Posted to user@ranger.apache.org by Loïc Chanel <lo...@telecomnancy.net> on 2015/06/18 12:05:41 UTC

Knox group policies not enforced

Hi fellow Ranger users,

As I am using Ranger plugin for Knox, I noticed that group policies are not
applied. For example, if I grant to the group "users" the right to connect
from anywhere, and I try to use WebHDFS with a user of this group, I keep
getting 403 responses from Knox.

In addition, I can't find any audit logs from Knox in Ranger interface, but
I think this is linked to the error I get in gateway.out :
[EL Severe]: ejb: 2015-06-18 11:33:44.253--ServerSession(453422229)--Exception [EclipseLink-4003] (Eclipse Persistence Services - 2.5.2.v20140319-9ad6abd): org.eclipse.persistence.exceptions.DatabaseException
Exception Description: Configuration error.  Class [com.mysql.jdbc.Driver] not found.

This error is actually weird too because the JDBC driver is properly
installed, as I can see audit logs from HDFS repository.

Has anyone an idea of where these errors might come from ?
Thanks in advance for your help,


Loïc

Loïc CHANEL
Engineering student at TELECOM Nancy
Trainee at Worldline - Villeurbanne

Re: Knox group policies not enforced

Posted by Loïc Chanel <lo...@telecomnancy.net>.
Well, I am using Ambari, and it seems that the Agent did not copy the MySQL
connector to the ext/ directory :-/
I will check if this happens again, and keep the community in touch if so.

Thanks a lot for your answers !


Loïc

Loïc CHANEL
Engineering student at TELECOM Nancy
Trainee at Worldline - Villeurbanne


Re: Knox group policies not enforced

Posted by Gautam Borad <gb...@gmail.com>.
Loïc, yes if you are using Ambari, the Ambari agent should copy the mysql
connector to the ext/ directory.

>>Knox does not search for the connector in other directories

It will look for connector only in the directories in the classpath. I know
that the ext is in the classpath, am not aware of other directories :-)





-- 
Regards,
Gautam.

Re: Knox group policies not enforced

Posted by Loïc Chanel <lo...@telecomnancy.net>.
Hi Gautam,

I did not have the connector jar in this directory, and the problem
actually came from here : thanks a lot ! :-)

Still, I'm a little surprised : Knox does not search for the connector in
other directories ? Because as during the configuration we specify to the
Ambari-server the location of mysql-java-connector, Knox should be able to
pull this information, shouldn't it ?

Thanks again,


Loïc

Loïc CHANEL
Engineering student at TELECOM Nancy
Trainee at Worldline - Villeurbanne


Re: Knox group policies not enforced

Posted by Gautam Borad <gb...@gmail.com>.
Hi Loïc
    Can you please check if the connector jar (*mysql-connector-java.jar*)
is present in the knox/ext/ dir?  The jar should be present in the
classpath. Please check and let us know.





-- 
Regards,
Gautam.
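
Added example (not part of the original thread, and not Knox or Ranger code): a Python check that pulls the class named in the EclipseLink "Class [...] not found" error out of gateway.out text and lists which jars in a directory, such as the ext/ directory discussed here, actually contain it. The log text is the error quoted in the first message; the directory and jar files built in demo() are constructed.

```python
import os
import re
import tempfile
import zipfile

# The error as quoted in the thread, including the mail client's line wrapping.
SAMPLE_LOG = """[EL Severe]: ejb: 2015-06-18
11:33:44.253--ServerSession(453422229)--Exception [EclipseLink-4003]
(Eclipse Persistence Services - 2.5.2.v20140319-9ad6abd):
org.eclipse.persistence.exceptions.DatabaseException
Exception Description: Configuration error.  Class [com.mysql.jdbc.Driver]
not found.
"""

# Whitespace is matched loosely so wrapped and unwrapped log lines both match.
MISSING_CLASS = re.compile(
    r"Configuration error\.\s+Class\s+\[([\w.$]+)\]\s+not\s+found"
)


def missing_classes(log_text):
    """Return class names reported as not found, in order, without repeats."""
    seen = []
    for name in MISSING_CLASS.findall(log_text):
        if name not in seen:
            seen.append(name)
    return seen


def jars_providing(class_name, directory):
    """Return sorted names of jars in `directory` that contain `class_name`."""
    entry = class_name.replace(".", "/") + ".class"
    found = []
    if not os.path.isdir(directory):
        return found
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        # isfile() follows symlinks, so a dangling link is skipped here.
        if not name.endswith(".jar") or not os.path.isfile(path):
            continue
        try:
            with zipfile.ZipFile(path) as jar:
                if entry in jar.namelist():
                    found.append(name)
        except zipfile.BadZipFile:
            # A truncated or zero-byte copy is present on disk but unusable.
            continue
    return found


def diagnose(log_text, ext_dir):
    """Map each class missing in the log to the jars in ext_dir providing it."""
    return {cls: jars_providing(cls, ext_dir) for cls in missing_classes(log_text)}


def demo():
    """Run the check on a constructed directory before and after the fix."""
    with tempfile.TemporaryDirectory() as ext_dir:
        # Constructed contents: an unrelated jar and a zero-byte jar.
        with zipfile.ZipFile(os.path.join(ext_dir, "other-lib.jar"), "w") as jar:
            jar.writestr("org/example/Other.class", b"")
        open(os.path.join(ext_dir, "broken.jar"), "wb").close()
        before = diagnose(SAMPLE_LOG, ext_dir)

        # Constructed stand-in for the connector jar named in the thread.
        connector = os.path.join(ext_dir, "mysql-connector-java.jar")
        with zipfile.ZipFile(connector, "w") as jar:
            jar.writestr("com/mysql/jdbc/Driver.class", b"")
        after = diagnose(SAMPLE_LOG, ext_dir)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

An empty list for a class means no jar in that directory can supply it, which is the state the thread describes before the connector was copied in.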

Re: Knox group policies not enforced

Posted by Loïc Chanel <lo...@telecomnancy.net>.
Alok,

I already turned logging on, but it seems I can't see any plugin logs. I
tried to add the following properties :
log4j.logger.org.apache.ranger=DEBUG
log4j.logger.org.apache.ranger.services.knox=DEBUG

But all I can see in the logs are Knox gateway logs, and there is nothing
wrong with them (the only thing I see that is wrong comes from gateway.out,
and is the error I mentioned in my first e-Mail). How can I turn Ranger
plugin logs on ? And where can I find these logs afterwards ?

In addition, I turned on the property "Audit to HDFS", but as I can't find
audit records in the cluster, I think the auditing problem is kind of a
general one.

As far as the policy manager is concerned, I can see audit records for HDFS
repository, so I don't think the problem comes from there.

Do you see a possible origin of the problem ?
Thanks,


Loïc

Loïc CHANEL
Engineering student at TELECOM Nancy
Trainee at Worldline - Villeurbanne


Re: Knox group policies not enforced

Posted by Alok Lal <al...@hortonworks.com>.
I spoke too soon.  I don't think the following is true.  We never let the inability to audit <https://github.com/apache/incubator-ranger/blob/ranger-0.4/agents-impl/src/main/java/com/xasecure/pdp/knox/filter/XASecurePDPKnoxFilter.java#L202-L211> prevent auth.  My bad!

Can you turn logging on (/etc/knox/conf/gateway-log4j.properties) and paste relevant parts from it?




Re: Knox group policies not enforced

Posted by Alok Lal <al...@hortonworks.com>.
I assume you are using ranger-0.4.

  *   Do you see access audit records on the audit page of policy manager?
     *   Writing audits to HDFS is not through JDBC driver.  Only writing to DB needs it.
     *   Further, only audits written to the DB are shown on the audit page - which is why I asked the above question.
  *   It is possible that you have audit turned on to both DB and HDFS?
  *   The way code is today <https://github.com/apache/incubator-ranger/blob/ranger-0.4/agents-impl/src/main/java/com/xasecure/pdp/knox/filter/XASecurePDPKnoxFilter.java#L124-L139> inability to write audit, say, due to a misconfigured JDBC adaptor, would cause authorization to fail, too (because the auth call would throw an unhandled exception).
     *   However, I don't know why that should be related only to membership to a group.
     *   If inability to write to audit is in fact the issue then you should not be able to connect as long as the policy granting you access is audited.  Perhaps you can confirm that to be the case to help narrow the cause.

Alok
