Uploaded image for project: 'Ranger'
  1. Ranger
  2. RANGER-3237

The Hive plugin cannot synchronize policy information after Kerberos is enabled

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Open
    • Priority: Blocker
    • Resolution: Unresolved
    • Affects Version/s: 2.1.0
    • Fix Version/s: None
    • Component/s: admin, plugins
    • Labels:
      None
    • Environment:
      CDH6.3.1
      CM 6.3.2
      Ranger 2.1.0
      Kerberos : FreeIPA
    • Flags:
      Important

      Description

      I have a question

      when  i  enable  kerberos , hive plugin can't sync info to hiveservice  ,i see log ,But there was no useful information,  if no have kerberos  ,The function is normal ,so ,who can help me?

      =============================================================

      question1:

      in hive policy server config  ,i  click  test connection   show me  Error 

      detail :

      Connection Failed.
      Unable to retrieve any files using given parameters, You can still save the repository and start creating policies, but you would not be able to use autocomplete for resource names. Check ranger_admin.log for more info.

      org.apache.ranger.plugin.client.HadoopException: Unable to execute SQL [show databases like "*"]..
      Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [hive] does not have [USE] privilege on [*].
      Permission denied: user [hive] does not have [USE] privilege on [*].
       

      question2:

      hive plugin can't sync info to hiveservice   

      show me Error  401  from  hive log and rangeradmin log

      some info

      hostname : idc-bigdata-185-56.jdy.kd.internal

      principal:   ranger.keytab

      Keytab name: FILE:ranger.keytab
      KVNO Timestamp Principal
      ---- ------------------- ------------------------------------------------------
      1 04/09/2021 13:51:55 HTTP/idc-bigdata-185-56.jdy.kd.internal@JDY.KD.INTERNAL
      1 04/09/2021 13:51:55 HTTP/idc-bigdata-185-56.jdy.kd.internal@JDY.KD.INTERNAL
      1 04/09/2021 13:51:55 HTTP/idc-bigdata-185-56.jdy.kd.internal@JDY.KD.INTERNAL
      1 04/09/2021 13:51:55 HTTP/idc-bigdata-185-56.jdy.kd.internal@JDY.KD.INTERNAL
      1 04/09/2021 13:51:55 HTTP/idc-bigdata-185-56.jdy.kd.internal@JDY.KD.INTERNAL
      1 04/09/2021 13:51:55 HTTP/idc-bigdata-185-56.jdy.kd.internal@JDY.KD.INTERNAL
      1 04/09/2021 13:52:12 rangeradmin/idc-bigdata-185-56.jdy.kd.internal@JDY.KD.INTERNAL
      1 04/09/2021 13:52:12 rangeradmin/idc-bigdata-185-56.jdy.kd.internal@JDY.KD.INTERNAL
      1 04/09/2021 13:52:12 rangeradmin/idc-bigdata-185-56.jdy.kd.internal@JDY.KD.INTERNAL
      1 04/09/2021 13:52:12 rangeradmin/idc-bigdata-185-56.jdy.kd.internal@JDY.KD.INTERNAL
      1 04/09/2021 13:52:12 rangeradmin/idc-bigdata-185-56.jdy.kd.internal@JDY.KD.INTERNAL
      1 04/09/2021 13:52:12 rangeradmin/idc-bigdata-185-56.jdy.kd.internal@JDY.KD.INTERNAL
      1 04/09/2021 13:52:23 rangerlookup/idc-bigdata-185-56.jdy.kd.internal@JDY.KD.INTERNAL
      1 04/09/2021 13:52:23 rangerlookup/idc-bigdata-185-56.jdy.kd.internal@JDY.KD.INTERNAL
      1 04/09/2021 13:52:23 rangerlookup/idc-bigdata-185-56.jdy.kd.internal@JDY.KD.INTERNAL
      1 04/09/2021 13:52:23 rangerlookup/idc-bigdata-185-56.jdy.kd.internal@JDY.KD.INTERNAL
      1 04/09/2021 13:52:23 rangerlookup/idc-bigdata-185-56.jdy.kd.internal@JDY.KD.INTERNAL
      1 04/09/2021 13:52:23 rangerlookup/idc-bigdata-185-56.jdy.kd.internal@JDY.KD.INTERNAL

      ============================================================

      ranger admin install.properties

      spnego_principal=HTTP/idc-bigdata-185-56.jdy.kd.internal@JDY.KD.INTERNAL
      spnego_keytab=/data/service/ranger/ranger.keytab
      token_valid=30
      cookie_domain=idc-bigdata-185-56.jdy.kd.internal
      cookie_path=/
      admin_principal=rangeradmin/idc-bigdata-185-56.jdy.kd.internal@JDY.KD.INTERNAL
      admin_keytab=/data/service/ranger/ranger.keytab
      lookup_principal=rangerlookup/idc-bigdata-185-56.jdy.kd.internal@JDY.KD.INTERNAL
      lookup_keytab=/data/service/ranger/ranger.keytab
      hadoop_conf=/opt/cloudera/parcels/CDH/lib/hadoop/etc/hadoop

      ranger hive install.properties

      POLICY_MGR_URL=http://idc-bigdata-185-56.jdy.kd.internal:6080

      REPOSITORY_NAME=HIVE_CDH

      COMPONENT_INSTALL_DIR_NAME=/opt/cloudera/parcels/CDH/lib/hive

      ranger admin UI  hive policy service

      Service Name : HIVE_CDH
      Username :  hive@JDY.KD.INTERNAL
      jdbc.driverClassName :org.apache.hive.jdbc.HiveDriver
      jdbc.url : jdbc:hive2://idc-bigdata-185-57.jdy.kd.internal:2181,idc-bigdata-185-58.jdy.kd.internal:2181,idc-bigdata-185-59.jdy.kd.internal:2181/;principal=hive/_HOST@JDY.KD.INTERNA;serviceDiscoveryMode=zooKeeper;user=hive;zooKeeperNamespace=hiveserver2
       

      hive log info :

      stdout.log

      [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting Roles. secureMode=true, user=hive/idc-bigdata-185-56.jdy.kd.internal@JDY.KD.INTERNAL (auth:KERBEROS), response=

      {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}

      , serviceName=HIVE_CDH
      [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting policies. secureMode=true, user=hive/idc-bigdata-185-56.jdy.kd.internal@JDY.KD.INTERNAL (auth:KERBEROS), response=

      {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}

      , serviceName=HIVE_CDH
      [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting Roles. secureMode=true, user=hive/idc-bigdata-185-56.jdy.kd.internal@JDY.KD.INTERNAL (auth:KERBEROS), response=

      {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}

      , serviceName=HIVE_CDH
      [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting policies. secureMode=true, user=hive/idc-bigdata-185-56.jdy.kd.internal@JDY.KD.INTERNAL (auth:KERBEROS), response=

      {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}

      , serviceName=HIVE_CDH
      [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting Roles. secureMode=true, user=hive/idc-bigdata-185-56.jdy.kd.internal@JDY.KD.INTERNAL (auth:KERBEROS), response=

      {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}

      , serviceName=HIVE_CDH
      [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting policies. secureMode=true, user=hive/idc-bigdata-185-56.jdy.kd.internal@JDY.KD.INTERNAL (auth:KERBEROS), response=

      {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}

      , serviceName=HIVE_CDH
      [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting Roles. secureMode=true, user=hive/idc-bigdata-185-56.jdy.kd.internal@JDY.KD.INTERNAL (auth:KERBEROS), response=

      {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}

      , serviceName=HIVE_CDH
      [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting policies. secureMode=true, user=hive/idc-bigdata-185-56.jdy.kd.internal@JDY.KD.INTERNAL (auth:KERBEROS), response=

      {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}

      , serviceName=HIVE_CDH
      [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting Roles. secureMode=true, user=hive/idc-bigdata-185-56.jdy.kd.internal@JDY.KD.INTERNAL (auth:KERBEROS), response=

      {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}

      , serviceName=HIVE_CDH
      [esher(serviceName=HIVE_CDH)-22] RangerAdminRESTClient WARN Error getting policies. secureMode=true, user=hive/idc-bigdata-185-56.jdy.kd.internal@JDY.KD.INTERNAL (auth:KERBEROS), response=

      {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}

      , serviceName=HIVE_CDH

      ============================================================

      ranger access log

      access_log.2021-04-12.log

      172.20.185.56 - - [12/Apr/2021:09:50:08 +0000] "GET /service/plugins/secure/policies/download/HIVE_CDH?supportsPolicyDeltas=false&pluginId=hiveServer2%40idc-bigdata-185-56.jdy.kd.internal-HIVE_CDH&clusterName=&lastActivationTime=1618217528949&pluginCapabilities=fff&lastKnownVersion=1 HTTP/1.1" 401 52 "" "Java/1.8.0_281"
      172.20.185.56 - - [12/Apr/2021:09:50:38 +0000] "GET /service/roles/secure/download/HIVE_CDH?pluginId=hiveServer2%40idc-bigdata-185-56.jdy.kd.internal-HIVE_CDH&clusterName=&lastActivationTime=1618217528903&pluginCapabilities=fff&lastKnownRoleVersion=1 HTTP/1.1" 401 52 "" "Java/1.8.0_281"
      172.20.185.56 - - [12/Apr/2021:09:50:38 +0000] "GET /service/plugins/secure/policies/download/HIVE_CDH?supportsPolicyDeltas=false&pluginId=hiveServer2%40idc-bigdata-185-56.jdy.kd.internal-HIVE_CDH&clusterName=&lastActivationTime=1618217528949&pluginCapabilities=fff&lastKnownVersion=1 HTTP/1.1" 401 52 "" "Java/1.8.0_281"
      172.20.185.56 - - [12/Apr/2021:09:51:08 +0000] "GET /service/roles/secure/download/HIVE_CDH?pluginId=hiveServer2%40idc-bigdata-185-56.jdy.kd.internal-HIVE_CDH&clusterName=&lastActivationTime=1618217528903&pluginCapabilities=fff&lastKnownRoleVersion=1 HTTP/1.1" 401 52 "" "Java/1.8.0_281"
      172.20.185.56 - - [12/Apr/2021:09:51:08 +0000] "GET /service/plugins/secure/policies/download/HIVE_CDH?supportsPolicyDeltas=false&pluginId=hiveServer2%40idc-bigdata-185-56.jdy.kd.internal-HIVE_CDH&clusterName=&lastActivationTime=1618217528949&pluginCapabilities=fff&lastKnownVersion=1 HTTP/1.1" 401 52 "" "Java/1.8.0_281"
      172.20.185.56 - - [12/Apr/2021:09:51:38 +0000] "GET /service/roles/secure/download/HIVE_CDH?pluginId=hiveServer2%40idc-bigdata-185-56.jdy.kd.internal-HIVE_CDH&clusterName=&lastActivationTime=1618217528903&pluginCapabilities=fff&lastKnownRoleVersion=1 HTTP/1.1" 401 52 "" "Java/1.8.0_281"
      172.20.185.56 - - [12/Apr/2021:09:51:38 +0000] "GET /service/plugins/secure/policies/download/HIVE_CDH?supportsPolicyDeltas=false&pluginId=hiveServer2%40idc-bigdata-185-56.jdy.kd.internal-HIVE_CDH&clusterName=&lastActivationTime=1618217528949&pluginCapabilities=fff&lastKnownVersion=1 HTTP/1.1" 401 52 "" "Java/1.8.0_281"

       

       

       

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              kkx1100 kangkaixin
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated: