Created 12-16-2016 02:19 AM
Unable to create table pointing to S3 after enabling Ranger.
This is the database we created before enabling Ranger.
SET fs.s3a.impl=org.apache.hadoop.fs.s3a.S3AFileSystem;
SET fs.s3a.access.key=xxxxxxx;
SET fs.s3a.secret.key=yyyyyyyyyyyyyyy;
CREATE DATABASE IF NOT EXISTS backup_s3a1 COMMENT "s3a schema test" LOCATION "s3a://gd-de-dp-db-hcat-backup-schema/";
After Ranger was enabled, we tried to create another database, but it throws an error.
0: jdbc:hive2://usw2dxdpmn01.local:> SET fs.s3a.impl=org.apache.hadoop.fs.s3a.S3AFileSystem;
Error: Error while processing statement: Cannot modify fs.s3a.impl at runtime. It is not in list of params that are allowed to be modified at runtime (state=42000,code=1)
How do I whitelist the fs.s3* parameters in Ranger?
Created 12-20-2016 02:30 AM
I resolved the problem by adding this configuration in custom-hiveserver2-site.xml:
hive.security.authorization.sqlstd.confwhitelist.append=fs\.s3a\..*|fs\.s3n\..*
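An added example, not part of the original post or of Hive's own code: a small audit of which parameter names the appended whitelist value opens up for session-level SET, next to a hypothetical narrower value that admits only the three keys the question sets. It assumes the whole parameter name must match the pattern; the sample parameter list and `APPEND_NARROW` are constructed for illustration.

```python
import re

# Value from the accepted answer (hive.security.authorization.sqlstd.confwhitelist.append).
APPEND_FROM_ANSWER = r"fs\.s3a\..*|fs\.s3n\..*"
# Hypothetical narrower value: only the three keys the question sets at runtime.
APPEND_NARROW = r"fs\.s3a\.impl|fs\.s3a\.access\.key|fs\.s3a\.secret\.key"

# Constructed sample of parameter names a session might try to SET.
SAMPLE_PARAMS = [
    "fs.s3a.impl",
    "fs.s3a.access.key",
    "fs.s3a.secret.key",
    "fs.s3a.endpoint",
    "fs.s3n.awsAccessKeyId",
    "fs.s3.awsAccessKeyId",   # "fs.s3." prefix is covered by neither pattern
    "fs.defaultFS",
    "fs_s3a_impl",            # escaped dots must not match other characters
]


def settable(append_value, names):
    """Return the names for which a runtime SET would pass this append value.

    Assumption: the whole parameter name must match one alternative,
    which re.fullmatch reproduces for these simple patterns.
    """
    pattern = re.compile(append_value)
    return [n for n in names if pattern.fullmatch(n)]


def audit(names=SAMPLE_PARAMS):
    """Compare the answer's pattern with the narrower one over the sample."""
    broad = settable(APPEND_FROM_ANSWER, names)
    narrow = settable(APPEND_NARROW, names)
    return {
        "broad": broad,
        "narrow": narrow,
        "only_broad": [n for n in broad if n not in narrow],
        "denied": [n for n in names if n not in broad],
    }


if __name__ == "__main__":
    for group, members in audit().items():
        print(f"{group}: {', '.join(members) or '-'}")
```

The `only_broad` group lists the settings that any session can change under the wildcard form but not under the narrower one.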
Created 12-16-2016 05:24 PM
I am not sure if this is Ranger related. Could you please provide hiveserver2.log?
Created 12-16-2016 07:14 PM
I don't know if this will help, but you could try setting the parameters in the xml files rather than at runtime.
http://hortonworks.github.io/hdp-aws/s3-security/index.html#configuring-authentication
Created 12-17-2016 08:55 PM
Try using a configuration file that stores your AWS credentials. Follow the instructions here:
https://hortonworks.github.io/hdp-aws/s3-security/#create-a-credential-file
Created 12-19-2016 09:07 AM
I am getting the error "Unable to load AWS credentials from any provider in the chain".
I am able to read files from S3 by directly passing access and secret key.
[hdfs@usw2dxdpmn01 root]$ hadoop fs -Dfs.s3a.access.key=xxxxxxxxxxxx -Dfs.s3a.secret.key=YYYYYYYYYYYYYYY -ls s3a://gd-data-stage/
Found 7 items
drwxrwxrwx - 0 1970-01-01 00:00 s3a://gd-data-stage/cluster-db
drwxrwxrwx - 0 1970-01-01 00:00 s3a://gd-data-stage/user
drwxrwxrwx - 0 1970-01-01 00:00 s3a://gd-data-stage/ut1-upload
Then creating credential file.
[hdfs@usw2dxdpmn01 root]$ hadoop credential create fs.s3a.access.key -value xxxxxxxxxxxx -provider jceks://file/tmp/gd-data-stage.jceks
fs.s3a.access.key has been successfully created.
org.apache.hadoop.security.alias.JavaKeyStoreProvider has been updated.
[hdfs@usw2dxdpmn01 root]$ hadoop credential create fs.s3a.secret.key -value YYYYYYYYYYYYYYY -provider jceks://file/tmp/gd-data-stage.jceks
fs.s3a.secret.key has been successfully created.
org.apache.hadoop.security.alias.JavaKeyStoreProvider has been updated.
[hdfs@usw2dxdpmn01 root]$ hadoop credential list -provider jceks://file/tmp/gd-data-stage.jceks
Listing aliases for CredentialProvider: jceks://file/tmp/gd-data-stage.jceks
fs.s3a.secret.key
fs.s3a.access.key
[hdfs@usw2dxdpmn01 root]$ hadoop fs -Dhadoop.security.credential.provider.path=jceks://file/tmp/gd-data-stage.jceks -ls s3a://gd-data-stage
-ls: Fatal internal error
com.amazonaws.AmazonClientException: Unable to load AWS credentials from any provider in the chain
    at com.amazonaws.auth.AWSCredentialsProviderChain.getCredentials(AWSCredentialsProviderChain.java:117)
    at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:3521)
    at com.amazonaws.services.s3.AmazonS3Client.headBucket(AmazonS3Client.java:1031)
    at com.amazonaws.services.s3.AmazonS3Client.doesBucketExist(AmazonS3Client.java:994)
    at org.apache.hadoop.fs.s3a.S3AFileSystem.initialize(S3AFileSystem.java:297)
    at org.apache.hadoop.fs.FileSystem.createFileSystem(FileSystem.java:2653)
    at org.apache.hadoop.fs.FileSystem.access$200(FileSystem.java:92)
    at org.apache.hadoop.fs.FileSystem$Cache.getInternal(FileSystem.java:2687)
    at org.apache.hadoop.fs.FileSystem$Cache.get(FileSystem.java:2669)
    at org.apache.hadoop.fs.FileSystem.get(FileSystem.java:371)
    at org.apache.hadoop.fs.Path.getFileSystem(Path.java:295)
    at org.apache.hadoop.fs.shell.PathData.expandAsGlob(PathData.java:325)
    at org.apache.hadoop.fs.shell.Command.expandArgument(Command.java:235)
    at org.apache.hadoop.fs.shell.Command.expandArguments(Command.java:218)
    at org.apache.hadoop.fs.shell.Command.processRawArguments(Command.java:201)
    at org.apache.hadoop.fs.shell.Command.run(Command.java:165)
    at org.apache.hadoop.fs.FsShell.run(FsShell.java:287)
    at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:76)
    at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:90)
    at org.apache.hadoop.fs.FsShell.main(FsShell.java:340)
Created 12-19-2016 08:15 AM
@Dominika Bialek, @Binu Mathew,
I configured the credentials in core-site.xml, and it always returns "undefined" when I try to see the values using the commands below. This is in our "pre-dev" environment and Ranger is enabled. In our other environment, where Ranger is not installed, we are not facing this problem.
0: jdbc:hive2://usw2dxdpmn01:10010> set fs.s3a.impl;
+-----------------------------------------------------+--+
| set |
+-----------------------------------------------------+--+
| fs.s3a.impl=org.apache.hadoop.fs.s3a.S3AFileSystem |
+-----------------------------------------------------+--+
1 row selected (0.006 seconds)
0: jdbc:hive2://usw2dxdpmn01:10010> set fs.s3a.access.key;
+---------------------------------+--+
| set |
+---------------------------------+--+
| fs.s3a.access.key is undefined |
+---------------------------------+--+
1 row selected (0.005 seconds)
0: jdbc:hive2://usw2dxdpmn01:10010> set fs.s3a.secret.key;
+---------------------------------+--+
| set |
+---------------------------------+--+
| fs.s3a.secret.key is undefined |
+---------------------------------+--+
1 row selected (0.005 seconds)
Created 12-19-2016 04:37 PM
@stevel Do you know if using S3 is supported in Ranger?
Created 12-19-2016 04:40 PM
S3 is not supported in Ranger as of now
Created 12-19-2016 10:34 PM
This is just hiveserver2 configuration. The underlying file system is untouched. My expectation is Hive should work as usual. Please correct me if my understanding is incorrect after enabling Ranger.