[jira] [Commented] (RANGER-3237) The Hive plugin cannot synchronize policy information after Kerberos is enabled

Mon, 13 Dec 2021 00:39:05 -0800 


    [ 
https://issues.apache.org/jira/browse/RANGER-3237?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458210#comment-17458210
 ] 

Jiayi Liu commented on RANGER-3237:
-----------------------------------

For question 1. This is because the hive user in your original policy does not 
have permissions. You can ignore this failure first. After the policy is 
synchronized normally, add the corresponding permissions to the hive user, and 
then enter the service configuration page and click test.

> The Hive plugin cannot synchronize policy information after Kerberos is 
> enabled
> -------------------------------------------------------------------------------
>
>                 Key: RANGER-3237
>                 URL: https://issues.apache.org/jira/browse/RANGER-3237
>             Project: Ranger
>          Issue Type: Bug
>          Components: admin, plugins
>    Affects Versions: 2.1.0
>         Environment: CDH6.3.1  
> CM 6.3.2
> Ranger 2.1.0
> Kerberos : FreeIPA
>            Reporter: kangkaixin
>            Priority: Blocker
>
> I have a question
> when  i  enable  kerberos , hive plugin can't sync info to hiveservice  ,i 
> see log ,But there was no useful information,  if no have kerberos  ,The 
> function is normal ,so ,who can help me?
> =============================================================
> h1. question1:
> in hive policy server config  ,i  click  test connection   show me  Error 
> detail :
> *Connection Failed.*
> Unable to retrieve any files using given parameters, You can still save the 
> repository and start creating policies, but you would not be able to use 
> autocomplete for resource names. Check ranger_admin.log for more info.
> org.apache.ranger.plugin.client.HadoopException: Unable to execute SQL [show 
> databases like "*"]..
> Error while compiling statement: FAILED: HiveAccessControlException 
> Permission denied: user [hive] does not have [USE] privilege on [*].
> Permission denied: user [hive] does not have [USE] privilege on [*].
>  
> h1. question2:
> hive plugin can't sync info to hiveservice   
> show me Error  401  from  hive log and rangeradmin log
> h1. some info
> h2. hostname : idc-bigdata-185-56.jdy.kd.internal
> h2. principal:   ranger.keytab
> Keytab name: FILE:ranger.keytab
>  KVNO Timestamp Principal
>  ---- ------------------- 
> ------------------------------------------------------
>  1 04/09/2021 13:51:55 HTTP/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL
>  1 04/09/2021 13:51:55 HTTP/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL
>  1 04/09/2021 13:51:55 HTTP/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL
>  1 04/09/2021 13:51:55 HTTP/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL
>  1 04/09/2021 13:51:55 HTTP/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL
>  1 04/09/2021 13:51:55 HTTP/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL
>  1 04/09/2021 13:52:12 
> rangeradmin/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL
>  1 04/09/2021 13:52:12 
> rangeradmin/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL
>  1 04/09/2021 13:52:12 
> rangeradmin/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL
>  1 04/09/2021 13:52:12 
> rangeradmin/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL
>  1 04/09/2021 13:52:12 
> rangeradmin/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL
>  1 04/09/2021 13:52:12 
> rangeradmin/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL
>  1 04/09/2021 13:52:23 
> rangerlookup/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL
>  1 04/09/2021 13:52:23 
> rangerlookup/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL
>  1 04/09/2021 13:52:23 
> rangerlookup/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL
>  1 04/09/2021 13:52:23 
> rangerlookup/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL
>  1 04/09/2021 13:52:23 
> rangerlookup/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL
>  1 04/09/2021 13:52:23 
> rangerlookup/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL
> ============================================================
> h2. ranger admin install.properties
> spnego_principal=HTTP/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL
> spnego_keytab=/data/service/ranger/ranger.keytab
> token_valid=30
> cookie_domain=idc-bigdata-185-56.jdy.kd.internal
> cookie_path=/
> admin_principal=rangeradmin/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL
> admin_keytab=/data/service/ranger/ranger.keytab
> lookup_principal=rangerlookup/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL
> lookup_keytab=/data/service/ranger/ranger.keytab
> hadoop_conf=/opt/cloudera/parcels/CDH/lib/hadoop/etc/hadoop
> h2. ranger hive install.properties
> POLICY_MGR_URL=[http://idc-bigdata-185-56.jdy.kd.internal:6080|http://idc-bigdata-185-56.jdy.kd.internal:6080/]
> REPOSITORY_NAME=HIVE_CDH
> COMPONENT_INSTALL_DIR_NAME=/opt/cloudera/parcels/CDH/lib/hive
> h2. ranger admin UI  hive policy service
> *Service Name* : HIVE_CDH
> *Username* :  h...@jdy.kd.INTERNAL
> *jdbc.driverClassName* :org.apache.hive.jdbc.HiveDriver
> *jdbc.url* : 
> jdbc:hive2://idc-bigdata-185-57.jdy.kd.internal:2181,idc-bigdata-185-58.jdy.kd.internal:2181,idc-bigdata-185-59.jdy.kd.internal:2181/;principal=hive/_h...@jdy.kd.INTERNA;serviceDiscoveryMode=zooKeeper;user=hive;zooKeeperNamespace=hiveserver2
>  
> h2. hive log info :
> stdout.log
> [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting 
> Roles. secureMode=true, 
> user=hive/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL (auth:KERBEROS), 
> response=
> {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
> , serviceName=HIVE_CDH
>  [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting 
> policies. secureMode=true, 
> user=hive/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL (auth:KERBEROS), 
> response=
> {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
> , serviceName=HIVE_CDH
>  [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting 
> Roles. secureMode=true, 
> user=hive/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL (auth:KERBEROS), 
> response=
> {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
> , serviceName=HIVE_CDH
>  [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting 
> policies. secureMode=true, 
> user=hive/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL (auth:KERBEROS), 
> response=
> {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
> , serviceName=HIVE_CDH
>  [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting 
> Roles. secureMode=true, 
> user=hive/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL (auth:KERBEROS), 
> response=
> {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
> , serviceName=HIVE_CDH
>  [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting 
> policies. secureMode=true, 
> user=hive/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL (auth:KERBEROS), 
> response=
> {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
> , serviceName=HIVE_CDH
>  [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting 
> Roles. secureMode=true, 
> user=hive/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL (auth:KERBEROS), 
> response=
> {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
> , serviceName=HIVE_CDH
>  [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting 
> policies. secureMode=true, 
> user=hive/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL (auth:KERBEROS), 
> response=
> {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
> , serviceName=HIVE_CDH
>  [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting 
> Roles. secureMode=true, 
> user=hive/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL (auth:KERBEROS), 
> response=
> {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
> , serviceName=HIVE_CDH
>  [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting 
> policies. secureMode=true, 
> user=hive/idc-bigdata-185-56.jdy.kd.inter...@jdy.kd.INTERNAL (auth:KERBEROS), 
> response=
> {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
> , serviceName=HIVE_CDH
> ============================================================
> h2. ranger access log
> access_log.2021-04-12.log
> 172.20.185.56 - - [12/Apr/2021:09:50:08 +0000] "GET 
> /service/plugins/secure/policies/download/HIVE_CDH?supportsPolicyDeltas=false&pluginId=hiveServer2%40idc-bigdata-185-56.jdy.kd.internal-HIVE_CDH&clusterName=&lastActivationTime=1618217528949&pluginCapabilities=fff&lastKnownVersion=-1
>  HTTP/1.1" 401 52 "-" "Java/1.8.0_281"
>  172.20.185.56 - - [12/Apr/2021:09:50:38 +0000] "GET 
> /service/roles/secure/download/HIVE_CDH?pluginId=hiveServer2%40idc-bigdata-185-56.jdy.kd.internal-HIVE_CDH&clusterName=&lastActivationTime=1618217528903&pluginCapabilities=fff&lastKnownRoleVersion=-1
>  HTTP/1.1" 401 52 "-" "Java/1.8.0_281"
>  172.20.185.56 - - [12/Apr/2021:09:50:38 +0000] "GET 
> /service/plugins/secure/policies/download/HIVE_CDH?supportsPolicyDeltas=false&pluginId=hiveServer2%40idc-bigdata-185-56.jdy.kd.internal-HIVE_CDH&clusterName=&lastActivationTime=1618217528949&pluginCapabilities=fff&lastKnownVersion=-1
>  HTTP/1.1" 401 52 "-" "Java/1.8.0_281"
>  172.20.185.56 - - [12/Apr/2021:09:51:08 +0000] "GET 
> /service/roles/secure/download/HIVE_CDH?pluginId=hiveServer2%40idc-bigdata-185-56.jdy.kd.internal-HIVE_CDH&clusterName=&lastActivationTime=1618217528903&pluginCapabilities=fff&lastKnownRoleVersion=-1
>  HTTP/1.1" 401 52 "-" "Java/1.8.0_281"
>  172.20.185.56 - - [12/Apr/2021:09:51:08 +0000] "GET 
> /service/plugins/secure/policies/download/HIVE_CDH?supportsPolicyDeltas=false&pluginId=hiveServer2%40idc-bigdata-185-56.jdy.kd.internal-HIVE_CDH&clusterName=&lastActivationTime=1618217528949&pluginCapabilities=fff&lastKnownVersion=-1
>  HTTP/1.1" 401 52 "-" "Java/1.8.0_281"
>  172.20.185.56 - - [12/Apr/2021:09:51:38 +0000] "GET 
> /service/roles/secure/download/HIVE_CDH?pluginId=hiveServer2%40idc-bigdata-185-56.jdy.kd.internal-HIVE_CDH&clusterName=&lastActivationTime=1618217528903&pluginCapabilities=fff&lastKnownRoleVersion=-1
>  HTTP/1.1" 401 52 "-" "Java/1.8.0_281"
>  172.20.185.56 - - [12/Apr/2021:09:51:38 +0000] "GET 
> /service/plugins/secure/policies/download/HIVE_CDH?supportsPolicyDeltas=false&pluginId=hiveServer2%40idc-bigdata-185-56.jdy.kd.internal-HIVE_CDH&clusterName=&lastActivationTime=1618217528949&pluginCapabilities=fff&lastKnownVersion=-1
>  HTTP/1.1" 401 52 "-" "Java/1.8.0_281"
>  
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

Reply via email to