Posted to dev@ranger.apache.org by "panwu (Jira)" <ji...@apache.org> on 2021/01/03 07:07:00 UTC

[jira] [Created] (RANGER-3138) RangerAdminRESTClient: Error getting policies, 401

panwu created RANGER-3138:
-----------------------------

             Summary: RangerAdminRESTClient: Error getting policies, 401
                 Key: RANGER-3138
                 URL: https://issues.apache.org/jira/browse/RANGER-3138
             Project: Ranger
          Issue Type: Bug
          Components: admin, plugins, Ranger
    Affects Versions: 2.0.0
            Reporter: panwu


I have Ranger 2.0 and a Hadoop cluster with Kerberos.

When I enable the HDFS plugin, the HDFS name node's log shows:
{code:java}
RangerAdminRESTClient: Error getting policies. secureMode=true, user=nn/bigdata-server-05@BDP.COM (auth:KERBEROS), response={"httpStatusCode":401,"statusCode":0}, serviceName=hadoop
{code}
I configured `hadoop.security.auth_to_local` in both Hadoop's core-site.xml and Ranger's server manager.

I saw the same issue in `RANGER-2621`, where getting policies fails with response code 401. Maybe that was caused by an IP in the Kerberos principal, but I am not using one.

hdfs-site.xml (only some name node configs)
{code:java}
dfs.namenode.kerberos.principal=nn/_HOST@BDP.COM
dfs.namenode.keytab.file=/etc/kerberos/hadoop/nn.bdp-05.keytab
dfs.namenode.kerberos.internal.spnego.principal=HTTP@BDP.COM
dfs.web.authentication.kerberos.keytab=/etc/kerberos/hadoop/http.keytab
{code}
Ranger admin's install.properties (kerberos config)
{code:java}
spnego_principal=rangerhttp@BDP.COM
spnego_keytab=/etc/kerberos/ranger/rangerhttp.keytab
token_valid=30
cookie_domain=
cookie_path=/
admin_principal=rangeradmin/bigdata-server-05@BDP.COM
admin_keytab=/etc/kerberos/ranger/rangeradmin.bdp-05.keytab
lookup_principal=rangerlookup/bigdata-server-05@BDP.COM
lookup_keytab=/etc/kerberos/ranger/rangerlookup.bdp-05.keytab
hadoop_conf=/data/bd-components/hadoop-3.1.3/etc/hadoop/
{code}
Ranger-hdfs's install.properties
{code:java}
POLICY_MGR_URL=http://bigdata-server-05:6080
REPOSITORY_NAME=hadoop
CUSTOM_USER=hdfs
CUSTOM_GROUP=hadoop
{code}
HDFS service on Ranger web UI:
{code:java}
Service Name: hadoop
Username: hdfs
password: any
Namenode URL: hdfs://bigdata-server-05:9820
Authorization Enabled: true
Authentication Type: kerberos
hadoop.security.auth_to_local: RULE:[2:$1/$2@$0]([nds]n/.*@BDP\.COM)s/.*/hdfs/ RULE:[2:$1/$2@$0]([rn]m/.*@BDP\.COM)s/.*/yarn/ RULE:[2:$1/$2@$0](jhs/.*@BDP\.COM)s/.*/mapred/
dfs.datanode.kerberos.principal: dn/_HOST@BDP.COM
dfs.namenode.kerberos.principal: nn/_HOST@BDP.COM
dfs.secondary.namenode.kerberos.principa: sn/_HOST@BDP.COM
RPC Protection Type: authentication
tag.download.auth.users: hdfs
policy.download.auth.users: hdfs
{code}



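A diagnostic check for the configuration posted above, added here as an example (not part of the original message and not Ranger or Hadoop code): a simplified Python re-implementation of Hadoop's `auth_to_local` rule evaluation that maps the principal from the log line to a short name and compares it with `policy.download.auth.users`. The function names are hypothetical, the `DEFAULT` rule and `/L` suffix are not handled, and it assumes the download allow-list is matched against the mapped short name.

```python
import re

# Rules, principal and allow-list are copied from the report; the evaluator is
# a simplified sketch of Hadoop's auth_to_local semantics, not Hadoop's code.
AUTH_TO_LOCAL = (
    r"RULE:[2:$1/$2@$0]([nds]n/.*@BDP\.COM)s/.*/hdfs/ "
    r"RULE:[2:$1/$2@$0]([rn]m/.*@BDP\.COM)s/.*/yarn/ "
    r"RULE:[2:$1/$2@$0](jhs/.*@BDP\.COM)s/.*/mapred/"
)
DOWNLOAD_USERS = {"hdfs"}  # policy.download.auth.users

RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\]"        # [component count:format]
    r"(?:\(([^)]*)\))?"                # optional (match regex)
    r"(?:s/([^/]*)/([^/]*)/(g)?)?"     # optional sed-style substitution
)


def short_name(principal, rules=AUTH_TO_LOCAL):
    """Return the local user a principal maps to, or None if no rule applies."""
    name, _, realm = principal.partition("@")
    parts = name.split("/")
    values = [realm] + parts           # $0 is the realm, $1..$n the components
    for m in RULE_RE.finditer(rules):  # rules are tried in order, first hit wins
        count, fmt, match, pat, repl, glob = m.groups()
        if int(count) != len(parts):
            continue
        base = re.sub(r"\$(\d)", lambda g: values[int(g.group(1))], fmt)
        if match and not re.fullmatch(match, base):
            continue
        if pat is not None:
            # Without the trailing g only the first match is replaced.
            base = re.sub(pat, repl, base, count=0 if glob else 1)
        return base
    return None


def may_download(principal):
    """True if the mapped short name is in the policy download allow-list."""
    user = short_name(principal)
    return user is not None and user in DOWNLOAD_USERS


if __name__ == "__main__":
    for p in ("nn/bigdata-server-05@BDP.COM",            # from the log line
              "rangeradmin/bigdata-server-05@BDP.COM"):  # admin_principal
        print(p, "->", short_name(p), "| download allowed:", may_download(p))
```

With the rules as posted, the name node principal resolves to `hdfs`, which is in the allow-list, while principals with a single component or outside the three patterns resolve to nothing.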