- Subscribe to RSS Feed
- Mark Question as New
- Mark Question as Read
- Float this Question for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Storm Plugin Authorization with Ranger
- Labels:
-
Apache Ranger
-
Apache Storm
Created ‎01-22-2016 01:55 PM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
We have successfully installed Storm Plugin for ranger, and we are also able to create policies within ranger, the problem is authorization of storm via Ranger is not working, which means that policies created in Ranger for storm does not seem to work. For example if we stop a user to submit a topology, he is still able to submit it.
Hadoop Version: 2.3.2
Ranger Version: 0.5.0.2.3
Storm Version: 0.10.0
Any ideas or help in this regard will be appreciated.
Thanks in advance.
Regards,
Hammad
Created ‎01-22-2016 07:31 PM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Hammad Ali I tried this recently on kerborized cluster and ran a test topology as below:
storm jar /usr/hdp/current/storm-client/contrib/storm-starter/storm-starter-topologies-*.jar storm.starter.WordCountTopology WordCountTopology -c localhost
I got the below authorization error:
Caused by: AuthorizationException(msg:getClusterInfo is not authorized)
Then after creating valid Ranger policy for Storm it worked fine
You can find my steps and screenshots here:
Could you check the above steps and double check in your env:
- that kerberos is enabled
- the Storm plugin for Ranger was successfully installed (from Ranger UI) and check the steps above?
If it still does not work, you may need to check what the nimbus.authorizer is set to using the command below (if its set to "SimpleACLAuthorizer" there may be something wrong with the setup)
cat /etc/storm/conf/storm.yaml | grep nimbus.authorizer
Created ‎01-22-2016 03:40 PM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Hammad Ali : Is this a secured cluster ? Storm authorization will work with secured cluster only.
Created ‎01-22-2016 03:43 PM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes its a secured cluster with Kerberos enabled.
Created ‎01-22-2016 07:31 PM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Hammad Ali I tried this recently on kerborized cluster and ran a test topology as below:
storm jar /usr/hdp/current/storm-client/contrib/storm-starter/storm-starter-topologies-*.jar storm.starter.WordCountTopology WordCountTopology -c localhost
I got the below authorization error:
Caused by: AuthorizationException(msg:getClusterInfo is not authorized)
Then after creating valid Ranger policy for Storm it worked fine
You can find my steps and screenshots here:
Could you check the above steps and double check in your env:
- that kerberos is enabled
- the Storm plugin for Ranger was successfully installed (from Ranger UI) and check the steps above?
If it still does not work, you may need to check what the nimbus.authorizer is set to using the command below (if its set to "SimpleACLAuthorizer" there may be something wrong with the setup)
cat /etc/storm/conf/storm.yaml | grep nimbus.authorizer
Created ‎02-06-2016 08:58 AM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I checked this on my sandbox cluster and it worked, now we are setting up a new cluster with HDP 2.3.4 so i guess it should be work there too, thanks for help.
Created ‎02-02-2016 06:08 PM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Hammad Ali has this been resolved? Please accept best answer or provide your own solution.
Created on ‎11-04-2016 03:49 AM - edited ‎08-19-2019 04:41 AM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @Hammad Ali,I am so sorry to bother you. Now i want to install storm plugin for ranger.But When I click the Test connection button,it shows an error about Kerberos:kerberos.example.com: Name or service not known. So can you tell me how you installed it ?
Created ‎11-04-2016 10:05 AM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@hu bai If you installed the ranger plugin from ambari you need to make sure that you configure the following two properties correctly in the section: "Advanced ranger-storm-plugin-properties"
REPOSITORY_CONFIG_PASSWORD: <password for ranger repository user, you can create it yourself its a good practice>
Ranger repository config user <ranger repository user name >
policy User for STORM <storm> Then you do not need to configure anything from Ranger GUI itself, more importantly run the storm topology and check whether ranger is really doing its work or not, you can check it from the audit logs.
Created ‎11-15-2016 03:00 AM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Hammad Ali, The problem has been solved .And I have not install ranger plugin from ambari. Thank for you answer.Thank you.
