[
https://issues.apache.org/jira/browse/RANGER-3602?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17483127#comment-17483127
]
kirby zhou commented on RANGER-3602:
------------------------------------
Through debugger, I can see that:
RangerBizUtil.failUnauthenticatedIfNotAllowed throw a Exception at first.
Exception("Unauthenticated access not allowed")
But I do not know why ContextUtil.getCurrentUserSession() returns NULL when I
have already logged in with kerberos, and why such a exception finally get a
"404" instead of "400".
> Can not access RestAPI when Ranger authenticated with Kerberos.
> ---------------------------------------------------------------
>
> Key: RANGER-3602
> URL: https://issues.apache.org/jira/browse/RANGER-3602
> Project: Ranger
> Issue Type: Bug
> Components: admin
> Affects Versions: 2.2.0
> Reporter: kirby zhou
> Priority: Major
>
> When I configured Ranger with Kerberos. I can not access its Restful API with
> ranger.admin.allow.unauthenticated.access = false
>
> {code:java}
> # ranger.admin.allow.unauthenticated.access = false in ranger-admin-site.xml
> ]$ curl -v 'http://localhost:6080/service/plugins/policies/download/kmsdev'
> < HTTP/1.1 200 OK
> # ranger.admin.allow.unauthenticated.access = true in ranger-admin-site.xml
> ]$ kinit freeman@SA
> Password for freeman@SA:
> ]$ klist
> Ticket cache: KCM:1000
> Default principal: freeman@SA
> ]$ curl -v -u: --negotiate
> 'http://localhost:6080/service/plugins/policies/download/kmsdev'
> * Trying ::1...
> * TCP_NODELAY set
> * Connected to localhost (::1) port 6080 (#0)
> > GET /service/plugins/policies/download/kmsdev HTTP/1.1
> > Host: localhost:6080
> > User-Agent: curl/7.61.1
> > Accept: */*
> >
> < HTTP/1.1 404 Not Found
> < Content-Length: 0
> < Date: Thu, 27 Jan 2022 12:30:26 GMT
> < Server: Apache Ranger
> <
> * Connection #0 to host localhost left intact{code}
>
>
> CURL even do not have chance to do Authenticaion.
>
> My configurations:
> core-site.xml
>
> {code:java}
> <configuration>
> <property>
> <name>hadoop.security.authentication</name>
> <value>kerberos</value>
> </property>
> <property>
> <name>hadoop.security.authorization</name>
> <value>true</value>
> </property>
> <property>
> <name>hadoop.security.auth_to_local</name>
> <value>
> RULE:[1:$1@$0](^.*$)s/^(.*)@.*$/$1/
> RULE:[2:$1@$0](^.*$)s/^(.*)@.*$/$1/
> DEFAULT
> </value>
> </property>
> </configuration> {code}
>
>
> ranger-admin-kms.xml
>
> {code:java}
> <configuration>
> ...
> <property>
> <name>ranger.service.https.attrib.ssl.enabled</name>
> <value>false</value>
> </property>
> <property>
> <name>ranger.service.host</name>
> <value>localhost</value>
> </property>
> <property>
> <name>ranger.service.http.port</name>
> <value>6080</value>
> </property>
> <property>
> <name>ranger.admin.kerberos.keytab</name>
>
> <value>/sensorsdata/main/program/rogue/ranger_admin/conf/ranger.keytab</value>
> </property>
> <property>
> <name>ranger.spnego.kerberos.principal</name>
> <value>HTTP/kirbytest01.sa@SA</value>
> </property>
> <property>
> <name>ranger.spnego.kerberos.keytab</name>
>
> <value>/sensorsdata/main/program/rogue/ranger_admin/conf/ranger.keytab</value>
> </property>
> <property>
> <name>ranger.lookup.kerberos.principal</name>
> <value>rangerlookup/kirbytest01.sa@SA</value>
> </property>
> <property>
> <name>ranger.lookup.kerberos.keytab</name>
>
> <value>/sensorsdata/main/program/rogue/ranger_admin/conf/ranger.keytab</value>
> </property>
> <property>
> <name>ranger.admin.allow.unauthenticated.access</name>
> <value>false</value>
> <!-- it is default -->
> </property>
> ...
> </configuration> {code}
>
> Workaround:
> set "ranger.admin.allow.unauthenticated.access" = "true" in
> ranger-admin-site.xml
>
> I have no idea now.
>
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
