
Ranger KMS Kerberos Issue

Contributor

Hi,

Getting the below error while connecting to the KMS repo:-

xa_portal.log:-

ERROR org.apache.ranger.biz.ServiceMgr (ServiceMgr.java:120) - ==> ServiceMgr.validateConfig Error:java.util.concurrent.ExecutionException: org.apache.ranger.plugin.client.HadoopException: { "RemoteException" : { "message" : "User:keyadmin not allowed to do 'GET_KEYS'", "exception" : "AuthorizationException", "javaClassName" : "org.apache.hadoop.security.authorize.AuthorizationException" }

2-3 days before, it was working perfectly, so I think I need to initialize (kinit) the keytab and principal every 24 hours, but I'm not sure which one. This is happening to me for the 4th time; previously, to resolve this, I just removed and reinstalled it. It worked, but I need a permanent resolution for this.

Please help me on this


Re: Ranger KMS Kerberos Issue

Contributor

Below is my configuration for ranger kms:-

hadoop.kms.authentication.kerberos.keytab = /etc/security/keytabs/spnego.service.keytab
hadoop.kms.authentication.kerberos.name.rules=DEFAULT
hadoop.kms.authentication.kerberos.principal=*
hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.keytab=/etc/security/keytabs/spnego.service.keytab
hadoop.kms.authentication.type=kerberos

Re: Ranger KMS Kerberos Issue

Rising Star

@Ankit Tripathi Did you add the keyadmin user to the KMS policy?

Re: Ranger KMS Kerberos Issue

Contributor

Thanks Yogesh!!!!!

Yes, I have added it.

Re: Ranger KMS Kerberos Issue

Rising Star

@Ankit Tripathi Is your Ranger integrated with AD/LDAP?

Do you have these properties in the custom kms-site.xml?

  • hadoop.kms.proxyuser.keyadmin.groups=*
  • hadoop.kms.proxyuser.keyadmin.hosts=*
  • hadoop.kms.proxyuser.keyadmin.users=*

Re: Ranger KMS Kerberos Issue

Contributor

No, not integrated with AD/LDAP.

Yes, I have these properties in custom kms-site.xml.

Re: Ranger KMS Kerberos Issue

Do you see any error in kms.log?

Do you have a symlink to /etc/hadoop/conf/core-site.xml under /etc/ranger/kms/conf?

Re: Ranger KMS Kerberos Issue

Contributor

Yes, link is there.

kms.log says :-

2016-06-01 15:09:45,514 DEBUG RangerPolicyEngineImpl - <== RangerPolicyEngineImpl.isAccessAllowed(RangerAccessRequestImpl={resource={RangerResourceImpl={ownerUser={null} elements={keyname=; } }} accessType={getkeys} user={keyadmin} userGroups={keyadmin } accessTime={Wed Jun 01 15:09:45 GMT 2016} clientIPAddress={172.31.28.248} clientType={null} action={getkeys} requestData={null} sessionId={null} resourceMatchingScope={SELF} context={} }): RangerAccessResult={isAccessDetermined={false} isAllowed={false} isAuditedDetermined={false} isAudited={false} policyId={-1} reason={null} }
2016-06-01 15:09:45,514 DEBUG RangerKmsAuthorizer - <== RangerkmsAuthorizer.hasAccess(GET_KEYS, keyadmin (auth:PROXY) via keyadmin@HDP-TBRND-DEV (auth:KERBEROS) , ): false
2016-06-01 15:10:02,625 DEBUG PolicyRefresher - ==> PolicyRefresher(serviceName=tbarnd01_kms).loadPolicy()

Thanks
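As an added example (not from this thread, and not Ranger's own code), a small Python script that parses RangerPolicyEngineImpl.isAccessAllowed lines like the one in the kms.log excerpt above and flags denials with policyId -1, i.e. requests that no KMS policy matched at all, which is the situation behind "User:keyadmin not allowed to do 'GET_KEYS'". The first sample line is the excerpt from the thread; the second (user hdfs, policyId 7) is constructed for contrast.

```python
import re

# Constructed sample: line 1 is modelled on the kms.log excerpt in this thread,
# line 2 is a made-up allowed decision for contrast. Not real cluster data.
SAMPLE_LOG = """\
2016-06-01 15:09:45,514 DEBUG RangerPolicyEngineImpl - <== RangerPolicyEngineImpl.isAccessAllowed(RangerAccessRequestImpl={resource={RangerResourceImpl={ownerUser={null} elements={keyname=; } }} accessType={getkeys} user={keyadmin} userGroups={keyadmin } accessTime={Wed Jun 01 15:09:45 GMT 2016} clientIPAddress={172.31.28.248} clientType={null} action={getkeys} requestData={null} sessionId={null} resourceMatchingScope={SELF} context={} }): RangerAccessResult={isAccessDetermined={false} isAllowed={false} isAuditedDetermined={false} isAudited={false} policyId={-1} reason={null} }
2016-06-01 15:12:10,002 DEBUG RangerPolicyEngineImpl - <== RangerPolicyEngineImpl.isAccessAllowed(RangerAccessRequestImpl={resource={RangerResourceImpl={ownerUser={null} elements={keyname=examplekey; } }} accessType={getmetadata} user={hdfs} userGroups={hadoop } accessTime={Wed Jun 01 15:12:10 GMT 2016} clientIPAddress={172.31.28.248} clientType={null} action={getmetadata} requestData={null} sessionId={null} resourceMatchingScope={SELF} context={} }): RangerAccessResult={isAccessDetermined={true} isAllowed={true} isAuditedDetermined={true} isAudited={true} policyId={7} reason={null} }
"""

DECISION_RE = re.compile(
    r"^(?P<ts>\S+ \S+) DEBUG RangerPolicyEngineImpl - <== "
    r"RangerPolicyEngineImpl\.isAccessAllowed\((?P<request>.*)\): "
    r"RangerAccessResult=\{(?P<result>.*)\}\s*$"
)
# name={value} pairs with no nested braces (the nested resource={...} is skipped)
FIELD_RE = re.compile(r"(\w+)=\{([^{}]*)\}")
KEYNAME_RE = re.compile(r"keyname=([^;}]*);")


def parse_decision(line):
    """Return a dict for one isAccessAllowed line, or None for any other line."""
    m = DECISION_RE.match(line)
    if m is None:
        return None
    req = dict(FIELD_RE.findall(m.group("request")))
    res = dict(FIELD_RE.findall(m.group("result")))
    key = KEYNAME_RE.search(m.group("request"))
    return {
        "timestamp": m.group("ts"),
        "user": req.get("user"),
        "groups": req.get("userGroups", "").split(),
        "access_type": req.get("accessType"),
        "key_name": key.group(1).strip() if key else None,  # "" = no key named
        "allowed": res.get("isAllowed") == "true",
        "policy_id": res.get("policyId"),
    }


def find_unmatched_denials(log_text):
    """Denials with policyId -1: no KMS policy covered this user/access type,
    so the fix is a missing policy entry or plugin sync, not a Kerberos error."""
    findings = []
    for line in log_text.splitlines():
        d = parse_decision(line)
        if d and not d["allowed"] and d["policy_id"] == "-1":
            findings.append(d)
    return findings


if __name__ == "__main__":
    for f in find_unmatched_denials(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['user']} ({','.join(f['groups'])}) -> "
              f"{f['access_type']} on key '{f['key_name'] or '*'}' denied: no matching policy")
```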

Re: Ranger KMS Kerberos Issue

Is the KMS plugin downloading the policies from Ranger? It looks like that may not be happening. You can check it from the Ranger UI (Audit -> Plugins).

Re: Ranger KMS Kerberos Issue

Contributor

It's in sync. I have just copy-pasted the Ranger UI plugin data :-

06/01/2016 08:40:33 PM | tbarnd01_kms | kms@hostname | hostname | 200 | Policies synced to plugin
06/01/2016 04:47:30 PM | tbarnd01_kms | kms@hostname | hostname | 200 | Policies synced to plugin

Thanks