Uploaded image for project: 'Ranger'
  1. Ranger
  2. RANGER-3138

RangerAdminRESTClient: Error getting policies, 401

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 2.0.0
    • Fix Version/s: None
    • Component/s: admin, plugins, Ranger
    • Labels:
      None

      Description

      I have Ranger 2.0, and Hadoop cluster with Kerberos.

      When I enable HDFS plugin, in HDFS name node's log:

      RangerAdminRESTClient: Error getting policies. secureMode=true, user=nn/bigdata-server-05@BDP.COM (auth:KERBEROS), response={"httpStatusCode":401,"statusCode":0}, serviceName=hadoop

      I was config the `hadoop.security.auth_to_local` both Hadoop's core-site.xml and Ranger's server manager.

      I saw the same issue `RANGER-2621`  with getting policies to fail, and the response code is 401. Maybe that caused by IP in Kerberos principal but I am not.

      hdfs-site.xml (only some name node configs)

      dfs.namenode.kerberos.principal=nn/_HOST@BDP.COM
dfs.namenode.keytab.file=/etc/kerberos/hadoop/nn.bdp-05.keytab
dfs.namenode.kerberos.internal.spnego.principal=HTTP@BDP.COM
dfs.web.authentication.kerberos.keytab=/etc/kerberos/hadoop/http.keytab

      Ranger admin's install.properties (kerberos config)

      spnego_principal=rangerhttp@BDP.COM
spnego_keytab=/etc/kerberos/ranger/rangerhttp.keytab
token_valid=30
cookie_domain=
cookie_path=/
admin_principal=rangeradmin/bigdata-server-05@BDP.COM
admin_keytab=/etc/kerberos/ranger/rangeradmin.bdp-05.keytab
lookup_principal=rangerlookup/bigdata-server-05@BDP.COM
lookup_keytab=/etc/kerberos/ranger/rangerlookup.bdp-05.keytab
hadoop_conf=/data/bd-components/hadoop-3.1.3/etc/hadoop/

      Ranger-hdfs's install.properties

      POLICY_MGR_URL=http://bigdata-server-05:6080
REPOSITORY_NAME=hadoop
CUSTOM_USER=hdfs
CUSTOM_GROUP=hadoop

      HDFS service on Ranger web UI:

      Service Name: hadoop
Username: hdfs
password: any
Namenode URL: hdfs://bigdata-server-05:9820
Authorization Enabled: true
Authentication Type: kerberos
hadoop.security.auth_to_local: RULE:[2:$1/$2@$0]([nds]n/.*@BDP\.COM)s/.*/hdfs/ RULE:[2:$1/$2@$0]([rn]m/.*@BDP\.COM)s/.*/yarn/ RULE:[2:$1/$2@$0](jhs/.*@BDP\.COM)s/.*/mapred/
dfs.datanode.kerberos.principal: dn/_HOST@BDP.COM
dfs.namenode.kerberos.principal: nn/_HOST@BDP.COM
dfs.secondary.namenode.kerberos.principa: sn/_HOST@BDP.COM
RPC Protection Type: authentication
tag.download.auth.users: hdfs
policy.download.auth.users: hdfs

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              .xJUxb3Q_z7prWk panwu
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated: