Ranger policy is not applied

avatar
Guru

Hi,

I created a policy for HDFS in Ranger and gave a dedicated user full permissions to the corresponding folder. But that user is not able to list the contents of that folder due to an HDFS access-denied error. It seems like the Ranger policy is not really in effect / not applied; see the screenshots below for the details.

What I want to do (normally pretty simple 😉): grant user w999711 full permissions to the HDFS folder /data/raw. Authorization shall be handled completely by Ranger, therefore the HDFS permissions on that folder are restrictive (700).

The error

1714-dfs-command-line-error.png

Policy config

1715-hdfs-policy-rawlayer.png

Audit log

1716-hdfs-audit-w999711-access-denied.png

Why isn't the defined policy applied while accessing /data/raw?! It also confuses me that in the Audit log there is the enforcer "hadoop-acl", whereas I'd expected "xa-secure-acl" for accessing /data/raw.

Any hints highly appreciated... thanks, Gerd

PS: HDP2.2.4.2, Ambari 2.1.2.1

8 REPLIES

avatar

Check if the policies have been synced:

  • In Ranger, go to Audit -> Plugins (the last policy updates are listed in this table)
  • On the namenode, check the directory /etc/ranger/<hdfs repository name>; there should be a JSON file with all the policies inside

Add a second resource path called /data/raw/* and see if it works.

avatar
Guru

Hi @Jonas Straub, thanks for that hint with checking the "Agents" tab. Indeed the timestamp there is pretty old, all entries are from Jan 27th.

Where can I investigate why the updated policies are not getting updated/synced to the plugins themselves?

avatar

Check the Ranger and Namenode logs. Try to restart Ranger, change a policy, and check if there are any errors showing up.

Sometimes the HDFS plugin has not been properly initialized, and it helped to disable the HDFS plugin, restart services and enable the plugin again. Although if you have something in the Audit -> Plugins log, then your policy sync did work before. Did you add or change anything in your cluster recently? SSL?

avatar
Guru

@Jonas Straub yep, SSL has been enabled/added, good starting point for analyzing the issue.

avatar
Guru

Hi @Jonas Straub,

enabling SSL seems to cause the trouble, since in the Ranger xa_portal.log I see lots of the following errors:

2016-02-02 00:49:43,512 [http-bio-6182-exec-2] INFO  com.xasecure.common.RESTErrorUtil (RESTErrorUtil.java:282) - Operation error. response=VXResponse={com.xasecure.view.VXResponse@34ca3410statusCode={1} msgDesc={Unauthorized access - unable to get client certificate} messageList={[VXMessage={com.xasecure.view.VXMessage@47202183name={OPER_NOT_ALLOWED_FOR_ENTITY} rbKey={xa.error.oper_not_allowed_for_state} message={Operation not allowed for entity} objectId={null} fieldName={null} }]} }
javax.ws.rs.WebApplicationException

...

2016-02-02 00:49:46,856 [http-bio-6182-exec-4] INFO  com.xasecure.common.RESTErrorUtil (RESTErrorUtil.java:66) - Request failed. SessionId=null, loginId=null, logMessage=Unauthorized access - unable to get client certificate
javax.ws.rs.WebApplicationException

I am a bit lost on how to dive into that issue. The steps I took to enable SSL for the Ranger plugins are:

  1. ranger admin node: created a keystore, exported its key into file 'ranger-admin-trust.cer' and copied it to namenodes
  2. on both namenodes, created a keystore (and remembered the input for the first question) in file 'ranger-plugin-keystore.jks'
  3. imported ranger-admin key from ranger-admin-trust.cer into file 'ranger-plugin-truststore.jks'
  4. exported plugin key from ranger-plugin-keystore.jks into truststore 'ranger-hdfsagent-trust.cer'
  5. copied ranger-hdfsagent-trust.cer to RangerAdmin server
  6. imported ranger-hdfsagent-trust.cer into general keystore 'cacerts' on RangerAdmin server

so that at the end the file 'cacerts' should contain the keys from all the HDFS-/Hive-/HBase plugins I configured.

This is the config. of Ranger-HDFS-Plugin in Ambari:

1725-ambari-hdfs-ranger-plugin-config.png

Especially regarding step 6: does the file 'cacerts' on the RangerAdmin server (containing all the certs) need to be configured somewhere? I cannot find that in the Ambari config section?!
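
As an added example (not part of the original thread and not Ranger's own code), the following Python script parses RESTErrorUtil lines in the format quoted above from xa_portal.log and counts the requests rejected with "unable to get client certificate", which gives a time window to compare against the last policy update shown under Audit -> Plugins. The sample log text and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample, shaped like the xa_portal.log lines quoted in the thread.
SAMPLE_LOG = """\
2016-02-02 00:49:43,512 [http-bio-6182-exec-2] INFO  com.xasecure.common.RESTErrorUtil (RESTErrorUtil.java:282) - Operation error. response=VXResponse={statusCode={1} msgDesc={Unauthorized access - unable to get client certificate} messageList={[]} }
javax.ws.rs.WebApplicationException
2016-02-02 00:49:46,856 [http-bio-6182-exec-4] INFO  com.xasecure.common.RESTErrorUtil (RESTErrorUtil.java:66) - Request failed. SessionId=null, loginId=null, logMessage=Unauthorized access - unable to get client certificate
javax.ws.rs.WebApplicationException
2016-02-02 00:50:01,100 [http-bio-6182-exec-1] INFO  com.xasecure.common.RESTErrorUtil (RESTErrorUtil.java:66) - Request failed. SessionId=null, loginId=null, logMessage=constructed unrelated failure
"""

# timestamp [thread] LEVEL logger (File.java:line) - message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\]\s+(?P<level>\w+)\s+(?P<logger>\S+) "
    r"\((?P<src>[^)]+)\) - (?P<msg>.*)$"
)
# The reason appears either as msgDesc={...} or as a trailing logMessage=...
REASON_RE = re.compile(r"msgDesc=\{(?P<a>[^}]*)\}|logMessage=(?P<b>.*)$")
CERT_FAILURE = "unable to get client certificate"

def parse(log_text):
    """Return one dict per RESTErrorUtil line; stack-trace lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["logger"].endswith("RESTErrorUtil"):
            continue
        r = REASON_RE.search(m["msg"])
        reason = (r["a"] or r["b"] or "").strip() if r else ""
        events.append({"ts": m["ts"], "thread": m["thread"],
                       "src": m["src"], "reason": reason})
    return events

def summarize(events):
    """Count client-certificate rejections and report when they occurred."""
    cert = [e for e in events if CERT_FAILURE in e["reason"].lower()]
    return {
        "total_rest_errors": len(events),
        "client_cert_failures": len(cert),
        "first": cert[0]["ts"] if cert else None,
        "last": cert[-1]["ts"] if cert else None,
        "by_reason": Counter(e["reason"] for e in events),
    }

if __name__ == "__main__":
    print(summarize(parse(SAMPLE_LOG)))
```
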

avatar

Hi @Gerd Koenig, did you fix this issue? I'm having "unable to get client certificate".

avatar
Guru

Hello @Hajime,

yes, at the end the problem got solved and I published the steps here:

https://community.hortonworks.com/content/kbentry/16373/ranger-ssl-pitfalls.html

HTH, Gerd

avatar

Thank you!