[ https://issues.apache.org/jira/browse/RANGER-3099?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Anoop Kumar K M updated RANGER-3099:
------------------------------------
    Description:
Hi,

We are trying to implement Ranger 2.1.0 on top of AWS EMR 6.1.0. EMR 6.1.0 has Hadoop 3. The cluster is Kerberos enabled.

I have installed Ranger on a separate EC2 machine and am able to install the HDFS plugin in EMR. But the problem is that for policies to be applied, both the Ranger server and the HDFS namenode should be restarted. After I restart both, the policies become effective.

Ranger admin logs show the below error.

==========
2020-11-30 10:57:42,397 [http-bio-6080-exec-9] INFO org.apache.ranger.common.RESTErrorUtil (RESTErrorUtil.java:345) - Request failed. loginId=null, logMessage=Unauthenticated access not allowed
javax.ws.rs.WebApplicationException
	at org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:337)
=========

Namenode logs show the below error.

==========
2020-12-02 13:32:53,863 ERROR org.apache.ranger.admin.client.RangerAdminRESTClient (Thread-29): Error getting Roles; service not found. secureMode=false, user=hdfs/ip-10-98-84-189.eu-west-1.compute.internal@EU-WEST-1.COMPUTE.INTERNAL (auth:KERBEROS), response=404, serviceName=hadoopdev, lastKnownRoleVersion=-1, lastActivationTimeInMillis=1606746562885
2020-12-02 13:32:53,863 WARN org.apache.ranger.admin.client.RangerAdminRESTClient (Thread-29): Received 404 error code with body:[null], Ignoring
2020-12-02 13:32:53,863 INFO org.apache.ranger.admin.client.RangerAdminRESTClient (Thread-29): Skip Securetrue
2020-12-02 13:32:53,869 WARN org.apache.ranger.admin.client.RangerAdminRESTClient (Thread-29): Error getting policies. secureMode=false, user=hdfs/ip-10-98-84-189.eu-west-1.compute.internal@EU-WEST-1.COMPUTE.INTERNAL (auth:KERBEROS), response={"httpStatusCode":400,"statusCode":0}, serviceName=hadoopdev
==========

Under the Kerberos config in install.properties of Ranger I have the below settings:

--------------Kerberos Config -----------------
spnego_principal=HTTP/ip-10-98-84-189.eu-west-1.compute.internal@EU-WEST-1.COMPUTE.INTERNAL
spnego_keytab=/etc/security/keytabs/spnego.keytab
token_valid=30
cookie_domain=ip-10-98-84-189.eu-west-1.compute.internal
cookie_path=/

admin_principal=rangeradmin/ip-10-98-84-189.eu-west-1.compute.internal@EU-WEST-1.COMPUTE.INTERNAL
admin_keytab=/etc/security/keytabs/rangeradmin.keytab

lookup_principal=rangerlookup/ip-10-98-84-189.eu-west-1.compute.internal@EU-WEST-1.COMPUTE.INTERNAL
lookup_keytab=/etc/security/keytabs/rangerlookup.keytab
hadoop_conf=/etc/hadoop/conf

In the Ranger console, for the service config, I have given the below property:

policy.download.auth.users = hdfs@EU-WEST-1.COMPUTE.INTERNAL

Not sure what I am missing. Any input on this will be a great help.

> Ranger hdfs policies not syncing automatically
> ----------------------------------------------
>
>                 Key: RANGER-3099
>                 URL: https://issues.apache.org/jira/browse/RANGER-3099
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins, Ranger
>    Affects Versions: 2.1.0
>         Environment: AWS EMR, Windows AD
>            Reporter: Anoop Kumar K M
>            Priority: Blocker

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
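
A triage helper for the NameNode log lines and the policy.download.auth.users setting in the report above, added here as an example (not part of the original report and not Ranger code). It extracts each failed role/policy download and shows which form of the plugin's Kerberos principal, if any, appears in the allow list; which form Ranger Admin actually compares is not stated in the report, and the comma-separated list format, sample host and realm are assumptions.

```python
import json
import re

# Constructed sample modelled on the NameNode lines quoted above; host and realm are placeholders.
SAMPLE_LOG = """\
2020-12-02 13:32:53,863 ERROR org.apache.ranger.admin.client.RangerAdminRESTClient (Thread-29): Error getting Roles; service not found. secureMode=false, user=hdfs/nn.example.internal@EXAMPLE.INTERNAL (auth:KERBEROS), response=404, serviceName=hadoopdev, lastKnownRoleVersion=-1, lastActivationTimeInMillis=1606746562885
2020-12-02 13:32:53,863 WARN org.apache.ranger.admin.client.RangerAdminRESTClient (Thread-29): Received 404 error code with body:[null], Ignoring
2020-12-02 13:32:53,869 WARN org.apache.ranger.admin.client.RangerAdminRESTClient (Thread-29): Error getting policies. secureMode=false, user=hdfs/nn.example.internal@EXAMPLE.INTERNAL (auth:KERBEROS), response={"httpStatusCode":400,"statusCode":0}, serviceName=hadoopdev
"""
# Constructed allow-list value in the same form as the policy.download.auth.users entry above.
SAMPLE_ALLOWED = "hdfs@EXAMPLE.INTERNAL"

HEAD = re.compile(r"^(\S+ \S+) (\w+) \S*RangerAdminRESTClient \([^)]*\): Error getting (\w+)")
USER = re.compile(r"user=(\S+) \(auth:(\w+)\)")
RESP = re.compile(r"response=(\{.*?\}|\d+)")
SVC = re.compile(r"serviceName=([^,\s]+)")


def split_principal(principal):
    """Split primary[/instance]@REALM into (primary, instance, realm)."""
    name, _, realm = principal.partition("@")
    primary, _, instance = name.partition("/")
    return primary, instance or None, realm or None


def http_status(raw):
    """The plugin logs a bare code (404) or a JSON body carrying httpStatusCode."""
    return int(raw) if raw.isdigit() else int(json.loads(raw)["httpStatusCode"])


def failed_downloads(log_text, allowed_users):
    """One record per failed role/policy download, with the allow-list forms that match."""
    # Assumption: the allow list is a comma-separated string of user names.
    allowed = {u.strip() for u in allowed_users.split(",") if u.strip()}
    records = []
    for line in log_text.splitlines():
        head, user = HEAD.match(line), USER.search(line)
        resp, svc = RESP.search(line), SVC.search(line)
        if not (head and user and resp and svc):
            continue  # e.g. the "Received 404 ... Ignoring" follow-up line
        primary, instance, realm = split_principal(user[1])
        forms = {"full": user[1], "primary@realm": f"{primary}@{realm}", "short": primary}
        records.append({
            "time": head[1], "download": head[3].lower(), "service": svc[1],
            "status": http_status(resp[1]), "auth": user[2],
            "principal": user[1], "instance": instance,
            "allow_list_hits": sorted(k for k, v in forms.items() if v in allowed),
        })
    return records
```

Calling `failed_downloads(SAMPLE_LOG, SAMPLE_ALLOWED)` returns two records (roles with 404, policies with 400); an empty `allow_list_hits` for a principal means none of its three forms is listed.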