Posted to user@ambari.apache.org by Lian Jiang <ji...@gmail.com> on 2018/06/06 18:54:47 UTC

create knox policy for admin topology

I am creating a Ranger policy for the admin user to use the Knox admin topology. My
cluster uses LDAP for authentication. If I set XASecurePDPKnox
authorization to true, then the Ranger admin "test connection" to Knox gets a
403 Forbidden response. If I set XASecurePDPKnox to false, then "test
connection" succeeds.

This sounds like a chicken-and-egg problem. I am creating a policy to allow admin
to access the admin topology, but admin needs Knox access before the policy
can be created. I understand the policy can still be created even if "test
connection" fails. But should I use XASecurePDPKnox=true and add the policy
even though "test connection" fails? Or should I use XASecurePDPKnox=false and
add the policy with a successful "test connection"?

Thanks for any hints.
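The policy the post above is trying to create, as an added example that is not part of this thread: a POSIX shell script that builds the Ranger policy JSON for the Knox service definition (resources "topology" and "service", single access type "allow") and POSTs it to Ranger's public v2 policy API. The Ranger URL, the Knox service repository name (cl1_knox), the Ranger credentials and the user name "admin" are assumptions. One caveat worth knowing: Ranger's "test connection" for a Knox service calls the admin topology with the lookup credentials configured on that service, so with XASecurePDPKnox=true that lookup user also needs an allow policy on topology "admin"; the policy itself can be saved whether or not the test passes.

```shell
#!/bin/sh
# Added example, not code from the thread above. Builds a Ranger access policy
# that allows a user on a Knox topology and submits it through Ranger's public
# v2 REST API. Assumed (not in the thread): the Ranger URL, the Knox service
# repository name and the credentials in RANGER_USER / RANGER_PASS.

RANGER_URL="${RANGER_URL:-http://ranger.example.com:6080}"   # assumed host
KNOX_SERVICE="${KNOX_SERVICE:-cl1_knox}"                     # assumed repo name
RANGER_USER="${RANGER_USER:-admin}"                          # assumed
RANGER_PASS="${RANGER_PASS:-changeme}"                       # assumed

# Print a Ranger policy JSON document for the Knox service definition, which
# has two resources ("topology", "service") and one access type ("allow").
# $1 = topology name, $2 = user to allow, $3 = optional comma-separated list of
# services within the topology (default "*", i.e. every service it exposes).
knox_policy_json() {
  topology="$1"
  user="$2"
  services="${3:-*}"
  # Turn "a,b" into "a","b" so it can be dropped into the JSON array below.
  svc_list=$(printf '%s' "$services" | sed 's/,/","/g')
  cat <<EOF
{
  "service": "$KNOX_SERVICE",
  "name": "knox-$topology-$user",
  "policyType": 0,
  "isEnabled": true,
  "isAuditEnabled": true,
  "resources": {
    "topology": { "values": ["$topology"], "isExcludes": false, "isRecursive": false },
    "service":  { "values": ["$svc_list"], "isExcludes": false, "isRecursive": false }
  },
  "policyItems": [
    {
      "accesses": [ { "type": "allow", "isAllowed": true } ],
      "users": ["$user"],
      "groups": [],
      "delegateAdmin": false
    }
  ]
}
EOF
}

# POST the policy and print only the HTTP status code (201 means created;
# anything else, e.g. a duplicate policy name or a 403 for the Ranger user,
# is a failure and should be inspected in the Ranger admin log).
submit_policy() {
  curl -s -o /dev/null -w '%{http_code}' \
    -u "$RANGER_USER:$RANGER_PASS" \
    -H 'Content-Type: application/json' \
    -X POST "$RANGER_URL/service/public/v2/api/policy" \
    -d "$1"
}

# Stand-alone run: print the policy for user "admin" on topology "admin".
# Set SUBMIT=1 to actually POST it to Ranger.
if [ "${SUBMIT:-0}" = "1" ]; then
  submit_policy "$(knox_policy_json admin admin)"
  echo
else
  knox_policy_json admin admin
fi
```

Running the script with no environment only prints the JSON, which is useful for review before anything touches Ranger; `SUBMIT=1 RANGER_URL=https://ranger:6182 RANGER_PASS='...' sh knox-policy.sh` sends it. The same function covers the lookup user's policy, e.g. `knox_policy_json admin rangerlookup`, since the test connection runs as that user.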

Re: create knox policy for admin topology

Posted by Lian Jiang <ji...@gmail.com>.
I found that the ranger-knox-plugin does not work.

Caused by: java.lang.NoClassDefFoundError: com/sun/jersey/api/client/GenericType
        at org.apache.ranger.plugin.service.RangerBasePlugin.createAdminClient(RangerBasePlugin.java:396)
        at org.apache.ranger.plugin.service.RangerBasePlugin.init(RangerBasePlugin.java:153)
        at org.apache.ranger.authorization.knox.KnoxRangerPlugin.init(KnoxRangerPlugin.java:45)
        at org.apache.ranger.authorization.knox.RangerPDPKnoxFilter.init(RangerPDPKnoxFilter.java:78)
        at org.apache.ranger.authorization.knox.RangerPDPKnoxFilter.init(RangerPDPKnoxFilter.java:129)
        at org.apache.hadoop.gateway.GatewayFilter$Holder.getInstance(GatewayFilter.java:362)
        at org.apache.hadoop.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:331)
        at org.apache.hadoop.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:232)
        at org.apache.hadoop.gateway.identityasserter.common.filter.AbstractIdentityAssertionFilter.doFilterInternal(AbstractIdentityAssertionFilter.java:196)
        at org.apache.hadoop.gateway.identityasserter.common.filter.AbstractIdentityAssertionFilter.continueChainAsPrincipal(AbstractIdentityAssertionFilter.java:153)
        at org.apache.hadoop.gateway.identityasserter.common.filter.CommonIdentityAssertionFilter.doFilter(CommonIdentityAssertionFilter.java:66)
        at org.apache.hadoop.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:332)
        at org.apache.hadoop.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:232)
        at org.apache.hadoop.gateway.filter.rewrite.api.UrlRewriteServletFilter.doFilter(UrlRewriteServletFilter.java:60)
        at org.apache.hadoop.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:61)

https://community.hortonworks.com/content/supportkb/49709/knox-authorization-error-while-accessing-webhdfs.html
describes a similar issue, but its solution is to disable Ranger authorization,
which is not acceptable in my case. Any idea how to resolve this issue?

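A check a practitioner would run before changing anything, as an added example that is not part of this thread: the NoClassDefFoundError above means the JVM could find RangerBasePlugin but not the Jersey client class it references, so the first question is which jars on the gateway classpath, if any, actually contain com/sun/jersey/api/client/GenericType. The script below scans directories of jars for a class file. The Knox install location (/usr/hdp/current/knox-server) and its lib, dep and ext directories are assumptions; adjust them for your layout.

```shell
#!/bin/sh
# Added example, not code from the thread. Lists every jar under the given
# directories that contains a class, so a NoClassDefFoundError can be traced to
# a jar that is genuinely missing rather than one that is present but not on
# the right classpath. Knox directory names below are assumptions.

# $1 = class in JVM path form (e.g. com/sun/jersey/api/client/GenericType),
# remaining args = directories to scan recursively. Prints each jar that
# contains the class; returns 0 if at least one was found, 1 otherwise.
find_class_jar() {
  cls="$1"
  shift
  # A jar is a zip file, so "unzip -l" lists its entries; grep for the
  # .class entry. The pipeline runs in a subshell, so collect its output
  # instead of setting a flag variable inside the loop.
  matches=$(find "$@" -name '*.jar' 2>/dev/null | while read -r jar; do
    if unzip -l "$jar" 2>/dev/null | grep -q "$cls\.class"; then
      echo "$jar"
    fi
  done)
  if [ -n "$matches" ]; then
    echo "$matches"
    return 0
  fi
  return 1
}

# Stand-alone run against the assumed Knox layout: lib/ and dep/ hold the
# gateway's own jars, ext/ is where the ranger-knox-plugin installs its jars.
KNOX_HOME="${KNOX_HOME:-/usr/hdp/current/knox-server}"   # assumed path
find_class_jar com/sun/jersey/api/client/GenericType \
    "$KNOX_HOME/lib" "$KNOX_HOME/dep" "$KNOX_HOME/ext" \
  || echo "com.sun.jersey.api.client.GenericType not found under $KNOX_HOME: the Ranger plugin's Jersey client jar is missing from the gateway classpath"
```

If the class is found only under a directory the gateway does not load, the fix is a classpath problem; if it is found nowhere, the jar the plugin was built against (Jersey 1.x client) is missing from the install and needs to be restored from the plugin distribution rather than worked around by turning authorization off.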