That's correct. In Aurora DB the master user doesn't have "WITH GRANT" privileges. So any user we create will not have WITH GRANT.

Here is the document that provides Master user privileges: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.MasterAccounts.html

These are the errors we were getting before giving privileges. After we gave privileges explicitly using the master user, installation ran successfully.

2017-01-04 21:41:39,463 [I] ---------------Granting privileges TO 'rangerloggerdb' on 'rangerdb_audit'-------------
2017-01-04 21:41:39,463 [JISQL] /usr/java/default/bin/java -cp /usr/share/java/mysql-connector-java.jar:/usr/hdp/current/ranger-admin/jisql/lib/* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://dpdevcluster.cluster-czvrt6ojpbos.us-west-2.rds.amazonaws.com/rangerdb_audit -u 'rangeradmindb' -p '********' -noheader -trim -c \; -query "GRANT INSERT ON rangerdb_audit.xa_access_audit TO 'rangerloggerdb'@'dpdevcluster.cluster-czvrt6ojpbos.us-west-2.rds.amazonaws.com';"
SQLException : SQL state: 42000 com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You are not allowed to create a user with GRANT ErrorCode: 1410
SQLException : SQL state: 42000 com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You are not allowed to create a user with GRANT ErrorCode: 1410
2017-01-04 21:41:39,949 [E] Granting privileges to 'rangerloggerdb' failed on 'rangerdb_audit'

2017-01-04 20:38:24,517 [JISQL] /usr/java/default/bin/java -cp /usr/share/java/mysql-connector-java.jar:/usr/hdp/current/ranger-admin/jisql/lib/* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://dpdevcluster.cluster-czvrt6ojpbos.us-west-2.rds.amazonaws.com/rangerdb_audit -u 'rangeradmindb' -p '********' -noheader -trim -c \; -query "GRANT INSERT ON rangerdb_audit.xa_access_audit TO 'rangerloggerdb'@'%';"
SQLException : SQL state: 42000 com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: GRANT command denied to user 'rangeradmindb'@'172.17.209.159' for table 'xa_access_audit' ErrorCode: 1142
SQLException : SQL state: 42000 com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: GRANT command denied to user 'rangeradmindb'@'172.17.209.159' for table 'xa_access_audit' ErrorCode: 1142
2017-01-04 20:38:25,016 [E] Granting privileges to 'rangerloggerdb' failed on 'rangerdb_audit'

Thanks for your help, and the Ranger setup is resolved in our "dev" cluster.

On Thu, Jan 5, 2017 at 1:09 PM, Selvamohan Neethiraj <sneet...@apache.org> wrote:

> I believe, the admin user used here 'dbm'@'%' did not have permission 'WITH GRANT OPTION' … So, the admin user will be able to do everything except he/she will not be able to GRANT permission to other users.
> Let me know if this is not the actual issue here in AWS Aurora db ….
>
> Thanks,
> Selva
>
> From: Don Bosco Durai <bo...@apache.org>
> Reply-To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
> Date: Thursday, January 5, 2017 at 4:02 PM
> To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
> Subject: Re: Ranger database setup in AWS Aurora database.
>
> You are providing explicit permission for the database, which I think is the right thing.
>
> You might want to keep the host consistent for all privileges. In MySQL, @localhost and @% is generally enough. But I am not familiar with Aurora.
>
> Bosco
>
> From: Anandha L Ranganathan <analog.s...@gmail.com>
> Reply-To: <user@ranger.incubator.apache.org>
> Date: Thursday, January 5, 2017 at 12:15 PM
> To: <user@ranger.incubator.apache.org>
> Subject: Re: Ranger database setup in AWS Aurora database.
>
> Don,
>
> Yes, I am able to create user(s) in that database. We fixed that problem with these grants. Please confirm this is the right way to do it.
>
> GRANT ALL PRIVILEGES ON rangerdb.* TO 'rangeradmindb'@'localhost' WITH GRANT OPTION;
> GRANT ALL PRIVILEGES ON rangerdb.* TO 'rangeradmindb'@'%' WITH GRANT OPTION;
> GRANT ALL PRIVILEGES ON rangerdb.* TO 'rangeradmindb'@'FQDN' WITH GRANT OPTION;
> GRANT ALL PRIVILEGES ON rangerdb_audit.* TO 'rangeradmindb'@'%' WITH GRANT OPTION;
> GRANT ALL PRIVILEGES ON rangerdb_audit.* TO 'rangeradmindb'@'localhost' WITH GRANT OPTION;
> GRANT INSERT ON rangerdb_audit.xa_access_audit TO 'rangerloggerdb'@'FQDN';
> GRANT INSERT ON rangerdb_audit.xa_access_audit TO 'rangerloggerdb'@'localhost';
>
> On Wed, Jan 4, 2017 at 12:08 PM Don Bosco Durai <bo...@apache.org> wrote:
>
> Also, Anandha, were you able to create any other user in your database? If so, what was the syntax and DB user you used?
>
> Thanks
>
> Bosco
>
> From: Pradeep Agrawal <pradeep.agra...@freestoneinfotech.com>
> Reply-To: <user@ranger.incubator.apache.org>
> Date: Tuesday, January 3, 2017 at 7:27 PM
> To: <user@ranger.incubator.apache.org>
> Subject: Re: Ranger database setup in AWS Aurora database.
>
> Hi,
>
> For that, you need to refer to the Aurora DB docs provided by Amazon.
>
> For MySQL, please refer to the text below.
>
> MySQL/MariaDB Prerequisite:
>
> Server variable log_bin_trust_function_creators should be set to 1.
>
> A MySQL server variable in RDS can be changed with the Parameter group feature provided in the RDS Dashboard, at the left side of the page.
>
> For details please refer to:
>
> - https://www.stratalux.com/blog/always-use-custom-db-parameter-group-creating-rds-instance/
> - http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithParamGroups.html
> - https://dev.mysql.com/doc/refman/5.7/en/stored-programs-logging.html
>
> On Wed, Jan 4, 2017 at 8:07 AM, Anandha L Ranganathan <analog.s...@gmail.com> wrote:
>
> I am using the "Aurora" database in AWS. Aurora is a MySQL-compatible RDBMS database.
>
> I am unable to grant privileges to the user "rangeradmindb".
>
> CREATE USER 'rangeradmindb'@'localhost' IDENTIFIED BY 'xxxxx';
> GRANT ALL PRIVILEGES ON *.* TO 'rangeradmindb'@'localhost';
> Error Code: 1045. Access denied for user 'dbm'@'%' (using password: YES) 0.034 sec
>
> Whereas superuser has these privileges.
>
> show grants
>
> GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, PROCESS, REFERENCES, INDEX, ALTER, SHOW DATABASES, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER
>
> How do I grant all privileges to the user "rangeradmindb"?
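
Added example, not part of the thread and not Ranger's own code: a small triage script that pairs each failing Jisql GRANT in setup output like the log quoted in the top message with its MySQL error code, and reports grantees addressed under more than one host part (the host-consistency point raised in the replies). The function names are hypothetical, the sample log is constructed with placeholder endpoint and client address, and the hints are the standard MySQL meanings of error codes 1045, 1142 and 1410.

```python
import re
from collections import defaultdict

# Standard MySQL server error codes that appear in this thread, with a hint each.
HINTS = {
    1045: "access denied for the connecting account at the requested scope",
    1142: "grantor lacks GRANT OPTION (or the privilege itself) on that table",
    1410: "grantee user@host does not exist; CREATE USER for that exact user@host first",
}
QUERY_RE = re.compile(r'''-u '(?P<grantor>[^']+)'.*?-query "(?P<sql>GRANT [^"]+)"''')
GRANTEE_RE = re.compile(r"TO '(?P<user>[^']+)'@'(?P<host>[^']+)'")
CODE_RE = re.compile(r"ErrorCode:\s*(\d+)")

# Constructed sample shaped like the Ranger setup output; endpoint and client IP are placeholders.
SAMPLE_LOG = r"""
2017-01-04 21:41:39,463 [JISQL] java org.apache.util.sql.Jisql -u 'rangeradmindb' -p '********' -c \; -query "GRANT INSERT ON rangerdb_audit.xa_access_audit TO 'rangerloggerdb'@'db.example.internal';"
SQLException : SQL state: 42000 You are not allowed to create a user with GRANT ErrorCode: 1410
SQLException : SQL state: 42000 You are not allowed to create a user with GRANT ErrorCode: 1410
2017-01-04 20:38:24,517 [JISQL] java org.apache.util.sql.Jisql -u 'rangeradmindb' -p '********' -c \; -query "GRANT INSERT ON rangerdb_audit.xa_access_audit TO 'rangerloggerdb'@'%';"
SQLException : SQL state: 42000 GRANT command denied to user 'rangeradmindb'@'192.0.2.10' for table 'xa_access_audit' ErrorCode: 1142
"""

def triage(log_text):
    """Pair each Jisql GRANT invocation with the first ErrorCode logged after it."""
    findings, current = [], None
    for line in log_text.splitlines():
        q = QUERY_RE.search(line)
        c = CODE_RE.search(line)
        if q:
            g = GRANTEE_RE.search(q["sql"])
            current = {"grantor": q["grantor"], "sql": q["sql"], "code": None,
                       "grantee": g["user"] if g else None,
                       "host": g["host"] if g else None}
            findings.append(current)
        elif c and current is not None and current["code"] is None:
            current["code"] = int(c.group(1))  # repeated exception lines are ignored
            current["hint"] = HINTS.get(current["code"], "unrecognised code")
    return [f for f in findings if f["code"] is not None]

def inconsistent_hosts(findings):
    # Map each grantee to the host parts it was addressed under; keep those with more than one.
    hosts = defaultdict(set)
    for f in findings:
        hosts[f["grantee"]].add(f["host"])
    return {user: sorted(h) for user, h in hosts.items() if len(h) > 1}

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["code"], f"{f['grantee']}@{f['host']}", "->", f["hint"])
    print("mixed hosts:", inconsistent_hosts(triage(SAMPLE_LOG)))
```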