[
https://issues.apache.org/jira/browse/RANGER-3099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17315645#comment-17315645
]
Jason-Morries Adam edited comment on RANGER-3099 at 4/6/21, 3:07 PM:
---------------------------------------------------------------------
I have the same issue on EMR 6.2 with Ranger. I have tried the following
configs in the ranger service conf, but it does not help:
{noformat}
policy.download.auth.users = hdfs
tag.download.auth.users = hdfs{noformat}
Authentication is set to Kerberos, but I don't have an idea how to activate or
force secureMode to test.
hadoop-hdfs-namenode-ip-xxx-xxx-xxx-xxx.eu-central-1.compute.internal.log
{noformat}
2021-04-06 16:44:12,982 WARN
org.apache.ranger.admin.client.RangerAdminRESTClient
(PolicyRefresher(serviceName=hadoopdev)-57): Error getting Roles.
secureMode=false,
user=hdfs/[email protected]
(auth:KERBEROS), response={"httpStatusCode":400,"statusCode":0},
serviceName=hadoopdev
2021-04-06 16:44:12,982 INFO
org.apache.ranger.admin.client.RangerAdminRESTClient
(PolicyRefresher(serviceName=hadoopdev)-57): Skip Secure: true
2021-04-06 16:44:13,001 WARN
org.apache.ranger.admin.client.RangerAdminRESTClient
(PolicyRefresher(serviceName=hadoopdev)-57): Error getting policies.
secureMode=false,
user=hdfs/[email protected]
(auth:KERBEROS), response={"httpStatusCode":400,"statusCode":0},
serviceName=hadoopdev{noformat}
Ranger Admin Logfile:
{noformat}
2021-04-06 14:57:42,989 [http-bio-6182-exec-8] INFO
org.apache.ranger.common.RESTErrorUtil (RESTErrorUtil.java:345) - Request
failed. loginId=null, logMessage=Unauthenticated access not allowed
javax.ws.rs.WebApplicationException
at
org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:337)
at
org.apache.ranger.rest.ServiceREST.getServicePoliciesIfUpdated(ServiceREST.java:3130)
at
org.apache.ranger.rest.ServiceREST$$FastClassBySpringCGLIB$$92dab672.invoke(<generated>)
at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
at
org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:737)
at
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
at
org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:99)
at
org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:283)
at
org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96)
at
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
at
org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:672)
at
org.apache.ranger.rest.ServiceREST$$EnhancerBySpringCGLIB$$5f5b5724.getServicePoliciesIfUpdated(<generated>)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
at
com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185)
at
com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
at
com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302)
at
com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
at
com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:108)
at
com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
at
com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
at
com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1542)
at
com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1473)
at
com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1419)
at
com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1409)
at
com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:409)
at
com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:558)
at
com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:733)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at
org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:208)
at
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
at
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
at
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:492)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:165)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:1025)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:452)
at
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1201)
at
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:654)
at
org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:317)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748){noformat}
Restart of HDFS namenode and Ranger is not helping for me, the error persists.
If someone needs additional information, I will try to help.
was (Author: jasonmadam):
I have the same issue on EMR 6.2 with Ranger. I have tried the following
configs in the ranger service conf, but it does not help:
{noformat}
policy.download.auth.users = hdfs
tag.download.auth.users = hdfs{noformat}
hadoop-hdfs-namenode-ip-xxx-xxx-xxx-xxx.eu-central-1.compute.internal.log
{noformat}
2021-04-06 16:44:12,982 WARN
org.apache.ranger.admin.client.RangerAdminRESTClient
(PolicyRefresher(serviceName=hadoopdev)-57): Error getting Roles.
secureMode=false,
user=hdfs/[email protected]
(auth:KERBEROS), response={"httpStatusCode":400,"statusCode":0},
serviceName=hadoopdev
2021-04-06 16:44:12,982 INFO
org.apache.ranger.admin.client.RangerAdminRESTClient
(PolicyRefresher(serviceName=hadoopdev)-57): Skip Secure: true
2021-04-06 16:44:13,001 WARN
org.apache.ranger.admin.client.RangerAdminRESTClient
(PolicyRefresher(serviceName=hadoopdev)-57): Error getting policies.
secureMode=false,
user=hdfs/[email protected]
(auth:KERBEROS), response={"httpStatusCode":400,"statusCode":0},
serviceName=hadoopdev{noformat}
Ranger Admin Logfile:
{noformat}
2021-04-06 14:57:42,989 [http-bio-6182-exec-8] INFO
org.apache.ranger.common.RESTErrorUtil (RESTErrorUtil.java:345) - Request
failed. loginId=null, logMessage=Unauthenticated access not allowed
javax.ws.rs.WebApplicationException
at
org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:337)
at
org.apache.ranger.rest.ServiceREST.getServicePoliciesIfUpdated(ServiceREST.java:3130)
at
org.apache.ranger.rest.ServiceREST$$FastClassBySpringCGLIB$$92dab672.invoke(<generated>)
at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
at
org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:737)
at
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
at
org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:99)
at
org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:283)
at
org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96)
at
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
at
org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:672)
at
org.apache.ranger.rest.ServiceREST$$EnhancerBySpringCGLIB$$5f5b5724.getServicePoliciesIfUpdated(<generated>)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
at
com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185)
at
com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
at
com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302)
at
com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
at
com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:108)
at
com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
at
com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
at
com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1542)
at
com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1473)
at
com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1419)
at
com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1409)
at
com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:409)
at
com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:558)
at
com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:733)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at
org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:208)
at
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
at
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
at
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:492)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:165)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:1025)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:452)
at
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1201)
at
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:654)
at
org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:317)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748){noformat}
Restart of HDFS namenode and Ranger is not helping for me, the error persists.
If someone needs additional information, I will try to help.
> Ranger hdfs policies not syncing automatically
> ----------------------------------------------
>
> Key: RANGER-3099
> URL: https://issues.apache.org/jira/browse/RANGER-3099
> Project: Ranger
> Issue Type: Bug
> Components: plugins, Ranger
> Affects Versions: 2.1.0
> Environment: AWS EMR, WIndows AD
> Reporter: Anoop Kumar K M
> Priority: Blocker
>
> Hi,
> We are trying to implement Ranger 2 .1.0 on top of AWS EMR 6.1.0.
> EMR 6.1.0 has hadoop 3. The cluster is Kerberos enabled.
> I have installed ranger in a separate ec2 machine and able to install hdfs
> plugin in EMR.
> But the problem is that for policies to be applied, both ranger server and
> hdfs namenode should be restarted . After I restart both the policies becomes
> effective
> Ranger admin logs shows below error.
> ==========
> 2020-11-30 10:57:42,397 [http-bio-6080-exec-9] INFO
> org.apache.ranger.common.RESTErrorUtil (RESTErrorUtil.java:345) - Request
> failed. loginId=null, logMessage=Unauthenticated access not allowed
> javax.ws.rs.WebApplicationException at
> org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:337)
> =========
>
> Namenode logs show below error.
> ==========
>
> 2020-12-02 13:32:53,863 ERROR
> org.apache.ranger.admin.client.RangerAdminRESTClient (Thread-29): Error
> getting Roles; service not found. secureMode=false,
> user=hdfs/ip-10-98-84-189.eu-west-1.compute.internal@EU-WEST-1.COMPUTE.INTERNAL
> (auth:KERBEROS), response=404, serviceName=hadoopdev,
> lastKnownRoleVersion=-1, lastActivationTimeInMillis=1606746562885
>
> 2020-12-02 13:32:53,863 WARN
> org.apache.ranger.admin.client.RangerAdminRESTClient (Thread-29): Received
> 404 error code with body:[null], Ignoring
> 2020-12-02 13:32:53,863 INFO
> org.apache.ranger.admin.client.RangerAdminRESTClient (Thread-29): Skip
> Securetrue
> 2020-12-02 13:32:53,869 WARN
> org.apache.ranger.admin.client.RangerAdminRESTClient (Thread-29): Error
> getting policies. secureMode=false,
> user=hdfs/ip-10-98-84-189.eu-west-1.compute.internal@EU-WEST-1.COMPUTE.INTERNAL
> (auth:KERBEROS), response=\{"httpStatusCode":400,"statusCode":0},
> serviceName=hadoopdev
> ==========
>
> Under kerberos config in install.properties of ranger I have the below
> settings
>
> --------------Kerberos Config -----------------
>
> spnego_principal=HTTP/ip-10-98-84-189.eu-west-1.compute.internal@EU-WEST-1.COMPUTE.INTERNAL
> spnego_keytab=/etc/security/keytabs/spnego.keytab
> token_valid=30
> cookie_domain=ip-10-98-84-189.eu-west-1.compute.internal
> cookie_path=/
>
> admin_principal=rangeradmin/ip-10-98-84-189.eu-west-1.compute.internal@EU-WEST-1.COMPUTE.INTERNAL
> admin_keytab=/etc/security/keytabs/rangeradmin.keytab
>
> lookup_principal=rangerlookup/ip-10-98-84-189.eu-west-1.compute.internal@EU-WEST-1.COMPUTE.INTERNAL
> lookup_keytab=/etc/security/keytabs/rangerlookup.keytab
> hadoop_conf=/etc/hadoop/conf
>
> In the ranger console for the service config I have given below property
>
> [policy.download.auth.users =
> [email protected]|mailto:[email protected]]
>
> Not sure what I am missing. Any input in this will be a great help
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
