Hi Gautam, I did not have the connector jar in this directory, and the problem actually came from here : thanks a lot ! :-)
Still, I'm a little surprised : Knox does not search for the connector in other directories ? Because as during the configuration we specify to the Ambari-server the location of mysql-java-connector, Knox should be able to pull this information, shouldn't it ? Thanks again, Loïc Loïc CHANEL Engineering student at TELECOM Nancy Trainee at Worldline - Villeurbanne 2015-06-19 10:51 GMT+02:00 Gautam Borad <[email protected]>: > Hi Loïc > Can you please check if the connector jar(*mysql-connector-java.jar*) > is present in the knox/ext/ dir? The jar should be present in the > classpath. Please check and let us know. > > > > On Fri, Jun 19, 2015 at 1:29 PM, Loïc Chanel <[email protected] > > wrote: > >> Alok, >> >> I already turned logging on, but it seems I can't see any plugin logs. I >> tried to add the following properties : >> log4j.logger.org.apache.ranger=DEBUG >> log4j.logger.org.apache.ranger.services.knox=DEBUG >> >> But all I can see in the logs are Knox gateway logs, and there is nothing >> wrong with them (the only think I see that is wrong come from gateway.out, >> and is the error I mentioned in my first e-Mail). How can I turn Ranger >> plugin logs on ? And where can I find these logs afterwards ? >> >> In addition, I turned on the property "Audit to HDFS", but as I can't >> find audit records in the cluster, I think the auditing problem is kind of >> a general one. >> >> As far as the policy manager is concerned, I can see audit records for >> HDFS repository, so I don't think the problem comes from there. >> >> Do you see a possible origin of the problem ? >> Thanks, >> >> >> Loïc >> >> Loïc CHANEL >> Engineering student at TELECOM Nancy >> Trainee at Worldline - Villeurbanne >> >> 2015-06-18 19:48 GMT+02:00 Alok Lal <[email protected]>: >> >>> I spoke too soon. I don’t think the following is true. We never let >>> the inability to audit >>> <https://github.com/apache/incubator-ranger/blob/ranger-0.4/agents-impl/src/main/java/com/xasecure/pdp/knox/filter/XASecurePDPKnoxFilter.java#L202-L211> >>> prevent auth. My bad! >>> >>> Can you turn logging on (/etc/knox/conf/gateway-log4j.properties) and >>> paste relevant parts from it? >>> >>> >>> >>> From: Alok Lal <[email protected]> >>> Date: Thursday, June 18, 2015 at 10:42 AM >>> To: "[email protected]" <[email protected] >>> > >>> Subject: Re: Knox group policies not enforced >>> >>> I assume you are using ranger-0.4. >>> >>> - Do you see access audit records on the audit page of policy >>> manager? >>> - Writing audits to HDFS is not through JDBC driver. Only >>> writing to DB needs it. >>> - Further, only audits written to the DB are shown on the audit >>> page — which is why I asked the above question. >>> - It is possible that you have audit turned on to both DB and HDFS? >>> - The way code is today >>> >>> <https://github.com/apache/incubator-ranger/blob/ranger-0.4/agents-impl/src/main/java/com/xasecure/pdp/knox/filter/XASecurePDPKnoxFilter.java#L124-L139> >>> inability to write audit, say, due to a misconfigured JDBC adaptor, would >>> cause authorization to fail, too (because the auth call would throw an >>> unhandled exception). >>> - However, I don’t know why that should be related only >>> membership to a group. >>> - If inability to write to audit is in fact the issue then you >>> should not be able to connect as long as the policy granting you >>> access is >>> audited. Perhaps you can confirm that to be the case to help narrow >>> the >>> cause. >>> >>> Alok >>> >>> From: Loïc Chanel <[email protected]> >>> Reply-To: "[email protected]" < >>> [email protected]> >>> Date: Thursday, June 18, 2015 at 3:05 AM >>> To: "[email protected]" <[email protected] >>> > >>> Subject: Knox group policies not enforced >>> >>> Hi fellow Ranger users, >>> >>> As I am using Ranger plugin for Knox, I noticed that group policies are >>> not applied. For example, if I grant to the group "users" the right to >>> connect from anywhere, and I try to use WebHDFS with a user of this group, >>> I keep getting 403 responses from Knox. >>> >>> In addition, I can't find any audit logs from Knox in Ranger interface, >>> but I thinks this is linked to the error I get in gateway.out : >>> [EL Severe]: ejb: 2015-06-18 >>> 11:33:44.253--ServerSession(453422229)--Exception [EclipseLink-4003] >>> (Eclipse Persistence Services - 2.5.2.v20140319-9ad6abd): >>> org.eclipse.persistence.exceptions.DatabaseException >>> Exception Description: Configuration error. Class >>> [com.mysql.jdbc.Driver] not found. >>> >>> This error is actually weird too because the JDBC driver is properly >>> installed, as I can see audit logs from HDFS repository. >>> >>> Has anyone an idea of where these errors might come from ? >>> Thanks in advance for your help, >>> >>> >>> Loïc >>> >>> Loïc CHANEL >>> Engineering student at TELECOM Nancy >>> Trainee at Worldline - Villeurbanne >>> >> >> > > > -- > Regards, > Gautam. >
