If there is no kerberos HDFS plugin uses the open Download policies API, so it is recommended to use 2-way SSL between HDFS plugin and Ranger Admin.
On Jan 11, 2019, at 5:26 AM, Odon Copon <odonco...@gmail.com<mailto:odonco...@gmail.com>> wrote: I cannot perform a CURL to the API from the namenode without user/password, I get a 401 when doing that. So it might required credentials to do that. If I use the admin/password credentials or rangerusersync credentials the CURL works. So wondering if those credentials need to be setup somewhere. On Fri, 11 Jan 2019 at 10:15, Don Bosco Durai <bo...@apache.org<mailto:bo...@apache.org>> wrote: > In terms of "no authentication", is the HDFS plugin using Policy Manager API > with no credentials at all? No credentials, because there is no user/password for HDFS service user. It’s been a while, I think we used to have admin/password before, but it was taken out eventually. The code might be still there… > What's the first action the plugin is performing to be detected by the UI as > active and 200 response? Abhay or Madhan might be able to give you more specifics. Since the plugins are polling and it knows the previous version number, if there are no changes, then it is not registered in the UI. The plugins primarily pull the policies and tags from Ranger Admin. Rest everything is done by the plugin within the component. Bosco From: Odon Copon <odonco...@gmail.com<mailto:odonco...@gmail.com>> Reply-To: <user@ranger.apache.org<mailto:user@ranger.apache.org>> Date: Friday, January 11, 2019 at 2:03 AM To: <user@ranger.apache.org<mailto:user@ranger.apache.org>> Subject: Re: Accessing Ranger Policy Manager API from HDFS plugin Indeed, I know that at the moment without something like Kerberos, users can impersonate others, but I'm currently building a POC with the basic security to evaluate Ranger, and once is ready, start improving the security and scalability. But thank you for pointing that out. In terms of "no authentication", is the HDFS plugin using Policy Manager API with no credentials at all? or default ones? What's the first action the plugin is performing to be detected by the UI as active and 200 response? Some king of ping/heartbeat? or just a rest petition to download the policies? Is there anywhere where I can see in the logs what kind of actions the plugin is doing? I don't find any log information coming from the plugin. Thanks! On Fri, 11 Jan 2019 at 09:53, Don Bosco Durai <bo...@apache.org<mailto:bo...@apache.org>> wrote: If there is no Kerberos, then you have 2 options: 1. No authentication (default) 2. Two way SSL to authenticate the request from the plugin. Note, if it is non-Kerberos environment, then authorization cannot be enforced, because users can impersonate anyone. Bosco From: Odon Copon <odonco...@gmail.com<mailto:odonco...@gmail.com>> Reply-To: <user@ranger.apache.org<mailto:user@ranger.apache.org>> Date: Friday, January 11, 2019 at 1:22 AM To: <user@ranger.apache.org<mailto:user@ranger.apache.org>> Subject: Re: Accessing Ranger Policy Manager API from HDFS plugin Mmm, but what if the system is not using Kerberos? On Fri, 11 Jan 2019, 04:21 Velmurugan Periasamy <vperias...@hortonworks.com<mailto:vperias...@hortonworks.com> wrote: Yes, that's what I referred to. ________________________________ From: Odon Copon <odonco...@gmail.com<mailto:odonco...@gmail.com>> Sent: Thursday, January 10, 2019 5:07 PM To: user@ranger.apache.org<mailto:user@ranger.apache.org> Subject: Re: Accessing Ranger Policy Manager API from HDFS plugin Are we talking about principal in Kerberos or any other principal I'm not understanding? On Thu, 10 Jan 2019 at 18:05, Odon Copon <odonco...@gmail.com<mailto:odonco...@gmail.com>> wrote: What do you mean by HDFS plugin uses service (Namenode) user's principal ? Could you provide an example? Thanks. On Thu, 10 Jan 2019 at 17:08, Velmurugan Periasamy <vperias...@hortonworks.com<mailto:vperias...@hortonworks.com>> wrote: HDFS plugin uses service (Namenode) user's principal. ________________________________ From: Odon Copon <odonco...@gmail.com<mailto:odonco...@gmail.com>> Sent: Thursday, January 10, 2019 8:59 AM To: user@ranger.apache.org<mailto:user@ranger.apache.org> Subject: Accessing Ranger Policy Manager API from HDFS plugin Hi, How does the Ranger HDFS plugin communicates with the Policy Manager API? Is it using a specific user/password combination? I know the User Sync has rangerusersync user and pass, and all that information is stored in rangerusersync.jceks, but what about the HDFS plugin or any other plugin? I'm having issues with that, my plugin once enabled doesn't get displayed in the UI and would like to check the credentials the plugin is using to use the API. For the User Sync - Policy Manager communication works fine. Thanks.
