Re: Ranger Authorization fails for storm kerberos, after disabling HTTP authentication

Mon, 15 Jan 2018 17:57:50 -0800 

Hello All,

Any suggestion on how to disable HTTP authentication for Kerberosed storm
cluster, thanks

Regards,
Prakash R

On Fri, Jan 12, 2018 at 8:51 AM, prakash r <rprakashd...@gmail.com> wrote:

> Hello All,
>
> We have configured Ranger plugin for Storm authorization and its kerberos
> cluster.
>
> We have disabled by HTTP authentication, by changing the configuration
> ui.filter as null
>
> We can able to view the UI, but if we send any request request like
> getTopology, its failing (as the user is considered as null)
>
> *Curl Output :*
>
> HTTP/1.1 500 Server Error
> Date: Thu, 11 Jan 2018 21:42:45 GMT
> Cache-Control: no-cache, no-store
> Content-Type: application/json;charset=utf-8
> Content-Length: 5459
> Server: Jetty(7.x.y-SNAPSHOT)
>
> {"error":"Internal Server Error","errorMessage":"AuthorizationException(msg:UI
> request 'getTopology' for 'unknown' user is not authorized)\n\tat
> org.apache.storm.ui.core$assert_authorized_user.invoke(core.clj:109)\n\tat
> org.apache.storm.ui.core$fn__10090.invoke(core.clj:1060)
>
>
> *Storm Log :*
>
> 2018-01-12 08:42:45.723 o.a.r.a.s.a.RangerStormAuthorizer qtp192318053-37
> [INFO] NULL User found from principal [null]: Skipping authorization;
> allowedFlag => [false], Audit Enabled:false
> 2018-01-12 08:42:45.723 o.a.r.a.s.a.RangerStormAuthorizer qtp192318053-37
> [DEBUG] [req 4] Access  from: [null] user: [null], op:
>  [getTopology],topology: [crowdstrike] => returns [false], Audit
> Enabled:false
> 2018-01-12 08:42:45.723 o.a.r.p.c.RangerPluginClassLoader qtp192318053-37
> [DEBUG] ==> RangerPluginClassLoader.deactivate()
> 2018-01-12 08:42:45.723 o.a.r.p.c.RangerPluginClassLoader qtp192318053-37
> [DEBUG] <== RangerPluginClassLoader.deactivate()
> 2018-01-12 08:42:45.723 o.a.r.a.s.a.RangerStormAuthorizer qtp192318053-37
> [DEBUG] <== RangerStormAuthorizer.permit()
> 2018-01-12 08:42:45.724 o.a.s.s.o.e.j.s.Server qtp192318053-37 [DEBUG]
> RESPONSE /api/v1/topology/crowdstrike-2-1508896804  500 handled=true
>
>
>
> If we configure ui.filter: "org.apache.hadoop.security.
> authentication.server.AuthenticationFilter"
>
> The curl output is as expected, we dont get any authorization failure.
>
> We want to disable UI authentication.
>
> Are we doing any mistake over here, is there anyway to avoid this issue,
> please suggest, thanks
>
>
> Regards,
> Prakash R
>

Reply via email to