I assume you are using ranger-0.4.

  *   Do you see access audit records on the audit page of policy manager?
     *   Writing audits to HDFS is not through the JDBC driver.  Only writing to DB needs it.
     *   Further, only audits written to the DB are shown on the audit page - which is why I asked the above question.
  *   Is it possible that you have audit turned on to both DB and HDFS?
  *   The way the code is today <https://github.com/apache/incubator-ranger/blob/ranger-0.4/agents-impl/src/main/java/com/xasecure/pdp/knox/filter/XASecurePDPKnoxFilter.java#L124-L139>, inability to write audit, say, due to a misconfigured JDBC adaptor, would cause authorization to fail, too (because the auth call would throw an unhandled exception).
     *   However, I don't know why that should be related only to membership in a group.
     *   If inability to write to audit is in fact the issue then you should not be able to connect as long as the policy granting you access is audited.  Perhaps you can confirm that to be the case to help narrow the cause.

Alok

From: Loïc Chanel <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Thursday, June 18, 2015 at 3:05 AM
To: "[email protected]" <[email protected]>
Subject: Knox group policies not enforced

Hi fellow Ranger users,

As I am using Ranger plugin for Knox, I noticed that group policies are not 
applied. For example, if I grant to the group "users" the right to connect from 
anywhere, and I try to use WebHDFS with a user of this group, I keep getting 
403 responses from Knox.

In addition, I can't find any audit logs from Knox in the Ranger interface, but I 
think this is linked to the error I get in gateway.out:
[EL Severe]: ejb: 2015-06-18 11:33:44.253--ServerSession(453422229)--Exception 
[EclipseLink-4003] (Eclipse Persistence Services - 2.5.2.v20140319-9ad6abd): 
org.eclipse.persistence.exceptions.DatabaseException
Exception Description: Configuration error.  Class [com.mysql.jdbc.Driver] not 
found.

This error is actually weird too because the JDBC driver is properly installed, 
as I can see audit logs from HDFS repository.

Has anyone an idea of where these errors might come from?
Thanks in advance for your help,


Loïc

Loïc CHANEL
Engineering student at TELECOM Nancy
Trainee at Worldline - Villeurbanne
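
The coupling described in Alok's reply above, modelled as an added example; it is not part of the thread and not code from Apache Ranger or Knox. Every class and method name is hypothetical and the user/group data is constructed. It shows why the same grant behaves differently depending on whether the matching policy is audited, which is the check the reply suggests for narrowing the cause.

```java
// Added illustration: a constructed model, not code from Apache Ranger or Knox.
// All class and method names here are hypothetical. Requires Java 16+ (records).
import java.util.Map;
import java.util.Set;

public class AuditCouplingDemo {
    // A policy grants access to one group and says whether matches are audited.
    record Policy(String group, boolean audited) {}

    interface AuditSink { void write(String user, boolean allowed); }

    // Models a DB audit sink whose JDBC driver class cannot be loaded.
    static final AuditSink BROKEN_DB_SINK = (user, allowed) -> {
        throw new IllegalStateException("Class [com.mysql.jdbc.Driver] not found");
    };

    // The decision and the audit write share one call, so an audit
    // failure escapes as an exception instead of returning the decision.
    static boolean isAccessAllowed(String user, Map<String, Set<String>> groups,
                                   Policy policy, AuditSink sink) {
        boolean allowed = groups.getOrDefault(user, Set.of()).contains(policy.group());
        if (policy.audited()) {
            sink.write(user, allowed); // throws when the sink is misconfigured
        }
        return allowed;
    }

    // What the caller observes: ALLOW, DENY, or an error that is not a policy decision.
    static String outcome(String user, Map<String, Set<String>> groups,
                          Policy policy, AuditSink sink) {
        try {
            return isAccessAllowed(user, groups, policy, sink) ? "ALLOW" : "DENY";
        } catch (RuntimeException e) {
            return "ERROR (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: one user who belongs to the granted group.
        Map<String, Set<String>> groups = Map.of("alice", Set.of("users"));
        // Same grant and same broken sink; only the audit flag on the policy differs.
        System.out.println(outcome("alice", groups, new Policy("users", true), BROKEN_DB_SINK));
        System.out.println(outcome("alice", groups, new Policy("users", false), BROKEN_DB_SINK));
    }
}
```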
