> The question now is how to know the plugin is calling this endpoint, and 
> working properly, because the UI doesn't display this plugin.

- if the plugin runs in a kerberized component (i.e. 
UserGroupInformation.isSecurityEnabled() == true), it downloads policies using 
endpoint /service/plugins/secure/policies/download/, which requires 
authentication

- else it uses endpoint /service/plugins/policies/download/ - which doesn’t 
require authentication

 

Hope this helps.

 

Madhan

From: Velmurugan Periasamy <vperias...@hortonworks.com>
Reply-To: "user@ranger.apache.org" <user@ranger.apache.org>
Date: Friday, January 11, 2019 at 6:32 AM
To: "user@ranger.apache.org" <user@ranger.apache.org>
Subject: Re: Accessing Ranger Policy Manager API from HDFS plugin

 

You can check namenode log for any errors from HDFS plugin.  

 

From: Odon Copon <odonco...@gmail.com>
Sent: Friday, January 11, 2019 9:21 AM
To: user@ranger.apache.org
Subject: Re: Accessing Ranger Policy Manager API from HDFS plugin 

 

I fired manually a CURL request to 
"/service/plugins/policies/download/<service_name>" and now the UI is 
displaying some information in plugin tab. 

1. Is Ranger Admin thinking the call was made from the plugin and is trying to 
list it?

2. If plugin would have executed this request, the UI should have displayed 
this information earlier, right?

3. Any specific log to check for more information?

 

On Fri, 11 Jan 2019 at 14:07, Velmurugan Periasamy <vperias...@hortonworks.com> 
wrote:

You should see plugin sync'ing policies in plugin tab. If it is not showing 
up, you need to check the logs for any error messages. 

From: Odon Copon <odonco...@gmail.com>
Sent: Friday, January 11, 2019 8:47 AM
To: user@ranger.apache.org
Subject: Re: Accessing Ranger Policy Manager API from HDFS plugin 

 

ok, seems "service/plugins/policies/download/" has public access, so confirms 
what we have been discussing, no authorization is required to download the 
policies. Good to know, thanks guys.

The question now is how to know the plugin is calling this endpoint, and 
working properly, because the UI doesn't display this plugin. Any tip on this?

 

On Fri, 11 Jan 2019 at 13:08, Odon Copon <odonco...@gmail.com> wrote:

Yes, makes sense to have a 2-way SSL between the plugin and Ranger Admin, but: 

 - 1. Does it mean there's no authentication at all between them?

 - 2. If there's no authentication, shouldn't a simple CURL work? At the moment 
if no user/pass is provided the API returns 401, or is there another different 
endpoint? If so, which one is it?

 - 3. What is the best way to debug the plugin is communicating or trying to 
communicate with Ranger admin?

 

Thanks.

 

 

On Fri, 11 Jan 2019 at 12:53, Velmurugan Periasamy <vperias...@hortonworks.com> 
wrote:

If there is no Kerberos, HDFS plugin uses the open Download policies API, so it 
is recommended to use 2-way SSL between HDFS plugin and Ranger Admin. 


On Jan 11, 2019, at 5:26 AM, Odon Copon <odonco...@gmail.com> wrote:

I cannot perform a CURL to the API from the namenode without user/password, I 
get a 401 when doing that. So it might require credentials to do that. If I 
use the admin/password credentials or rangerusersync credentials the CURL 
works. So wondering if those credentials need to be set up somewhere.

 

On Fri, 11 Jan 2019 at 10:15, Don Bosco Durai <bo...@apache.org> wrote:

> In terms of "no authentication", is the HDFS plugin using Policy Manager API 
> with no credentials at all?

No credentials, because there is no user/password for HDFS service user. It’s 
been a while, I think we used to have admin/password before, but it was taken 
out eventually. The code might be still there…

 

> What's the first action the plugin is performing to be detected by the UI as 
> active and 200 response?

Abhay or Madhan might be able to give you more specifics. Since the plugins are 
polling and it knows the previous version number, if there are no changes, then 
it is not registered in the UI. The plugins primarily pull the policies and 
tags from Ranger Admin. Rest everything is done by the plugin within the 
component.

 

Bosco

 

 

From: Odon Copon <odonco...@gmail.com>
Reply-To: <user@ranger.apache.org>
Date: Friday, January 11, 2019 at 2:03 AM
To: <user@ranger.apache.org>
Subject: Re: Accessing Ranger Policy Manager API from HDFS plugin

 

Indeed, I know that at the moment without something like Kerberos, users can 
impersonate others, but I'm currently building a POC with the basic security to 
evaluate Ranger, and once it is ready, start improving the security and 
scalability. But thank you for pointing that out.

In terms of "no authentication", is the HDFS plugin using Policy Manager API 
with no credentials at all? Or default ones?

What's the first action the plugin is performing to be detected by the UI as 
active and 200 response? Some kind of ping/heartbeat? Or just a REST petition 
to download the policies?

Is there anywhere where I can see in the logs what kind of actions the plugin 
is doing? I don't find any log information coming from the plugin.

 

Thanks!

 

On Fri, 11 Jan 2019 at 09:53, Don Bosco Durai <bo...@apache.org> wrote:

If there is no Kerberos, then you have 2 options:

1. No authentication (default)

2. Two way SSL to authenticate the request from the plugin. 
 

Note, if it is non-Kerberos environment, then authorization cannot be enforced, 
because users can impersonate anyone.

 

Bosco

 

 

From: Odon Copon <odonco...@gmail.com>
Reply-To: <user@ranger.apache.org>
Date: Friday, January 11, 2019 at 1:22 AM
To: <user@ranger.apache.org>
Subject: Re: Accessing Ranger Policy Manager API from HDFS plugin

 

Mmm, but what if the system is not using Kerberos?

 

On Fri, 11 Jan 2019, 04:21 Velmurugan Periasamy <vperias...@hortonworks.com> 
wrote:

Yes, that's what I referred to.

 

From: Odon Copon <odonco...@gmail.com>
Sent: Thursday, January 10, 2019 5:07 PM
To: user@ranger.apache.org
Subject: Re: Accessing Ranger Policy Manager API from HDFS plugin 

 

Are we talking about principal in Kerberos or any other principal I'm not 
understanding?

 

On Thu, 10 Jan 2019 at 18:05, Odon Copon <odonco...@gmail.com> wrote:

What do you mean by HDFS plugin uses service (Namenode) user's principal ?

Could you provide an example?
Thanks.

 

On Thu, 10 Jan 2019 at 17:08, Velmurugan Periasamy <vperias...@hortonworks.com> 
wrote:

HDFS plugin uses service (Namenode) user's principal. 

 

From: Odon Copon <odonco...@gmail.com>
Sent: Thursday, January 10, 2019 8:59 AM
To: user@ranger.apache.org
Subject: Accessing Ranger Policy Manager API from HDFS plugin 

 

Hi, 

How does the Ranger HDFS plugin communicate with the Policy Manager API? Is it 
using a specific user/password combination? 

I know the User Sync has rangerusersync user and pass, and all that information 
is stored in rangerusersync.jceks, but what about the HDFS plugin or any other 
plugin?
I'm having issues with that, my plugin once enabled doesn't get displayed in 
the UI and would like to check the credentials the plugin is using to use the 
API.

For the User Sync - Policy Manager communication works fine.

 

Thanks.
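
The advice in this thread to check the logs, together with the two download endpoints named in it, can be turned into a server-side check. The following is an added example, not part of the thread or of Ranger's code: it scans an access log for both policy-download endpoints, flags successful calls to the unauthenticated one from hosts that are not known plugin hosts, and lists expected plugin hosts that never polled. The Tomcat-style log layout, the IP addresses and the service name hadoopdev are constructed assumptions.

```python
import re
from collections import Counter

# Endpoint prefixes exactly as named in the thread.
ENDPOINTS = {
    "/service/plugins/secure/policies/download/": "secure",  # requires authentication
    "/service/plugins/policies/download/": "open",           # no authentication
}

# Assumed layout: ip ident user [time] "GET path PROTO" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (not real log output).
SAMPLE_LOG = """\
10.0.0.11 - - [11/Jan/2019:14:00:01 +0000] "GET /service/plugins/policies/download/hadoopdev HTTP/1.1" 200 5120
10.0.0.11 - - [11/Jan/2019:14:00:31 +0000] "GET /service/plugins/policies/download/hadoopdev HTTP/1.1" 200 5120
10.0.0.50 - - [11/Jan/2019:14:02:10 +0000] "GET /service/plugins/policies/download/hadoopdev HTTP/1.1" 200 5120
10.0.0.50 - - [11/Jan/2019:14:02:12 +0000] "GET /service/plugins/secure/policies/download/hadoopdev HTTP/1.1" 401 -
10.0.0.12 - admin [11/Jan/2019:14:03:00 +0000] "GET /index.html HTTP/1.1" 200 900
"""


def classify(path):
    """Return (kind, service_name) for a policy-download path, else None."""
    path = path.split("?", 1)[0]
    for prefix, kind in ENDPOINTS.items():
        if path.startswith(prefix):
            return kind, path[len(prefix):]
    return None


def audit(log_text, plugin_hosts):
    """Count download calls; report unexpected open-endpoint clients and silent plugins."""
    seen = Counter()
    unexpected = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        hit = m and classify(m["path"])
        if not hit:
            continue
        kind, service = hit
        ip, status = m["ip"], int(m["status"])
        seen[(ip, kind, service, status)] += 1
        # A 200 on the open endpoint from a non-plugin host means policies left the cluster's trust set.
        if kind == "open" and status == 200 and ip not in plugin_hosts:
            unexpected.append((ip, service))
    # Expected plugin hosts with no download call at all: the plugin is not reaching Ranger Admin.
    silent = sorted(h for h in plugin_hosts if not any(k[0] == h for k in seen))
    return seen, unexpected, silent
```

Run it as `audit(SAMPLE_LOG, {"10.0.0.11", "10.0.0.13"})`, replacing the sample with the Ranger Admin access log and the set with the hosts where plugins are enabled.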
