Posted to user@ranger.apache.org by wenxing zheng <we...@gmail.com> on 2017/06/21 08:23:47 UTC

Ranger HBase plugin doesn't work

Dear all,

I am using the Ranger 0.7.1 against my HBASE 1.2.4. From the log files, I
can see HBase got the policy file correctly. But when I executed the "scan"
command from the "hbase shell", we got "Insufficient permissions".

>
> ERROR: org.apache.hadoop.hbase.security.AccessDeniedException:
> Insufficient permissions for user 'hdfs' (table=users, action=READ)


Appreciated for any hints on how to determine the root cause
Regards, Wenxing

Re: Re: Which file config policy.download.auth.users ?

Posted by "luochong@gdbigdata.com" <lu...@gdbigdata.com>.
Hi,
I have now solved this problem and am sharing the solution.
Problem:
   HDFS fails to download the policy from Ranger Admin in a Kerberos env.   In the namenode log:
2017-07-15 07:28:37,556 WARN org.apache.ranger.admin.client.RangerAdminRESTClient: Error getting policies. secureMode=true, user=nn/admin141.example.com@EXAMPLE.COM (auth:KERBEROS), response={"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}, serviceName=hadooopdev. ret = null

Solved:
   On the Ranger Admin node, add the parameter hadoop.security.authentication in ranger-admin-site.xml.

 The config in my env is as below:

[root@admin141 conf]# pwd
/usr/local/ranger-0.7.0-admin/conf
[root@admin141 conf]# cat ranger-admin-site.xml 
<configuration>
    ... .... 
    <property>
        <name>hadoop.security.authorization</name>
        <value>true</value>
    </property>

    <property>
        <name>hadoop.security.authentication</name>
        <value>kerberos</value>
    </property>

</configuration>


Reason:
  When Ranger Admin receives the request message from hdfs, the following function of the RangerKRBAuthenticationFilter class will be invoked:

public void doFilter(ServletRequest request, ServletResponse response,
        FilterChain filterChain) throws IOException, ServletException {
    String authtype = PropertiesUtil.getProperty(RANGER_AUTH_TYPE);
    HttpServletRequest httpRequest = (HttpServletRequest) request;

    // If the authtype is not kerberos, the else step will be run.
    if (isSpnegoEnable(authtype)) {
        ... ...
    } else {
        // Here RangerAuthenticationEntryPoint::commence() will be called, and hdfs will receive 401.
        filterChain.doFilter(request, response);
    }
}

And check the function isSpnegoEnable(): the system gets the value of the parameter hadoop.security.authentication. In my env, this parameter was not configured, so hdfs failed to download the policy. After I added this parameter, it is OK.



Thanks & Regards




luochong@gdbigdata.com
 
From: luochong@gdbigdata.com
Date: 2017-07-17 11:23
To: user
Subject: Re: Which file config policy.download.auth.users ?
Hi Ramesh,

Thanks for your reply.  I config this parameter in ranger UI, but the error is still exist.  I think i should not find the real reason.

I  read the code and find the error part .   It is in the   RangerAuthenticationEntryPoint::commence()  ( Ranger version : 0.7.0 )

public void commence(HttpServletRequest request,
HttpServletResponse response, AuthenticationException authException)
throws IOException, ServletException {
String ajaxRequestHeader = request.getHeader("X-Requested-With");
  .... .... 
if ("XMLHttpRequest".equals(ajaxRequestHeader)) {  
... .... 
return;
} else {
try {
logger.info("KKKK --- In commence.... ajaxRequestHeader = " + ajaxRequestHeader);  ///  Add one log info.    the ajaxRequestHeader is null. so the ranger admin reply 401.
VXResponse vXResponse = new VXResponse();

vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
vXResponse.setMsgDesc("Authentication Failed");
                                ... .... 
} 
}

 With tcpdump,  this parameter is not exist in tcp message.  But in the hdfs plugin file, this parameter could not be configed.   


Thanks & Regards
Luochong



luochong@gdbigdata.com
 
From: Ramesh Mani
Date: 2017-07-16 03:38
To: user@ranger.apache.org
Subject: Re: Which file config policy.download.auth.users ?
Luochong,

You can update this in the Ranger UI.
Open the HDFS service you created in ranger UI and in the config  you will find “ Add new configuration”. Add these properties there.

Refer this for Screen shots, https://cwiki.apache.org/confluence/display/RANGER/Apache+Ranger+0.5+-+User+Guide?preview=/https%3A%2F%2Flh3.googleusercontent.com%2FFH8RmMq1pIX8w-_L3jqGMt9RtvqLjUH4Ywf68wMapfPWxytFdK8fIVfU7QDelFqC-6vBIqIONkIujEE7OPql-FQgeFmsW3wZSLQiRn5TQGVJWJ2EpevB36gBtUmATNTD1i5_gng

Thanks,
Ramesh


From: "luochong@gdbigdata.com" <lu...@gdbigdata.com>
Reply-To: "user@ranger.apache.org" <us...@ranger.apache.org>
Date: Saturday, July 15, 2017 at 12:24 AM
To: user <us...@ranger.apache.org>
Subject: Which file config policy.download.auth.users ?

Hi
Env: 
Ranger version : 0.7.0
Hdfs : 2.7.0   with kerberos

After I installed hdfs\ ranger\ kerberos  manually,  i found the hdfs fail to download policy from Ranger.  
In the namenode Log:
2017-07-15 07:28:37,556 WARN org.apache.ranger.admin.client.RangerAdminRESTClient: Error getting policies. secureMode=true, user=nn/admin141.example.com@EXAMPLE.COM (auth:KERBEROS), response={"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}, serviceName=hadooopdev. ret = null

Read this document:  https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.5/bk_command-line-upgrade/content/upgrade-ranger_23.html 
In this file, there is one step:
For Download Policy to be successful, use the Ranger UI to update the service configuration with the following custom properties for each supported component:
policy.download.auth.users=<Component service user>
tag.download.auth.users=<Component service user>(if tag download)
So i think it is the reason that hdfs fail to download policy.   I did not config this parameter  policy.download.auth.users   

But i did not know how to config this parameter -- policy.download.auth.users   .   In the internet, this parameter should config in custom repo file.  But i did know the path the custom repo file? 


Thank & Regards



luochong@gdbigdata.com
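
[Added example, not part of the original thread and not Apache Ranger code: a small triage script for the failure described in the message above. It finds RangerAdminRESTClient policy-download failures in a plugin log and reports the ones where a Kerberos-authenticated plugin got 401 while ranger-admin-site.xml lacks hadoop.security.authentication=kerberos. The log text and XML fragments are constructed samples built from the values quoted in the thread; the function names are hypothetical.]

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample: the plugin-side warning quoted in the thread plus one unrelated line.
SAMPLE_LOG = """\
2017-07-15 07:28:07,101 INFO org.apache.hadoop.hdfs.server.namenode.NameNode: constructed unrelated line
2017-07-15 07:28:37,556 WARN org.apache.ranger.admin.client.RangerAdminRESTClient: Error getting policies. secureMode=true, user=nn/admin141.example.com@EXAMPLE.COM (auth:KERBEROS), response={"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}, serviceName=hadooopdev. ret = null
"""

# Constructed ranger-admin-site.xml fragments: before and after the fix from the thread.
ADMIN_SITE_BEFORE = """<configuration>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
</configuration>"""
ADMIN_SITE_AFTER = """<configuration>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
</configuration>"""

FAILURE_RE = re.compile(
    r"RangerAdminRESTClient: Error getting policies\. "
    r"secureMode=(?P<secure>\w+), user=(?P<user>\S+) \(auth:(?P<auth>\w+)\), "
    r"response=(?P<response>\{.*?\}), serviceName=(?P<service>.+?)\. ret = "
)


def policy_download_failures(log_text):
    """Return one dict per failed policy download found in plugin log text."""
    failures = []
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if not m:
            continue
        try:
            response = json.loads(m.group("response"))
        except ValueError:
            response = {}  # keep the finding even if the body is not JSON
        failures.append({
            "secure_mode": m.group("secure") == "true",
            "user": m.group("user"),
            "auth": m.group("auth"),
            "status": response.get("httpStatusCode"),
            "service": m.group("service"),
        })
    return failures


def site_properties(xml_text):
    """Parse a Hadoop-style *-site.xml into a {name: value} dict."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def diagnose(log_text, admin_site_xml):
    """Report Kerberos plugins that got 401 while the admin side is not set to kerberos."""
    auth_mode = site_properties(admin_site_xml).get("hadoop.security.authentication")
    findings = []
    for f in policy_download_failures(log_text):
        kerberos_client = f["auth"] == "KERBEROS"
        admin_kerberos = (auth_mode or "").lower() == "kerberos"
        if f["status"] == 401 and kerberos_client and not admin_kerberos:
            findings.append(
                "%s: %s got 401 over Kerberos, but Ranger Admin has "
                "hadoop.security.authentication=%s"
                % (f["service"], f["user"], auth_mode or "<unset>"))
    return findings


if __name__ == "__main__":
    for label, xml_text in (("before", ADMIN_SITE_BEFORE), ("after", ADMIN_SITE_AFTER)):
        print(label, diagnose(SAMPLE_LOG, xml_text) or "no mismatch found")
```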
 

Re: Which file config policy.download.auth.users ?

Posted by "luochong@gdbigdata.com" <lu...@gdbigdata.com>.
Hi Ramesh,

Thanks for your reply.  I configured this parameter in the Ranger UI, but the error still exists.  I think I have not found the real reason.

I read the code and found the error part.   It is in RangerAuthenticationEntryPoint::commence()  (Ranger version: 0.7.0)

public void commence(HttpServletRequest request,
        HttpServletResponse response, AuthenticationException authException)
        throws IOException, ServletException {
    String ajaxRequestHeader = request.getHeader("X-Requested-With");
    .... ....
    if ("XMLHttpRequest".equals(ajaxRequestHeader)) {
        ... ....
        return;
    } else {
        try {
            // Added one log line. The ajaxRequestHeader is null, so Ranger Admin replies 401.
            logger.info("KKKK --- In commence.... ajaxRequestHeader = " + ajaxRequestHeader);
            VXResponse vXResponse = new VXResponse();

            vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
            vXResponse.setMsgDesc("Authentication Failed");
            ... ....
        }
    }

 With tcpdump, this parameter does not exist in the TCP message.  But in the hdfs plugin file, this parameter cannot be configured.


Thanks & Regards
Luochong



luochong@gdbigdata.com
 
From: Ramesh Mani
Date: 2017-07-16 03:38
To: user@ranger.apache.org
Subject: Re: Which file config policy.download.auth.users ?
Luochong,

You can update this in the Ranger UI.
Open the HDFS service you created in ranger UI and in the config  you will find “ Add new configuration”. Add these properties there.

Refer this for Screen shots, https://cwiki.apache.org/confluence/display/RANGER/Apache+Ranger+0.5+-+User+Guide?preview=/https%3A%2F%2Flh3.googleusercontent.com%2FFH8RmMq1pIX8w-_L3jqGMt9RtvqLjUH4Ywf68wMapfPWxytFdK8fIVfU7QDelFqC-6vBIqIONkIujEE7OPql-FQgeFmsW3wZSLQiRn5TQGVJWJ2EpevB36gBtUmATNTD1i5_gng

Thanks,
Ramesh


From: "luochong@gdbigdata.com" <lu...@gdbigdata.com>
Reply-To: "user@ranger.apache.org" <us...@ranger.apache.org>
Date: Saturday, July 15, 2017 at 12:24 AM
To: user <us...@ranger.apache.org>
Subject: Which file config policy.download.auth.users ?

Hi
Env: 
Ranger version : 0.7.0
Hdfs : 2.7.0   with kerberos

After I installed hdfs\ ranger\ kerberos  manually,  i found the hdfs fail to download policy from Ranger.  
In the namenode Log:
2017-07-15 07:28:37,556 WARN org.apache.ranger.admin.client.RangerAdminRESTClient: Error getting policies. secureMode=true, user=nn/admin141.example.com@EXAMPLE.COM (auth:KERBEROS), response={"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}, serviceName=hadooopdev. ret = null

Read this document:  https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.5/bk_command-line-upgrade/content/upgrade-ranger_23.html 
In this file, there is one step:
For Download Policy to be successful, use the Ranger UI to update the service configuration with the following custom properties for each supported component:
policy.download.auth.users=<Component service user>
tag.download.auth.users=<Component service user>(if tag download)
So i think it is the reason that hdfs fail to download policy.   I did not config this parameter  policy.download.auth.users   

But i did not know how to config this parameter -- policy.download.auth.users   .   In the internet, this parameter should config in custom repo file.  But i did know the path the custom repo file? 


Thank & Regards



luochong@gdbigdata.com
 

Re: Which file config policy.download.auth.users ?

Posted by Ramesh Mani <rm...@hortonworks.com>.
Luochong,

You can update this in the Ranger UI.
Open the HDFS service you created in ranger UI and in the config  you will find “ Add new configuration”. Add these properties there.

Refer this for Screen shots, https://cwiki.apache.org/confluence/display/RANGER/Apache+Ranger+0.5+-+User+Guide?preview=/https%3A%2F%2Flh3.googleusercontent.com%2FFH8RmMq1pIX8w-_L3jqGMt9RtvqLjUH4Ywf68wMapfPWxytFdK8fIVfU7QDelFqC-6vBIqIONkIujEE7OPql-FQgeFmsW3wZSLQiRn5TQGVJWJ2EpevB36gBtUmATNTD1i5_gng

Thanks,
Ramesh


From: "luochong@gdbigdata.com" <lu...@gdbigdata.com>
Reply-To: "user@ranger.apache.org" <us...@ranger.apache.org>
Date: Saturday, July 15, 2017 at 12:24 AM
To: user <us...@ranger.apache.org>
Subject: Which file config policy.download.auth.users ?

Hi
Env:
Ranger version : 0.7.0
Hdfs : 2.7.0   with kerberos

After I installed hdfs\ ranger\ kerberos  manually,  i found the hdfs fail to download policy from Ranger.
In the namenode Log:
2017-07-15 07:28:37,556 WARN org.apache.ranger.admin.client.RangerAdminRESTClient: Error getting policies. secureMode=true, user=nn/admin141.example.com@EXAMPLE.COM (auth:KERBEROS), response={"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}, serviceName=hadooopdev. ret = null

Read this document:  https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.5/bk_command-line-upgrade/content/upgrade-ranger_23.html
In this file, there is one step:

For Download Policy to be successful, use the Ranger UI to update the service configuration with the following custom properties for each supported component:

policy.download.auth.users=<Component service user>
tag.download.auth.users=<Component service user>(if tag download)

So i think it is the reason that hdfs fail to download policy.   I did not config this parameter  policy.download.auth.users

But i did not know how to config this parameter -- policy.download.auth.users   .   In the internet, this parameter should config in custom repo file.  But i did know the path the custom repo file?


Thank & Regards

________________________________
luochong@gdbigdata.com


Which file config policy.download.auth.users ?

Posted by "luochong@gdbigdata.com" <lu...@gdbigdata.com>.
Hi
Env: 
Ranger version : 0.7.0
Hdfs : 2.7.0   with kerberos

After I installed HDFS, Ranger and Kerberos manually, I found that HDFS fails to download the policy from Ranger.
In the namenode Log:
2017-07-15 07:28:37,556 WARN org.apache.ranger.admin.client.RangerAdminRESTClient: Error getting policies. secureMode=true, user=nn/admin141.example.com@EXAMPLE.COM (auth:KERBEROS), response={"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}, serviceName=hadooopdev. ret = null

Read this document:  https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.5/bk_command-line-upgrade/content/upgrade-ranger_23.html 
In this file, there is one step:
For Download Policy to be successful, use the Ranger UI to update the service configuration with the following custom properties for each supported component:
policy.download.auth.users=<Component service user>
tag.download.auth.users=<Component service user>(if tag download)
So I think this is the reason that HDFS fails to download the policy: I did not configure this parameter, policy.download.auth.users.

But I did not know how to configure this parameter, policy.download.auth.users.   On the Internet, it says this parameter should be configured in the custom repo file.  But i did know the path the custom repo file?


Thank & Regards



luochong@gdbigdata.com
 

Re: Two question about ranger usersync

Posted by Bhavik Patel <bh...@gmail.com>.
Hi luochong,

Regarding, *Is there another way to sync user info automatically?*
The Ranger-Usersync process syncs the added users at a particular time interval,
which is in minutes; by default it is set to 5 minutes. The property name is
"SYNC_INTERVAL". So it will sync a newly added user after that interval, or
you have to restart ranger-usersync.
You can update this value in install.properties file and run the setup.sh
script to update the value in the Usersync process, after this you will
have to restart ranger-usersync process.


Regarding,
* How to remove the user info of ranger?*    To delete the user from Ranger
database, you will have to delete the user from Ranger UI manually, as the
Ranger-Usersync process will only add users to Ranger Database.


Regard,
Bhavik Patel
+91-7208744109

On Thu, Jun 22, 2017 at 1:16 PM, luochong@gdbigdata.com <
luochong@gdbigdata.com> wrote:

> Hi,
> Now  I  sync the users  of  Linux OS to Ranger. But i meet two questions.
>
> Ranger Version :  0.7.0
>
> 1) Ranger could not sync OS user info .
>  Steps:
>      1) Execute the command :    ranger-usersync start
>      2)  then create one user in linux :      useradd -d /usr/unix02 -m
> unix02
>      3) Check the ranger database.
>  But I could not find this user -- unix02  in ranger database.   Only
>  restart the ranger-usersync ,  this record can be found.
> In the Internet, there is one record -- https://community.
> hortonworks.com/questions/21170/is-there-a-way-to-force-
> ranger-user-sync.html.   In this, they suggested execute the command  UnixUserGroupBuilder
> manually.
>
> My Question:   Is there another way to sync user info automatically?
>
> 2) Ranger  could not remove the user
>    Steps:
>      1)  add the user in OS system
>      2) Ranger sync this user to ranger database after restart
> ranger-usersync
>      3) delete this user  from OS system
>      4) restart the ranger-usersync.
>
> This deleted user is still in Ranger database,
>
> My question:   How to remove the user info of ranger?
>
>
> Thanks & Regards
>
> ------------------------------
> luochong@gdbigdata.com
>
>

Two question about ranger usersync

Posted by "luochong@gdbigdata.com" <lu...@gdbigdata.com>.
Hi, 
Now I sync the users of the Linux OS to Ranger, but I have two questions.

Ranger Version :  0.7.0

1) Ranger could not sync OS user info.
 Steps:
     1) Execute the command:    ranger-usersync start
     2) Then create one user in Linux:      useradd -d /usr/unix02 -m unix02
     3) Check the Ranger database.
 But I could not find this user, unix02, in the Ranger database.   Only after restarting ranger-usersync can this record be found.
On the Internet, there is one record -- https://community.hortonworks.com/questions/21170/is-there-a-way-to-force-ranger-user-sync.html.   In it, they suggest executing the command UnixUserGroupBuilder manually.

My Question:   Is there another way to sync user info automatically?

2) Ranger  could not remove the user
   Steps:
     1)  add the user in OS system
     2) Ranger sync this user to ranger database after restart ranger-usersync
     3) delete this user  from OS system 
     4) restart the ranger-usersync.   

This deleted user is still in Ranger database,

My question:   How to remove the user info of ranger? 


Thanks & Regards



luochong@gdbigdata.com

Re: Ranger HBase plugin doesn't work

Posted by Madhan Neethiraj <ma...@apache.org>.
To troubleshoot further, consider setting log level to debug for the following packages and trace the policy evaluation details in HBase log files:

    org.apache.ranger.plugin.policyevaluator

    org.apache.ranger.plugin.policyengine

 

Madhan

 

 

From: "luochong@gdbigdata.com" <lu...@gdbigdata.com>
Reply-To: "user@ranger.apache.org" <us...@ranger.apache.org>
Date: Wednesday, June 21, 2017 at 11:17 PM
To: user <us...@ranger.apache.org>
Subject: Re: Ranger HBase plugin doesn't work

 

Hi

Maybe I did not understand your question clearly.   You log in to the HBase system with the user hdfs, and the system checks the access when you execute the command.  When it finds that hdfs has no rights, it throws an exception.

 

It is correct, I think.  Maybe if you log in with another user, it will be OK.

 

Regards

 

luochong@gdbigdata.com

 

From: wenxing zheng

Date: 2017-06-21 16:23

To: user

Subject: Ranger HBase plugin doesn't work

Dear all,

 

I am using the Ranger 0.7.1 against my HBASE 1.2.4. From the log files, I can see HBase got the policy file correctly. But when I executed the "scan" command from the "hbase shell", we got "Insufficient permissions".


ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'hdfs' (table=users, action=READ)

 

Appreciated for any hints on how to determine the root cause

Regards, Wenxing


Re: Ranger HBase plugin doesn't work

Posted by "luochong@gdbigdata.com" <lu...@gdbigdata.com>.
Hi
Maybe I did not understand your question clearly.   You log in to the HBase system with the user hdfs, and the system checks the access when you execute the command.  When it finds that hdfs has no rights, it throws an exception.

It is correct, I think.  Maybe if you log in with another user, it will be OK.

Regards



luochong@gdbigdata.com
 
From: wenxing zheng
Date: 2017-06-21 16:23
To: user
Subject: Ranger HBase plugin doesn't work
Dear all,

I am using the Ranger 0.7.1 against my HBASE 1.2.4. From the log files, I can see HBase got the policy file correctly. But when I executed the "scan" command from the "hbase shell", we got "Insufficient permissions".

ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'hdfs' (table=users, action=READ)

Appreciated for any hints on how to determine the root cause
Regards, Wenxing

Re: Re: Re: Ranger HBase plugin doesn't work

Posted by wenxing zheng <we...@gmail.com>.
we set the setting of "hbase.coprocessor.master.classes" with 4 classes
before executing the plugin installer. and it resulted in wrong
configurations after installation.

On Thu, Jun 29, 2017 at 10:04 AM, <pe...@zte.com.cn> wrote:

> Hi Wenxing Zheng
>
> These configurations are correct after you installed ranger hbase plugin.
> These configurations were updated automatically by hbase plugin installer
> when you installed the ranger hbase plugin.
>
>
>
>
>
> Jianhua Peng
> Original Mail
> *From:* <we...@gmail.com>;
> *To:* 彭建华10069681;
> *Cc:* <de...@ranger.apache.org>;
> *Date:* 2017-06-29 09:32
> *Subject:* *Re: Re: Ranger HBase plugin doesn't work*
>
>
> Dear all,
>
> We found the issue days ago. The root cause was that we have set the
> following 2 configurations with other values instead of the one below in
> HBASE according to some manuals:
>     <property>
>         <name>hbase.coprocessor.master.classes</name>
>
> <value>org.apache.ranger.authorization.hbase.
> RangerAuthorizationCoprocessor</value>
>     </property>
>     <property>
>         <name>hbase.coprocessor.region.classes</name>
>
> <value>org.apache.ranger.authorization.hbase.
> RangerAuthorizationCoprocessor</value>
>     </property>
>
> It works now.
> Thanks,
>
>
>
>

Re: Re: Re: Ranger HBase plugin doesn't work

Posted by pe...@zte.com.cn.

Re: Re: Ranger HBase plugin doesn't work

Posted by wenxing zheng <we...@gmail.com>.
Dear all,

We found the issue days ago. The root cause was that we have set the
following 2 configurations with other values instead of the one below in
HBASE according to some manuals:
    <property>
        <name>hbase.coprocessor.master.classes</name>
        <value>org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor</value>
    </property>
    <property>
        <name>hbase.coprocessor.region.classes</name>
        <value>org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor</value>
    </property>

It works now.
Thanks,
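
[Added example, not part of the original thread and not Apache Ranger code: a check for the root cause reported in the message above. It reads an hbase-site.xml and reports, for each of the two coprocessor keys, whether the Ranger coprocessor is listed and which other classes share the list. Both XML samples are constructed; the com.example.* class names and the function names are hypothetical.]

```python
import xml.etree.ElementTree as ET

RANGER_COPROCESSOR = "org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor"
REQUIRED_KEYS = ("hbase.coprocessor.master.classes", "hbase.coprocessor.region.classes")

# Constructed hbase-site.xml: the master key lists only hypothetical com.example
# classes and the region key is absent.
SITE_BEFORE = """<configuration>
  <property>
    <name>hbase.coprocessor.master.classes</name>
    <value>com.example.FirstObserver, com.example.SecondObserver</value>
  </property>
</configuration>"""

# Constructed hbase-site.xml carrying the two values quoted in the thread.
SITE_AFTER = """<configuration>
  <property>
    <name>hbase.coprocessor.master.classes</name>
    <value>org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor</value>
  </property>
  <property>
    <name>hbase.coprocessor.region.classes</name>
    <value>org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor</value>
  </property>
</configuration>"""


def coprocessor_report(hbase_site_xml):
    """Map each required key to (status, other classes listed beside Ranger's)."""
    props = {}
    for prop in ET.fromstring(hbase_site_xml).iter("property"):
        name = (prop.findtext("name") or "").strip()
        props[name] = prop.findtext("value") or ""
    report = {}
    for key in REQUIRED_KEYS:
        if key not in props:
            report[key] = ("missing", [])
            continue
        # The value is a comma-separated class list; tolerate spaces around commas.
        classes = [c.strip() for c in props[key].split(",") if c.strip()]
        others = [c for c in classes if c != RANGER_COPROCESSOR]
        status = "ok" if RANGER_COPROCESSOR in classes else "ranger-coprocessor-absent"
        report[key] = (status, others)
    return report


def ranger_coprocessor_configured(hbase_site_xml):
    """True only when both keys list the Ranger coprocessor."""
    return all(status == "ok" for status, _ in coprocessor_report(hbase_site_xml).values())


if __name__ == "__main__":
    for label, xml_text in (("before", SITE_BEFORE), ("after", SITE_AFTER)):
        print(label, ranger_coprocessor_configured(xml_text), coprocessor_report(xml_text))
```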

Re: Re: Ranger HBase plugin doesn't work

Posted by pe...@zte.com.cn.


Re: Ranger HBase plugin doesn't work

Posted by wenxing zheng <we...@gmail.com>.
Dear experts,

Appreciated for any advice on how to determine the root cause below.

On Wed, Jun 21, 2017 at 4:23 PM, wenxing zheng <we...@gmail.com>
wrote:

> Dear all,
>
> I am using the Ranger 0.7.1 against my HBASE 1.2.4. From the log files, I
> can see HBase got the policy file correctly. But when I executed the "scan"
> command from the "hbase shell", we got "Insufficient permissions".
>
>>
>> ERROR: org.apache.hadoop.hbase.security.AccessDeniedException:
>> Insufficient permissions for user 'hdfs' (table=users, action=READ)
>
>
> Appreciated for any hints on how to determine the root cause
> Regards, Wenxing
>

Re: Ranger HBase plugin doesn't work

Posted by wenxing zheng <we...@gmail.com>.
Include the DEV for advice.

On Thu, Jun 22, 2017 at 9:43 AM, wenxing zheng <we...@gmail.com>
wrote:

> Appreciated if anyone can help to advice how to do the troubleshooting on
> this issue.
>
> Regards, Wenxing
>
> On Wed, Jun 21, 2017 at 6:07 PM, wenxing zheng <we...@gmail.com>
> wrote:
>
>> It's pity that we already created the policy as shown in the screenshot
>> below.
>>
>> Another question is that we can't see any security logs when we use the
>> user "hdfs" to scan the table.
>>
>> [image: Inline image 1]
>>
>
>

Re: Ranger HBase plugin doesn't work

Posted by wenxing zheng <we...@gmail.com>.
Appreciated if anyone can help to advise how to do the troubleshooting on
this issue.

Regards, Wenxing

On Wed, Jun 21, 2017 at 6:07 PM, wenxing zheng <we...@gmail.com>
wrote:

> It's pity that we already created the policy as shown in the screenshot
> below.
>
> Another question is that we can't see any security logs when we use the
> user "hdfs" to scan the table.
>
> [image: Inline image 1]
>

Re: Ranger HBase plugin doesn't work

Posted by wenxing zheng <we...@gmail.com>.
It's a pity that we already created the policy as shown in the screenshot
below.

Another question is that we can't see any security logs when we use the
user "hdfs" to scan the table.

[image: Inline image 1]

Re: Ranger HBase plugin doesn't work

Posted by Colm O hEigeartaigh <co...@apache.org>.
I suspect you need a policy which grants the "admin" permission to the user
who is running HBase. Create such a policy, then wait for it to be synced
and restart HBase and see if it works. Perhaps HBase is not working
properly due to the lack of this admin policy.

Colm.

On Wed, Jun 21, 2017 at 10:37 AM, wenxing zheng <we...@gmail.com>
wrote:

> Thanks to Colm.
>
> I can't open the png since the blogspot is blocked in China. But I
> attached my policy for your reference.
>
>
> ​
>
> On Wed, Jun 21, 2017 at 5:26 PM, Colm O hEigeartaigh <co...@apache.org>
> wrote:
>
>> What does your policy look like in the Admin UI? It should look something
>> like this:
>>
>> https://3.bp.blogspot.com/-MB0-dK0SSGM/WT_P1CdFg3I/AAAAAAAAA
>> -o/gTF5l7caqwUzwtwHP39DkS0-1cPTvI9fQCLcB/s1600/ranger-hbase.png
>>
>> Colm.
>>
>> On Wed, Jun 21, 2017 at 9:23 AM, wenxing zheng <we...@gmail.com>
>> wrote:
>>
>>> Dear all,
>>>
>>> I am using the Ranger 0.7.1 against my HBASE 1.2.4. From the log files,
>>> I can see HBase got the policy file correctly. But when I executed the
>>> "scan" command from the "hbase shell", we got "Insufficient permissions".
>>>
>>>>
>>>> ERROR: org.apache.hadoop.hbase.security.AccessDeniedException:
>>>> Insufficient permissions for user 'hdfs' (table=users, action=READ)
>>>
>>>
>>> Appreciated for any hints on how to determine the root cause
>>> Regards, Wenxing
>>>
>>
>>
>>
>> --
>> Colm O hEigeartaigh
>>
>> Talend Community Coder
>> http://coders.talend.com
>>
>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Ranger HBase plugin doesn't work

Posted by wenxing zheng <we...@gmail.com>.
Thanks to Colm.

I can't open the png since the blogspot is blocked in China. But I attached
my policy for your reference.


​

On Wed, Jun 21, 2017 at 5:26 PM, Colm O hEigeartaigh <co...@apache.org>
wrote:

> What does your policy look like in the Admin UI? It should look something
> like this:
>
> https://3.bp.blogspot.com/-MB0-dK0SSGM/WT_P1CdFg3I/AAAAAAAAA-o/
> gTF5l7caqwUzwtwHP39DkS0-1cPTvI9fQCLcB/s1600/ranger-hbase.png
>
> Colm.
>
> On Wed, Jun 21, 2017 at 9:23 AM, wenxing zheng <we...@gmail.com>
> wrote:
>
>> Dear all,
>>
>> I am using the Ranger 0.7.1 against my HBASE 1.2.4. From the log files, I
>> can see HBase got the policy file correctly. But when I executed the "scan"
>> command from the "hbase shell", we got "Insufficient permissions".
>>
>>>
>>> ERROR: org.apache.hadoop.hbase.security.AccessDeniedException:
>>> Insufficient permissions for user 'hdfs' (table=users, action=READ)
>>
>>
>> Appreciated for any hints on how to determine the root cause
>> Regards, Wenxing
>>
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>

Re: Ranger HBase plugin doesn't work

Posted by Colm O hEigeartaigh <co...@apache.org>.
What does your policy look like in the Admin UI? It should look something
like this:

https://3.bp.blogspot.com/-MB0-dK0SSGM/WT_P1CdFg3I/AAAAAAAAA-o/gTF5l7caqwUzwtwHP39DkS0-1cPTvI9fQCLcB/s1600/ranger-hbase.png

Colm.

On Wed, Jun 21, 2017 at 9:23 AM, wenxing zheng <we...@gmail.com>
wrote:

> Dear all,
>
> I am using the Ranger 0.7.1 against my HBASE 1.2.4. From the log files, I
> can see HBase got the policy file correctly. But when I executed the "scan"
> command from the "hbase shell", we got "Insufficient permissions".
>
>>
>> ERROR: org.apache.hadoop.hbase.security.AccessDeniedException:
>> Insufficient permissions for user 'hdfs' (table=users, action=READ)
>
>
> Appreciated for any hints on how to determine the root cause
> Regards, Wenxing
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com