Ranger / RANGER-3602

Cannot access REST API when Ranger is authenticated with Kerberos.


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Not A Bug
    • Affects Version/s: 2.2.0
    • Fix Version/s: None
    • Component/s: admin
    • Labels: None

    Description

      When I configured Ranger with Kerberos, I cannot access its RESTful API with

      ranger.admin.allow.unauthenticated.access = false

       

      # ranger.admin.allow.unauthenticated.access = false in ranger-admin-site.xml
      ]$ curl -v 'http://localhost:6080/service/plugins/policies/download/kmsdev' 
      < HTTP/1.1 200 OK
      
      # ranger.admin.allow.unauthenticated.access = true in ranger-admin-site.xml
      ]$ kinit freeman@SA 
      Password for freeman@SA: 
      ]$ klist
      Ticket cache: KCM:1000
      Default principal: freeman@SA
      ]$ curl -v -u: --negotiate 'http://localhost:6080/service/plugins/policies/download/kmsdev'
      *   Trying ::1...
      * TCP_NODELAY set
      * Connected to localhost (::1) port 6080 (#0)
      > GET /service/plugins/policies/download/kmsdev HTTP/1.1
      > Host: localhost:6080
      > User-Agent: curl/7.61.1
      > Accept: */*
      > 
      < HTTP/1.1 404 Not Found
      < Content-Length: 0
      < Date: Thu, 27 Jan 2022 12:30:26 GMT
      < Server: Apache Ranger
      < 
      * Connection #0 to host localhost left intact

       

       

      curl does not even have a chance to do authentication.

       

      My configurations:

      core-site.xml

       

      <configuration>
        <property>
          <name>hadoop.security.authentication</name>
          <value>kerberos</value>
        </property>
        <property>
          <name>hadoop.security.authorization</name>
          <value>true</value>
        </property>
        <property>
          <name>hadoop.security.auth_to_local</name>
          <value>
      RULE:[1:$1@$0](^.*$)s/^(.*)@.*$/$1/
      RULE:[2:$1@$0](^.*$)s/^(.*)@.*$/$1/
      DEFAULT
          </value>
        </property>
      </configuration> 

       

       

      ranger-admin-kms.xml

       

      <configuration>
      ...
             <property>
                      <name>ranger.service.https.attrib.ssl.enabled</name>
                      <value>false</value>
              </property>
              <property>
                      <name>ranger.service.host</name>
                      <value>localhost</value>
              </property>
              <property>
                      <name>ranger.service.http.port</name>
                      <value>6080</value>
              </property>
      
             <property>
                      <name>ranger.admin.kerberos.keytab</name>
                      <value>/sensorsdata/main/program/rogue/ranger_admin/conf/ranger.keytab</value>
              </property>
              <property>
                      <name>ranger.spnego.kerberos.principal</name>
                      <value>HTTP/kirbytest01.sa@SA</value>
              </property>
              <property>
                      <name>ranger.spnego.kerberos.keytab</name>
                      <value>/sensorsdata/main/program/rogue/ranger_admin/conf/ranger.keytab</value>
              </property>
              <property>
                      <name>ranger.lookup.kerberos.principal</name>
                      <value>rangerlookup/kirbytest01.sa@SA</value>
              </property>
              <property>
                      <name>ranger.lookup.kerberos.keytab</name>
                      <value>/sensorsdata/main/program/rogue/ranger_admin/conf/ranger.keytab</value>
              </property>
      
              <property>
                      <name>ranger.admin.allow.unauthenticated.access</name>
                      <value>false</value>
                      <!-- it is default -->
              </property>
      ...
      </configuration> 

       

      Workaround:

      set "ranger.admin.allow.unauthenticated.access" = "true" in ranger-admin-site.xml 

       

      I have no idea now.
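
      The following is an added example, not part of the original report and not Ranger project code: a small audit of a Hadoop-style Ranger Admin site file that flags the workaround setting and related Kerberos/HTTP settings quoted above. The sample XML and its keytab path are constructed, the check ids are hypothetical, the `false` default for `ranger.admin.allow.unauthenticated.access` is taken from the reporter's comment, and the host comparison is a heuristic.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the properties quoted in the report.
SAMPLE_SITE_XML = """<configuration>
  <property><name>ranger.service.https.attrib.ssl.enabled</name><value>false</value></property>
  <property><name>ranger.service.host</name><value>localhost</value></property>
  <property><name>ranger.spnego.kerberos.principal</name><value>HTTP/kirbytest01.sa@SA</value></property>
  <property><name>ranger.spnego.kerberos.keytab</name><value>/etc/ranger/ranger.keytab</value></property>
  <property><name>ranger.lookup.kerberos.keytab</name><value>/etc/ranger/ranger.keytab</value></property>
  <property><name>ranger.admin.allow.unauthenticated.access</name><value>true</value></property>
</configuration>"""

def load_props(xml_text):
    """Return {name: value} from a Hadoop-style <configuration> document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit(props):
    """Return a list of (check_id, message) findings for a Ranger Admin config."""
    findings = []
    # Default of "false" is an assumption taken from the reporter's XML comment.
    if props.get("ranger.admin.allow.unauthenticated.access", "false").lower() == "true":
        findings.append(("UNAUTH_ACCESS", "unauthenticated access is allowed (the report's workaround)"))
    if props.get("ranger.service.https.attrib.ssl.enabled", "false").lower() != "true":
        findings.append(("NO_TLS", "HTTPS is disabled; SPNEGO tokens and policies travel over plain HTTP"))
    # Heuristic: SPNEGO clients normally request a ticket for HTTP/<host in the URL>.
    principal = props.get("ranger.spnego.kerberos.principal", "")
    spn_host = principal.partition("/")[2].partition("@")[0]
    svc_host = props.get("ranger.service.host", "")
    if spn_host and svc_host and spn_host.lower() != svc_host.lower():
        findings.append(("SPN_HOST_MISMATCH", f"SPNEGO principal host {spn_host!r} != service host {svc_host!r}"))
    # One keytab file shared by several principals widens the impact of a leak.
    keytabs = {}
    for key, val in props.items():
        if key.endswith(".kerberos.keytab") and val:
            keytabs.setdefault(val, []).append(key)
    for path, keys in sorted(keytabs.items()):
        if len(keys) > 1:
            findings.append(("SHARED_KEYTAB", f"{path} is used by {', '.join(sorted(keys))}"))
    return findings

if __name__ == "__main__":
    for check_id, message in audit(load_props(SAMPLE_SITE_XML)):
        print(f"[{check_id}] {message}")
```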

       


          People

            Assignee: Unassigned
            Reporter: kirby zhou (kirbyzhou)