I cannot perform a CURL to the API from the namenode without user/password,
I get a 401 when doing that. So it might require credentials to do that.
If I use the admin/password credentials or rangerusersync credentials the
CURL works. So wondering if those credentials need to be set up somewhere.

On Fri, 11 Jan 2019 at 10:15, Don Bosco Durai <bo...@apache.org> wrote:

> > In terms of "no authentication", is the HDFS plugin using Policy Manager
> API with no credentials at all?
>
> No credentials, because there is no user/password for HDFS service user.
> It’s been a while, I think we used to have admin/password before, but it
> was taken out eventually. The code might be still there…
>
>
>
> > What's the first action the plugin is performing to be detected by the
> UI as active and 200 response?
>
> Abhay or Madhan might be able to give you more specifics. Since the
> plugins are polling and it knows the previous version number, if there are
> no changes, then it is not registered in the UI. The plugins primarily pull
> the policies and tags from Ranger Admin. Rest everything is done by the
> plugin within the component.
>
>
>
> Bosco
>
>
>
>
>
> *From: *Odon Copon <odonco...@gmail.com>
> *Reply-To: *<user@ranger.apache.org>
> *Date: *Friday, January 11, 2019 at 2:03 AM
> *To: *<user@ranger.apache.org>
> *Subject: *Re: Accessing Ranger Policy Manager API from HDFS plugin
>
>
>
> Indeed, I know that at the moment without something like Kerberos, users
> can impersonate others, but I'm currently building a POC with the basic
> security to evaluate Ranger, and once it is ready, start improving the
> security and scalability. But thank you for pointing that out.
>
> In terms of "no authentication", is the HDFS plugin using Policy Manager
> API with no credentials at all? or default ones?
>
> What's the first action the plugin is performing to be detected by the UI
> as active and 200 response? Some kind of ping/heartbeat? or just a rest
> petition to download the policies?
>
> Is there anywhere where I can see in the logs what kind of actions the
> plugin is doing? I don't find any log information coming from the plugin.
>
>
>
> Thanks!
>
>
>
> On Fri, 11 Jan 2019 at 09:53, Don Bosco Durai <bo...@apache.org> wrote:
>
> If there is no Kerberos, then you have 2 options:
>
>    1. No authentication (default)
>    2. Two way SSL to authenticate the request from the plugin.
>
>
>
> Note, if it is a non-Kerberos environment, then authorization cannot be
> enforced, because users can impersonate anyone.
>
>
>
> Bosco
>
>
>
>
>
> *From: *Odon Copon <odonco...@gmail.com>
> *Reply-To: *<user@ranger.apache.org>
> *Date: *Friday, January 11, 2019 at 1:22 AM
> *To: *<user@ranger.apache.org>
> *Subject: *Re: Accessing Ranger Policy Manager API from HDFS plugin
>
>
>
> Mmm, but what if the system is not using Kerberos?
>
>
>
> On Fri, 11 Jan 2019, 04:21 Velmurugan Periasamy <
> vperias...@hortonworks.com wrote:
>
> Yes, that's what I referred to.
>
>
> ------------------------------
>
> *From:* Odon Copon <odonco...@gmail.com>
> *Sent:* Thursday, January 10, 2019 5:07 PM
> *To:* user@ranger.apache.org
> *Subject:* Re: Accessing Ranger Policy Manager API from HDFS plugin
>
>
>
> Are we talking about principal in Kerberos or any other principal I'm not
> understanding?
>
>
>
> On Thu, 10 Jan 2019 at 18:05, Odon Copon <odonco...@gmail.com> wrote:
>
> What do you mean by *HDFS plugin uses service (Namenode) user's principal*?
>
> Could you provide an example?
> Thanks.
>
>
>
> On Thu, 10 Jan 2019 at 17:08, Velmurugan Periasamy <
> vperias...@hortonworks.com> wrote:
>
> HDFS plugin uses service (Namenode) user's principal.
>
>
> ------------------------------
>
> *From:* Odon Copon <odonco...@gmail.com>
> *Sent:* Thursday, January 10, 2019 8:59 AM
> *To:* user@ranger.apache.org
> *Subject:* Accessing Ranger Policy Manager API from HDFS plugin
>
>
>
> Hi,
>
> How does the Ranger HDFS plugin communicate with the Policy Manager API?
> Is it using a specific user/password combination?
>
> I know the User Sync has rangerusersync user and pass, and all that
> information is stored in rangerusersync.jceks, but what about the HDFS
> plugin or any other plugin?
> I'm having issues with that, my plugin once enabled doesn't get displayed
> in the UI and would like to check the credentials the plugin is using to
> use the API.
>
> For the User Sync - Policy Manager communication works fine.
>
>
>
> Thanks.
>
>
