question Keyadmin user not allowed to Get_keys in Support Questions https://community.cloudera.com/t5/Support-Questions/Keyadmin-user-not-allowed-to-Get-keys/m-p/106113#M68991 <P>Hi,</P><P>It was working perfectly before but all of sudden it is not allowing to get_keys for keyadmin user. It seems some authorization problem but not sure how to resolve. Please fine below logs:-</P><P>KMS.log says:-</P><P>RangerKmsAuthorizer - &lt;== RangerkmsAuthorizer.hasAccess(GET_KEYS, keyadmin (auth:PROXY) via <A href="mailto:keyadmin@HDP-TBRND-DEV">keyadmin@HDP-TBRND-DEV</A> (auth:KERBEROS) , <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span> false</P><P>xa_portal.log says:-</P><P>[http-bio-6080-exec-4] ERROR org.apache.ranger.rest.XKeyREST (XKeyREST.java:197) - { "RemoteException" : { "message" : "User:keyadmin not allowed to do 'GET_KEYS'", "exception" : "AuthorizationException", "javaClassName" : "org.apache.hadoop.security.authorize.AuthorizationException" } } 2016-05-28 08:22:34,705 [http-bio-6080-exec-4] INFO org.apache.ranger.common.RESTErrorUtil (RESTErrorUtil.java:64) - Request failed. SessionId=9058, loginId=keyadmin, logMessage=User:keyadmin not allowed to do 'GET_KEYS' javax.ws.rs.WebApplicationException at org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:55) at org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:310) at org.apache.ranger.rest.XKeyREST.handleError(XKeyREST.java:214) at org.apache.ranger.rest.XKeyREST.searchKeys(XKeyREST.java:88) at org.apache.ranger.rest.XKeyREST$$FastClassByCGLIB$$c5260d52.invoke(&lt;generated&gt;) at net.sf.cglib.proxy.MethodProxy.invoke(MethodProxy.java:191) at org.springframework.aop.framework.Cglib2AopProxy$CglibMethodInvocation.invokeJoinpoint(Cglib2AopProxy.java:689) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150) at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:64) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:110) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at org.springframework.aop.framework.Cglib2AopProxy$DynamicAdvisedInterceptor.intercept(Cglib2AopProxy.java:622) at org.apache.ranger.rest.XKeyREST$$EnhancerByCGLIB$$59c1dca0.searchKeys(&lt;generated&gt;) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:168) at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:70) at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:279) at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:136) at com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:86) at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:136) at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:74) at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1357) at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1289) at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1239) at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1229) at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:420) at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:497) at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:684) at javax.servlet.http.HttpServlet.service(HttpServlet.java:727) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) at org.apache.ranger.security.web.filter.RangerSecurityContextFormationFilter.doFilter(RangerSecurityContextFormationFilter.java:141) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118) at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:183) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160) at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:745) 2016-05-28 08:22:34,706 [http-bio-6080-exec-4] INFO org.apache.ranger.common.RESTErrorUtil (RESTErrorUtil.java:311) - Operation error. <A href="mailto:response=VXResponse={org.apache.ranger.view.VXResponse@43b0bb40statusCode={1">response=VXResponse={org.apache.ranger.view.VXResponse@43b0bb40statusCode={1</A>} msgDesc={User:keyadmin not allowed to do 'GET_KEYS'} messageList={[VXMessage={org.apache.ranger.view.VXMessage@7c0ffdd7name={ERROR_SYSTEM} rbKey={xa.error.system} message={System Error. Please try later.} objectId={null} fieldName={null} }]} } javax.ws.rs.WebApplicationException</P><P>Can someone please help me on this?</P><P>Thanks in advance</P> Sat, 28 May 2016 15:32:04 GMT trip_ankit87 2016-05-28T15:32:04Z Keyadmin user not allowed to Get_keys https://community.cloudera.com/t5/Support-Questions/Keyadmin-user-not-allowed-to-Get-keys/m-p/106113#M68991 <P>Hi,</P><P>It was working perfectly before but all of sudden it is not allowing to get_keys for keyadmin user. It seems some authorization problem but not sure how to resolve. Please fine below logs:-</P><P>KMS.log says:-</P><P>RangerKmsAuthorizer - &lt;== RangerkmsAuthorizer.hasAccess(GET_KEYS, keyadmin (auth:PROXY) via <A href="mailto:keyadmin@HDP-TBRND-DEV">keyadmin@HDP-TBRND-DEV</A> (auth:KERBEROS) , <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span> false</P><P>xa_portal.log says:-</P><P>[http-bio-6080-exec-4] ERROR org.apache.ranger.rest.XKeyREST (XKeyREST.java:197) - { "RemoteException" : { "message" : "User:keyadmin not allowed to do 'GET_KEYS'", "exception" : "AuthorizationException", "javaClassName" : "org.apache.hadoop.security.authorize.AuthorizationException" } } 2016-05-28 08:22:34,705 [http-bio-6080-exec-4] INFO org.apache.ranger.common.RESTErrorUtil (RESTErrorUtil.java:64) - Request failed. SessionId=9058, loginId=keyadmin, logMessage=User:keyadmin not allowed to do 'GET_KEYS' javax.ws.rs.WebApplicationException at org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:55) at org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:310) at org.apache.ranger.rest.XKeyREST.handleError(XKeyREST.java:214) at org.apache.ranger.rest.XKeyREST.searchKeys(XKeyREST.java:88) at org.apache.ranger.rest.XKeyREST$$FastClassByCGLIB$$c5260d52.invoke(&lt;generated&gt;) at net.sf.cglib.proxy.MethodProxy.invoke(MethodProxy.java:191) at org.springframework.aop.framework.Cglib2AopProxy$CglibMethodInvocation.invokeJoinpoint(Cglib2AopProxy.java:689) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150) at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:64) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:110) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at org.springframework.aop.framework.Cglib2AopProxy$DynamicAdvisedInterceptor.intercept(Cglib2AopProxy.java:622) at org.apache.ranger.rest.XKeyREST$$EnhancerByCGLIB$$59c1dca0.searchKeys(&lt;generated&gt;) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:168) at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:70) at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:279) at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:136) at com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:86) at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:136) at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:74) at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1357) at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1289) at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1239) at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1229) at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:420) at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:497) at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:684) at javax.servlet.http.HttpServlet.service(HttpServlet.java:727) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) at org.apache.ranger.security.web.filter.RangerSecurityContextFormationFilter.doFilter(RangerSecurityContextFormationFilter.java:141) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118) at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:183) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160) at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:745) 2016-05-28 08:22:34,706 [http-bio-6080-exec-4] INFO org.apache.ranger.common.RESTErrorUtil (RESTErrorUtil.java:311) - Operation error. <A href="mailto:response=VXResponse={org.apache.ranger.view.VXResponse@43b0bb40statusCode={1">response=VXResponse={org.apache.ranger.view.VXResponse@43b0bb40statusCode={1</A>} msgDesc={User:keyadmin not allowed to do 'GET_KEYS'} messageList={[VXMessage={org.apache.ranger.view.VXMessage@7c0ffdd7name={ERROR_SYSTEM} rbKey={xa.error.system} message={System Error. Please try later.} objectId={null} fieldName={null} }]} } javax.ws.rs.WebApplicationException</P><P>Can someone please help me on this?</P><P>Thanks in advance</P> Sat, 28 May 2016 15:32:04 GMT https://community.cloudera.com/t5/Support-Questions/Keyadmin-user-not-allowed-to-Get-keys/m-p/106113#M68991 trip_ankit87 2016-05-28T15:32:04Z Re: Keyadmin user not allowed to Get_keys https://community.cloudera.com/t5/Support-Questions/Keyadmin-user-not-allowed-to-Get-keys/m-p/106114#M68992 <P><A rel="user" href="https://community.cloudera.com/users/10652/tripankit87.html" nodeid="10652">@Ankit Tripathi</A></P><P>Can you check below properties if any change -</P><PRE>&lt;property&gt; &lt;name&gt;hadoop.kms.authentication.type&lt;/name&gt; &lt;value&gt;kerberos&lt;/value&gt; &lt;/property&gt; &lt;property&gt; &lt;name&gt;hadoop.kms.authentication.kerberos.keytab&lt;/name&gt; &lt;value&gt;${user.home}/kms.keytab&lt;/value&gt; &lt;/property&gt; &lt;property&gt; &lt;name&gt;hadoop.kms.authentication.kerberos.principal&lt;/name&gt; &lt;value&gt;HTTP/localhost&lt;/value&gt; &lt;/property&gt; &lt;property&gt; &lt;name&gt;hadoop.kms.authentication.kerberos.name.rules&lt;/name&gt; &lt;value&gt;DEFAULT&lt;/value&gt; &lt;/property&gt; </PRE><PRE>&lt;property&gt; &lt;name&gt;hadoop.kms.proxyuser.#USER#.users&lt;/name&gt; &lt;value&gt;*&lt;/value&gt; &lt;/property&gt; &lt;property&gt; &lt;name&gt;hadoop.kms.proxyuser.#USER#.groups&lt;/name&gt; &lt;value&gt;*&lt;/value&gt; &lt;/property&gt; &lt;property&gt; &lt;name&gt;hadoop.kms.proxyuser.#USER#.hosts&lt;/name&gt; &lt;value&gt;*&lt;/value&gt; &lt;/property&gt;</PRE><P>Make sure you have policy for user to get keys in ranger kms admin UI.</P> Sat, 28 May 2016 20:02:13 GMT https://community.cloudera.com/t5/Support-Questions/Keyadmin-user-not-allowed-to-Get-keys/m-p/106114#M68992 sshimpi 2016-05-28T20:02:13Z Re: Keyadmin user not allowed to Get_keys https://community.cloudera.com/t5/Support-Questions/Keyadmin-user-not-allowed-to-Get-keys/m-p/106115#M68993 <P>Thanks Sagar for your reply!!</P><P>I have set hadoop.kms.authentication.kerberos.keytab as /etc/security/keytabs/spnego.service.keytab</P><P>Rest there is no change in the property. I have kept as you suggested. 3-4 days before it was working perfectly but now even test connection is getting failed. It says "</P><P>Unable to connect repository with given config for cluster_kms". Do I need do kinit on any keytab?</P><P>Please help me.</P> Sat, 28 May 2016 20:40:31 GMT https://community.cloudera.com/t5/Support-Questions/Keyadmin-user-not-allowed-to-Get-keys/m-p/106115#M68993 trip_ankit87 2016-05-28T20:40:31Z Re: Keyadmin user not allowed to Get_keys https://community.cloudera.com/t5/Support-Questions/Keyadmin-user-not-allowed-to-Get-keys/m-p/106116#M68994 <P><A rel="user" href="https://community.cloudera.com/users/10652/tripankit87.html" nodeid="10652">@Ankit Tripathi</A></P><P>The best way is to enable debug in the file /usr/hdp/current/ranger-admin/ews/webapp/WEB-INF/log4j.xml</P><P>Just replace all lines with -</P><P> &lt;priority value="info" /&gt; ----&gt; &lt;priority value="debug" /&gt;</P><P>Restart ranger.</P><P>Try test connection and same time do "tail -f /var/log/ranger/admin/xa-portal.log"</P> Sun, 29 May 2016 10:23:23 GMT https://community.cloudera.com/t5/Support-Questions/Keyadmin-user-not-allowed-to-Get-keys/m-p/106116#M68994 sshimpi 2016-05-29T10:23:23Z Re: Keyadmin user not allowed to Get_keys https://community.cloudera.com/t5/Support-Questions/Keyadmin-user-not-allowed-to-Get-keys/m-p/106117#M68995 <P>Thanks A lot Sagar!!</P><P>I removed and installed. It worked.</P> Sun, 29 May 2016 14:07:35 GMT https://community.cloudera.com/t5/Support-Questions/Keyadmin-user-not-allowed-to-Get-keys/m-p/106117#M68995 trip_ankit87 2016-05-29T14:07:35Z