Loïc, yes if you are using Ambari, the Ambari agent should copy the mysql connector to the ext/ directory.
>>Knox does not search for the connector in other directories It will look for connector only in the directories in the classpath. I know that the ext is in the classpath, am not aware of other directories :-) On Fri, Jun 19, 2015 at 2:37 PM, Loïc Chanel <[email protected]> wrote: > Hi Gautam, > > I did not have the connector jar in this directory, and the problem > actually came from here : thanks a lot ! :-) > > Still, I'm a little surprised : Knox does not search for the connector in > other directories ? Because as during the configuration we specify to the > Ambari-server the location of mysql-java-connector, Knox should be able to > pull this information, shouldn't it ? > > Thanks again, > > > Loïc > > Loïc CHANEL > Engineering student at TELECOM Nancy > Trainee at Worldline - Villeurbanne > > 2015-06-19 10:51 GMT+02:00 Gautam Borad <[email protected]>: > >> Hi Loïc >> Can you please check if the connector jar(*mysql-connector-java.jar*) >> is present in the knox/ext/ dir? The jar should be present in the >> classpath. Please check and let us know. >> >> >> >> On Fri, Jun 19, 2015 at 1:29 PM, Loïc Chanel < >> [email protected]> wrote: >> >>> Alok, >>> >>> I already turned logging on, but it seems I can't see any plugin logs. I >>> tried to add the following properties : >>> log4j.logger.org.apache.ranger=DEBUG >>> log4j.logger.org.apache.ranger.services.knox=DEBUG >>> >>> But all I can see in the logs are Knox gateway logs, and there is >>> nothing wrong with them (the only think I see that is wrong come from >>> gateway.out, and is the error I mentioned in my first e-Mail). How can I >>> turn Ranger plugin logs on ? And where can I find these logs afterwards ? >>> >>> In addition, I turned on the property "Audit to HDFS", but as I can't >>> find audit records in the cluster, I think the auditing problem is kind of >>> a general one. >>> >>> As far as the policy manager is concerned, I can see audit records for >>> HDFS repository, so I don't think the problem comes from there. >>> >>> Do you see a possible origin of the problem ? >>> Thanks, >>> >>> >>> Loïc >>> >>> Loïc CHANEL >>> Engineering student at TELECOM Nancy >>> Trainee at Worldline - Villeurbanne >>> >>> 2015-06-18 19:48 GMT+02:00 Alok Lal <[email protected]>: >>> >>>> I spoke too soon. I don’t think the following is true. We never let >>>> the inability to audit >>>> <https://github.com/apache/incubator-ranger/blob/ranger-0.4/agents-impl/src/main/java/com/xasecure/pdp/knox/filter/XASecurePDPKnoxFilter.java#L202-L211> >>>> prevent auth. My bad! >>>> >>>> Can you turn logging on (/etc/knox/conf/gateway-log4j.properties) and >>>> paste relevant parts from it? >>>> >>>> >>>> >>>> From: Alok Lal <[email protected]> >>>> Date: Thursday, June 18, 2015 at 10:42 AM >>>> To: "[email protected]" < >>>> [email protected]> >>>> Subject: Re: Knox group policies not enforced >>>> >>>> I assume you are using ranger-0.4. >>>> >>>> - Do you see access audit records on the audit page of policy >>>> manager? >>>> - Writing audits to HDFS is not through JDBC driver. Only >>>> writing to DB needs it. >>>> - Further, only audits written to the DB are shown on the audit >>>> page — which is why I asked the above question. >>>> - It is possible that you have audit turned on to both DB and HDFS? >>>> - The way code is today >>>> >>>> <https://github.com/apache/incubator-ranger/blob/ranger-0.4/agents-impl/src/main/java/com/xasecure/pdp/knox/filter/XASecurePDPKnoxFilter.java#L124-L139> >>>> inability to write audit, say, due to a misconfigured JDBC adaptor, >>>> would >>>> cause authorization to fail, too (because the auth call would throw an >>>> unhandled exception). >>>> - However, I don’t know why that should be related only >>>> membership to a group. >>>> - If inability to write to audit is in fact the issue then you >>>> should not be able to connect as long as the policy granting you >>>> access is >>>> audited. Perhaps you can confirm that to be the case to help narrow >>>> the >>>> cause. >>>> >>>> Alok >>>> >>>> From: Loïc Chanel <[email protected]> >>>> Reply-To: "[email protected]" < >>>> [email protected]> >>>> Date: Thursday, June 18, 2015 at 3:05 AM >>>> To: "[email protected]" < >>>> [email protected]> >>>> Subject: Knox group policies not enforced >>>> >>>> Hi fellow Ranger users, >>>> >>>> As I am using Ranger plugin for Knox, I noticed that group policies >>>> are not applied. For example, if I grant to the group "users" the right to >>>> connect from anywhere, and I try to use WebHDFS with a user of this group, >>>> I keep getting 403 responses from Knox. >>>> >>>> In addition, I can't find any audit logs from Knox in Ranger >>>> interface, but I thinks this is linked to the error I get in gateway.out : >>>> [EL Severe]: ejb: 2015-06-18 >>>> 11:33:44.253--ServerSession(453422229)--Exception [EclipseLink-4003] >>>> (Eclipse Persistence Services - 2.5.2.v20140319-9ad6abd): >>>> org.eclipse.persistence.exceptions.DatabaseException >>>> Exception Description: Configuration error. Class >>>> [com.mysql.jdbc.Driver] not found. >>>> >>>> This error is actually weird too because the JDBC driver is properly >>>> installed, as I can see audit logs from HDFS repository. >>>> >>>> Has anyone an idea of where these errors might come from ? >>>> Thanks in advance for your help, >>>> >>>> >>>> Loïc >>>> >>>> Loïc CHANEL >>>> Engineering student at TELECOM Nancy >>>> Trainee at Worldline - Villeurbanne >>>> >>> >>> >> >> >> -- >> Regards, >> Gautam. >> > > -- Regards, Gautam.
