ok, seems "service/plugins/policies/download/" has public access, so confirms what we have been discussing, no authorization is required to download the policies. Good to know, thanks guys. The question know is how to know the plugin is calling this endpoint, and working properly, because the UI doesn't display this plugin. Any tip on this?
On Fri, 11 Jan 2019 at 13:08, Odon Copon <odonco...@gmail.com> wrote: > Yes, makes sense to have a 2-way SSL between the plugin and Ranger Admin, > but: > - 1. Does it mean there's no authentication at all between them? > - 2. If there's no authentication, shouldn't a simple CURL work? At the > moment if no user/pass is provided the API returns 401, or is there another > different endpoint? If so, which one is it? > - 3. What is the best way to debug the plugin is communicating or trying > to communicate with Ranger admin? > > Thanks. > > > On Fri, 11 Jan 2019 at 12:53, Velmurugan Periasamy < > vperias...@hortonworks.com> wrote: > >> If there is no kerberos HDFS plugin uses the open Download policies API, >> so it is recommended to use 2-way SSL between HDFS plugin and Ranger Admin. >> >> On Jan 11, 2019, at 5:26 AM, Odon Copon <odonco...@gmail.com> wrote: >> >> I cannot perform a CURL to the API from the namenode without >> user/password, I get a 401 when doing that. So it might required >> credentials to do that. If I use the admin/password credentials or >> rangerusersync credentials the CURL works. So wondering if those >> credentials need to be setup somewhere. >> >> On Fri, 11 Jan 2019 at 10:15, Don Bosco Durai <bo...@apache.org> wrote: >> >>> > In terms of "no authentication", is the HDFS plugin using Policy >>> Manager API with no credentials at all? >>> >>> No credentials, because there is no user/password for HDFS service user. >>> It’s been a while, I think we used to have admin/password before, but it >>> was taken out eventually. The code might be still there… >>> >>> >>> >>> > What's the first action the plugin is performing to be detected by the >>> UI as active and 200 response? >>> >>> Abhay or Madhan might be able to give you more specifics. Since the >>> plugins are polling and it knows the previous version number, if there are >>> no changes, then it is not registered in the UI. The plugins primarily pull >>> the policies and tags from Ranger Admin. Rest everything is done by the >>> plugin within the component. >>> >>> >>> >>> Bosco >>> >>> >>> >>> >>> >>> *From: *Odon Copon <odonco...@gmail.com> >>> *Reply-To: *<user@ranger.apache.org> >>> *Date: *Friday, January 11, 2019 at 2:03 AM >>> *To: *<user@ranger.apache.org> >>> *Subject: *Re: Accessing Ranger Policy Manager API from HDFS plugin >>> >>> >>> >>> Indeed, I know that at the moment without something like Kerberos, users >>> can impersonate others, but I'm currently building a POC with the basic >>> security to evaluate Ranger, and once is ready, start improving the >>> security and scalability. But thank you for pointing that out. >>> >>> In terms of "no authentication", is the HDFS plugin using Policy Manager >>> API with no credentials at all? or default ones? >>> >>> What's the first action the plugin is performing to be detected by the >>> UI as active and 200 response? Some king of ping/heartbeat? or just a rest >>> petition to download the policies? >>> >>> Is there anywhere where I can see in the logs what kind of actions the >>> plugin is doing? I don't find any log information coming from the plugin. >>> >>> >>> >>> Thanks! >>> >>> >>> >>> On Fri, 11 Jan 2019 at 09:53, Don Bosco Durai <bo...@apache.org> wrote: >>> >>> If there is no Kerberos, then you have 2 options: >>> >>> 1. No authentication (default) >>> 2. Two way SSL to authenticate the request from the plugin. >>> >>> >>> >>> Note, if it is non-Kerberos environment, then authorization cannot be >>> enforced, because users can impersonate anyone. >>> >>> >>> >>> Bosco >>> >>> >>> >>> >>> >>> *From: *Odon Copon <odonco...@gmail.com> >>> *Reply-To: *<user@ranger.apache.org> >>> *Date: *Friday, January 11, 2019 at 1:22 AM >>> *To: *<user@ranger.apache.org> >>> *Subject: *Re: Accessing Ranger Policy Manager API from HDFS plugin >>> >>> >>> >>> Mmm, but what if the system is not using Kerberos? >>> >>> >>> >>> On Fri, 11 Jan 2019, 04:21 Velmurugan Periasamy < >>> vperias...@hortonworks.com wrote: >>> >>> Yes, that's what I referred to. >>> >>> >>> ------------------------------ >>> >>> *From:* Odon Copon <odonco...@gmail.com> >>> *Sent:* Thursday, January 10, 2019 5:07 PM >>> *To:* user@ranger.apache.org >>> *Subject:* Re: Accessing Ranger Policy Manager API from HDFS plugin >>> >>> >>> >>> Are we talking about principal in Kerberos or any other principal I'm >>> not understanding? >>> >>> >>> >>> On Thu, 10 Jan 2019 at 18:05, Odon Copon <odonco...@gmail.com> wrote: >>> >>> What do you mean by *HDFS plugin uses service (Namenode) user's >>> principal *? >>> >>> Could you provide an example? >>> Thanks. >>> >>> >>> >>> On Thu, 10 Jan 2019 at 17:08, Velmurugan Periasamy < >>> vperias...@hortonworks.com> wrote: >>> >>> HDFS plugin uses service (Namenode) user's principal. >>> >>> >>> ------------------------------ >>> >>> *From:* Odon Copon <odonco...@gmail.com> >>> *Sent:* Thursday, January 10, 2019 8:59 AM >>> *To:* user@ranger.apache.org >>> *Subject:* Accessing Ranger Policy Manager API from HDFS plugin >>> >>> >>> >>> Hi, >>> >>> How does the Ranger HDFS plugin communicates with the Policy Manager >>> API? Is it using a specific user/password combination? >>> >>> I know the User Sync has rangerusersync user and pass, and all that >>> information is stored in rangerusersync.jceks, but what about the HDFS >>> plugin or any other plugin? >>> I'm having issues with that, my plugin once enabled doesn't get >>> displayed in the UI and would like to check the credentials the plugin is >>> using to use the API. >>> >>> For the User Sync - Policy Manager communication works fine. >>> >>> >>> >>> Thanks. >>> >>>
