Hello Ranger community, I have a question to ask. In Ranger version 1.x, when 
Kerberos is enabled and Ranger plugin is subsequently activated, HDP uses the 
component's own principal, such as the HDFS user's principal, to communicate 
with Ranger to create HDFS service and policy.

However, in Ranger 2.3 and Ranger 2.4, this action no longer works and an error 
is reported: "rangerlookup specified in policy does not exist in ranger admin".

To reproduce this issue, one can install Ranger after enabling Kerberos in the 
cluster, activate the plugin, and then restart
the component. After restarting, it can be observed in the Ranger UI that the 
service and policy have not been created. The error message can be found in the 
service start log in Ambari UI and in the Ranger admin log.

Manually creating a rangerlookup user in the Ranger UI and then restarting the 
component will automatically create the corresponding service and policy.

Here is the command to create the service and policy after Ranger is enabled:

```
/var/lib/ambari-agent/ambari-sudo.sh su hbase -l -s /bin/bash -c 'curl \
  --location-trusted -k --negotiate -u : \
  -b /var/lib/ambari-agent/tmp/cookies/227537ab-6202-444d-b908-b64a4e2c8e64 \
  -c /var/lib/ambari-agent/tmp/cookies/227537ab-6202-444d-b908-b64a4e2c8e64 \
  http://gs-server-13481:6080/service/public/v2/api/service \
  --connect-timeout 10 --max-time 12 \
  -H '"'"'Content-Type: application/json'"'"' -X POST \
  -d '"'"'{"isEnabled": "true", "type": "hbase", "configs": {"username": "hbase",
"policy.grantrevoke.auth.users": "hbase", "hadoop.security.authentication":
"kerberos", "default-policy.1.policyItem.1.users": "ambari-qa",
"default-policy.1.name": "Service Check User Policy for Hbase",
"default-policy.1.policyItem.1.accessTypes": "read,write,create",
"hbase.security.authentication": "kerberos",
"setup.additional.default.policies": "true", "tag.download.auth.users":
"hbase", "commonNameForCertificate": "", "hbase.zookeeper.property.clientPort":
"2181", "hbase.zookeeper.quorum":
"gs-server-13481,gs-server-13482,gs-server-13806",
"default-policy.1.resource.table": "ambarismoketest", "zookeeper.znode.parent":
"/hbase-secure", "password": "hbase", "policy.download.auth.users": "hbase",
"hbase.master.kerberos.principal": "hbase/_h...@gdhthreetwo.com",
"default-policy.1.resource.column": "*",
"default-policy.1.resource.column-family": "*"}, "name": "GdhThreeTwo_hbase",
"description": "hbase repo"}'"'"' 1>/tmp/tmpP7nnJT 2>/tmp/tmp3kBHCP'
```
