Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

On an unkerborized cluster, how can I get ranger solr to work? Can I get solr ranger working without kerberos?

Labels:
avatar
author-rank mamirne
Contributor

Created ‎02-08-2016 07:08 PM

Hi,

Trying to enable Ranger audit through solr on a non-kerborized cluster.

Not able to get the audits written to Solr.

Is kerborization a must for Solr Ranger to work?

How can I get it working?

3,005 Views
1 ACCEPTED SOLUTION

avatar
author-rank amcbarnett
Guru

Created ‎02-08-2016 07:10 PM

Yes you need Kerberos for Ranger to manage Solr.

See also

https://community.hortonworks.com/articles/15159/securing-solr-collections-with-ranger-kerberos.html

(Updated)

Or are you referring to Solr Auditing for Ranger. In that case you do not need Kerberos.

For Solr Audit see the following:

http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.4/bk_Ranger_Install_Guide/content/solr_ranger_... and

http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.4/bk_Ranger_Install_Guide/content/audit_to_sol...

If you did the necessary install and Solr audits are not showing, I had a case where I did a ps -ef | ranger and it was running under the wrong uid. I had to kill it first and then restart from Ambari to get the Solr audits to work.

View solution in original post

2,436 Views
7 REPLIES 7

avatar
author-rank amcbarnett
Guru

Created ‎02-08-2016 07:10 PM

Yes you need Kerberos for Ranger to manage Solr.

See also

https://community.hortonworks.com/articles/15159/securing-solr-collections-with-ranger-kerberos.html

(Updated)

Or are you referring to Solr Auditing for Ranger. In that case you do not need Kerberos.

For Solr Audit see the following:

http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.4/bk_Ranger_Install_Guide/content/solr_ranger_... and

http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.4/bk_Ranger_Install_Guide/content/audit_to_sol...

If you did the necessary install and Solr audits are not showing, I had a case where I did a ps -ef | ranger and it was running under the wrong uid. I had to kill it first and then restart from Ambari to get the Solr audits to work.

2,437 Views

avatar
author-rank mamirne
Contributor

Created ‎02-08-2016 07:19 PM

Ok, thank you for the response. For enabling Solr Audit, can you give me the link?

Are you talking about the link --

http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.4/bk_Ranger_Install_Guide/content/solr_ranger_...

and then the link below:

http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.4/bk_Ranger_Install_Guide/content/audit_to_sol...

?

If so, after performing the steps mentioned in the above, I do not see any thing in the Ranger Audit - "Access" tab. Is that the expected behavior?

2,436 Views

avatar
author-rank amcbarnett
Guru

Created on ‎02-08-2016 07:30 PM - edited ‎08-19-2019 02:25 AM

I recommend doing the Solr Standalone. I have always had an issue with Solr Cloud for Ranger Auditing.

Are you sure in Advanced ranger-admin-site everything is set appropriately?

If you are using the HDFS or Hive plug in did you turn Auri to Solr on?

1924-screen-shot-2016-02-08-at-22940-pm.png

2,436 Views

avatar
author-rank mamirne
Contributor

Created ‎02-08-2016 08:17 PM

Yes, I have set up the SolrCloud following the document link that I pasted earlier. And then in the Ambari Ranger configuration, enabled SolrAudit ("Audit to Solr" ie. xasecure.audit.destination.solr).

The configuration set to

ranger.audit.solr.urls = http://solr_host:6083/solr/ranger_audits

But once, I enabled SolrCloud ie. (is_SolrCloud_enabled) , then the property changed to be

ranger.audit.solr.urls = solr_host:2181/ranger_audits

Is this the correct behavior? I have the other properties as you mentioned.

Can I just have just SolrAudit ("Audit to Solr") enabled, and not have solrCloud?

2,436 Views

avatar
author-rank SK1
Guru

Created ‎07-22-2016 06:17 AM

@Ancil McBarnett: I also have requirement where i want to secure solr with Ranger but I don't have kerberos env. So is it possible to secure with Rnager without kerberos ?

2,436 Views
0 Kudos

avatar
author-rank mqureshi
Super Guru

Created ‎07-23-2016 07:50 PM

@Saurabh Kuma

@Madhavi Amirneni

Let me try to explain how security works from a high level and why Ranger without Kerberos is useless.

Kerberos is what is used by many applications to authenticate a user. That is, to verify that the user is exactly who he says he is. Ranger is used as a next step in security. That is once you know, let's say a user name Alex is actually 'Alex', then does Alex have permissions to view a particular set of data. That is the job of Ranger. It enforces policies for users who have been authenticated.

Authentication of whether a user is actually who he says he is, is done by Kerberos. Without Kerberos you don't even know, if Alex is actually Alex. That's why there is no point in trying to enforce using Ranger a policy that Alex cannot access certain datasets or doing an audit on what Alex did when he logged in. Without Kerberos you are not even sure, was it really Alex, when someone named Alex logged in. Authorization and audit are pretty much useless at that point and that's why you need a Kerberized cluster before you enable authorization/auditing using Ranger.

2,436 Views
0 Kudos

avatar
author-rank SK1
Guru

Created ‎07-24-2016 05:22 AM

Thanks @mqureshi. I understood your point and agree kerberos is always best option to secure cluster. But I am looking an alternative which I can use to secure solr like knox with ranger or something else. So do we have any alternative ?

2,436 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements