Ranger / RANGER-3138

RangerAdminRESTClient: Error getting policies, 401


    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 2.0.0
    • Fix Version/s: None
    • Component/s: admin, plugins, Ranger
    • Labels:
      None

      Description

      I have Ranger 2.0 and a Hadoop cluster with Kerberos.

      When I enable the HDFS plugin, the HDFS name node's log shows:

      RangerAdminRESTClient: Error getting policies. secureMode=true, user=nn/bigdata-server-05@BDP.COM (auth:KERBEROS), response={"httpStatusCode":401,"statusCode":0}, serviceName=hadoop
      

      I configured `hadoop.security.auth_to_local` in both Hadoop's core-site.xml and Ranger's server manager.

      I saw the same issue in `RANGER-2621`, where getting policies fails and the response code is 401. Maybe that was caused by an IP in the Kerberos principal, but I am not using one.

      hdfs-site.xml (only some name node configs)

      dfs.namenode.kerberos.principal=nn/_HOST@BDP.COM
      dfs.namenode.keytab.file=/etc/kerberos/hadoop/nn.bdp-05.keytab
      dfs.namenode.kerberos.internal.spnego.principal=HTTP@BDP.COM
      dfs.web.authentication.kerberos.keytab=/etc/kerberos/hadoop/http.keytab
      

      Ranger admin's install.properties (kerberos config)

      spnego_principal=rangerhttp@BDP.COM
      spnego_keytab=/etc/kerberos/ranger/rangerhttp.keytab
      token_valid=30
      cookie_domain=
      cookie_path=/
      admin_principal=rangeradmin/bigdata-server-05@BDP.COM
      admin_keytab=/etc/kerberos/ranger/rangeradmin.bdp-05.keytab
      lookup_principal=rangerlookup/bigdata-server-05@BDP.COM
      lookup_keytab=/etc/kerberos/ranger/rangerlookup.bdp-05.keytab
      hadoop_conf=/data/bd-components/hadoop-3.1.3/etc/hadoop/

      Ranger-hdfs's install.properties

      POLICY_MGR_URL=http://bigdata-server-05:6080
      REPOSITORY_NAME=hadoop
      CUSTOM_USER=hdfs
      CUSTOM_GROUP=hadoop
      

      HDFS service on Ranger web UI:

      Service Name: hadoop
      Username: hdfs
      password: any
      Namenode URL: hdfs://bigdata-server-05:9820
      Authorization Enabled: true
      Authentication Type: kerberos
      hadoop.security.auth_to_local: RULE:[2:$1/$2@$0]([nds]n/.*@BDP\.COM)s/.*/hdfs/ RULE:[2:$1/$2@$0]([rn]m/.*@BDP\.COM)s/.*/yarn/ RULE:[2:$1/$2@$0](jhs/.*@BDP\.COM)s/.*/mapred/
      dfs.datanode.kerberos.principal: dn/_HOST@BDP.COM
      dfs.namenode.kerberos.principal: nn/_HOST@BDP.COM
      dfs.secondary.namenode.kerberos.principa: sn/_HOST@BDP.COM
      RPC Protection Type: authentication
      tag.download.auth.users: hdfs
      policy.download.auth.users: hdfs
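
A check of the `hadoop.security.auth_to_local` rules listed above against the principal in the log line, as an added example that is not part of the original report or of Ranger's code. It is a simplified re-implementation of Hadoop's rule syntax, and it assumes the mapped short name is what gets compared with `policy.download.auth.users`.

```python
import re

# Rules and download-user list copied from the HDFS service definition above.
AUTH_TO_LOCAL = (
    r"RULE:[2:$1/$2@$0]([nds]n/.*@BDP\.COM)s/.*/hdfs/ "
    r"RULE:[2:$1/$2@$0]([rn]m/.*@BDP\.COM)s/.*/yarn/ "
    r"RULE:[2:$1/$2@$0](jhs/.*@BDP\.COM)s/.*/mapred/"
)
POLICY_DOWNLOAD_USERS = {"hdfs"}  # policy.download.auth.users

# RULE:[<components>:<format>](<match regex>)s/<from>/<to>/[g]
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\]\((.*?)\)s/([^/]*)/([^/]*)/(g?)(?=\s|$)")


def parse_rules(text):
    """Split an auth_to_local value into rule tuples; fail on unparsed rules."""
    rules = [m.groups() for m in RULE_RE.finditer(text)]
    if len(rules) != text.count("RULE:"):
        raise ValueError("unparsable rule in auth_to_local value")
    return rules


def short_name(principal, rules):
    """Return the short name the first matching rule yields, or None.

    Simplification (assumption): no DEFAULT rule and no /L flag, neither of
    which appears in the rule list on this page.
    """
    name, _, realm = principal.partition("@")
    params = [realm] + name.split("/")          # $0 = realm, $1.. = components
    for count, fmt, match, sed_from, sed_to, glob in rules:
        if int(count) != len(params) - 1:
            continue                            # rule is for another component count
        base = re.sub(r"\$(\d)", lambda m: params[int(m.group(1))], fmt)
        if re.fullmatch(match, base):           # the rule filter must match the whole string
            return re.sub(sed_from, sed_to, base, count=0 if glob else 1)
    return None


def may_download_policies(principal):
    """True when the mapped short name is listed in policy.download.auth.users."""
    return short_name(principal, parse_rules(AUTH_TO_LOCAL)) in POLICY_DOWNLOAD_USERS


if __name__ == "__main__":
    for p in ("nn/bigdata-server-05@BDP.COM",           # user= in the name node log
              "rangeradmin/bigdata-server-05@BDP.COM",  # admin_principal
              "HTTP@BDP.COM"):                          # internal.spnego.principal
        print(p, "->", short_name(p, parse_rules(AUTH_TO_LOCAL)), may_download_policies(p))
```

A `None` result means no rule in the list applies to that principal, which is the case where a rule-based mapping needs a further rule or a default.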


            People

            • Assignee: Unassigned
            • Reporter: panwu