I spoke too soon. I don't think the following is true. We never let the inability to audit <https://github.com/apache/incubator-ranger/blob/ranger-0.4/agents-impl/src/main/java/com/xasecure/pdp/knox/filter/XASecurePDPKnoxFilter.java#L202-L211> prevent auth. My bad!
Can you turn logging on (/etc/knox/conf/gateway-log4j.properties) and paste relevant parts from it?

From: Alok Lal <[email protected]>
Date: Thursday, June 18, 2015 at 10:42 AM
To: "[email protected]" <[email protected]>
Subject: Re: Knox group policies not enforced

I assume you are using ranger-0.4.

* Do you see access audit records on the audit page of policy manager?
* Writing audits to HDFS is not through JDBC driver. Only writing to DB needs it.
* Further, only audits written to the DB are shown on the audit page - which is why I asked the above question.
* It is possible that you have audit turned on to both DB and HDFS?
* The way code is today <https://github.com/apache/incubator-ranger/blob/ranger-0.4/agents-impl/src/main/java/com/xasecure/pdp/knox/filter/XASecurePDPKnoxFilter.java#L124-L139>, inability to write audit, say, due to a misconfigured JDBC adaptor, would cause authorization to fail, too (because the auth call would throw an unhandled exception).
* However, I don't know why that should be related only to membership in a group.
* If inability to write to audit is in fact the issue, then you should not be able to connect as long as the policy granting you access is audited. Perhaps you can confirm that to be the case to help narrow the cause.

Alok

From: Loïc Chanel <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Thursday, June 18, 2015 at 3:05 AM
To: "[email protected]" <[email protected]>
Subject: Knox group policies not enforced

Hi fellow Ranger users,

As I am using Ranger plugin for Knox, I noticed that group policies are not applied. For example, if I grant to the group "users" the right to connect from anywhere, and I try to use WebHDFS with a user of this group, I keep getting 403 responses from Knox.

In addition, I can't find any audit logs from Knox in the Ranger interface, but I think this is linked to the error I get in gateway.out:

[EL Severe]: ejb: 2015-06-18 11:33:44.253--ServerSession(453422229)--Exception [EclipseLink-4003] (Eclipse Persistence Services - 2.5.2.v20140319-9ad6abd): org.eclipse.persistence.exceptions.DatabaseException Exception Description: Configuration error. Class [com.mysql.jdbc.Driver] not found.

This error is actually weird too because the JDBC driver is properly installed, as I can see audit logs from HDFS repository.

Has anyone an idea of where these errors might come from?

Thanks in advance for your help,
Loïc

Loïc CHANEL
Engineering student at TELECOM Nancy
Trainee at Worldline - Villeurbanne
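The thread turns on one design question: whether a failure to persist an access audit record (here, a JDBC driver the audit store cannot load) is allowed to turn into an authorization denial. The following Python model is an added example, not code from Ranger or Knox, and all names in it (DbAuditSink, PolicyEngine, authorize_coupled, authorize_decoupled, handle_request) are hypothetical. It evaluates a group-based policy like the one in the original post, then shows both behaviours side by side: an authorizer that lets the audit exception escape (the gateway wrapper then answers 403 for an allowed user) and one that isolates the audit write, keeps the record in a local fallback, and still returns the policy decision. It also reproduces the check Alok suggests: with an unaudited policy, the broken sink never matters.

```python
import logging
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

log = logging.getLogger("gateway")  # hypothetical logger name


class AuditSinkError(RuntimeError):
    """Raised when an audit record cannot be persisted (constructed failure type)."""


class DbAuditSink:
    """Stand-in for a JDBC-backed audit store. driver_available=False simulates
    the 'Class [com.mysql.jdbc.Driver] not found' condition from the thread."""

    def __init__(self, driver_available: bool = True):
        self.driver_available = driver_available
        self.records: List[dict] = []

    def write(self, record: dict) -> None:
        if not self.driver_available:
            raise AuditSinkError("Configuration error. Class [com.mysql.jdbc.Driver] not found.")
        self.records.append(record)


@dataclass(frozen=True)
class Policy:
    resource_prefix: str            # e.g. "/webhdfs/"
    users: Tuple[str, ...]          # directly granted users
    groups: Tuple[str, ...]         # granted groups, e.g. ("users",)
    audited: bool = True            # whether access under this policy produces an audit record


class PolicyEngine:
    def __init__(self, policies: List[Policy]):
        self.policies = policies

    def evaluate(self, user: str, groups: List[str], resource: str) -> Optional[Policy]:
        """Return the first policy granting access, or None. A group grant
        counts exactly like a direct user grant."""
        for p in self.policies:
            if not resource.startswith(p.resource_prefix):
                continue
            if user in p.users or any(g in p.groups for g in groups):
                return p
        return None


def _audit_record(user: str, resource: str, allowed: bool) -> dict:
    return {"user": user, "resource": resource, "result": allowed}


def authorize_coupled(engine: PolicyEngine, sink: DbAuditSink,
                      user: str, groups: List[str], resource: str) -> bool:
    """Audit write sits on the authorization path with no handling: a sink
    failure propagates to the caller, who treats it as a denial."""
    policy = engine.evaluate(user, groups, resource)
    allowed = policy is not None
    if policy is None or policy.audited:       # denials are always audited here
        sink.write(_audit_record(user, resource, allowed))   # may raise AuditSinkError
    return allowed


def authorize_decoupled(engine: PolicyEngine, sink: DbAuditSink,
                        user: str, groups: List[str], resource: str,
                        fallback: List[dict]) -> bool:
    """Same policy decision, but the audit write is isolated: on sink failure
    the record is kept locally and logged, and the decision is still returned."""
    policy = engine.evaluate(user, groups, resource)
    allowed = policy is not None
    if policy is None or policy.audited:
        record = _audit_record(user, resource, allowed)
        try:
            sink.write(record)
        except AuditSinkError as exc:
            log.error("audit sink unavailable (%s); record kept in local fallback", exc)
            fallback.append(record)
    return allowed


def handle_request(authorize: Callable[[str, List[str], str], bool],
                   user: str, groups: List[str], resource: str) -> int:
    """Gateway-style wrapper: any exception escaping the authorizer becomes a 403,
    which is how an audit-store misconfiguration can look like a policy problem."""
    try:
        return 200 if authorize(user, groups, resource) else 403
    except Exception:
        log.exception("authorization raised; denying request")
        return 403


if __name__ == "__main__":
    engine = PolicyEngine([Policy("/webhdfs/", (), ("users",))])   # constructed group policy
    broken = DbAuditSink(driver_available=False)
    fallback: List[dict] = []
    coupled = lambda u, g, r: authorize_coupled(engine, broken, u, g, r)
    decoupled = lambda u, g, r: authorize_decoupled(engine, broken, u, g, r, fallback)
    print("coupled  :", handle_request(coupled, "loic", ["users"], "/webhdfs/v1/tmp"))
    print("decoupled:", handle_request(decoupled, "loic", ["users"], "/webhdfs/v1/tmp"))
    print("fallback records:", fallback)
```

The diagnostic value is in the comparison: when the same user and the same group policy return 403 only while the audit store is unreachable, and 200 once the policy is made unaudited or the store is repaired, the fault is in the audit path rather than in group evaluation.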
