Alok,

I already turned logging on, but it seems I can't see any plugin logs. I tried to add the following properties:

    log4j.logger.org.apache.ranger=DEBUG
    log4j.logger.org.apache.ranger.services.knox=DEBUG

But all I can see in the logs are Knox gateway logs, and there is nothing wrong with them (the only thing I see that is wrong comes from gateway.out, and is the error I mentioned in my first e-mail).

How can I turn Ranger plugin logs on? And where can I find these logs afterwards?

In addition, I turned on the property "Audit to HDFS", but as I can't find audit records in the cluster, I think the auditing problem is kind of a general one. As far as the policy manager is concerned, I can see audit records for HDFS repository, so I don't think the problem comes from there.

Do you see a possible origin of the problem?

Thanks,
Loïc

Loïc CHANEL
Engineering student at TELECOM Nancy
Trainee at Worldline - Villeurbanne

2015-06-18 19:48 GMT+02:00 Alok Lal <[email protected]>:

> I spoke too soon. I don’t think the following is true. We never let
> the inability to audit
> <https://github.com/apache/incubator-ranger/blob/ranger-0.4/agents-impl/src/main/java/com/xasecure/pdp/knox/filter/XASecurePDPKnoxFilter.java#L202-L211>
> prevent auth. My bad!
>
> Can you turn logging on (/etc/knox/conf/gateway-log4j.properties) and
> paste relevant parts from it?
>
> From: Alok Lal <[email protected]>
> Date: Thursday, June 18, 2015 at 10:42 AM
> To: "[email protected]" <[email protected]>
> Subject: Re: Knox group policies not enforced
>
> I assume you are using ranger-0.4.
>
> - Do you see access audit records on the audit page of policy manager?
> - Writing audits to HDFS is not through JDBC driver. Only writing
>   to DB needs it.
> - Further, only audits written to the DB are shown on the audit
>   page — which is why I asked the above question.
> - It is possible that you have audit turned on to both DB and HDFS?
> - The way code is today
>   <https://github.com/apache/incubator-ranger/blob/ranger-0.4/agents-impl/src/main/java/com/xasecure/pdp/knox/filter/XASecurePDPKnoxFilter.java#L124-L139>
>   inability to write audit, say, due to a misconfigured JDBC adaptor,
>   would cause authorization to fail, too (because the auth call would
>   throw an unhandled exception).
> - However, I don’t know why that should be related only to membership
>   in a group.
> - If inability to write to audit is in fact the issue then you
>   should not be able to connect as long as the policy granting you
>   access is audited. Perhaps you can confirm that to be the case to
>   help narrow the cause.
>
> Alok
>
> From: Loïc Chanel <[email protected]>
> Reply-To: "[email protected]" <[email protected]>
> Date: Thursday, June 18, 2015 at 3:05 AM
> To: "[email protected]" <[email protected]>
> Subject: Knox group policies not enforced
>
> Hi fellow Ranger users,
>
> As I am using Ranger plugin for Knox, I noticed that group policies are
> not applied. For example, if I grant to the group "users" the right to
> connect from anywhere, and I try to use WebHDFS with a user of this group,
> I keep getting 403 responses from Knox.
>
> In addition, I can't find any audit logs from Knox in Ranger interface,
> but I think this is linked to the error I get in gateway.out:
>
> [EL Severe]: ejb: 2015-06-18 11:33:44.253--ServerSession(453422229)--Exception [EclipseLink-4003] (Eclipse Persistence Services - 2.5.2.v20140319-9ad6abd): org.eclipse.persistence.exceptions.DatabaseException
> Exception Description: Configuration error. Class [com.mysql.jdbc.Driver] not found.
>
> This error is actually weird too because the JDBC driver is properly
> installed, as I can see audit logs from HDFS repository.
>
> Has anyone an idea of where these errors might come from?
> Thanks in advance for your help,
>
> Loïc
>
> Loïc CHANEL
> Engineering student at TELECOM Nancy
> Trainee at Worldline - Villeurbanne
