[
https://issues.apache.org/jira/browse/RANGER-2621?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16956207#comment-16956207
]
Susi Dev commented on RANGER-2621:
----------------------------------
[~vel]
Thank you for giving some insights..
1) Yes, we tried different combinations... We created local users with the
principal name given here, changed it to hive principal as well. Yet, it won't
go through. The crucial information here is that ... *Ranger* is installed on a
*standalone EC2* whereas *Kerberos* server is present in *EMR Master Node*. If
Ranger server is also installed on EMR Master Node, then the policy download
works just fine. Only if we place the *Ranger Server* on a *different host*
than the *Kerberos* server, we are running into this issue. So I assume that
it is trying to authenticate with some user account but not sure which one it
is using and how to configure that.. Perhaps, that is the only missing piece in
getting this work. Please throw some light if there are any pre-reqs here.
2) Yes, We are running latest Ranger version that was built recently from the
git master branch. I hope it has all the latest break-fixes.
h2. {color:#4c9aff}Your timely help is very much appreciated. Thanks again.
{color}
CC [~rmani] / [~mehul] / [~abhayk]
> Ranger Policy Update fails on Kerberized Cluster
> ------------------------------------------------
>
> Key: RANGER-2621
> URL: https://issues.apache.org/jira/browse/RANGER-2621
> Project: Ranger
> Issue Type: Bug
> Components: plugins
> Affects Versions: 2.0.0
> Reporter: Susi Dev
> Priority: Major
>
> {color:#4c9aff}Can someone help configuring RANGER for KERBERIZED cluster
> ??{color}
> We have Ranger 2.0 installed on separate EC2 node, while trying to integrate
> with EMR cluster.
> When the EMR cluster is not kerberized, the policy sync works just fine..
> When EMR is kerberized, policy download does not work anymore...
>
> We see below error:
> +*Access Log:*+
> 10.23.123.150 - - [14/Oct/2019:20:07:09 +0000] "GET
> /service/plugins/secure/policies/download/hadoopdev?supportsPolicyDeltas=false
> HTTP/1.1" 401 52 "-" "curl/7.61.1"
>
> +*Hive Server 2 log:*+
> 2019-10-14T20:03:34,353 WARN [Thread-8([])]: client.RangerAdminRESTClient
> (RangerAdminRESTClient.java:getServicePoliciesIfUpdated(186)) - Error getting
> policies. secureMode=true, user=hive/i...@domain.net (auth:KERBEROS),
> response=\{"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication
> Failed"}, serviceName=hivedev
>
> +*Plugin Error(Test Connection):*+
> org.apache.ranger.plugin.client.HadoopException: Unable to execute SQL [show
> databases like "*"]..
> Unable to execute SQL [show databases like "*"]..
> Error running query: java.lang.NoSuchFieldError: REPLLOAD.
> REPLLOAD.
>
>
> {color:#FF0000}Plugin Config:{color}
> Service Name : hivedev
> Active Status: Enabled
>
> {color:#FF0000}Config Properties :{color}
> Username : Rangeradmin/_hostn...@domain.net
> Password : ********
> jdbc.driverClassName: org.apache.hive.jdbc.HiveDriver
> jdbc.url: jdbc:hive2://hostname:10000/;principal=hive/hostn...@domain.net
> Common Name for Certificate:
> Add New Configurations
> ||Name||Value||
> |policy.download.auth.users | rangeradmin/hostn...@domain.net | |
>
>
> {color:#FF0000}*Ranger 2.0 looks great but with not enough documentation
> around the installation and configuration, we are all handicapped when it
> comes to using. Appreciate if some of you add good documentation, it helps us
> appreciate the amount of work done by you ... Right now, we are only shooting
> in the DARK.*{color}
>
>
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
