Storm Plugin Authorization with Ranger

Rising Star

Hi All,

We have successfully installed the Storm plugin for Ranger, and we are also able to create policies within Ranger. The problem is that authorization of Storm via Ranger is not working, which means that policies created in Ranger for Storm do not seem to work. For example, if we stop a user from submitting a topology, he is still able to submit it.

Hadoop Version: 2.3.2

Ranger Version: 0.5.0.2.3

Storm Version: 0.10.0

Any ideas or help in this regard will be appreciated.

Thanks in advance.

Regards,

Hammad

1 ACCEPTED SOLUTION


@Hammad Ali I tried this recently on a Kerberized cluster and ran a test topology as below:

storm jar /usr/hdp/current/storm-client/contrib/storm-starter/storm-starter-topologies-*.jar storm.starter.WordCountTopology WordCountTopology -c localhost

I got the below authorization error:

Caused by: AuthorizationException(msg:getClusterInfo is not authorized) 

Then, after creating a valid Ranger policy for Storm, it worked fine.

You can find my steps and screenshots here:

https://github.com/abajwa-hw/security-workshops/blob/master/Setup-ranger-23.md#setup-storm-plugin-fo...

Could you check the above steps and double check in your env:

  1. that Kerberos is enabled
  2. the Storm plugin for Ranger was successfully installed (from Ranger UI) and check the steps above?

If it still does not work, you may need to check what the nimbus.authorizer is set to using the command below (if it's set to "SimpleACLAuthorizer" there may be something wrong with the setup):

cat /etc/storm/conf/storm.yaml | grep nimbus.authorizer
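
The check described in the answer above, written out as a script. This is an added example, not part of the original post; the Ranger authorizer class name and the sample storm.yaml content are assumptions (the thread itself names only "SimpleACLAuthorizer").

```shell
#!/bin/sh
# Added example, not from the original thread. The Ranger class name is an
# assumption (Ranger 0.5-era packaging); the page itself names only
# "SimpleACLAuthorizer". The sample YAML below is constructed.
RANGER_AUTHORIZER='org.apache.ranger.authorization.storm.authorizer.RangerStormAuthorizer'

# Print the nimbus.authorizer value from a storm.yaml (empty if unset).
get_nimbus_authorizer() {
  # Ignore commented-out lines, take the last matching line, then strip any
  # trailing comment, surrounding quotes and trailing whitespace.
  sed -n -E 's/^[[:space:]]*nimbus\.authorizer[[:space:]]*:[[:space:]]*//p' "$1" \
    | tail -n 1 \
    | sed -E "s/[[:space:]]+#.*\$//; s/^[\"']//; s/[\"'][[:space:]]*\$//; s/[[:space:]]+\$//"
}

# Exit status: 0 Ranger authorizer, 1 SimpleACLAuthorizer, 2 unset, 3 other.
check_storm_authorizer() {
  authorizer=$(get_nimbus_authorizer "$1")
  case "$authorizer" in
    "$RANGER_AUTHORIZER") echo "OK: Nimbus uses the Ranger authorizer"; return 0 ;;
    *SimpleACLAuthorizer) echo "WARN: SimpleACLAuthorizer set: $authorizer"; return 1 ;;
    "") echo "WARN: nimbus.authorizer is not set"; return 2 ;;
    *) echo "WARN: unexpected authorizer: $authorizer"; return 3 ;;
  esac
}

# Constructed sample: Ranger line commented out, SimpleACLAuthorizer active.
sample_storm_yaml() {
  cat <<'EOF'
ui.port: 8744
# nimbus.authorizer: "org.apache.ranger.authorization.storm.authorizer.RangerStormAuthorizer"
nimbus.authorizer : 'backtype.storm.security.auth.authorizer.SimpleACLAuthorizer'  # default
EOF
}

# With a path argument check that file; otherwise run on the constructed sample.
if [ -n "${1:-}" ]; then
  check_storm_authorizer "$1"
else
  sample_storm_yaml | check_storm_authorizer /dev/stdin || true
fi
```

Run it on the Nimbus host with /etc/storm/conf/storm.yaml as the argument; a commented-out Ranger line, as in the sample, is reported as SimpleACLAuthorizer rather than as Ranger.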


8 REPLIES

Contributor

@Hammad Ali: Is this a secured cluster? Storm authorization will work with a secured cluster only.

Rising Star

@sneethiraj

Yes, it's a secured cluster with Kerberos enabled.

Rising Star

I checked this on my sandbox cluster and it worked. Now we are setting up a new cluster with HDP 2.3.4, so I guess it should work there too. Thanks for the help.

Master Mentor

@Hammad Ali has this been resolved? Please accept best answer or provide your own solution.

Explorer


Hello @Hammad Ali, I am so sorry to bother you. Now I want to install the Storm plugin for Ranger. But when I click the Test Connection button, it shows an error about Kerberos: kerberos.example.com: Name or service not known. So can you tell me how you installed it?

Rising Star

@hu bai If you installed the Ranger plugin from Ambari, you need to make sure that you configure the following two properties correctly in the section "Advanced ranger-storm-plugin-properties":

REPOSITORY_CONFIG_PASSWORD: <password for ranger repository user; you can create it yourself, it's a good practice>

Ranger repository config user: <ranger repository user name>

policy User for STORM: <storm>

Then you do not need to configure anything from the Ranger GUI itself. More importantly, run the Storm topology and check whether Ranger is really doing its work or not; you can check it from the audit logs.

Explorer

@Hammad Ali, the problem has been solved. And I have not installed the Ranger plugin from Ambari. Thanks for your answer. Thank you.