Hi Loïc
    Can you please check if the connector jar (*mysql-connector-java.jar*)
is present in the knox/ext/ dir? The jar should be present in the
classpath. Please check and let us know.



On Fri, Jun 19, 2015 at 1:29 PM, Loïc Chanel <[email protected]>
wrote:

> Alok,
>
> I already turned logging on, but it seems I can't see any plugin logs. I
> tried to add the following properties :
> log4j.logger.org.apache.ranger=DEBUG
> log4j.logger.org.apache.ranger.services.knox=DEBUG
>
> But all I can see in the logs are Knox gateway logs, and there is nothing
> wrong with them (the only thing I see that is wrong comes from gateway.out,
> and is the error I mentioned in my first e-Mail). How can I turn Ranger
> plugin logs on ? And where can I find these logs afterwards ?
>
> In addition, I turned on the property "Audit to HDFS", but as I can't find
> audit records in the cluster, I think the auditing problem is kind of a
> general one.
>
> As far as the policy manager is concerned, I can see audit records for
> HDFS repository, so I don't think the problem comes from there.
>
> Do you see a possible origin of the problem ?
> Thanks,
>
>
> Loïc
>
> Loïc CHANEL
> Engineering student at TELECOM Nancy
> Trainee at Worldline - Villeurbanne
>
> 2015-06-18 19:48 GMT+02:00 Alok Lal <[email protected]>:
>
>>  I spoke too soon.  I don’t think the following is true.  We never let
>> the inability to audit
>> <https://github.com/apache/incubator-ranger/blob/ranger-0.4/agents-impl/src/main/java/com/xasecure/pdp/knox/filter/XASecurePDPKnoxFilter.java#L202-L211>
>> prevent auth.  My bad!
>>
>>  Can you turn logging on (/etc/knox/conf/gateway-log4j.properties) and
>> paste relevant parts from it?
>>
>>
>>
>>   From: Alok Lal <[email protected]>
>> Date: Thursday, June 18, 2015 at 10:42 AM
>> To: "[email protected]" <[email protected]>
>> Subject: Re: Knox group policies not enforced
>>
>>   I assume you are using ranger-0.4.
>>
>>    - Do you see access audit records on the audit page of policy
>>    manager?
>>       - Writing audits to HDFS is not through JDBC driver.  Only writing
>>       to DB needs it.
>>       - Further, only audits written to the DB are shown on the audit
>>       page — which is why I asked the above question.
>>    - Is it possible that you have audit turned on to both DB and HDFS?
>>    - The way the code is today
>>    <https://github.com/apache/incubator-ranger/blob/ranger-0.4/agents-impl/src/main/java/com/xasecure/pdp/knox/filter/XASecurePDPKnoxFilter.java#L124-L139>
>>    inability to write audit, say, due to a misconfigured JDBC adaptor, would
>>    cause authorization to fail, too (because the auth call would throw an
>>    unhandled exception).
>>       - However, I don’t know why that should be related only to membership
>>       in a group.
>>       - If inability to write to audit is in fact the issue then you
>>       should not be able to connect as long as the policy granting you
>>       access is audited.  Perhaps you can confirm that to be the case to
>>       help narrow the cause.
>>
>> Alok
>>
>>   From: Loïc Chanel <[email protected]>
>> Reply-To: "[email protected]" <
>> [email protected]>
>> Date: Thursday, June 18, 2015 at 3:05 AM
>> To: "[email protected]" <[email protected]>
>> Subject: Knox group policies not enforced
>>
>>      Hi fellow Ranger users,
>>
>>  As I am using Ranger plugin for Knox, I noticed that group policies are
>> not applied. For example, if I grant to the group "users" the right to
>> connect from anywhere, and I try to use WebHDFS with a user of this group,
>> I keep getting 403 responses from Knox.
>>
>>  In addition, I can't find any audit logs from Knox in Ranger interface,
>> but I think this is linked to the error I get in gateway.out :
>> [EL Severe]: ejb: 2015-06-18
>> 11:33:44.253--ServerSession(453422229)--Exception [EclipseLink-4003]
>> (Eclipse Persistence Services - 2.5.2.v20140319-9ad6abd):
>> org.eclipse.persistence.exceptions.DatabaseException
>> Exception Description: Configuration error.  Class
>> [com.mysql.jdbc.Driver] not found.
>>
>>  This error is actually weird too because the JDBC driver is properly
>> installed, as I can see audit logs from HDFS repository.
>>
>>  Has anyone an idea of where these errors might come from ?
>>  Thanks in advance for your help,
>>
>>
>>  Loïc
>>
>> Loïc CHANEL
>> Engineering student at TELECOM Nancy
>> Trainee at Worldline - Villeurbanne
>>
>
>


-- 
Regards,
Gautam.
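
A way to run the check asked for above, as an added example that is not part of the original thread or of the Ranger or Knox code: each JVM loads classes from its own classpath, so the script reports which jars in the directories given as arguments actually contain the class named in the `gateway.out` error. The function names are made up for this example, and the directories to scan are whatever the reader passes in.

```python
import zipfile
from pathlib import Path

# Class named in the gateway.out error quoted in the thread.
DRIVER_CLASS = "com.mysql.jdbc.Driver"


def jars_providing(directory, class_name=DRIVER_CLASS):
    """Return (providers, unreadable): sorted jar names in `directory` that
    contain `class_name`, and jar names that could not be opened as archives."""
    entry = class_name.replace(".", "/") + ".class"
    providers, unreadable = [], []
    for jar in sorted(Path(directory).glob("*.jar")):
        try:
            with zipfile.ZipFile(jar) as archive:
                if entry in archive.namelist():
                    providers.append(jar.name)
        except (zipfile.BadZipFile, OSError):
            # Truncated copy, dangling symlink or unreadable file: the JVM
            # cannot load classes from it either.
            unreadable.append(jar.name)
    return providers, unreadable


def report(directories, class_name=DRIVER_CLASS):
    """Map each directory to its (providers, unreadable) result."""
    return {str(d): jars_providing(d, class_name) for d in directories}


if __name__ == "__main__":
    import sys

    # Usage: python check_driver.py <dir> [<dir> ...]
    for directory, (providers, unreadable) in report(sys.argv[1:]).items():
        status = ", ".join(providers) if providers else "NOT FOUND"
        print(f"{directory}: {DRIVER_CLASS} -> {status}")
        for name in unreadable:
            print(f"{directory}: unreadable jar {name}")
```

Run it as the account the gateway runs under, since a jar that this account cannot read is reported as unreadable rather than as a provider.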
