Posted to user@ranger.apache.org by Rajat Goel <ra...@guavus.com> on 2019/01/17 03:20:49 UTC

Ranger Plugin downloading policies with empty resource{}

Hi,

I have a Kerberised HDP (2.6.5) setup and I am using CDAP, which is integrated with Ranger for policy management. When I log in to the CDAP UI, I don’t see any resources on the UI even though Ranger policies are defined for allowing access to my user. My CDAP Ranger plugin is emitting authorization failed for all requests.

On debugging the issue a bit, I found that Ranger’s policy cache JSON file for CDAP, created on the local file system, has the resources{} section empty for all my CDAP policies, though the rest of the properties in the policy cache JSON file, such as accesses{} and users{}, are present. The CDAP logs have messages like:

2019-01-16 19:06:25,421 INFO  [leader-election-election-master.services] util.PolicyRefresher: PolicyRefresher(serviceName=platacc003-reflex-platform_cdap): found updated version. lastKnownVersion=-1; newVersion=80
2019-01-16 19:06:25,501 WARN  [leader-election-election-master.services] policyresourcematcher.RangerDefaultPolicyResourceMatcher: RangerDefaultPolicyResourceMatcher.init() failed:  policyResources is null or empty, or serviceDef is null. (serviceDef=cdap, policyResourceKeys=, validHierarchy=)
2019-01-16 19:06:25,514 WARN  [leader-election-election-master.services] policyresourcematcher.RangerDefaultPolicyResourceMatcher: RangerDefaultPolicyResourceMatcher.init() failed:  policyResources is null or empty, or serviceDef is null. (serviceDef=cdap, policyResourceKeys=, validHierarchy=)
2019-01-16 19:06:25,514 WARN  [leader-election-election-master.services] policyresourcematcher.RangerDefaultPolicyResourceMatcher: RangerDefaultPolicyResourceMatcher.init() failed:  policyResources is null or empty, or serviceDef is null. (serviceDef=cdap, policyResourceKeys=, validHierarchy=)
2019-01-16 19:06:25,514 WARN  [leader-election-election-master.services] policyresourcematcher.RangerDefaultPolicyResourceMatcher: RangerDefaultPolicyResourceMatcher.init() failed:  policyResources is null or empty, or serviceDef is null. (serviceDef=cdap, policyResourceKeys=, validHierarchy=)
2019-01-16 19:06:25,515 WARN  [leader-election-election-master.services] policyresourcematcher.RangerDefaultPolicyResourceMatcher: RangerDefaultPolicyResourceMatcher.init() failed:  policyResources is null or empty, or serviceDef is null. (serviceDef=cdap, policyResourceKeys=, validHierarchy=)

I checked the Ranger Admin access.log file and saw that the Ranger REST request from CDAP to download policies was successful with a 200 response code. If I manually run the same REST request using curl with admin credentials, it works fine and emits JSON with a valid resource{} section.

Can someone please help here in this regard?

Thanks & Regards,
Rajat


Re: Ranger Plugin downloading policies with empty resource{}

Posted by Ramesh Mani <rm...@hortonworks.com>.
Hi Rajat,

Did you try removing the Ranger policy cache JSON file? Please try that and check in the CDAP debug log whether you are seeing a successful policy download.
If possible, put CDAP in debug and see if there are any exceptions.

Please check this doc.
https://cwiki.apache.org/confluence/display/RANGER/Ranger+installation+in+Kerberized++Environment#RangerinstallationinKerberizedEnvironment-InstallationStepsforRanger-Admin

There is one step which you need to do in Ranger Admin: you need to add the following properties in the "platacc003-reflex-platform_cdap" service.

-> In Custom repo config, add the component user (in your case it would be the user used to download policy = cdap?) as the value for the below properties

  1.   policy.download.auth.users

  2.  tag.download.auth.users

Thanks,
Ramesh


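
A check for the symptom described in this thread, as an added example that is not part of the original posts or of the Ranger or CDAP code: it scans a plugin policy cache JSON for enabled policies whose resources section is empty (or lists a resource key with no values) while grants are still present. The sample cache, the policy names, the user name and the exact JSON layout (`policies`, `policyItems`, `values`) are assumptions constructed for illustration.

```python
import json

# Constructed sample of a policy cache file; layout and names are assumptions.
SAMPLE_CACHE = json.loads("""
{
  "serviceName": "platacc003-reflex-platform_cdap",
  "policyVersion": 80,
  "policies": [
    {"id": 1, "name": "ns-default", "isEnabled": true,
     "resources": {},
     "policyItems": [{"users": ["rajat"], "accesses": [{"type": "read", "isAllowed": true}]}]},
    {"id": 2, "name": "ns-etl", "isEnabled": true,
     "resources": {"namespace": {"values": ["etl"], "isExcludes": false, "isRecursive": false}},
     "policyItems": [{"users": ["rajat"], "accesses": [{"type": "read", "isAllowed": true}]}]},
    {"id": 3, "name": "ns-blank", "isEnabled": true,
     "resources": {"namespace": {"values": []}},
     "policyItems": [{"users": ["rajat"], "accesses": [{"type": "admin", "isAllowed": true}]}]}
  ]
}
""")

def unusable_policies(cache):
    """Return (id, name, reason) for enabled policies with nothing to match on."""
    findings = []
    for p in cache.get("policies") or []:
        if not p.get("isEnabled", True):
            continue  # disabled policies are not evaluated, so skip them
        resources = p.get("resources") or {}
        if not resources:
            findings.append((p.get("id"), p.get("name"), "resources empty"))
            continue
        # A resource key that is present but carries no values is also suspect.
        blank = sorted(k for k, v in resources.items() if not (v or {}).get("values"))
        if blank:
            findings.append((p.get("id"), p.get("name"), "no values for " + ",".join(blank)))
    return findings

def summarize(cache):
    """Summarize the cache; all_unusable=True matches 'every request denied'."""
    bad = unusable_policies(cache)
    total = len(cache.get("policies") or [])
    return {"service": cache.get("serviceName"), "version": cache.get("policyVersion"),
            "total": total, "unusable": len(bad),
            "all_unusable": total > 0 and len(bad) == total}

if __name__ == "__main__":
    for pid, name, reason in unusable_policies(SAMPLE_CACHE):
        print(f"policy {pid} ({name}): {reason}")
    print(summarize(SAMPLE_CACHE))
```

Running the same check against the JSON returned to an admin user and against the plugin's cache file shows whether the difference is in what the plugin's user is served rather than in the policies themselves.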