Ranger Admin policies not synced for all services

avatar
Super Collaborator

Hi, I have a problem with policy synchronization. HDP 2.5.0-1245, Ambari 2.4.1. When I add/edit a policy, the policy changes in the MySQL database "ranger", but not in Audit -> Plugins. Also, the change does not affect the /etc/ranger/servicename/policycache/XXX.json file (the last change was 10 days ago, same as the Plugin tab shows). From xa_portal.log in DEBUG mode I see an error every 30 seconds:

"DEBUG org.springframework.security.web.access.ExceptionTranslationFilter (ExceptionTranslationFilter.java:165) - Access is denied (user is anonymous); redirecting to authentication entry point org.springframework.security.access.AccessDeniedException: Access is denied"

That is the only difference in this log when I compare my working cluster with this one.

The connection to the database is good, but what happens next I don't know. How are policies propagated from MySQL to the .json file? Which user is responsible for this? Any solution ideas? Thank you in advance.


avatar
Super Collaborator

@Deepak Sharma

Thank you for a quick answer.

In access_log, when I edit a policy I get PUT and GET with code 200, but apart from that, every 30 seconds I get a GET with code 302.

In the corresponding service logs I got "failed to refresh policies. Will continue to use last known version of policies (61)".

It was working before, but for 10 days policies are not synced.

avatar

Can you check if the Ranger policy URL is properly defined in the HDFS Ranger plugin config, and was there anything changed when you started seeing this issue?

avatar
Super Collaborator

Sorry guys, that was the issue. I am not the only one with access to that cluster, and somebody changed the Ranger policy URL in every plugin config. Thank you!
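The root cause reported in this thread (a changed policy URL in each plugin config, with the policy cache silently going stale) can be checked for mechanically. The following is an added example, not part of the thread's posts or of Ranger itself: it reads a plugin's `ranger-<service>-security.xml`, compares `ranger.plugin.<service>.policy.rest.url` with the expected Ranger Admin URL, and reports policy cache files that have not been refreshed recently. The host names, cache file name, and age threshold are constructed for illustration.

```python
import glob, json, os, tempfile, time
import xml.etree.ElementTree as ET

def read_hadoop_conf(path):
    """Parse a Hadoop-style XML config into {property name: value}."""
    props = ET.parse(path).getroot().iter("property")
    return {p.findtext("name", "").strip(): (p.findtext("value") or "").strip() for p in props}

def audit_plugin(service, conf_path, expected_url, max_age_s=3600, now=None):
    """Return findings for one plugin: policy URL drift and stale policy cache."""
    now = time.time() if now is None else now
    conf, findings = read_hadoop_conf(conf_path), []
    url = conf.get(f"ranger.plugin.{service}.policy.rest.url", "")
    if url.rstrip("/") != expected_url.rstrip("/"):
        findings.append(f"{service}: policy.rest.url is {url!r}, expected {expected_url!r}")
    cache_dir = conf.get(f"ranger.plugin.{service}.policy.cache.dir", "")
    caches = glob.glob(os.path.join(cache_dir, "*.json")) if cache_dir else []
    if not caches:
        findings.append(f"{service}: no policy cache file found in {cache_dir!r}")
    for path in caches:
        age = now - os.path.getmtime(path)
        if age > max_age_s:  # assumed threshold; plugins normally poll far more often
            with open(path) as fh:
                version = json.load(fh).get("policyVersion")
            findings.append(f"{service}: {os.path.basename(path)} not refreshed for "
                            f"{age / 86400:.1f} days (policyVersion {version})")
    return findings

def demo(url_in_config):
    """Constructed fixture: one HDFS plugin config plus a cache last written 10 days ago."""
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        cache = os.path.join(tmp, "hdfs_cl1_hadoop.json")  # constructed file name
        with open(cache, "w") as fh:
            json.dump({"serviceName": "cl1_hadoop", "policyVersion": 61, "policies": []}, fh)
        os.utime(cache, (now - 10 * 86400, now - 10 * 86400))
        conf = os.path.join(tmp, "ranger-hdfs-security.xml")
        with open(conf, "w") as fh:
            fh.write("<configuration>"
                     f"<property><name>ranger.plugin.hdfs.policy.rest.url</name><value>{url_in_config}</value></property>"
                     f"<property><name>ranger.plugin.hdfs.policy.cache.dir</name><value>{tmp}</value></property>"
                     "</configuration>")
        return audit_plugin("hdfs", conf, "http://ranger-admin.example:6080", now=now)

if __name__ == "__main__":
    for line in demo("http://wrong-host.example:6080"):
        print(line)
```

Run against each plugin's real config directory on a schedule, a non-empty result means policy edits (including revocations) made in Ranger Admin are not reaching that service.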

avatar
Super Collaborator

The strange thing is that in access_log Ranger tries to GET status from an undefined URL:

"IP - - [DATE] "GET / HTTP/1.0" 302 -"

avatar
Super Guru

@Edgar Daeds

Can you check the things below:

1. Does your test connection for the repository work successfully?

2. Do you see any alert in the Ambari UI wrt "Ranger Admin Password check"?

3. If that is an HDFS policy, can you check the NameNode logs to see if you have any error there?

Please post more logs to analyze the issue.

avatar
Super Collaborator

@Sagar Shimpi

1. Test connection works for HDFS and HBase; for Hive I have my own modified jars and it has not been working for a long time (but policies were working).

2. In the Ambari UI I don't see any alerts regarding Ranger.

3. In every service's logs I see only one error, which is known: "failed to refresh policies. Will continue to use last known version of policies (XX) [...] Connection Refused".

Could you please specify which logs I can post? It is on a client's cluster and I don't have direct access, so I need to rewrite logs manually.

P. S. policies are not synced for every service which I am using (HDFS,HBase,Hive,Kafka,Knox)

avatar

If this is a Kerberos env, make sure there are no Kerberos ticket renewal errors.

Also, are you using SSL for Ranger? In that case, make sure the plugins are configured to trust the Ranger Admin certificate.