Re: Review Request 72577: 'show databases' gives permission denied error, even though the user has permissions on a few of the databases in security zone policies

2020-06-15 Thread Madhan Neethiraj

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72577/#review221006
---




agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
Line 178 (original), 179 (patched)


It doesn't seem necessary to look at children zones. Please review.



security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
Line 158 (original), 159 (patched)


For consistency, consider having 'zoneName' argument next to 'resource' 
argument - see #83 above.



security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
Line 1288 (original), 1288 (patched)


Grant/revoke clients may not know the zone to which the resource belongs. 
In such cases (zoneName == null), the grant/revoke API implementation 
should find the zone in which the resource resides, and create/update the 
policy in that zone.

If multiple zones match for a given resource (for example, children of the 
resources are different zones), then grant/revoke should be applied on the 
unzoned policy - which will cover the parent resource as a whole.

Please review other places that use zoneName from the grant/revoke request for 
the above.


- Madhan Neethiraj

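The zone-resolution rule from the ServiceREST comment above (route a grant/revoke that carries no zoneName to the zone owning the resource, and fall back to the unzoned policy when the resource's children are spread across several zones), together with the cross-zone listing that the 'show databases' bug asks for, as an added example. This is not Ranger's own code: Zone, Policy, resolveZone, databasesWithAnyAccess and the dotted database.table resource model are assumptions made here; Ranger's RangerSecurityZone and policy-engine classes are structured differently.

```java
import java.util.*;

// Added example (not Ranger's code): routing a zone-less grant/revoke request
// and answering "which databases does this user have any access to" across zones.
// Zone, Policy and the path-based resource model are assumptions for this example.
public class ZoneResolver {

    /** A Hive-style resource path: [database] or [database, table]. Constructed for the example. */
    static List<String> res(String... parts) { return Arrays.asList(parts); }

    /** A security zone owning a set of resource paths (given as "db" or "db.table"). */
    static final class Zone {
        final String name;
        final List<List<String>> owned = new ArrayList<>();
        Zone(String name, String... dottedResources) {
            this.name = name;
            for (String r : dottedResources) owned.add(res(r.split("\\.")));
        }
    }

    /** A policy, optionally zoned; zoneName == null stands for the unzoned policy set. */
    static final class Policy {
        final String zoneName; final List<String> resource; final Set<String> users;
        Policy(String zoneName, List<String> resource, String... users) {
            this.zoneName = zoneName; this.resource = resource;
            this.users = new HashSet<>(Arrays.asList(users));
        }
    }

    static boolean isPrefix(List<String> prefix, List<String> path) {
        return prefix.size() <= path.size() && path.subList(0, prefix.size()).equals(prefix);
    }

    /**
     * Resolve the zone for a grant/revoke request that carried no zoneName.
     * A zone matches if it owns the resource or an ancestor of it, or if it owns a
     * child of it. Exactly one matching zone: that zone. No match, or several
     * (children under different zones): Optional.empty(), meaning fall back to the
     * unzoned policy, which covers the parent resource as a whole. Treating a single
     * child-only match as "that zone" is an assumption of this example.
     */
    static Optional<String> resolveZone(List<String> resource, Collection<Zone> zones) {
        Set<String> matches = new LinkedHashSet<>();
        for (Zone z : zones) {
            for (List<String> owned : z.owned) {
                if (isPrefix(owned, resource) || isPrefix(resource, owned)) {
                    matches.add(z.name);
                    break;
                }
            }
        }
        return matches.size() == 1 ? Optional.of(matches.iterator().next()) : Optional.empty();
    }

    /** Databases on which the user holds at least one policy, zoned or unzoned. */
    static SortedSet<String> databasesWithAnyAccess(String user, Collection<Policy> policies) {
        SortedSet<String> dbs = new TreeSet<>();
        for (Policy p : policies) {
            if (p.users.contains(user) && !p.resource.isEmpty()) dbs.add(p.resource.get(0));
        }
        return dbs;
    }

    public static void main(String[] args) {
        // Constructed sample: zone "finance" owns db1.t1 and all of db3; zone "hr" owns db1.t2.
        List<Zone> zones = Arrays.asList(new Zone("finance", "db1.t1", "db3"), new Zone("hr", "db1.t2"));
        System.out.println(resolveZone(res("db1", "t1"), zones)); // table owned by one zone
        System.out.println(resolveZone(res("db3", "any"), zones)); // ancestor db3 owned by one zone
        System.out.println(resolveZone(res("db1"), zones));        // children in two zones: unzoned
        System.out.println(resolveZone(res("db9"), zones));        // owned by no zone: unzoned

        List<Policy> policies = Arrays.asList(
            new Policy("finance", res("db1", "t1"), "alice"),
            new Policy("hr", res("db1", "t2"), "bob"),
            new Policy(null, res("db2"), "alice", "bob"));
        System.out.println(databasesWithAnyAccess("alice", policies));
    }
}
```

resolveZone returns the single owning zone for db1.t1 and for anything under db3, and an empty Optional for db1 (its tables sit in two zones) and for db9 (no zone), which is exactly the case where the caller must write the unzoned policy rather than pick one zone and silently leave the other tables uncovered. databasesWithAnyAccess walks zoned and unzoned policies alike, so a user whose only grants live inside zones still sees those databases listed.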

On June 15, 2020, 5:50 p.m., Abhay Kulkarni wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72577/
> ---
> 
> (Updated June 15, 2020, 5:50 p.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj, Ramesh Mani, Sailaja Polavarapu, 
> and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2858
> https://issues.apache.org/jira/browse/RANGER-2858
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> When a user has permissions on a few of the databases in security zone 
> policies, the "show databases" command is expected to list databases on which the 
> user has some permission in any security zone(s). However, the command fails 
> authorization. Furthermore, the command "use " where  is the name 
> of the database where the user has some access in any security zone, succeeds.
> 
> 
> Diffs
> -
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java e6de06fa7
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java fdec9caab
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 0930e2cf7
>   agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java a6ea48d14
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java 29c3604d1
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 1b5aa9e2d
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 1bdee86d3
> 
> 
> Diff: https://reviews.apache.org/r/72577/diff/2/
> 
> 
> Testing
> ---
> 
> Created two security zones containing different databases, with one zone 
> having a Ranger policy to provide access to a table contained in that zone.
> 
> Verified that the 'show databases' command listed the correct database, which allowed 
> some access to the contained table.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>



Re: Review Request 72586: RANGER-2855 : import policy for ranger is not working properly if updateifexist parameter is passed

2020-06-15 Thread Abhay Kulkarni

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72586/#review221008
---


Ship it!




Ship It!

- Abhay Kulkarni


On June 12, 2020, 12:31 p.m., Dineshkumar Yadav wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72586/
> ---
> 
> (Updated June 12, 2020, 12:31 p.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Gautam Borad, Kishor Gollapalliwar, 
> Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, Vishal 
> Suvagia, and Velmurugan Periasamy.
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Problem Statement:
> 
> Currently, the Import Policy API provides an option to updateIfExist all policies of 
> a given service, but it updates non-matching policies.
> 
> Current Implementation 
> 'updateIfExists' flag : API shall update existing policies with new policy 
> json based on any of the following conditions.
> a) existing and new policy guid is matching
> b) existing and new policy name, service and zone are matching
> c) existing and new policy name and service are matching.
> 
> If there is a policy which matches the resource, the policy should be updated 
> with the data provided.
> If there is no policy which matches the resource, a new policy should be 
> created with the data provided.
> 
> Proposed Solution :
> The patch shall compare the resource signature of the existing policy with the new policy 
> provided; if it matches then update, otherwise create a new policy.
> 
> Behaviour of the Import API shall be:
> 1) 'Override' flag : API shall delete all the policies of given target 
> service and shall create the new policies from the received json.
> 2) 'deleteIfExists' flag : API shall delete those existing policies which are 
> exactly matching after comparing with new policy based on their resources. 
> After deleting the existing policy, API shall create the new policy from the 
> given json file. 
> 3) 'updateIfExists' flag with polResource input : API shall delete all the 
> existing policies from target service of which resources are exactly matching 
> with given policies resources. 
> 4) 'updateIfExists' flag without resource input : API shall update existing 
> policies with new policy json based on following conditions.
>     a) existing and new policy should match by resource signature
> 5) 'mergeIfExists' flag : API shall merge the existing policy's policy-items 
> with the new policy of which resources will match exactly with available 
> policies.
> 6) 'deleteIfExists' flag and 'updateIfExists' : delete the policies of which 
> resources are exactly matching. Update the policies which are matching, else 
> create the policy.
> If none of the cases are matching then API shall try to create the policy. 
> Policy creation validation will be done before creating the policy.
> 
> 
> Diffs
> -
> 
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 1bdee86d3
> 
> 
> Diff: https://reviews.apache.org/r/72586/diff/1/
> 
> 
> Testing
> ---
> 
> Testing done 
> Without patch
> When we import a policy in Ranger it overrides the existing policy.
> 
> After applying patch 
> A new policy is created when no matching policy is found.
> 
> 
> Thanks,
> 
> Dineshkumar Yadav
> 
>
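The update-or-create decision described in the review request above, as an added example that is not Ranger's own import code. It contrasts the name-based match (which is what let a differently scoped policy be overwritten) with a match on a canonical resource signature, and derives the action for the updateIfExists, deleteIfExists and mergeIfExists flags; the override and polResource cases are not modelled. Policy, signatureOf, ImportFlag, Step and plan() are names invented for this example.

```java
import java.util.*;

// Added example (not Ranger's code): choosing between name-based and
// resource-signature-based matching when importing policies, and planning
// the resulting create/update/delete/merge steps. All names are assumptions.
public class PolicyImportPlanner {

    enum ImportFlag { UPDATE_IF_EXISTS, DELETE_IF_EXISTS, MERGE_IF_EXISTS }
    enum Action { CREATE, UPDATE, DELETE, MERGE }

    /** A policy: a name plus its resource map, e.g. database -> [db1], table -> [t1, t2]. */
    static final class Policy {
        final String name;
        final Map<String, List<String>> resources;
        Policy(String name, Map<String, List<String>> resources) { this.name = name; this.resources = resources; }
    }

    /** One planned import step: the action and the policy name it applies to. */
    static final class Step {
        final Action action; final String policyName;
        Step(Action a, String n) { action = a; policyName = n; }
        @Override public String toString() { return action + " " + policyName; }
    }

    /** Builds a resource map from key/value pairs; values are comma-separated. Constructed helper. */
    static Map<String, List<String>> resources(String... kv) {
        Map<String, List<String>> m = new HashMap<>();
        for (int i = 0; i + 1 < kv.length; i += 2) {
            m.put(kv[i], Arrays.asList(kv[i + 1].split(",")));
        }
        return m;
    }

    /** Canonical signature: keys sorted, values sorted, so JSON ordering cannot cause a mismatch. */
    static String signatureOf(Policy p) {
        StringBuilder sb = new StringBuilder();
        for (String key : new TreeSet<>(p.resources.keySet())) {
            List<String> values = new ArrayList<>(p.resources.get(key));
            Collections.sort(values);
            sb.append(key).append('=').append(values).append(';');
        }
        return sb.toString();
    }

    /** The name-only match: finds an existing policy even when its resources differ. */
    static Optional<Policy> findByName(List<Policy> existing, Policy incoming) {
        for (Policy e : existing) if (e.name.equals(incoming.name)) return Optional.of(e);
        return Optional.empty();
    }

    /** The resource-signature match: only a policy covering exactly the same resources qualifies. */
    static Optional<Policy> findBySignature(List<Policy> existing, Policy incoming) {
        String sig = signatureOf(incoming);
        for (Policy e : existing) if (signatureOf(e).equals(sig)) return Optional.of(e);
        return Optional.empty();
    }

    /** Plans the import: matching is always by resource signature; the flags pick the action. */
    static List<Step> plan(List<Policy> existing, List<Policy> incoming, Set<ImportFlag> flags) {
        List<Step> steps = new ArrayList<>();
        for (Policy in : incoming) {
            Optional<Policy> match = findBySignature(existing, in);
            if (match.isPresent() && flags.contains(ImportFlag.DELETE_IF_EXISTS)) {
                steps.add(new Step(Action.DELETE, match.get().name)); // drop the exact match, then recreate
                steps.add(new Step(Action.CREATE, in.name));
            } else if (match.isPresent() && flags.contains(ImportFlag.UPDATE_IF_EXISTS)) {
                steps.add(new Step(Action.UPDATE, match.get().name));
            } else if (match.isPresent() && flags.contains(ImportFlag.MERGE_IF_EXISTS)) {
                steps.add(new Step(Action.MERGE, match.get().name));
            } else {
                steps.add(new Step(Action.CREATE, in.name)); // no matching case: create (validation first)
            }
        }
        return steps;
    }

    public static void main(String[] args) {
        // Constructed sample: existing "sales-read" covers db1.{t1,t2}; the import carries a policy
        // with the same name but scoped to db2, and a policy on db1.{t1,t2} under a different name.
        List<Policy> existing = Arrays.asList(
            new Policy("sales-read", resources("database", "db1", "table", "t2,t1")));
        Policy sameNameOtherDb = new Policy("sales-read", resources("database", "db2", "table", "t1"));
        Policy otherNameSameDb = new Policy("imported-1", resources("table", "t1,t2", "database", "db1"));

        System.out.println("by name:      " + findByName(existing, sameNameOtherDb).map(p -> p.name).orElse("none"));
        System.out.println("by signature: " + findBySignature(existing, sameNameOtherDb).map(p -> p.name).orElse("none"));
        System.out.println("by signature: " + findBySignature(existing, otherNameSameDb).map(p -> p.name).orElse("none"));
        System.out.println(plan(existing, Arrays.asList(sameNameOtherDb, otherNameSameDb),
                                EnumSet.of(ImportFlag.UPDATE_IF_EXISTS)));
    }
}
```

With name-based matching, the db2-scoped import finds "sales-read" and would rewrite the db1 policy's contents, which is how an import can change who may access a resource it never mentioned. With signature matching, the db2 policy finds nothing and is created, while "imported-1" matches the existing db1 policy despite its different name and key order and is updated in place.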



[jira] [Created] (RANGER-2862) Ranger Client Libraries For REST Services

2020-06-15 Thread Abhishek Kumar (Jira)
Abhishek Kumar created RANGER-2862:
--

 Summary: Ranger Client Libraries For REST Services
 Key: RANGER-2862
 URL: https://issues.apache.org/jira/browse/RANGER-2862
 Project: Ranger
  Issue Type: New Feature
  Components: Ranger
Reporter: Abhishek Kumar
Assignee: Abhishek Kumar


Build library to be used by client applications in managing ranger policies and 
other entities. It will abstract communication with the Ranger REST API.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


Re: Review Request 72577: 'show databases' gives permission denied error, even though the user has permissions on a few of the databases in security zone policies

2020-06-15 Thread Abhay Kulkarni

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72577/
---

(Updated June 15, 2020, 5:50 p.m.)


Review request for ranger, Madhan Neethiraj, Ramesh Mani, Sailaja Polavarapu, 
and Velmurugan Periasamy.


Changes
---

Addressed review comments


Bugs: RANGER-2858
https://issues.apache.org/jira/browse/RANGER-2858


Repository: ranger


Description
---

When a user has permissions on a few of the databases in security zone policies, 
the "show databases" command is expected to list databases on which the user has 
some permission in any security zone(s). However, the command fails 
authorization. Furthermore, the command "use " where  is the name 
of the database where the user has some access in any security zone, succeeds.


Diffs (updated)
-

  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java e6de06fa7
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java fdec9caab
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 0930e2cf7
  agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java a6ea48d14
  security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java 29c3604d1
  security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 1b5aa9e2d
  security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 1bdee86d3


Diff: https://reviews.apache.org/r/72577/diff/2/

Changes: https://reviews.apache.org/r/72577/diff/1-2/


Testing
---

Created two security zones containing different databases, with one zone having a 
Ranger policy to provide access to a table contained in that zone.

Verified that the 'show databases' command listed the correct database, which allowed 
some access to the contained table.


Thanks,

Abhay Kulkarni



Re: Review Request 72577: 'show databases' gives permission denied error, even though the user has permissions on a few of the databases in security zone policies

2020-06-15 Thread Abhay Kulkarni

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72577/
---

(Updated June 15, 2020, 5:47 p.m.)


Review request for ranger, Madhan Neethiraj, Ramesh Mani, Sailaja Polavarapu, 
and Velmurugan Periasamy.


Changes
---

Addressed review comments.


Summary (updated)
-

'show databases' gives permission denied error, even though the user has 
permissions on a few of the databases in security zone policies


Bugs: RANGER-2858
https://issues.apache.org/jira/browse/RANGER-2858


Repository: ranger


Description (updated)
---

When a user has permissions on a few of the databases in security zone policies, 
the "show databases" command is expected to list databases on which the user has 
some permission in any security zone(s). However, the command fails 
authorization. Furthermore, the command "use " where  is the name 
of the database where the user has some access in any security zone, succeeds.


Diffs
-

  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java e6de06fa7
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 0930e2cf7
  security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java 29c3604d1
  security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 1b5aa9e2d
  security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 1bdee86d3


Diff: https://reviews.apache.org/r/72577/diff/1/


Testing (updated)
---

Created two security zones containing different databases, with one zone having a 
Ranger policy to provide access to a table contained in that zone.

Verified that the 'show databases' command listed the correct database, which allowed 
some access to the contained table.


Thanks,

Abhay Kulkarni



[jira] [Updated] (RANGER-2858) 'show databases' gives permission denied error, even though the user has permissions on a few of the databases in security zone policies

2020-06-15 Thread Abhay Kulkarni (Jira)


 [ https://issues.apache.org/jira/browse/RANGER-2858?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Abhay Kulkarni updated RANGER-2858:
---
Summary: 'show databases' gives permission denied error, even though the 
user has permissions on a few of the databases in security zone policies  (was: 
"Show databases" gives permission denied error, even though the user has 
permissions on a few of the databases in security zone policies)

> 'show databases' gives permission denied error, even though the user has 
> permissions on a few of the databases in security zone policies
> 
>
> Key: RANGER-2858
> URL: https://issues.apache.org/jira/browse/RANGER-2858
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Affects Versions: 2.0.0
>Reporter: Abhay Kulkarni
>Assignee: Abhay Kulkarni
>Priority: Major
> Fix For: 2.1.0
>
>
> When a user has permissions on a few of the databases in security zone 
> policies, the "show databases" command is expected to list databases on which the 
> user has some permission in any security zone(s). However, the command fails 
> with the following message.
> 
>  FAILED: HiveAccessControlException Permission denied: user [behemoth] does 
> not have [USE] privilege on [Unknown resource!!]
>  
> org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException:
>  Permission denied: user [behemoth] does not have [USE] privilege on [Unknown 
> resource!!]
>  at 
> org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizer.checkPrivileges(RangerHiveAuthorizer.java:487)
> 
> Furthermore, the command "use " where  is the name of the 
> database where the user has some access in any security zone, succeeds.
>  
>  





[jira] [Updated] (RANGER-2858) "Show databases" gives permission denied error, even though the user has permissions on a few of the databases in security zone policies

2020-06-15 Thread Abhay Kulkarni (Jira)


 [ https://issues.apache.org/jira/browse/RANGER-2858?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Abhay Kulkarni updated RANGER-2858:
---
Description: 
When a user has permissions on a few of the databases in security zone policies, 
the "show databases" command is expected to list databases on which the user has 
some permission in any security zone(s). However, the command fails with the 
following message.


 FAILED: HiveAccessControlException Permission denied: user [behemoth] does not 
have [USE] privilege on [Unknown resource!!]
 
org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException:
 Permission denied: user [behemoth] does not have [USE] privilege on [Unknown 
resource!!]
 at 
org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizer.checkPrivileges(RangerHiveAuthorizer.java:487)



Furthermore, the command "use " where  is the name of the database 
where the user has some access in any security zone, succeeds.

 

 

  was:
However, I have issues while performing -
 * show databases;

When a user has permissions on a few of the databases in security zone policies, 
the "show databases" command is expected to list databases on which the user has 
some permission in any security zone(s). However, the command fails with the 
following message.


FAILED: HiveAccessControlException Permission denied: user [behemoth] does not 
have [USE] privilege on [Unknown resource!!]
org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException:
 Permission denied: user [behemoth] does not have [USE] privilege on [Unknown 
resource!!]
at 
org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizer.checkPrivileges(RangerHiveAuthorizer.java:487)



Furthermore, the command "use " where  is the name of the database 
where the user has some access in any security zone, succeeds.

 

 


> "Show databases" gives permission denied error, even though the user has 
> permissions on a few of the databases in security zone policies
> 
>
> Key: RANGER-2858
> URL: https://issues.apache.org/jira/browse/RANGER-2858
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Affects Versions: 2.0.0
>Reporter: Abhay Kulkarni
>Assignee: Abhay Kulkarni
>Priority: Major
> Fix For: 2.1.0
>
>
> When a user has permissions on a few of the databases in security zone 
> policies, the "show databases" command is expected to list databases on which the 
> user has some permission in any security zone(s). However, the command fails 
> with the following message.
> 
>  FAILED: HiveAccessControlException Permission denied: user [behemoth] does 
> not have [USE] privilege on [Unknown resource!!]
>  
> org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException:
>  Permission denied: user [behemoth] does not have [USE] privilege on [Unknown 
> resource!!]
>  at 
> org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizer.checkPrivileges(RangerHiveAuthorizer.java:487)
> 
> Furthermore, the command "use " where  is the name of the 
> database where the user has some access in any security zone, succeeds.
>  
>  





Review Request 72591: RANGER-2861 : Support username and keytab to authenticate ES service to use as an Ranger Audit Store

2020-06-15 Thread bhavik patel

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72591/
---

Review request for ranger, Attila Bukor, Ankita Sinha, Bolke de Bruin, Don 
Bosco Durai, bhavik patel, Colm O hEigeartaigh, Gautam Borad, Abhay Kulkarni, 
Madhan Neethiraj, Mehul Parikh, Nitin Galave, pengjianhua, Pradeep Agrawal, 
Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.


Bugs: RANGER-2861
https://issues.apache.org/jira/browse/RANGER-2861


Repository: ranger


Description
---

Currently, Ranger admin supports only Basic Authentication for ES as an Audit 
Store; it is also required to support username and keytab.


Diffs
-

  agents-audit/src/main/java/org/apache/ranger/audit/destination/ElasticSearchAuditDestination.java bda582a
  agents-cred/src/main/java/org/apache/ranger/authorization/credutils/CredentialsProviderUtil.java PRE-CREATION
  agents-cred/src/main/java/org/apache/ranger/authorization/credutils/kerberos/AbstractJaasConf.java PRE-CREATION
  agents-cred/src/main/java/org/apache/ranger/authorization/credutils/kerberos/KerberosCredentialsProvider.java PRE-CREATION
  agents-cred/src/main/java/org/apache/ranger/authorization/credutils/kerberos/KeytabJaasConf.java PRE-CREATION
  distro/src/main/assembly/admin-web.xml a632011
  embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/ElasticSearchIndexBootStrapper.java 886091e
  security-admin/src/main/java/org/apache/ranger/elasticsearch/ElasticSearchMgr.java a060877


Diff: https://reviews.apache.org/r/72591/diff/1/


Testing
---

After setting the ES username and password (keytab) in install.properties, Ranger 
admin is able to read audit logs from ES; Ranger plugins are also able to write the 
logs to ES.


Thanks,

bhavik patel



[jira] [Updated] (RANGER-2861) Support username and keytab to authenticate ES service to use as an Ranger Audit Store

2020-06-15 Thread Bhavik Patel (Jira)


 [ https://issues.apache.org/jira/browse/RANGER-2861?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bhavik Patel updated RANGER-2861:
-
Attachment: RANGER-2861-Support-username-and-keytab-to-authentic.patch

> Support username and keytab to authenticate ES service to use as an Ranger 
> Audit Store
> --
>
> Key: RANGER-2861
> URL: https://issues.apache.org/jira/browse/RANGER-2861
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Reporter: Bhavik Patel
>Assignee: Bhavik Patel
>Priority: Major
> Attachments: 
> RANGER-2861-Support-username-and-keytab-to-authentic.patch
>
>
> Currently, Ranger admin supports only Basic Authentication for ES as an Audit 
> Store; it is also required to support username and keytab.





[jira] [Updated] (RANGER-2861) Support username and keytab to authenticate ES service to use as an Ranger Audit Store

2020-06-15 Thread Bhavik Patel (Jira)


 [ https://issues.apache.org/jira/browse/RANGER-2861?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bhavik Patel updated RANGER-2861:
-
Summary: Support username and keytab to authenticate ES service to use as 
an Ranger Audit Store  (was: Support username and keytab to authentic ES 
service to use as an Ranger Audit Store)

> Support username and keytab to authenticate ES service to use as an Ranger 
> Audit Store
> --
>
> Key: RANGER-2861
> URL: https://issues.apache.org/jira/browse/RANGER-2861
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Reporter: Bhavik Patel
>Assignee: Bhavik Patel
>Priority: Major
>
> Currently, Ranger admin supports only Basic Authentication for ES as an Audit 
> Store; it is also required to support username and keytab.





[jira] [Created] (RANGER-2861) Support username and keytab to authentic ES service to use as an Ranger Audit Store

2020-06-15 Thread Bhavik Patel (Jira)
Bhavik Patel created RANGER-2861:


 Summary: Support username and keytab to authentic ES service to 
use as an Ranger Audit Store
 Key: RANGER-2861
 URL: https://issues.apache.org/jira/browse/RANGER-2861
 Project: Ranger
  Issue Type: Improvement
  Components: Ranger
Reporter: Bhavik Patel
Assignee: Bhavik Patel


Currently, Ranger admin supports only Basic Authentication for ES as an Audit 
Store; it is also required to support username and keytab.





[jira] [Commented] (RANGER-2810) Kafka with Ranger plugin will fail

2020-06-15 Thread F5 (Jira)


[ https://issues.apache.org/jira/browse/RANGER-2810?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17135500#comment-17135500 ] 

F5 commented on RANGER-2810:


Same problem.

I deploy zookeeper, kafka and ranger on k8s, without hadoop.

{{This bug is produced after the first time the Kerberos ticket expired.}}
h2. Versions info: 

ranger 2.0.0

cloudera kafka-2.1.0-kafka4.0.0

zookeeper 3.14.13
h2. Error log (desensitized):

 
{code:java}
[2020-06-11 03:25:31,476] DEBUG Set SASL server state to FAILED 
(org.apache.kafka.common.security.authenticator.SaslServerAuthenticator)
[2020-06-11 03:25:31,476] DEBUG [SocketServer brokerId=0] Connection with 
/10.11.12.13 disconnected due to authentication exception 
(org.apache.kafka.common.network.Selector)
org.apache.kafka.common.network.DelayedResponseAuthenticationException: 
org.apache.kafka.common.errors.SaslAuthenticationException: Authentication 
failed due to invalid credentials with SASL mechanism GSSAPI
Caused by: org.apache.kafka.common.errors.SaslAuthenticationException: 
Authentication failed due to invalid credentials with SASL mechanism GSSAPI
Caused by: javax.security.sasl.SaslException: GSS context targ name protocol 
error: kafka-cloud/kafka-cloud.xxx@xxx.com
at 
jdk.security.jgss/com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:188)
at 
org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.handleSaslToken(SaslServerAuthenticator.java:375)
at 
org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.authenticate(SaslServerAuthenticator.java:256)
at 
org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:132)
at 
org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:532)
at org.apache.kafka.common.network.Selector.poll(Selector.java:467)
at kafka.network.Processor.poll(SocketServer.scala:689)
at kafka.network.Processor.run(SocketServer.scala:594)
at java.base/java.lang.Thread.run(Thread.java:835)

{code}
{code:java}
[2020-06-01 02:32:19,613] DEBUG Set SASL client state to INTERMEDIATE 
(org.apache.kafka.common.security.authenticator.SaslClientAuthenticator)
[2020-06-01 02:32:19,615] DEBUG Set SASL client state to FAILED 
(org.apache.kafka.common.security.authenticator.SaslClientAuthenticator)
[2020-06-01 02:32:19,615] DEBUG [ReplicaFetcher replicaId=0, leaderId=1, 
fetcherId=0] Connection with kafka-cloud.xxx.com/10.11.12.13 disconnected due 
to authentication exception (org.apache.kafka.common.network.Selector)
org.apache.kafka.common.network.DelayedResponseAuthenticationException: 
org.apache.kafka.common.errors.SaslAuthenticationException: Authentication 
failed due to invalid credentials with SASL mechanism GSSAPI
Caused by: org.apache.kafka.common.errors.SaslAuthenticationException: 
Authentication failed due to invalid credentials with SASL mechanism GSSAPI
[2020-06-01 02:32:19,615] DEBUG [ReplicaFetcher replicaId=0, leaderId=1, 
fetcherId=0] Node 1 disconnected. (org.apache.kafka.clients.NetworkClient)
[2020-06-01 02:32:19,615] DEBUG An authentication error occurred in 
broker-to-broker communication. (org.apache.kafka.clients.ManualMetadataUpdater)
org.apache.kafka.common.errors.SaslAuthenticationException: Authentication 
failed due to invalid credentials with SASL mechanism GSSAPI
[2020-06-01 02:32:19,615] ERROR [ReplicaFetcher replicaId=0, leaderId=1, 
fetcherId=0] Connection to node 1 (kafka-cloud.xxx.com/10.11.12.13:32121) 
failed authentication due to: Authentication failed due to invalid credentials 
with SASL mechanism GSSAPI (org.apache.kafka.clients.NetworkClient)
[2020-06-01 02:32:19,615] INFO [ReplicaFetcher replicaId=0, leaderId=1, 
fetcherId=0] Error sending fetch request (sessionId=INVALID, epoch=INITIAL) to 
node 1: org.apache.kafka.common.errors.SaslAuthenticationException: 
Authentication failed due to invalid credentials with SASL mechanism GSSAPI. 
(org.apache.kafka.clients.FetchSessionHandler)
{code}
h2. Temporary solution

First, the user in kafka Dockerfile is [app].

I find this log:
{code:java}
[2020-06-15 02:26:09,704] DEBUG Creating SaslServer for app with mechanism 
GSSAPI 
(org.apache.kafka.common.security.authenticator.SaslServerAuthenticator)
{code}
My kafka principal is kafka-cloud/kafka-cloud.xxx@xxx.com.

*Solved by setting the kafka Dockerfile user the same as the principal name [kafka-cloud].*
h2. Analysis

I think it's still a bug of ranger-kafka-plugin; it can't be reproduced when 
the plugin is disabled.

Looking up the kafka source code:

/kafka/clients/src/main/java/org/apache/kafka/common/security/authenticator/SaslServerAuthenticator.java

The ranger plugin seems to modify the firstPrincipal in the subject, which caused the 
bug.

!image-2020-06-15-14-46-53-528.png!  

> Kafka with Ranger plugin will fail
> --
>
> Key: RANGER-2810
> URL: 

[jira] [Updated] (RANGER-2810) Kafka with Ranger plugin will fail

2020-06-15 Thread F5 (Jira)


 [ https://issues.apache.org/jira/browse/RANGER-2810?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

F5 updated RANGER-2810:
---
Attachment: image-2020-06-15-14-46-53-528.png

> Kafka with Ranger plugin will fail
> --
>
> Key: RANGER-2810
> URL: https://issues.apache.org/jira/browse/RANGER-2810
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Affects Versions: master, 2.0.0, 2.1.0
> Environment: CentOS Linux release 7.6.1810 (Core)
> Ranger 2.0.0
>Reporter: bright.zhou
>Assignee: Pradeep Agrawal
>Priority: Blocker
> Attachments: image-2020-06-15-14-46-53-528.png
>
>
> We use Ranger plugin to admin acls of Kafka cluster. At first, everything is 
> ok, but after 10h+ of kafka start, something wrong occurred; we can 
> see the error log in kafka-root.log, the error log is `Authentication failed 
> during authentication due to xxx with SASL mechanism GSSAPI: GSS context targ 
> name protocol error: x `. To solve this we had to restart Kafka. It's so 
> strange that if I change `authorizer.class.name` to 
> `kafka.security.auth.SimpleAclAuthorizer` it will be ok. In theory, ranger 
> is related with acls and not related with SASL authentication, so I want to 
> ask for help.


