Hi,
I have now solved this problem and want to share the solution.
Problem:
   HDFS fails to download policies from Ranger Admin in a Kerberos env.   In the 
namenode log:
2017-07-15 07:28:37,556 WARN 
org.apache.ranger.admin.client.RangerAdminRESTClient: Error getting policies. 
secureMode=true, user=nn/admin141.example....@example.com (auth:KERBEROS), 
response={"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication 
Failed"}, serviceName=hadooopdev. ret = null

Solution:
   On the Ranger Admin node, add the parameter hadoop.security.authentication 
to ranger-admin-site.xml.

 The config in my env is as below:

[root@admin141 conf]# pwd
/usr/local/ranger-0.7.0-admin/conf
[root@admin141 conf]# cat ranger-admin-site.xml 
<configuration>
    ... .... 
    <property>
        <name>hadoop.security.authorization</name>
        <value>true</value>
    </property>

    <property>
        <name>hadoop.security.authentication</name>
        <value>kerberos</value>
    </property>

</configuration>


Reason:
  When Ranger Admin receives the request message from HDFS, the following 
function of the RangerKRBAuthenticationFilter class is invoked:

public void doFilter(ServletRequest request, ServletResponse response,
        FilterChain filterChain) throws IOException, ServletException {
    String authtype = PropertiesUtil.getProperty(RANGER_AUTH_TYPE);
    HttpServletRequest httpRequest = (HttpServletRequest) request;

    // If the authtype is not kerberos, the else branch will be run.
    if (isSpnegoEnable(authtype)) {
        ... ...
    } else {
        // Here RangerAuthenticationEntryPoint::commence() will be called,
        // and HDFS will receive 401.
        filterChain.doFilter(request, response);
    }
}

Checking the function isSpnegoEnable(), the system gets the value of the 
parameter hadoop.security.authentication. In my env, this parameter was not 
configured, so HDFS failed to download the policy. After I added this 
parameter, it is OK.



Thanks & Regards




luoch...@gdbigdata.com
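
A check for the condition described in the message above, given as an added example that is not part of the original thread and is not Ranger code: it matches the plugin-side 401 log line and reports how `hadoop.security.authentication` is set in the admin's site XML. The function names, the placeholder principal and both sample configurations are constructed for illustration.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample: the WARN line from the thread on one line, placeholder principal.
SAMPLE_LOG = (
    "2017-07-15 07:28:37,556 WARN org.apache.ranger.admin.client.RangerAdminRESTClient: "
    "Error getting policies. secureMode=true, user=nn/namenode.example.com@EXAMPLE.COM "
    '(auth:KERBEROS), response={"httpStatusCode":401,"statusCode":401,'
    '"msgDesc":"Authentication Failed"}, serviceName=hadooopdev. ret = null'
)
# Constructed ranger-admin-site.xml contents without and with the property.
BEFORE = ("<configuration><property><name>hadoop.security.authorization</name>"
          "<value>true</value></property></configuration>")
AFTER = BEFORE.replace("</configuration>",
    "<property><name>hadoop.security.authentication</name>"
    "<value>kerberos</value></property></configuration>")

LOG_RE = re.compile(
    r"RangerAdminRESTClient: Error getting policies\. secureMode=\w+, "
    r"user=(?P<user>\S+) \(auth:(?P<auth>\w+)\), response=(?P<resp>\{.*?\}), "
    r"serviceName=(?P<service>[^.\s]+)")

def kerberos_policy_401(line):
    """Return (user, service) when a Kerberos plugin got 401 on policy download."""
    m = LOG_RE.search(line)
    if not m or m["auth"] != "KERBEROS":
        return None
    if json.loads(m["resp"]).get("httpStatusCode") != 401:
        return None
    return m["user"], m["service"]

def admin_auth_status(site_xml):
    """Classify hadoop.security.authentication in Hadoop-style site XML."""
    value = None
    for prop in ET.fromstring(site_xml).iter("property"):
        if (prop.findtext("name") or "").strip() == "hadoop.security.authentication":
            value = (prop.findtext("value") or "").strip()
    if value is None:
        return "missing"
    # Case-insensitive match is an assumption of this example.
    return "kerberos" if value.lower() == "kerberos" else "not-kerberos"

def diagnose(line, site_xml):
    """Tie the plugin-side 401 to the admin-side setting the thread identifies."""
    hit = kerberos_policy_401(line)
    if hit is None:
        return "no Kerberos 401 on policy download in this line"
    status = admin_auth_status(site_xml)
    if status == "kerberos":
        return "admin expects kerberos; look for another cause of the 401"
    return f"{hit[0]} got 401 for {hit[1]}: hadoop.security.authentication is {status}"
```
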
 
From: luoch...@gdbigdata.com
Date: 2017-07-17 11:23
To: user
Subject: Re: Which file config policy.download.auth.users ?
Hi Ramesh,

Thanks for your reply.  I configured this parameter in the Ranger UI, but the 
error still exists.  I think I have not found the real reason.

I read the code and found the part that produces the error.  It is in 
RangerAuthenticationEntryPoint::commence()  (Ranger version: 0.7.0)

public void commence(HttpServletRequest request,
        HttpServletResponse response, AuthenticationException authException)
        throws IOException, ServletException {
    String ajaxRequestHeader = request.getHeader("X-Requested-With");
    .... ....
    if ("XMLHttpRequest".equals(ajaxRequestHeader)) {
        ... ....
        return;
    } else {
        try {
            // Added one log line. The ajaxRequestHeader is null,
            // so the Ranger Admin replies 401.
            logger.info("KKKK --- In commence.... ajaxRequestHeader = " +
                    ajaxRequestHeader);
            VXResponse vXResponse = new VXResponse();

            vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
            vXResponse.setMsgDesc("Authentication Failed");
            ... ....
        }
    }

 With tcpdump, this parameter is not present in the TCP message.  But in the 
HDFS plugin file, this parameter could not be configured.


Thanks & Regards
Luochong



luoch...@gdbigdata.com
 
From: Ramesh Mani
Date: 2017-07-16 03:38
To: user@ranger.apache.org
Subject: Re: Which file config policy.download.auth.users ?
Luochong,

You can update this in the Ranger UI.
Open the HDFS service you created in the Ranger UI, and in the config you will 
find “Add new configuration”. Add these properties there.

Refer to this for screenshots:
https://cwiki.apache.org/confluence/display/RANGER/Apache+Ranger+0.5+-+User+Guide?preview=/https%3A%2F%2Flh3.googleusercontent.com%2FFH8RmMq1pIX8w-_L3jqGMt9RtvqLjUH4Ywf68wMapfPWxytFdK8fIVfU7QDelFqC-6vBIqIONkIujEE7OPql-FQgeFmsW3wZSLQiRn5TQGVJWJ2EpevB36gBtUmATNTD1i5_gng

Thanks,
Ramesh


From: "luoch...@gdbigdata.com" <luoch...@gdbigdata.com>
Reply-To: "user@ranger.apache.org" <user@ranger.apache.org>
Date: Saturday, July 15, 2017 at 12:24 AM
To: user <user@ranger.apache.org>
Subject: Which file config policy.download.auth.users ?

Hi
Env: 
Ranger version : 0.7.0
Hdfs : 2.7.0   with kerberos

After I installed HDFS, Ranger and Kerberos manually, I found that HDFS fails 
to download policies from Ranger.
In the namenode log:
2017-07-15 07:28:37,556 WARN 
org.apache.ranger.admin.client.RangerAdminRESTClient: Error getting policies. 
secureMode=true, user=nn/admin141.example....@example.com (auth:KERBEROS), 
response={"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication 
Failed"}, serviceName=hadooopdev. ret = null

Read this document:  
https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.5/bk_command-line-upgrade/content/upgrade-ranger_23.html
 
In this file, there is one step:
For Download Policy to be successful, use the Ranger UI to update the service 
configuration with the following custom properties for each supported component:
policy.download.auth.users=<Component service user>
tag.download.auth.users=<Component service user>(if tag download)
So I think this is the reason that HDFS fails to download the policy.   I did 
not configure this parameter, policy.download.auth.users.

But I do not know how to configure this parameter, policy.download.auth.users. 
On the internet, it says this parameter should be configured in the custom repo 
file.  But I do not know the path of the custom repo file.


Thanks & Regards



luoch...@gdbigdata.com
 
