please help understand Ranger security

aliyesami — Wed, 07 Dec 2016 09:07:52 GMT

I have given myself full rights on both HDFS and HIVE , yet for some reason I can't connect to HIVE using my ticket 'sami' but if grant myself a 'hive' ticket then I can get into hive . Why ?

-bash-4.1$ klist
Ticket cache: FILE:/tmp/krb5cc_600
Default principal: sami@TMY.COM
Valid starting     Expires            Service principal
12/06/16 19:57:32  12/07/16 19:57:32  krbtgt/TMY.COM@TMY.COM
        renew until 12/06/16 19:57:32
-bash-4.1$
-bash-4.1$
-bash-4.1$ hive
Logging initialized using configuration in file:/etc/hive/2.5.0.0-1245/0/hive-log4j.properties
Exception in thread "main" java.lang.RuntimeException: org.apache.tez.dag.api.SessionNotRunning: TezSession has already shutdown. Application application_1481054355280_0003 failed 2 times due to AM Container for appattempt_1481054355280_0003_000002 exited with  exitCode: -1000
For more detailed output, check the application tracking page: http://hadoop2.my.com:8088/cluster/app/application_1481054355280_0003 Then click on links to logs of each attempt.
Diagnostics: Application application_1481054355280_0003 initialization failed (exitCode=255) with output: main : command provided 0
main : run as user is sami
main : requested yarn user is sami
User sami not found
Failing this attempt. Failing the application.
        at org.apache.hadoop.hive.ql.session.SessionState.start(SessionState.java:536)
        at org.apache.hadoop.hive.cli.CliDriver.run(CliDriver.java:680)
        at org.apache.hadoop.hive.cli.CliDriver.main(CliDriver.java:624)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.hadoop.util.RunJar.run(RunJar.java:233)
        at org.apache.hadoop.util.RunJar.main(RunJar.java:148)
Caused by: org.apache.tez.dag.api.SessionNotRunning: TezSession has already shutdown. Application application_1481054355280_0003 failed 2 times due to AM Container for appattempt_1481054355280_0003_000002 exited with  exitCode: -1000
For more detailed output, check the application tracking page: http://hadoop2.my.com:8088/cluster/app/application_1481054355280_0003 Then click on links to logs of each attempt.
Diagnostics: Application application_1481054355280_0003 initialization failed (exitCode=255) with output: main : command provided 0
main : run as user is sami
main : requested yarn user is sami
User sami not found
Failing this attempt. Failing the application.
        at org.apache.tez.client.TezClient.waitTillReady(TezClient.java:779)
        at org.apache.hadoop.hive.ql.exec.tez.TezSessionState.open(TezSessionState.java:217)
        at org.apache.hadoop.hive.ql.exec.tez.TezSessionState.open(TezSessionState.java:117)
        at org.apache.hadoop.hive.ql.session.SessionState.start(SessionState.java:533)
        ... 8 more
-bash-4.1$
-bash-4.1$
-bash-4.1$ id
uid=600(sami) gid=600(sami) groups=600(sami),501(hadoop)
-bash-4.1$ klist
Ticket cache: FILE:/tmp/krb5cc_600
Default principal: sami@TMY.COM
Valid starting     Expires            Service principal
12/06/16 19:57:32  12/07/16 19:57:32  krbtgt/TMY.COM@TMY.COM
        renew until 12/06/16 19:57:32
-bash-4.1$ kinit hive
Password for hive@TMY.COM:
-bash-4.1$
-bash-4.1$
-bash-4.1$ hive
Logging initialized using configuration in file:/etc/hive/2.5.0.0-1245/0/hive-log4j.properties
hive>

Re: please help understand Ranger security

myoung — Wed, 07 Dec 2016 09:18:06 GMT

@Sami Ahmad

Looking at the output, it says "User sami not found". Where is user "sami" defined?

Re: please help understand Ranger security

aliyesami — Wed, 07 Dec 2016 09:20:11 GMT

user 'sami' is unix user as well as the KDC ,that's why I can do "kinit sami"

Re: please help understand Ranger security

sunile_manjee — Wed, 07 Dec 2016 12:52:01 GMT

@Sami Ahmad can you verify you have run ranger ldap sync.

Re: please help understand Ranger security

dsharma — Wed, 07 Dec 2016 17:36:48 GMT

check whether usersync has happened properly ? , check it in ranger usersync logs or ranger ui setting --> users page , there do you see sami user?

Re: please help understand Ranger security

aliyesami — Thu, 08 Dec 2016 05:02:03 GMT

iam not using LDAP

Re: please help understand Ranger security

aliyesami — Mon, 19 Aug 2019 08:17:31 GMT

yes I see the user 'sami' there , please see the screenshot below

Re: please help understand Ranger security

rmani — Thu, 08 Dec 2016 05:11:43 GMT

Make user "sami" belongs to hdfs group and then try hive command line.

Re: please help understand Ranger security

aliyesami — Thu, 08 Dec 2016 05:37:33 GMT

where ? on Linux like below ?

hdfs:x:504:hdfs,sami

tried the above but same error

Re: please help understand Ranger security

aliyesami — Thu, 08 Dec 2016 05:58:22 GMT

ah it needed an account on the hadoop2 server since hiveserver2 is running there. I created 'sami' on hadoop2 and added it to the hadoop group and then I can use hive using my ticket.

question Re: please help understand Ranger security in Archives of Support Questions (Read Only)

please help understand Ranger security

Re: please help understand Ranger security

Re: please help understand Ranger security

Re: please help understand Ranger security

Re: please help understand Ranger security

Re: please help understand Ranger security

Re: please help understand Ranger security

Re: please help understand Ranger security

Re: please help understand Ranger security

Re: please help understand Ranger security