kirby zhou created RANGER-3602:
----------------------------------
Summary: Can not access RestAPI when Ranger authenticated with Kerberos.
Key: RANGER-3602
URL: https://issues.apache.org/jira/browse/RANGER-3602
Project: Ranger
Issue Type: Bug
Components: admin
Affects Versions: 2.2.0
Reporter: kirby zhou
When I configure Ranger with Kerberos, I cannot access its RESTful API with
ranger.admin.allow.unauthenticated.access = false
{code:java}
# ranger.admin.allow.unauthenticated.access = false in ranger-admin-site.xml
]$ curl -v 'http://localhost:6080/service/plugins/policies/download/kmsdev'
< HTTP/1.1 200 OK
# ranger.admin.allow.unauthenticated.access = true in ranger-admin-site.xml
]$ kinit freeman@SA
Password for freeman@SA:
]$ klist
Ticket cache: KCM:1000
Default principal: freeman@SA
]$ curl -v -u: --negotiate 'http://localhost:6080/service/plugins/policies/download/kmsdev'
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 6080 (#0)
> GET /service/plugins/policies/download/kmsdev HTTP/1.1
> Host: localhost:6080
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Content-Length: 0
< Date: Thu, 27 Jan 2022 12:30:26 GMT
< Server: Apache Ranger
<
* Connection #0 to host localhost left intact{code}
curl does not even have a chance to do authentication.
My configurations:
core-site.xml
{code:java}
<configuration>
<property>
<name>hadoop.security.authentication</name>
<value>kerberos</value>
</property>
<property>
<name>hadoop.security.authorization</name>
<value>true</value>
</property>
<property>
<name>hadoop.security.auth_to_local</name>
<value>
RULE:[1:$1@$0](^.*$)s/^(.*)@.*$/$1/
RULE:[2:$1@$0](^.*$)s/^(.*)@.*$/$1/
DEFAULT
</value>
</property>
</configuration> {code}
ranger-admin-kms.xml
{code:java}
<configuration>
...
<property>
<name>ranger.service.https.attrib.ssl.enabled</name>
<value>false</value>
</property>
<property>
<name>ranger.service.host</name>
<value>localhost</value>
</property>
<property>
<name>ranger.service.http.port</name>
<value>6080</value>
</property>
<property>
<name>ranger.admin.kerberos.keytab</name>
<value>/sensorsdata/main/program/rogue/ranger_admin/conf/ranger.keytab</value>
</property>
<property>
<name>ranger.spnego.kerberos.principal</name>
<value>HTTP/kirbytest01.sa@SA</value>
</property>
<property>
<name>ranger.spnego.kerberos.keytab</name>
<value>/sensorsdata/main/program/rogue/ranger_admin/conf/ranger.keytab</value>
</property>
<property>
<name>ranger.lookup.kerberos.principal</name>
<value>rangerlookup/kirbytest01.sa@SA</value>
</property>
<property>
<name>ranger.lookup.kerberos.keytab</name>
<value>/sensorsdata/main/program/rogue/ranger_admin/conf/ranger.keytab</value>
</property>
<property>
<name>ranger.admin.allow.unauthenticated.access</name>
<value>false</value>
<!-- it is default -->
</property>
...
</configuration> {code}
Workaround:
Set "ranger.admin.allow.unauthenticated.access" = "true" in ranger-admin-site.xml
I have no idea now.
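A server that wants SPNEGO authentication answers an unauthenticated request with 401 and `WWW-Authenticate: Negotiate` (RFC 4559); the response in the session above is a 404 with no such header. The following is an added example, not part of the original report or of Ranger: it classifies the first response in `curl -v` output by whether a Negotiate challenge was offered. The function names are hypothetical, and the 401 sample is constructed.

```python
import re

# Response lines as they appear in the session on this page.
PAGE_RESPONSE = """\
> GET /service/plugins/policies/download/kmsdev HTTP/1.1
> Host: localhost:6080
>
< HTTP/1.1 404 Not Found
< Content-Length: 0
< Date: Thu, 27 Jan 2022 12:30:26 GMT
< Server: Apache Ranger
<
"""

# Constructed sample: what an SPNEGO challenge looks like in `curl -v` output.
CHALLENGE = """\
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Negotiate
< Content-Length: 0
<
"""

def parse_response(verbose_output):
    """Return (status, headers) for the first response in `curl -v` output."""
    status, headers = None, {}
    for line in verbose_output.splitlines():
        if not line.startswith("<"):
            continue  # skip request lines ('>') and curl notes ('*')
        text = line[1:].strip()
        match = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})", text)
        if match and status is None:
            status = int(match.group(1))
        elif status is not None and (match or text == ""):
            break  # end of the first response's headers
        elif status is not None and ":" in text:
            name, value = text.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def spnego_state(verbose_output):
    """Classify the first response: was a Negotiate challenge offered?"""
    status, headers = parse_response(verbose_output)
    if status is None:
        return "no-response"
    # Assumption: one challenge per header line; the scheme is its first token.
    schemes = [v.split()[0].lower() for v in headers.get("www-authenticate", []) if v]
    if status == 401:
        return "challenge-offered" if "negotiate" in schemes else "challenge-without-negotiate"
    return "no-challenge"
```
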