Indeed, I know that at the moment without something like Kerberos, users can impersonate others, but I'm currently building a POC with the basic security to evaluate Ranger, and once is ready, start improving the security and scalability. But thank you for pointing that out. In terms of "no authentication", is the HDFS plugin using Policy Manager API with no credentials at all? or default ones? What's the first action the plugin is performing to be detected by the UI as active and 200 response? Some king of ping/heartbeat? or just a rest petition to download the policies? Is there anywhere where I can see in the logs what kind of actions the plugin is doing? I don't find any log information coming from the plugin.
Thanks! On Fri, 11 Jan 2019 at 09:53, Don Bosco Durai <bo...@apache.org> wrote: > If there is no Kerberos, then you have 2 options: > > 1. No authentication (default) > 2. Two way SSL to authenticate the request from the plugin. > > > > Note, if it is non-Kerberos environment, then authorization cannot be > enforced, because users can impersonate anyone. > > > > Bosco > > > > > > *From: *Odon Copon <odonco...@gmail.com> > *Reply-To: *<user@ranger.apache.org> > *Date: *Friday, January 11, 2019 at 1:22 AM > *To: *<user@ranger.apache.org> > *Subject: *Re: Accessing Ranger Policy Manager API from HDFS plugin > > > > Mmm, but what if the system is not using Kerberos? > > > > On Fri, 11 Jan 2019, 04:21 Velmurugan Periasamy < > vperias...@hortonworks.com wrote: > > Yes, that's what I referred to. > > > ------------------------------ > > *From:* Odon Copon <odonco...@gmail.com> > *Sent:* Thursday, January 10, 2019 5:07 PM > *To:* user@ranger.apache.org > *Subject:* Re: Accessing Ranger Policy Manager API from HDFS plugin > > > > Are we talking about principal in Kerberos or any other principal I'm not > understanding? > > > > On Thu, 10 Jan 2019 at 18:05, Odon Copon <odonco...@gmail.com> wrote: > > What do you mean by *HDFS plugin uses service (Namenode) user's principal > *? > > Could you provide an example? > Thanks. > > > > On Thu, 10 Jan 2019 at 17:08, Velmurugan Periasamy < > vperias...@hortonworks.com> wrote: > > HDFS plugin uses service (Namenode) user's principal. > > > ------------------------------ > > *From:* Odon Copon <odonco...@gmail.com> > *Sent:* Thursday, January 10, 2019 8:59 AM > *To:* user@ranger.apache.org > *Subject:* Accessing Ranger Policy Manager API from HDFS plugin > > > > Hi, > > How does the Ranger HDFS plugin communicates with the Policy Manager API? > Is it using a specific user/password combination? > > I know the User Sync has rangerusersync user and pass, and all that > information is stored in rangerusersync.jceks, but what about the HDFS > plugin or any other plugin? > I'm having issues with that, my plugin once enabled doesn't get displayed > in the UI and would like to check the credentials the plugin is using to > use the API. > > For the User Sync - Policy Manager communication works fine. > > > > Thanks. > >
