[jira] [Commented] (RANGER-3237) The Hive plugin cannot synchronize policy information after Kerberos is enabled

Thu, 30 Sep 2021 05:27:09 -0700 


    [ 
https://issues.apache.org/jira/browse/RANGER-3237?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17422734#comment-17422734
 ] 

rawsummer commented on RANGER-3237:
-----------------------------------

[~kkx1100] hello ,have u solved the problem ? i met the same problem as u with 
the same environment.could u give me some advice to solve the problem? thank u. 
my email is 1263928...@qq.com.

> The Hive plugin cannot synchronize policy information after Kerberos is 
> enabled
> -------------------------------------------------------------------------------
>
>                 Key: RANGER-3237
>                 URL: https://issues.apache.org/jira/browse/RANGER-3237
>             Project: Ranger
>          Issue Type: Bug
>          Components: admin, plugins
>    Affects Versions: 2.1.0
>         Environment: CDH6.3.1  
> CM 6.3.2
> Ranger 2.1.0
> Kerberos : FreeIPA
>            Reporter: kangkaixin
>            Priority: Blocker
>
> I have a question
> when  i  enable  kerberos , hive plugin can't sync info to hiveservice  ,i 
> see log ,But there was no useful information,  if no have kerberos  ,The 
> function is normal ,so ,who can help me?
> =============================================================
> h1. question1:
> in hive policy server config  ,i  click  test connection   show me  Error 
> detail :
> *Connection Failed.*
> Unable to retrieve any files using given parameters, You can still save the 
> repository and start creating policies, but you would not be able to use 
> autocomplete for resource names. Check ranger_admin.log for more info.
> org.apache.ranger.plugin.client.HadoopException: Unable to execute SQL [show 
> databases like "*"]..
> Error while compiling statement: FAILED: HiveAccessControlException 
> Permission denied: user [hive] does not have [USE] privilege on [*].
> Permission denied: user [hive] does not have [USE] privilege on [*].
>  
> h1. question2:
> hive plugin can't sync info to hiveservice   
> show me Error  401  from  hive log and rangeradmin log
> h1. some info
> h2. hostname : idc-bigdata-185-56.jdy.kd.internal
> h2. principal:   ranger.keytab
> Keytab name: FILE:ranger.keytab
>  KVNO Timestamp Principal
>  ---- ------------------- 
> ------------------------------------------------------
>  1 04/09/2021 13:51:55 HTTP/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL
>  1 04/09/2021 13:51:55 HTTP/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL
>  1 04/09/2021 13:51:55 HTTP/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL
>  1 04/09/2021 13:51:55 HTTP/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL
>  1 04/09/2021 13:51:55 HTTP/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL
>  1 04/09/2021 13:51:55 HTTP/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL
>  1 04/09/2021 13:52:12 
> rangeradmin/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL
>  1 04/09/2021 13:52:12 
> rangeradmin/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL
>  1 04/09/2021 13:52:12 
> rangeradmin/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL
>  1 04/09/2021 13:52:12 
> rangeradmin/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL
>  1 04/09/2021 13:52:12 
> rangeradmin/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL
>  1 04/09/2021 13:52:12 
> rangeradmin/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL
>  1 04/09/2021 13:52:23 
> rangerlookup/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL
>  1 04/09/2021 13:52:23 
> rangerlookup/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL
>  1 04/09/2021 13:52:23 
> rangerlookup/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL
>  1 04/09/2021 13:52:23 
> rangerlookup/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL
>  1 04/09/2021 13:52:23 
> rangerlookup/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL
>  1 04/09/2021 13:52:23 
> rangerlookup/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL
> ============================================================
> h2. ranger admin install.properties
> spnego_principal=HTTP/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL
> spnego_keytab=/data/service/ranger/ranger.keytab
> token_valid=30
> cookie_domain=idc-bigdata-185-56.jdy.kd.internal
> cookie_path=/
> admin_principal=rangeradmin/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL
> admin_keytab=/data/service/ranger/ranger.keytab
> lookup_principal=rangerlookup/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL
> lookup_keytab=/data/service/ranger/ranger.keytab
> hadoop_conf=/opt/cloudera/parcels/CDH/lib/hadoop/etc/hadoop
> h2. ranger hive install.properties
> POLICY_MGR_URL=[http://idc-bigdata-185-56.jdy.kd.internal:6080|http://idc-bigdata-185-56.jdy.kd.internal:6080/]
> REPOSITORY_NAME=HIVE_CDH
> COMPONENT_INSTALL_DIR_NAME=/opt/cloudera/parcels/CDH/lib/hive
> h2. ranger admin UI  hive policy service
> *Service Name* : HIVE_CDH
> *Username* :  h...@jdy.kd.INTERNAL
> *jdbc.driverClassName* :org.apache.hive.jdbc.HiveDriver
> *jdbc.url* : 
> jdbc:hive2://idc-bigdata-185-57.jdy.kd.internal:2181,idc-bigdata-185-58.jdy.kd.internal:2181,idc-bigdata-185-59.jdy.kd.internal:2181/;principal=hive/_h...@jdy.kd.INTERNA;serviceDiscoveryMode=zooKeeper;user=hive;zooKeeperNamespace=hiveserver2
>  
> h2. hive log info :
> stdout.log
> [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting 
> Roles. secureMode=true, 
> user=hive/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL (auth:KERBEROS), 
> response=
> {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
> , serviceName=HIVE_CDH
>  [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting 
> policies. secureMode=true, 
> user=hive/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL (auth:KERBEROS), 
> response=
> {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
> , serviceName=HIVE_CDH
>  [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting 
> Roles. secureMode=true, 
> user=hive/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL (auth:KERBEROS), 
> response=
> {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
> , serviceName=HIVE_CDH
>  [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting 
> policies. secureMode=true, 
> user=hive/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL (auth:KERBEROS), 
> response=
> {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
> , serviceName=HIVE_CDH
>  [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting 
> Roles. secureMode=true, 
> user=hive/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL (auth:KERBEROS), 
> response=
> {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
> , serviceName=HIVE_CDH
>  [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting 
> policies. secureMode=true, 
> user=hive/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL (auth:KERBEROS), 
> response=
> {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
> , serviceName=HIVE_CDH
>  [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting 
> Roles. secureMode=true, 
> user=hive/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL (auth:KERBEROS), 
> response=
> {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
> , serviceName=HIVE_CDH
>  [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting 
> policies. secureMode=true, 
> user=hive/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL (auth:KERBEROS), 
> response=
> {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
> , serviceName=HIVE_CDH
>  [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting 
> Roles. secureMode=true, 
> user=hive/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL (auth:KERBEROS), 
> response=
> {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
> , serviceName=HIVE_CDH
>  [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting 
> policies. secureMode=true, 
> user=hive/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL (auth:KERBEROS), 
> response=
> {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
> , serviceName=HIVE_CDH
> ============================================================
> h2. ranger access log
> access_log.2021-04-12.log
> 172.20.185.56 - - [12/Apr/2021:09:50:08 +0000] "GET 
> /service/plugins/secure/policies/download/HIVE_CDH?supportsPolicyDeltas=false&pluginId=hiveServer2%40idc-bigdata-185-56.jdy.kd.internal-HIVE_CDH&clusterName=&lastActivationTime=1618217528949&pluginCapabilities=fff&lastKnownVersion=-1
>  HTTP/1.1" 401 52 "-" "Java/1.8.0_281"
>  172.20.185.56 - - [12/Apr/2021:09:50:38 +0000] "GET 
> /service/roles/secure/download/HIVE_CDH?pluginId=hiveServer2%40idc-bigdata-185-56.jdy.kd.internal-HIVE_CDH&clusterName=&lastActivationTime=1618217528903&pluginCapabilities=fff&lastKnownRoleVersion=-1
>  HTTP/1.1" 401 52 "-" "Java/1.8.0_281"
>  172.20.185.56 - - [12/Apr/2021:09:50:38 +0000] "GET 
> /service/plugins/secure/policies/download/HIVE_CDH?supportsPolicyDeltas=false&pluginId=hiveServer2%40idc-bigdata-185-56.jdy.kd.internal-HIVE_CDH&clusterName=&lastActivationTime=1618217528949&pluginCapabilities=fff&lastKnownVersion=-1
>  HTTP/1.1" 401 52 "-" "Java/1.8.0_281"
>  172.20.185.56 - - [12/Apr/2021:09:51:08 +0000] "GET 
> /service/roles/secure/download/HIVE_CDH?pluginId=hiveServer2%40idc-bigdata-185-56.jdy.kd.internal-HIVE_CDH&clusterName=&lastActivationTime=1618217528903&pluginCapabilities=fff&lastKnownRoleVersion=-1
>  HTTP/1.1" 401 52 "-" "Java/1.8.0_281"
>  172.20.185.56 - - [12/Apr/2021:09:51:08 +0000] "GET 
> /service/plugins/secure/policies/download/HIVE_CDH?supportsPolicyDeltas=false&pluginId=hiveServer2%40idc-bigdata-185-56.jdy.kd.internal-HIVE_CDH&clusterName=&lastActivationTime=1618217528949&pluginCapabilities=fff&lastKnownVersion=-1
>  HTTP/1.1" 401 52 "-" "Java/1.8.0_281"
>  172.20.185.56 - - [12/Apr/2021:09:51:38 +0000] "GET 
> /service/roles/secure/download/HIVE_CDH?pluginId=hiveServer2%40idc-bigdata-185-56.jdy.kd.internal-HIVE_CDH&clusterName=&lastActivationTime=1618217528903&pluginCapabilities=fff&lastKnownRoleVersion=-1
>  HTTP/1.1" 401 52 "-" "Java/1.8.0_281"
>  172.20.185.56 - - [12/Apr/2021:09:51:38 +0000] "GET 
> /service/plugins/secure/policies/download/HIVE_CDH?supportsPolicyDeltas=false&pluginId=hiveServer2%40idc-bigdata-185-56.jdy.kd.internal-HIVE_CDH&clusterName=&lastActivationTime=1618217528949&pluginCapabilities=fff&lastKnownVersion=-1
>  HTTP/1.1" 401 52 "-" "Java/1.8.0_281"
>  
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to