Yes, makes sense to have a 2-way SSL between the plugin and Ranger Admin,
but:
 - 1. Does it mean there's no authentication at all between them?
 - 2. If there's no authentication, shouldn't a simple CURL work? At the
moment if no user/pass is provided the API returns 401, or is there another
different endpoint? If so, which one is it?
 - 3. What is the best way to debug whether the plugin is communicating or trying
to communicate with Ranger Admin?

Thanks.


On Fri, 11 Jan 2019 at 12:53, Velmurugan Periasamy <
vperias...@hortonworks.com> wrote:

> If there is no Kerberos, HDFS plugin uses the open Download policies API,
> so it is recommended to use 2-way SSL between HDFS plugin and Ranger Admin.
>
> On Jan 11, 2019, at 5:26 AM, Odon Copon <odonco...@gmail.com> wrote:
>
> I cannot perform a CURL to the API from the namenode without
> user/password, I get a 401 when doing that. So it might require
> credentials to do that. If I use the admin/password credentials or
> rangerusersync credentials the CURL works. So wondering if those
> credentials need to be setup somewhere.
>
> On Fri, 11 Jan 2019 at 10:15, Don Bosco Durai <bo...@apache.org> wrote:
>
>> > In terms of "no authentication", is the HDFS plugin using Policy
>> Manager API with no credentials at all?
>>
>> No credentials, because there is no user/password for HDFS service user.
>> It’s been a while, I think we used to have admin/password before, but it
>> was taken out eventually. The code might be still there…
>>
>>
>>
>> > What's the first action the plugin is performing to be detected by the
>> UI as active and 200 response?
>>
>> Abhay or Madhan might be able to give you more specifics. Since the
>> plugins are polling and it knows the previous version number, if there are
>> no changes, then it is not registered in the UI. The plugins primarily pull
>> the policies and tags from Ranger Admin. Rest everything is done by the
>> plugin within the component.
>>
>>
>>
>> Bosco
>>
>>
>>
>>
>>
>> *From: *Odon Copon <odonco...@gmail.com>
>> *Reply-To: *<user@ranger.apache.org>
>> *Date: *Friday, January 11, 2019 at 2:03 AM
>> *To: *<user@ranger.apache.org>
>> *Subject: *Re: Accessing Ranger Policy Manager API from HDFS plugin
>>
>>
>>
>> Indeed, I know that at the moment without something like Kerberos, users
>> can impersonate others, but I'm currently building a POC with the basic
>> security to evaluate Ranger, and once it is ready, start improving the
>> security and scalability. But thank you for pointing that out.
>>
>> In terms of "no authentication", is the HDFS plugin using Policy Manager
>> API with no credentials at all? or default ones?
>>
>> What's the first action the plugin is performing to be detected by the UI
>> as active and 200 response? Some kind of ping/heartbeat? or just a REST
>> petition to download the policies?
>>
>> Is there anywhere where I can see in the logs what kind of actions the
>> plugin is doing? I don't find any log information coming from the plugin.
>>
>>
>>
>> Thanks!
>>
>>
>>
>> On Fri, 11 Jan 2019 at 09:53, Don Bosco Durai <bo...@apache.org> wrote:
>>
>> If there is no Kerberos, then you have 2 options:
>>
>>    1. No authentication (default)
>>    2. Two way SSL to authenticate the request from the plugin.
>>
>>
>>
>> Note, if it is a non-Kerberos environment, then authorization cannot be
>> enforced, because users can impersonate anyone.
>>
>>
>>
>> Bosco
>>
>>
>>
>>
>>
>> *From: *Odon Copon <odonco...@gmail.com>
>> *Reply-To: *<user@ranger.apache.org>
>> *Date: *Friday, January 11, 2019 at 1:22 AM
>> *To: *<user@ranger.apache.org>
>> *Subject: *Re: Accessing Ranger Policy Manager API from HDFS plugin
>>
>>
>>
>> Mmm, but what if the system is not using Kerberos?
>>
>>
>>
>> On Fri, 11 Jan 2019, 04:21 Velmurugan Periasamy <
>> vperias...@hortonworks.com wrote:
>>
>> Yes, that's what I referred to.
>>
>>
>> ------------------------------
>>
>> *From:* Odon Copon <odonco...@gmail.com>
>> *Sent:* Thursday, January 10, 2019 5:07 PM
>> *To:* user@ranger.apache.org
>> *Subject:* Re: Accessing Ranger Policy Manager API from HDFS plugin
>>
>>
>>
>> Are we talking about principal in Kerberos or any other principal I'm not
>> understanding?
>>
>>
>>
>> On Thu, 10 Jan 2019 at 18:05, Odon Copon <odonco...@gmail.com> wrote:
>>
>> What do you mean by *HDFS plugin uses service (Namenode) user's
>> principal *?
>>
>> Could you provide an example?
>> Thanks.
>>
>>
>>
>> On Thu, 10 Jan 2019 at 17:08, Velmurugan Periasamy <
>> vperias...@hortonworks.com> wrote:
>>
>> HDFS plugin uses service (Namenode) user's principal.
>>
>>
>> ------------------------------
>>
>> *From:* Odon Copon <odonco...@gmail.com>
>> *Sent:* Thursday, January 10, 2019 8:59 AM
>> *To:* user@ranger.apache.org
>> *Subject:* Accessing Ranger Policy Manager API from HDFS plugin
>>
>>
>>
>> Hi,
>>
>> How does the Ranger HDFS plugin communicate with the Policy Manager API?
>> Is it using a specific user/password combination?
>>
>> I know the User Sync has rangerusersync user and pass, and all that
>> information is stored in rangerusersync.jceks, but what about the HDFS
>> plugin or any other plugin?
>> I'm having issues with that, my plugin once enabled doesn't get displayed
>> in the UI and would like to check the credentials the plugin is using to
>> use the API.
>>
>> For the User Sync - Policy Manager communication works fine.
>>
>>
>>
>> Thanks.
>>
>>
