Well, I am using Ambari, and it seems that the Agent did not copy the MySQL connector to the ext/ directory :-/ I will check if this happen again, and keep the community in touch if so.
Thanks a lot for your answers ! Loïc Loïc CHANEL Engineering student at TELECOM Nancy Trainee at Worldline - Villeurbanne 2015-06-19 11:47 GMT+02:00 Gautam Borad <[email protected]>: > Loïc, yes if you are using Ambari, the Ambari agent should copy the mysql > connector to the ext/ directory. > > >>Knox does not search for the connector in other directories > > It will look for connector only in the directories in the classpath. I > know that the ext is in the classpath, am not aware of other directories :-) > > > > On Fri, Jun 19, 2015 at 2:37 PM, Loïc Chanel <[email protected] > > wrote: > >> Hi Gautam, >> >> I did not have the connector jar in this directory, and the problem >> actually came from here : thanks a lot ! :-) >> >> Still, I'm a little surprised : Knox does not search for the connector in >> other directories ? Because as during the configuration we specify to the >> Ambari-server the location of mysql-java-connector, Knox should be able to >> pull this information, shouldn't it ? >> >> Thanks again, >> >> >> Loïc >> >> Loïc CHANEL >> Engineering student at TELECOM Nancy >> Trainee at Worldline - Villeurbanne >> >> 2015-06-19 10:51 GMT+02:00 Gautam Borad <[email protected]>: >> >>> Hi Loïc >>> Can you please check if the connector jar(*mysql-connector-java.jar*) >>> is present in the knox/ext/ dir? The jar should be present in the >>> classpath. Please check and let us know. >>> >>> >>> >>> On Fri, Jun 19, 2015 at 1:29 PM, Loïc Chanel < >>> [email protected]> wrote: >>> >>>> Alok, >>>> >>>> I already turned logging on, but it seems I can't see any plugin logs. >>>> I tried to add the following properties : >>>> log4j.logger.org.apache.ranger=DEBUG >>>> log4j.logger.org.apache.ranger.services.knox=DEBUG >>>> >>>> But all I can see in the logs are Knox gateway logs, and there is >>>> nothing wrong with them (the only think I see that is wrong come from >>>> gateway.out, and is the error I mentioned in my first e-Mail). How can I >>>> turn Ranger plugin logs on ? And where can I find these logs afterwards ? >>>> >>>> In addition, I turned on the property "Audit to HDFS", but as I can't >>>> find audit records in the cluster, I think the auditing problem is kind of >>>> a general one. >>>> >>>> As far as the policy manager is concerned, I can see audit records for >>>> HDFS repository, so I don't think the problem comes from there. >>>> >>>> Do you see a possible origin of the problem ? >>>> Thanks, >>>> >>>> >>>> Loïc >>>> >>>> Loïc CHANEL >>>> Engineering student at TELECOM Nancy >>>> Trainee at Worldline - Villeurbanne >>>> >>>> 2015-06-18 19:48 GMT+02:00 Alok Lal <[email protected]>: >>>> >>>>> I spoke too soon. I don’t think the following is true. We never >>>>> let the inability to audit >>>>> <https://github.com/apache/incubator-ranger/blob/ranger-0.4/agents-impl/src/main/java/com/xasecure/pdp/knox/filter/XASecurePDPKnoxFilter.java#L202-L211> >>>>> prevent auth. My bad! >>>>> >>>>> Can you turn logging on (/etc/knox/conf/gateway-log4j.properties) >>>>> and paste relevant parts from it? >>>>> >>>>> >>>>> >>>>> From: Alok Lal <[email protected]> >>>>> Date: Thursday, June 18, 2015 at 10:42 AM >>>>> To: "[email protected]" < >>>>> [email protected]> >>>>> Subject: Re: Knox group policies not enforced >>>>> >>>>> I assume you are using ranger-0.4. >>>>> >>>>> - Do you see access audit records on the audit page of policy >>>>> manager? >>>>> - Writing audits to HDFS is not through JDBC driver. Only >>>>> writing to DB needs it. >>>>> - Further, only audits written to the DB are shown on the audit >>>>> page — which is why I asked the above question. >>>>> - It is possible that you have audit turned on to both DB and HDFS? >>>>> - The way code is today >>>>> >>>>> <https://github.com/apache/incubator-ranger/blob/ranger-0.4/agents-impl/src/main/java/com/xasecure/pdp/knox/filter/XASecurePDPKnoxFilter.java#L124-L139> >>>>> inability to write audit, say, due to a misconfigured JDBC adaptor, >>>>> would >>>>> cause authorization to fail, too (because the auth call would throw an >>>>> unhandled exception). >>>>> - However, I don’t know why that should be related only >>>>> membership to a group. >>>>> - If inability to write to audit is in fact the issue then you >>>>> should not be able to connect as long as the policy granting you >>>>> access is >>>>> audited. Perhaps you can confirm that to be the case to help >>>>> narrow the >>>>> cause. >>>>> >>>>> Alok >>>>> >>>>> From: Loïc Chanel <[email protected]> >>>>> Reply-To: "[email protected]" < >>>>> [email protected]> >>>>> Date: Thursday, June 18, 2015 at 3:05 AM >>>>> To: "[email protected]" < >>>>> [email protected]> >>>>> Subject: Knox group policies not enforced >>>>> >>>>> Hi fellow Ranger users, >>>>> >>>>> As I am using Ranger plugin for Knox, I noticed that group policies >>>>> are not applied. For example, if I grant to the group "users" the right to >>>>> connect from anywhere, and I try to use WebHDFS with a user of this group, >>>>> I keep getting 403 responses from Knox. >>>>> >>>>> In addition, I can't find any audit logs from Knox in Ranger >>>>> interface, but I thinks this is linked to the error I get in gateway.out : >>>>> [EL Severe]: ejb: 2015-06-18 >>>>> 11:33:44.253--ServerSession(453422229)--Exception [EclipseLink-4003] >>>>> (Eclipse Persistence Services - 2.5.2.v20140319-9ad6abd): >>>>> org.eclipse.persistence.exceptions.DatabaseException >>>>> Exception Description: Configuration error. Class >>>>> [com.mysql.jdbc.Driver] not found. >>>>> >>>>> This error is actually weird too because the JDBC driver is properly >>>>> installed, as I can see audit logs from HDFS repository. >>>>> >>>>> Has anyone an idea of where these errors might come from ? >>>>> Thanks in advance for your help, >>>>> >>>>> >>>>> Loïc >>>>> >>>>> Loïc CHANEL >>>>> Engineering student at TELECOM Nancy >>>>> Trainee at Worldline - Villeurbanne >>>>> >>>> >>>> >>> >>> >>> -- >>> Regards, >>> Gautam. >>> >> >> > > > -- > Regards, > Gautam. >
