Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Ranger policy is not applied

Ranger policy is not applied

Guru

Hi,

I created a policy for HDFS in Ranger and gave a dedicated user full permissions to the corresponding folder. But that user is not able to list the contents of that folder due to HDFS-access denied-error. It seems like that the Ranger policy is not really in effect / not applied, see screenshots below for the details.

What I want to do (normally pretty simple ) grant user w999711 full permissions to HDFS folder /data/raw. Authorization shall be handled completely by Ranger, therefore HDFS permissions on that folder are restrictive (700).

The error

1714-dfs-command-line-error.png

Policy config

1715-hdfs-policy-rawlayer.png

Audit log

1716-hdfs-audit-w999711-access-denied.png

Why isn't the defined policy applied while accessing /data/raw ?!?! It also confuses me that in the Audit log there is enforcer "hadoop-acl", whereas I'd expected "xa-secure-acl" for accessing /data/raw

Any hints highly appreciated.....thanks, Gerd

PS: HDP2.2.4.2, Ambari 2.1.2.1

8 REPLIES 8

Re: Ranger policy is not applied

Check if the policies have been synced:

  • In Ranger go to Audit -> Plugins (last policy updates are listed in this table)
  • On the namenode check the directory /etc/ranger/<hdfs repository name>; there should be a Json-file with all the policies inside

Add a second resource path called /data/raw/* and see if it works

Re: Ranger policy is not applied

Guru

Hi @Jonas Straub , thanks for that hint with checking the "Agents" tab. Indeed the timestamp there is pretty old, all entries are from Jan 27th.

Where can I investigate into why the updated policies are not getting updated/synced to the plugins itself ?

Re: Ranger policy is not applied

Check the Ranger and Namenode log. Try to restart ranger and change a policy and check if there are any errors showing up.

Sometimes the HDFS Plugin has not been properly initialized and it helped to disable the HDFS plugin, restart services and enable the plugin again. Although if you have something in the Audit -> Plugins log, then your policy sync did work before. Did you add or change in your cluster recently? SSL?

Re: Ranger policy is not applied

Guru

@Jonas Straub yep, SSL has been enabled/added, good starting point for analyzing the issue

Re: Ranger policy is not applied

Guru

Hi @Jonas Straub ,

enabling SSL seems to cause the troubles, since in the Ranger xa_portal.log I see lots of the following errors:

2016-02-02 00:49:43,512 [http-bio-6182-exec-2] INFO  com.xasecure.common.RESTErrorUtil (RESTErrorUtil.java:282) - Operation error. response=VXResponse={com.xasecure.view.VXResponse@34ca3410statusCode={1} msgDesc={Unauthorized access - unable to get client certificate} messageList={[VXMessage={com.xasecure.view.VXMessage@47202183name={OPER_NOT_ALLOWED_FOR_ENTITY} rbKey={xa.error.oper_not_allowed_for_state} message={Operation not allowed for entity} objectId={null} fieldName={null} }]} }
javax.ws.rs.WebApplicationException

...

2016-02-02 00:49:46,856 [http-bio-6182-exec-4] INFO  com.xasecure.common.RESTErrorUtil (RESTErrorUtil.java:66) - Request failed. SessionId=null, loginId=null, logMessage=Unauthorized access - unable to get client certificate
javax.ws.rs.WebApplicationException

I am a bit lost in how to dive into that issue. The steps to enable SSL for ranger-plugins I made, are:

  1. ranger admin node: created a keystore, exported its key into file 'ranger-admin-trust.cer' and copied it to namenodes
  2. on both namenodes, created a keystore (and remembered the input for the first question) in file 'ranger-plugin-keystore.jks'
  3. imported ranger-admin key from ranger-admin-trust.cer into file 'ranger-plugin-truststore.jks'
  4. exported plugin key from ranger-plugin-keystore.jks into truststore 'ranger-hdfsagent-trust.cer'
  5. copied ranger-hdfsagent-trust.cer to RangerAdmin server
  6. imported ranger-hdfsagent-trust.cer into general keystore 'cacerts' on RangerAdmin server

so that at the end the file 'cacerts' should contain the keys from all the HDFS-/Hive-/HBase plugins I configured.

This is the config. of Ranger-HDFS-Plugin in Ambari:

1725-ambari-hdfs-ranger-plugin-config.png

Especially step 6.) does the file 'cacerts' on the RangerAdmin server (containing all the certs) needs to be configured somehwere? I cannot find that in Ambari config. section?!!

Re: Ranger policy is not applied

Hi @Gerd Koenig Did you fix this issue? I'm having "unable to get client certificate"

Highlighted

Re: Ranger policy is not applied

Guru

Hello @Hajime ,

yes, at the end the problem got solved and I published the steps here

https://community.hortonworks.com/content/kbentry/16373/ranger-ssl-pitfalls.html

HTH, Gerd

Re: Ranger policy is not applied

Thank you!

Don't have an account?
Coming from Hortonworks? Activate your account here