Hi,
I have a Kerberised HDP (2.6.5) setup and I am using CDAP which is integrated
with Ranger for policy management. When I login to CDAP UI, I don’t see any
resources on UI even though Ranger policies are defined for allowing access to
my user. My CDAP ranger plugin is emitting authorization failed for all
requests.
On debugging the issue a bit, I found that the Ranger’s policy cache json file
for CDAP created on local file system has resources{}section empty for all my
CDAP policies. Though rest of the properties in policycache json file such as
accesses{}, users{} is present. CDAP has logs has messages like:
2019-01-16 19:06:25,421 INFO [leader-election-election-master.services]
util.PolicyRefresher:
PolicyRefresher(serviceName=platacc003-reflex-platform_cdap): found updated
version. lastKnownVersion=-1; newVersion=80
2019-01-16 19:06:25,501 WARN [leader-election-election-master.services]
policyresourcematcher.RangerDefaultPolicyResourceMatcher:
RangerDefaultPolicyResourceMatcher.init() failed: policyResources is null or
empty, or serviceDef is null. (serviceDef=cdap, policyResourceKeys=,
validHierarchy=)
2019-01-16 19:06:25,514 WARN [leader-election-election-master.services]
policyresourcematcher.RangerDefaultPolicyResourceMatcher:
RangerDefaultPolicyResourceMatcher.init() failed: policyResources is null or
empty, or serviceDef is null. (serviceDef=cdap, policyResourceKeys=,
validHierarchy=)
2019-01-16 19:06:25,514 WARN [leader-election-election-master.services]
policyresourcematcher.RangerDefaultPolicyResourceMatcher:
RangerDefaultPolicyResourceMatcher.init() failed: policyResources is null or
empty, or serviceDef is null. (serviceDef=cdap, policyResourceKeys=,
validHierarchy=)
2019-01-16 19:06:25,514 WARN [leader-election-election-master.services]
policyresourcematcher.RangerDefaultPolicyResourceMatcher:
RangerDefaultPolicyResourceMatcher.init() failed: policyResources is null or
empty, or serviceDef is null. (serviceDef=cdap, policyResourceKeys=,
validHierarchy=)
2019-01-16 19:06:25,515 WARN [leader-election-election-master.services]
policyresourcematcher.RangerDefaultPolicyResourceMatcher:
RangerDefaultPolicyResourceMatcher.init() failed: policyResources is null or
empty, or serviceDef is null. (serviceDef=cdap, policyResourceKeys=,
validHierarchy=)
I checked Ranger Admin access.log file and saw that Ranger REST request from
CDAP to download policies was successful with 200 response code. If I manually
run the same REST request using curl with admin credentials it works fine and
emits json with valid resource{} section.
Can someone please help here in this regard?
Thanks & Regards,
Rajat
