Posted to user@ranger.apache.org by Lukas Bradley <lu...@gmail.com> on 2017/04/25 15:31:21 UTC

Apache Ranger 0.7.0 KMS - Service Mgr Create Service - Username/Password?

I've connected the Ranger KMS plugin to the Apache Ranger.  However, during
the KMS setup, I didn't use Kerberos or any user authentication
specification.  In the Service Manager, when attempting to Create the KMS
service using the keyadmin login, I'm being asked for a username/password.

Is there a default one created during setup?  If so, where is this
specified?  I've tried multiple combinations, but nothing works.

Screenshot of the Service Manager admin: http://imgur.com/a/J8Umn

Error message in the admin:

org.apache.ranger.plugin.client.HadoopException: {
"RemoteException" : {
"message" : "User:abc123 not allowed to do 'GET_KEYS'",
"exception" : "AuthorizationException",
"javaClassName" :
"org.apache.hadoop.security.authorize.AuthorizationException"
}
}.
{
"RemoteException" : {
"message" : "User:abc123 not allowed to do 'GET_KEYS'",
"exception" : "AuthorizationException",
"javaClassName" :
"org.apache.hadoop.security.authorize.AuthorizationException"
}
}.

Error message in the KMS (for completeness):

2017-04-25 11:28:38,630 UNAUTHORIZED[op=GET_KEYS, user=abc123]

Thanks for any help.

Lukas

Re: Apache Ranger 0.7.0 KMS - Service Mgr Create Service - Username/Password?

Posted by Colm O hEigeartaigh <co...@apache.org>.
keyadmin/keyadmin works for me.

Colm.


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Apache Ranger 0.7.0 KMS - Service Mgr Create Service - Username/Password?

Posted by Lukas Bradley <lu...@gmail.com>.
Well.... good to know.

I confirmed the service, and everything connected correctly.  I'm also able
to create keys from the command line and see them propagate through the
logs.  I'm sure I'll have more questions soon.

Thank you for your help.

On Thu, Apr 27, 2017 at 10:17 AM, Velmurugan Periasamy <
vperiasamy@hortonworks.com> wrote:

> Hi Lukas:
>
> This issue should not affect KMS functionality (only key lookup from
> ranger admin UI will be affected), so you can go ahead and save the KMS
> service and create necessary policies. To test, you can grant access to the
> users required and try creating the keys from Hadoop CLI. Once this is
> verified, make sure the lookup user configured here has necessary
> permissions to get the key lookup working.
>
> Thanks,
> Vel

Re: Apache Ranger 0.7.0 KMS - Service Mgr Create Service - Username/Password?

Posted by Velmurugan Periasamy <vp...@hortonworks.com>.
Hi Lukas:

This issue should not affect KMS functionality (only key lookup from ranger admin UI will be affected), so you can go ahead and save the KMS service and create necessary policies. To test, you can grant access to the users required and try creating the keys from Hadoop CLI. Once this is verified, make sure the lookup user configured here has necessary permissions to get the key lookup working.

Thanks,
Vel
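
An added example, not part of the original thread or of Apache Ranger's code: a Python check that cross-references the Ranger Admin error text with KMS audit entries to name the user and operation the KMS is denying, which is the user that needs the permission described above. The admin error is condensed from the thread; the second and third audit lines are constructed, and all function names are hypothetical.

```python
import json
import re
from collections import Counter

# KMS audit entry in the form quoted in the thread: "<timestamp> STATUS[k=v, k=v]".
AUDIT_RE = re.compile(r"^\S+ \S+ (?P<status>[A-Z_]+)\[(?P<fields>[^\]]*)\]")
# Denial text carried in the RemoteException "message" field.
DENY_RE = re.compile(r"User:(?P<user>\S+) not allowed to do '(?P<op>\w+)'")

# Admin-side error from the thread (whitespace condensed; the body appears twice).
BODY = ('{"RemoteException" : {"message" : "User:abc123 not allowed to do '
        "'GET_KEYS'\", \"exception\" : \"AuthorizationException\", "
        '"javaClassName" : '
        '"org.apache.hadoop.security.authorize.AuthorizationException"}}')
ADMIN_ERROR = ("org.apache.ranger.plugin.client.HadoopException: "
               + BODY + ".\n" + BODY + ".")

# First line is from the thread; the other two are constructed for the example.
AUDIT_LINES = [
    "2017-04-25 11:28:38,630 UNAUTHORIZED[op=GET_KEYS, user=abc123]",
    "2017-04-25 11:29:10,002 UNAUTHORIZED[op=GET_KEYS, user=abc123]",
    "2017-04-25 11:31:45,417 OK[op=CREATE_KEY, key=demo, user=hdfsuser]",
]

def denied_in_audit(lines):
    """Count UNAUTHORIZED audit entries per (user, op)."""
    counts = Counter()
    for line in lines:
        m = AUDIT_RE.match(line.strip())
        if m and m["status"] == "UNAUTHORIZED":
            f = dict(p.split("=", 1) for p in m["fields"].split(", ") if "=" in p)
            counts[(f.get("user"), f.get("op"))] += 1
    return counts

def denied_in_admin_error(text):
    """Collect (user, op) from each AuthorizationException JSON body in the text."""
    decoder, pairs, pos = json.JSONDecoder(), set(), text.find("{")
    while pos != -1:
        try:
            obj, end = decoder.raw_decode(text, pos)
        except json.JSONDecodeError:
            pos = text.find("{", pos + 1)  # not JSON here, try the next brace
            continue
        remote = obj.get("RemoteException", {}) if isinstance(obj, dict) else {}
        m = DENY_RE.search(remote.get("message", ""))
        if remote.get("exception") == "AuthorizationException" and m:
            pairs.add((m["user"], m["op"]))
        pos = text.find("{", end)
    return pairs

def grants_needed(admin_error, audit_lines):
    """(user, op) pairs the admin UI reported and the KMS audit log confirms."""
    audit = denied_in_audit(audit_lines)
    return sorted(p for p in denied_in_admin_error(admin_error) if audit[p] > 0)

if __name__ == "__main__":
    for user, op in grants_needed(ADMIN_ERROR, AUDIT_LINES):
        print(f"KMS denied {op} for {user}; check the KMS policies for this user")
```
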


From: Lukas Bradley <lu...@gmail.com>
Reply-To: "user@ranger.apache.org" <us...@ranger.apache.org>
Date: Thursday, April 27, 2017 at 10:05 AM
To: "user@ranger.apache.org" <us...@ranger.apache.org>, Colm O hEigeartaigh <co...@apache.org>, Velmurugan Periasamy <ve...@apache.org>
Subject: Re: Apache Ranger 0.7.0 KMS - Service Mgr Create Service - Username/Password?

I've tried reinstalls of both 0.7.0 and 1.0.0-SNAPSHOT, and the keyadmin/keyadmin login does NOT work for setting up the keydev service in Ranger Admin.  It DOES allow me to log into the Ranger Admin itself, but it does NOT authenticate against the KMS itself to create the service link.

Is there any way to specify this username/password during the ranger-kms installation?

Thanks for your help.  If I can get this all working, I'd be happy to update all the documentation.


Re: Apache Ranger 0.7.0 KMS - Service Mgr Create Service - Username/Password?

Posted by Lukas Bradley <lu...@gmail.com>.
I've tried reinstalls of both 0.7.0 and 1.0.0-SNAPSHOT, and the
keyadmin/keyadmin login does NOT work for setting up the keydev service in
Ranger Admin.  It DOES allow me to log into the Ranger Admin itself, but it
does NOT authenticate against the KMS itself to create the service link.

Is there any way to specify this username/password during the ranger-kms
installation?

Thanks for your help.  If I can get this all working, I'd be happy to
update all the documentation.

On Tue, Apr 25, 2017 at 11:44 AM, Velmurugan Periasamy <ve...@apache.org>
wrote:

> Did you try keyadmin/keyadmin? In case of kerberos cluster, a valid
> kerberos principal/password or ranger keytab is needed for that. Please see
> https://cwiki.apache.org/confluence/display/RANGER/Ranger+installation+in+Kerberized++Environment

Re: Apache Ranger 0.7.0 KMS - Service Mgr Create Service - Username/Password?

Posted by Lukas Bradley <lu...@gmail.com>.
Thanks for your response.  This is the screen after logging into Ranger as
keyadmin/keyadmin.  This is the screen when adding the actual KMS service.

The docs say the following:
https://cwiki.apache.org/confluence/display/RANGER/Apache+Ranger+0.5.0+Installation#ApacheRanger0.5.0Installation-RangerUIsetup

Add following property in
ews/webapp/WEB-INF/classes/conf.dist/kms-site.xml : (Replace “testkms1”
with appropriate user who will be used for credential authentication):

[snip]

Then:

Check the user present in ranger which will be used for credential
validation (for e.g (“testkms1”) if not then create that using “admin” login

I've done both of those things, and testkms1 does not work.

Finally, I am not using Kerberos, but that section link had the best
documentation of the bunch... so I tried it.



On Tue, Apr 25, 2017 at 11:44 AM, Velmurugan Periasamy <ve...@apache.org>
wrote:

> Did you try keyadmin/keyadmin? In case of kerberos cluster, a valid
> kerberos principal/password or ranger keytab is needed for that. Please see
> https://cwiki.apache.org/confluence/display/RANGER/Ranger+installation+in+Kerberized++Environment

Re: Apache Ranger 0.7.0 KMS - Service Mgr Create Service - Username/Password?

Posted by Lukas Bradley <lu...@gmail.com>.
I just re-installed using 1.0.0-SNAPSHOT and am still getting the same
login issue:

org.apache.ranger.plugin.client.HadoopException: {
"RemoteException" : {
"message" : "User:keyadmin not allowed to do 'GET_KEYS'",
"exception" : "AuthorizationException",
"javaClassName" :
"org.apache.hadoop.security.authorize.AuthorizationException"
}
}.
{
"RemoteException" : {
"message" : "User:keyadmin not allowed to do 'GET_KEYS'",
"exception" : "AuthorizationException",
"javaClassName" :
"org.apache.hadoop.security.authorize.AuthorizationException"
}
}.

On Tue, Apr 25, 2017 at 11:44 AM, Velmurugan Periasamy <ve...@apache.org>
wrote:

> Did you try keyadmin/keyadmin? In case of kerberos cluster, a valid
> kerberos principal/password or ranger keytab is needed for that. Please see
> https://cwiki.apache.org/confluence/display/RANGER/Ranger+installation+in+Kerberized++Environment

Re: Apache Ranger 0.7.0 KMS - Service Mgr Create Service - Username/Password?

Posted by Velmurugan Periasamy <ve...@apache.org>.
Did you try keyadmin/keyadmin? In case of kerberos cluster, a valid kerberos
principal/password or ranger keytab is needed for that. Please see
https://cwiki.apache.org/confluence/display/RANGER/Ranger+installation+in+Kerberized++Environment
