Ranger Custom ContextEnricher not being fired in policy


I have created a short RangerAbstractContextEnricher to add an additional variable USERNORMAL for user in Ranger Hive policies. Basically, it removes some special characters and then is used to allow users to create tables with the name <USERNORMAL>_*. I can see the class getting initialized in the HS2 log, but never see it calling the enrich() method. Here are the steps I have followed:

Code:

package org.apache.ranger.plugin.contextenricher;

import java.util.Map;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;

// Adds a normalized copy of the requesting user's name to the request context.
public class RangerUserNormalizerProvider extends RangerAbstractContextEnricher {
    private static final Log LOG = LogFactory.getLog(RangerUserNormalizerProvider.class);
    private String contextName = "USERNORMAL";

    @Override
    public void init() {
        LOG.info("==> RangerUserNormalizerProvider.init(" + enricherDef + ")");
        super.init();
        // Context key is configurable through enricherOptions in the service definition.
        contextName = getOption("contextName", "USERNORMAL");
        LOG.info("<== RangerUserNormalizerProvider.init(" + enricherDef + ")");
    }

    @Override
    public void enrich(RangerAccessRequest request) {
        LOG.info("==> RangerUserNormalizerProvider.enrich(" + request + ")");
        if (request != null) {
            Map<String, Object> context = request.getContext();
            // Guard against a null user before normalizing, to avoid a NullPointerException.
            String user = request.getUser();
            String normalized = (user == null) ? null : user.toLowerCase().replace('-', '_');

            if (context != null && !StringUtils.isEmpty(normalized)) {
                context.put(contextName, normalized);
            } else {
                LOG.info("RangerUserNormalizerProvider.enrich(): skipping due to unavailable context or user. context=" + context + "; user=" + user);
            }
        }

        LOG.info("<== RangerUserNormalizerProvider.enrich(" + request + ")");
    }
}

Placed on these locations on the host running Ranger and HS2:

/usr/hdp/3.1.0.0-78/hive/lib/ranger-hive-plugin-impl/conditions-enrichers-1.2.0.3.1.2.0-4.jar
/usr/hdp/3.1.0.0-78/ranger-hive-plugin/lib/ranger-hive-plugin-impl/conditions-enrichers-1.2.0.3.1.2.0-4.jar
/usr/hdp/3.1.0.0-78/ranger-admin/ews/webapp/WEB-INF/lib/conditions-enrichers-1.2.0.3.1.2.0-4.jar

Registered the enricher by adding the following:

curl -v -u $USR:$PASS -H "Content-Type: application/json" -X PUT $RANGER_HOST/service/public/v2/api/servicedef/name/hive -d @hive.json

# Snippet from hive.json
   "contextEnrichers": [
        {
            "enricher": "org.apache.ranger.plugin.contextenricher.RangerUserTenantMappingProvider",
            "enricherOptions": {
                "contextName": "TENANT",
                "dataFile": "/etc/ranger/data/userTenant.txt"
            },
            "itemId": 1,
            "name": "tenant-provider"
        },
        {
            "enricher": "org.apache.ranger.plugin.contextenricher.RangerUserNormalizerProvider",
            "enricherOptions": {
                "contextName": "USERNORMAL"
            },
            "itemId": 2,
            "name": "usernormal-provider"
        }
   ]

Can see log messages in HS2 log for init(), but never see the enrich() method called:

2019-05-28T14:04:11,891 INFO  [main]: contextenricher.RangerUserNormalizerProvider (:()) - ==> RangerUserNormalizerProvider.init(RangerContextEnricherDef={itemId={2} name={usernormal-provider} enricher={org.apache.ranger.plugin.contextenricher.RangerUserNormalizerProvider} enricherOptions={{contextName=USERNORMAL}} })
2019-05-28T14:04:11,891 INFO  [main]: contextenricher.RangerUserNormalizerProvider (:()) - <== RangerUserNormalizerProvider.init(RangerContextEnricherDef={itemId={2} name={usernormal-provider} enricher={org.apache.ranger.plugin.contextenricher.RangerUserNormalizerProvider} enricherOptions={{contextName=USERNORMAL}} })

Here is the Policy:

[Image: policy screenshot, 109014-1559078238882.png]

And my utter lack of joy:

Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [hive] does not have [CREATE] privilege on [xxx_foo/hive_test22] (state=42000,code=40000)


Any steps missed here? Any way to get Ranger to dump out some more info about how policies are being evaluated? (Setting log level to DEBUG did not print anything of interest.) Thanks in advance!
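A triage aid for the symptom described above, as an added example that is not part of the original post: it reports which enricher classes logged an init() entry but never an enrich() entry, and checks whether the denied table name would satisfy the `<USERNORMAL>_*` prefix for the denied user. Assumptions: enrichers log `==> Class.method(` entry markers the way the posted class does, the policy (shown only as an image) is a plain prefix match, and `SampleOtherEnricher` plus its log lines are constructed for contrast.

```python
import re
from collections import Counter

# Constructed sample input: the init lines and the denial are abbreviated from the post;
# the SampleOtherEnricher lines are hypothetical and exist only for contrast.
SAMPLE_LOG = """\
2019-05-28T14:04:11,891 INFO  [main]: contextenricher.RangerUserNormalizerProvider (:()) - ==> RangerUserNormalizerProvider.init(RangerContextEnricherDef={itemId={2} name={usernormal-provider} })
2019-05-28T14:04:11,891 INFO  [main]: contextenricher.RangerUserNormalizerProvider (:()) - <== RangerUserNormalizerProvider.init(RangerContextEnricherDef={itemId={2} name={usernormal-provider} })
2019-05-28T14:04:11,902 INFO  [main]: contextenricher.SampleOtherEnricher (:()) - ==> SampleOtherEnricher.init(...)
2019-05-28T14:06:40,120 INFO  [HiveServer2-Handler-Pool: Thread-77]: contextenricher.SampleOtherEnricher (:()) - ==> SampleOtherEnricher.enrich(...)
"""
SAMPLE_DENIAL = ("Permission denied: user [hive] does not have [CREATE] "
                 "privilege on [xxx_foo/hive_test22]")

# Method-entry marker ("==> Class.init(" / "==> Class.enrich("); exit markers ("<==") do not match.
ENTRY = re.compile(r"==> (\w+)\.(init|enrich)\(")
DENIAL = re.compile(
    r"user \[([^\]]+)\] does not have \[(\w+)\] privilege on \[([^\]/]+)/([^\]]+)\]")


def never_invoked(log_text):
    """Enricher classes that logged an init() entry but no enrich() entry."""
    calls = Counter(ENTRY.findall(log_text))
    classes = {cls for cls, _method in calls}
    return sorted(c for c in classes
                  if calls[(c, "init")] and not calls[(c, "enrich")])


def normalize(user):
    """Same rule as the posted enrich(): lower-case, '-' replaced by '_'."""
    return user.lower().replace("-", "_")


def denial_matches_prefix(message):
    """True if the denied table name starts with <normalized user>_, None if no denial found."""
    m = DENIAL.search(message)
    if m is None:
        return None
    user, _privilege, _database, table = m.groups()
    # Hive stores table names lower-cased, so compare in lower case.
    return table.lower().startswith(normalize(user) + "_")


if __name__ == "__main__":
    print("initialized but never invoked:", never_invoked(SAMPLE_LOG))
    print("denied table matches <USERNORMAL>_*:", denial_matches_prefix(SAMPLE_DENIAL))
```

If the second check is true while the class appears in the first list, the denial is consistent with the context value never having been set rather than with a naming mismatch.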
