Details
Bug
Status: Resolved
Major
Resolution: Not A Bug
2.2.0
None
None
Description
When I configured Ranger with Kerberos, I cannot access its RESTful API with
ranger.admin.allow.unauthenticated.access = false
# ranger.admin.allow.unauthenticated.access = false in ranger-admin-site.xml
]$ curl -v 'http://localhost:6080/service/plugins/policies/download/kmsdev'
< HTTP/1.1 200 OK
# ranger.admin.allow.unauthenticated.access = true in ranger-admin-site.xml
]$ kinit freeman@SA
Password for freeman@SA:
]$ klist
Ticket cache: KCM:1000
Default principal: freeman@SA
]$ curl -v -u: --negotiate 'http://localhost:6080/service/plugins/policies/download/kmsdev'
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 6080 (#0)
> GET /service/plugins/policies/download/kmsdev HTTP/1.1
> Host: localhost:6080
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Content-Length: 0
< Date: Thu, 27 Jan 2022 12:30:26 GMT
< Server: Apache Ranger
<
* Connection #0 to host localhost left intact
curl does not even have a chance to do authentication.
My configurations:
core-site.xml
<configuration>
<property>
<name>hadoop.security.authentication</name>
<value>kerberos</value>
</property>
<property>
<name>hadoop.security.authorization</name>
<value>true</value>
</property>
<property>
<name>hadoop.security.auth_to_local</name>
<value>
RULE:[1:$1@$0](^.*$)s/^(.*)@.*$/$1/
RULE:[2:$1@$0](^.*$)s/^(.*)@.*$/$1/
DEFAULT
</value>
</property>
</configuration>
ranger-admin-kms.xml
<configuration>
...
<property>
<name>ranger.service.https.attrib.ssl.enabled</name>
<value>false</value>
</property>
<property>
<name>ranger.service.host</name>
<value>localhost</value>
</property>
<property>
<name>ranger.service.http.port</name>
<value>6080</value>
</property>
<property>
<name>ranger.admin.kerberos.keytab</name>
<value>/sensorsdata/main/program/rogue/ranger_admin/conf/ranger.keytab</value>
</property>
<property>
<name>ranger.spnego.kerberos.principal</name>
<value>HTTP/kirbytest01.sa@SA</value>
</property>
<property>
<name>ranger.spnego.kerberos.keytab</name>
<value>/sensorsdata/main/program/rogue/ranger_admin/conf/ranger.keytab</value>
</property>
<property>
<name>ranger.lookup.kerberos.principal</name>
<value>rangerlookup/kirbytest01.sa@SA</value>
</property>
<property>
<name>ranger.lookup.kerberos.keytab</name>
<value>/sensorsdata/main/program/rogue/ranger_admin/conf/ranger.keytab</value>
</property>
<property>
<name>ranger.admin.allow.unauthenticated.access</name>
<value>false</value> <!-- it is default -->
</property>
...
</configuration>
Workaround:
set "ranger.admin.allow.unauthenticated.access" = "true" in ranger-admin-site.xml
I have no idea now.
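
Added example (not part of the original report and not Ranger project code): a small audit of a Hadoop-style site file for the settings discussed above. It flags the workaround being left enabled and compares the host in the SPNEGO principal with the host clients put in the URL. The function names and finding strings are hypothetical, the sample XML is constructed from values shown in the report, and the host comparison is a consistency check, not the resolution recorded on this issue.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample, built from property values shown in the report,
# with the workaround (unauthenticated access = true) applied.
SAMPLE_SITE_XML = """<configuration>
<property><name>ranger.service.host</name><value>localhost</value></property>
<property><name>ranger.spnego.kerberos.principal</name><value>HTTP/kirbytest01.sa@SA</value></property>
<property><name>ranger.spnego.kerberos.keytab</name><value>/sensorsdata/main/program/rogue/ranger_admin/conf/ranger.keytab</value></property>
<property><name>ranger.admin.allow.unauthenticated.access</name><value>true</value></property>
</configuration>"""

def load_properties(xml_text):
    """Parse a Hadoop-style <configuration> document into a name -> value dict."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit(props, client_url):
    """Return a list of findings for the settings discussed in the report."""
    findings = []
    # The report's config comment states that "false" is the default.
    if props.get("ranger.admin.allow.unauthenticated.access", "false").lower() == "true":
        findings.append("unauthenticated-access-enabled")
    principal = props.get("ranger.spnego.kerberos.principal", "")
    if not principal or not props.get("ranger.spnego.kerberos.keytab"):
        findings.append("spnego-not-configured")
    elif not principal.startswith("HTTP/"):
        findings.append("spnego-principal-not-http-service")
    else:
        # Assumption: a SPNEGO client typically requests a ticket for
        # HTTP/<host in the URL>, so the two host names should agree.
        principal_host = principal[len("HTTP/"):].split("@", 1)[0].lower()
        url_host = (urlparse(client_url).hostname or "").lower()
        if principal_host != url_host:
            findings.append(f"spnego-host-mismatch:{url_host}!={principal_host}")
    return findings

if __name__ == "__main__":
    url = "http://localhost:6080/service/plugins/policies/download/kmsdev"
    for finding in audit(load_properties(SAMPLE_SITE_XML), url):
        print(finding)
```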