No rules applied to rangerlookup@EXAMPLE.COM on RANGER ADMIN Service Manager

Explorer

I'm trying to configure the service repository for HDFS, using the user rangerlookup created on AD, but I'm getting an error in xa_portal.log:

2016-06-28 17:58:48,676 [timed-executor-pool-0] ERROR apache.ranger.services.hdfs.client.HdfsResourceMgr (HdfsResourceMgr.java:48) - <== HdfsResourceMgr.testConnection Error: java.lang.IllegalArgumentException: Illegal principal name rangerlookup@EXAMPLE.COM: org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to rangerlookup@EXAMPLE.COM
2016-06-28 17:58:48,676 [timed-executor-pool-0] ERROR org.apache.ranger.services.hdfs.RangerServiceHdfs (RangerServiceHdfs.java:59) - <== RangerServiceHdfs.validateConfig Error:java.lang.IllegalArgumentException: Illegal principal name rangerlookup@EXAMPLE.COM: org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to rangerlookup@EXAMPLE.COM
2016-06-28 17:58:48,676 [timed-executor-pool-0] ERROR org.apache.ranger.biz.ServiceMgr$TimedCallable (ServiceMgr.java:434) - TimedCallable.call: Error:java.lang.IllegalArgumentException: Illegal principal name rangerlookup@EXAMPLE.COM: org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to rangerlookup@EXAMPLE.COM
2016-06-28 17:58:48,676 [http-bio-6182-exec-8] ERROR org.apache.ranger.biz.ServiceMgr (ServiceMgr.java:120) - ==> ServiceMgr.validateConfig Error:java.util.concurrent.ExecutionException: java.lang.IllegalArgumentException: Illegal principal name rangerlookup@EXAMPLE.COM: org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to rangerlookup@EXAMPLE.COM

My service configuration is the following:

Username = rangerlookup@EXAMPLE.COM
Password = *****
Namenode URL = hdfs://<clusterservicename>
Authorization Enabled = Yes
Authentication Type = Kerberos
hadoop.security.auth_to_local = <core-site.xml auth_to_local parameter>
dfs.datanode.kerberos.principal = dn/_HOST@EXAMPLE.COM
dfs.namenode.kerberos.principal = nn/_HOST@EXAMPLE.COM
dfs.secondary.namenode.kerberos.principal = nn/_HOST@EXAMPLE.COM
RPC Protection Type = Authentication
Common Name for Certificate = ranger

Does anyone know this error?

3 REPLIES

Can you please add a rule RULE:[2:$1@$0](rangerlookup@EXAMPLE.COM)s/.*/rangerlookup/ and restart and retry once?
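
The mapping behind the "No rules applied" error, as an added example that is not part of the thread and not Hadoop's own code: a simplified Python model of how auth_to_local rules are evaluated against a principal. The default realm OTHER.REALM and the one-component rule variant are constructed for illustration; in this model, as in Hadoop, the number that opens a rule must equal the number of components in the principal (one for rangerlookup@EXAMPLE.COM, two for nn/_HOST@EXAMPLE.COM).

```python
import re

# Simplified model of Hadoop auth_to_local evaluation (illustrative, not Hadoop's code).
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?$")

class NoMatchingRule(Exception):
    pass

def short_name(principal, rules, default_realm):
    """Map a Kerberos principal to a local user name; the first matching rule wins."""
    name, _, realm = principal.partition("@")
    if not realm:
        return name                          # no realm: already a short name
    params = [realm] + name.split("/")       # $0 = realm, $1.. = name components
    for rule in rules:
        if rule == "DEFAULT":                # only strips the cluster's own realm
            if realm == default_realm:
                return params[1]
            continue
        m = RULE_RE.match(rule)
        if m is None:
            raise ValueError("unparsable rule: " + rule)
        count, fmt, accept, pat, repl, repeat = m.groups()
        if int(count) != len(params) - 1:
            continue                         # component count differs: rule is skipped
        base = re.sub(r"\$(\d)", lambda g: params[int(g.group(1))], fmt)
        if accept is not None and not re.fullmatch(accept, base):
            continue                         # acceptance filter did not match
        if pat is not None:                  # sed-style substitution, first match unless /g
            base = re.sub(pat, repl, base, count=0 if repeat else 1)
        if re.search(r"[/@]", base):
            raise NoMatchingRule("Non-simple name %s after auth_to_local rule" % base)
        return base
    raise NoMatchingRule("No rules applied to " + principal)

PRINCIPAL = "rangerlookup@EXAMPLE.COM"       # principal from the log above
REPLY_RULE = "RULE:[2:$1@$0](rangerlookup@EXAMPLE.COM)s/.*/rangerlookup/"  # as posted
ONE_COMPONENT_RULE = "RULE:[1:$1@$0](rangerlookup@EXAMPLE.COM)s/.*/rangerlookup/"  # constructed

def try_map(rules, default_realm="OTHER.REALM"):  # default realm is an assumption
    try:
        return short_name(PRINCIPAL, rules, default_realm)
    except NoMatchingRule as exc:
        return str(exc)

if __name__ == "__main__":
    for rules in (["DEFAULT"], [REPLY_RULE, "DEFAULT"], [ONE_COMPONENT_RULE, "DEFAULT"]):
        print(rules, "->", try_map(rules))
```

Running the same check against the real auth_to_local value before pasting it into the Ranger service definition shows whether the lookup principal resolves to a plain local name, since a rule that is too broad maps foreign principals onto local accounts.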

New Contributor

I've fixed the same problem as @Leonardo Dias, just by looking up the doc (https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.2/bk_Security_Guide/content/hdfs_plugin_kerberos.html).

Here are my steps:

1. Add the "rangerhdfslookup" user to the OS and "rangerhdfslookup@realm" to my KDC

2. Update properties of Ranger HDFS plugins via Ambari

3. Restart HDFS & Ranger service

Explorer

Seems like it was a simple useradd command without a -g or -G option for groups on the operating system, yes?