Posted to user@ranger.apache.org by Sanket Gaykar <sa...@gmail.com> on 2019/01/04 12:12:12 UTC

ranger fails to connect with hive metastore

Hi,
We have a dedicated instance for Apache Ranger, where we run the
ranger-admin service, also we have installed the Ranger hive plugin on the
instance where HiveServer2 is running. Below are the configurations we have:


   1. Ranger(Ranger-Admin) running on SSL and Kerberos.
   2. HiveServer2 running on SSL and Kerberos.
   3. Hive Metastore (mysql) runs only SSL.

Web Ui has the following configurations:

Service name : hive

Active status: enabled
Username: admin
Password: ***

Extra configurations:

hive.site.file.path: /etc/hive/conf/hive-site.xml
policy.auth.download.users: hive
tag.auth.download.users:hive
enable.hive.metastore.lookup: true

However when ranger tries to connect to Hive Metastore when using auto
suggest while creating policies we get the following error:

SASL negotiation failure. No common protection layer between client and
server.

Re: ranger fails to connect with hive metastore

Posted by Taher Koitawala <ta...@gslab.com>.
Can you please share the whole exception?



Re: ranger fails to connect with hive metastore

Posted by Sanket Gaykar <sa...@gmail.com>.
Hi Ramesh,

Thanks for the reply.

Yes, auto lookup is not compulsory for the hive plugin to work, it's an
additional part. The hive plugin is able to fetch policies from ranger.
We'll definitely try with 2 way ssl and let you know. Just another little
doubt was that we are using 1 way ssl between ranger-admin and ranger-db
and that works fine. Is 2 way ssl a must for auto lookup to work?



On Thu, 10 Jan 2019 at 00:00, Ramesh Mani <rm...@hortonworks.com> wrote:

> Hi Sanket,
>
> Since the issue is just auto lookup of the ranger tables / columns in SSL
> environment, it might be mostly the configuration. Note that it's not
> necessary that the auto lookup should function correctly for ranger hive
> plugin to work. It's just a convenience for looking up the resource. But if
> you want to configure it correctly, check that 2 way SSL between the Ranger
> Admin and HiveServer2 Ranger plugin is configured correctly with trusted
> properly imported.
>
> Please check this out.
>
> https://www.youtube.com/watch?v=Y9MzcyAj3jg
>
> Thanks,
> Ramesh
>
> From: Don Bosco Durai <bo...@apache.org>
> Reply-To: "user@ranger.apache.org" <us...@ranger.apache.org>
> Date: Wednesday, January 9, 2019 at 4:36 AM
> To: "user@ranger.apache.org" <us...@ranger.apache.org>
> Subject: Re: ranger fails to connect with hive metastore
>
> Check the jdbc.url property in the Ranger/Hive Service config. It should
> be the same as what you would have used with beeline on command line.
>
> Bosco
>
> From: Sanket Gaykar <sa...@gmail.com>
> Reply-To: <us...@ranger.apache.org>
> Date: Wednesday, January 9, 2019 at 4:31 AM
> To: <us...@ranger.apache.org>
> Subject: Re: ranger fails to connect with hive metastore
>
> Can someone please address this issue.

Re: ranger fails to connect with hive metastore

Posted by Ramesh Mani <rm...@hortonworks.com>.
Hi Sanket,

Since the issue is just auto lookup of the ranger tables / columns in SSL environment, it might be mostly the configuration. Note that it's not necessary that the auto lookup should function correctly for ranger hive plugin to work. It's just a convenience for looking up the resource. But if you want to configure it correctly, check that 2 way SSL between the Ranger Admin and HiveServer2 Ranger plugin is configured correctly with trusted properly imported.

Please check this out.

https://www.youtube.com/watch?v=Y9MzcyAj3jg

Thanks,
Ramesh

Re: ranger fails to connect with hive metastore

Posted by Don Bosco Durai <bo...@apache.org>.
Check the jdbc.url property in the Ranger/Hive Service config. It should be the same as what you would have used with beeline on command line.

 

Bosco

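The jdbc.url check suggested above, as an added example that is not part of the original thread or of Ranger's code: it splits two HiveServer2 JDBC URLs into hosts, database and `;`-separated session parameters and lists every part that differs, masking password values. The URLs, hostname, realm and truststore path are constructed sample values; `ssl`, `sslTrustStore`, `trustStorePassword`, `principal` and `saslQop` are Hive JDBC session parameters.

```python
# Added example. The URLs, host, realm and truststore path below are constructed.
PREFIX = "jdbc:hive2://"
SECRET_KEYS = {"password", "trustStorePassword", "keyStorePassword"}

def parse_hive_jdbc_url(url):
    """Split jdbc:hive2://hosts/db;sess_vars?hive_conf#hive_vars into parts."""
    if not url.startswith(PREFIX):
        raise ValueError("not a HiveServer2 JDBC URL: %r" % url)
    rest, _, hive_vars = url[len(PREFIX):].partition("#")
    rest, _, hive_conf = rest.partition("?")
    authority, *session = rest.split(";")
    hosts, _, database = authority.partition("/")
    params = {}
    for item in session:
        if item.strip():
            key, _, value = item.partition("=")
            params[key.strip()] = value.strip()
    return {"hosts": hosts, "database": database or "default",
            "hive_conf": hive_conf, "hive_vars": hive_vars, "params": params}

def mask(key, value):
    """Never echo secret values into a ticket or a mailing-list post."""
    return "***" if key in SECRET_KEYS and value is not None else value

def diff_urls(ranger_url, beeline_url):
    """Return (name, ranger_value, beeline_value) for every part that differs."""
    ranger, beeline = parse_hive_jdbc_url(ranger_url), parse_hive_jdbc_url(beeline_url)
    findings = [(f, ranger[f], beeline[f])
                for f in ("hosts", "database", "hive_conf", "hive_vars")
                if ranger[f] != beeline[f]]
    for key in sorted(set(ranger["params"]) | set(beeline["params"])):
        left, right = ranger["params"].get(key), beeline["params"].get(key)
        if left != right:
            findings.append((key, mask(key, left), mask(key, right)))
    return findings

# Constructed sample: the URL saved in the Ranger service vs. one that works in beeline.
RANGER_URL = ("jdbc:hive2://hs2.example.internal:10000/default;"
              "principal=hive/_HOST@EXAMPLE.INTERNAL")
BEELINE_URL = ("jdbc:hive2://hs2.example.internal:10000/default;ssl=true;"
               "sslTrustStore=/etc/security/truststore.jks;trustStorePassword=changeit;"
               "principal=hive/_HOST@EXAMPLE.INTERNAL;saslQop=auth-conf")

if __name__ == "__main__":
    for name, ranger_value, beeline_value in diff_urls(RANGER_URL, BEELINE_URL):
        print("%-20s ranger=%r beeline=%r" % (name, ranger_value, beeline_value))
```
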
Re: ranger fails to connect with hive metastore

Posted by Sanket Gaykar <sa...@gmail.com>.
Can someone please address this issue.
