin, with error “java.net.ConnectException: Connection refused (Connection
refused)”. Can you ensure that Ranger Admin is up and is reachable from the
host where HiveServer2 runs?
Madhan
From: fabien VIROT <fabienfo...@hotmail.fr>
Reply-To: "user@ranger.apache.org" <user@ranger.apache.org>
Date: Friday, June 9, 2017 at 2:24 AM
To: "user@ranger.apache.org" <user@ranger.apache.org>
Subject: RE: Tag based policy doesn't work
Hello,
I got the following error on hive server2 log :
ERROR [Thread-75]: contextenricher.RangerTagEnricher$RangerTagRefresher
(RangerTagEnricher.java:populateTags(516)) - Encountered unexpected exception.
Ignoring
com.sun.jersey.api.client.ClientHandlerException: java.net.ConnectException:
Connection refused (Connection refused)
at
com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:149)
at com.sun.jersey.api.client.Client.handle(Client.java:648)
at com.sun.jersey.api.client.WebResource.handle(WebResource.java:670)
at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)
at
com.sun.jersey.api.client.WebResource$Builder.get(WebResource.java:503)
at
org.apache.ranger.admin.client.RangerAdminRESTClient.getServiceTagsIfUpdated(RangerAdminRESTClient.java:303)
at
org.apache.ranger.plugin.contextenricher.RangerAdminTagRetriever.retrieveTags(RangerAdminTagRetriever.java:57)
at
org.apache.ranger.plugin.contextenricher.RangerTagEnricher$RangerTagRefresher.populateTags(RangerTagEnricher.java:481)
at
org.apache.ranger.plugin.contextenricher.RangerTagEnricher$RangerTagRefresher.run(RangerTagEnricher.java:460)
Caused by: java.net.ConnectException: Connection refused (Connection refused)
at java.net.PlainSocketImpl.socketConnect(Native Method)
at
java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
at
java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at
java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:589)
at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668)
at sun.net.NetworkClient.doConnect(NetworkClient.java:175)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:432)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:527)
at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:264)
at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367)
at
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191)
at
sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1138)
at
sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1032)
at
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177)
at
sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1546)
at
sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1474)
at
java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
at
sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:338)
at
com.sun.jersey.client.urlconnection.URLConnectionClientHandler._invoke(URLConnectionClientHandler.java:240)
at
com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:147)
... 8 more
2017-06-09 08:57:38,032 ERROR [Thread-13]: util.PolicyRefresher
(PolicyRefresher.java:loadPolicyfromPolicyAdmin(282)) -
PolicyRefresher(serviceName=cluster_crm_hive): failed to refresh policies. Will
continue to use last known version of policies (201)
com.sun.jersey.api.client.ClientHandlerException: java.net.ConnectException:
Connection refused (Connection refused)
at
com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:149)
at com.sun.jersey.api.client.Client.handle(Client.java:648)
at com.sun.jersey.api.client.WebResource.handle(WebResource.java:670)
at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)
at
com.sun.jersey.api.client.WebResource$Builder.get(WebResource.java:503)
at
org.apache.ranger.admin.client.RangerAdminRESTClient.getServicePoliciesIfUpdated(RangerAdminRESTClient.java:123)
at
org.apache.ranger.plugin.util.PolicyRefresher.loadPolicyfromPolicyAdmin(PolicyRefresher.java:258)
at
org.apache.ranger.plugin.util.PolicyRefresher.loadPolicy(PolicyRefresher.java:202)
at
org.apache.ranger.plugin.util.PolicyRefresher.run(PolicyRefresher.java:171)
Caused by: java.net.ConnectException: Connection refused (Connection refused)
at java.net.PlainSocketImpl.socketConnect(Native Method)
at
java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
at
java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at
java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:589)
at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668)
at sun.net.NetworkClient.doConnect(NetworkClient.java:175)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:432)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:527)
at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:264)
at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367)
at
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191)
at
sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1138)
at
sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1032)
at
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177)
at
sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1546)
at
sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1474)
at
java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
at
sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:338)
at
com.sun.jersey.client.urlconnection.URLConnectionClientHandler._invoke(URLConnectionClientHandler.java:240)
at
com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:147)
... 8 more
I also ot an error with ranger kms but I don't konw if it's link.
Fabien
________________________________
De : Madhan Neethiraj <mneethi...@hortonworks.com> de la part de Madhan
Neethiraj <mad...@apache.org>
Envoyé : vendredi 9 juin 2017 02:28
À : user@ranger.apache.org
Objet : Re: Tag based policy doesn't work
Fabien,
Empty hiveServicer2_dev1_hive_tag.json file is likely caused by Ranger not
having any tags associated with dev1_hive service. Next step will be to look at
the following logs for any error:
- Atlas logs – if there are any errors in sending notifications to
Kafka
- Ranger tag-sync logs – if there are any errors in receiving
notifications from Kafka
- Ranger admin – if there are any errors in processing tags sent by
tag-sync
- HiveServer2 logs – if there are any errors in downloading tags from
Ranger admin
If no issues are seen in above log files, please send these log files to this
mailing list (or upload to a JIRA); I will look into them.
Hope this helps.
Madhan
From: fabien VIROT <fabienfo...@hotmail.fr>
Reply-To: "user@ranger.apache.org" <user@ranger.apache.org>
Date: Wednesday, June 7, 2017 at 2:28 AM
To: "user@ranger.apache.org" <user@ranger.apache.org>
Subject: RE: Tag based policy doesn't work
Hello,
The two first check are OK but the third file is empty and I still have no
error on tagsync log.
Have you any other idea ?
Thanks for your help
Fabien
________________________________
De : Madhan Neethiraj <mneethi...@hortonworks.com> de la part de Madhan
Neethiraj <mad...@apache.org>
Envoyé : mardi 6 juin 2017 17:43
À : user@ranger.apache.org
Objet : Re: Tag based policy doesn't work
To troubleshoot this issue, try the following:
- Verify that Hive service (in Ranger – like dev_hive) is linked to
Tag service (like dev_tag)
- Verify whether tag-policies are present in local cache file in
HiveServer2 host, typically at
/etc/ranger/dev_hive/policycache/hiveServicer2_dev1_hive.json (replace dev_hive
with service name)
- Verify whether tags are present in local cache file in HiveServer2
host, typically at
/etc/ranger/dev_hive/policycache/hiveServicer2_dev1_hive_tag.json (replace
dev_hive with service name)
Hope this helps.
Madhan
From: Loïc Chanel <loic.cha...@telecomnancy.net>
Reply-To: "user@ranger.apache.org" <user@ranger.apache.org>
Date: Tuesday, June 6, 2017 at 5:58 AM
To: "user@ranger.apache.org" <user@ranger.apache.org>
Subject: Re: Tag based policy doesn't work
Hi Fabien,
Can you provide more details on waht doesn't work ? I mean, you create a
policy, but it is not enforced, right ?
Can you see in HiveServer logs that Hive asks Ranger for an authorization to
execute your request ?
Thanks,
Loïc
Loïc CHANEL
System Big Data engineer
MS&T - Worldline Analytics Platform - Worldline (Villeurbanne, France)
2017-06-06 14:51 GMT+02:00 fabien VIROT
<fabienfo...@hotmail.fr<mailto:fabienfo...@hotmail.fr>>:
Hello,
I got problems with tag based policy on ranger, when I create policy based on
Atlas tag they doesn't work on Hive.
I have no log error (in Debug mode) on ranger tagsync and in Atlas.
I'm using beeline to send request to Hive.
Have you any idea of where the problem is ??
Thanks for your help
Fabien VIROT
