Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Storm Plugin Authorization with Ranger

Labels:
avatar
author-rank hammad_ali
Rising Star

Created ‎01-22-2016 01:55 PM

Hi All,

We have successfully installed Storm Plugin for ranger, and we are also able to create policies within ranger, the problem is authorization of storm via Ranger is not working, which means that policies created in Ranger for storm does not seem to work. For example if we stop a user to submit a topology, he is still able to submit it.

Hadoop Version: 2.3.2

Ranger Version: 0.5.0.2.3

Storm Version: 0.10.0

Any ideas or help in this regard will be appreciated.

Thanks in advance.

Regards,

Hammad

5,031 Views
1 ACCEPTED SOLUTION

avatar
author-rank abajwa author-rank
Guru

Created ‎01-22-2016 07:31 PM

@Hammad Ali I tried this recently on kerborized cluster and ran a test topology as below:

storm jar /usr/hdp/current/storm-client/contrib/storm-starter/storm-starter-topologies-*.jar storm.starter.WordCountTopology WordCountTopology -c localhost

I got the below authorization error:

Caused by: AuthorizationException(msg:getClusterInfo is not authorized)

Then after creating valid Ranger policy for Storm it worked fine

You can find my steps and screenshots here:

https://github.com/abajwa-hw/security-workshops/blob/master/Setup-ranger-23.md#setup-storm-plugin-fo...

Could you check the above steps and double check in your env:

  1. that kerberos is enabled
  2. the Storm plugin for Ranger was successfully installed (from Ranger UI) and check the steps above?

If it still does not work, you may need to check what the nimbus.authorizer is set to using the command below (if its set to "SimpleACLAuthorizer" there may be something wrong with the setup)

cat /etc/storm/conf/storm.yaml | grep nimbus.authorizer

View solution in original post

3,691 Views
8 REPLIES 8

avatar
author-rank sneethiraj
Contributor

Created ‎01-22-2016 03:40 PM

@Hammad Ali : Is this a secured cluster ? Storm authorization will work with secured cluster only.

3,691 Views
0 Kudos

avatar
author-rank hammad_ali
Rising Star

Created ‎01-22-2016 03:43 PM

@sneethiraj

Yes its a secured cluster with Kerberos enabled.

3,691 Views
0 Kudos

avatar
author-rank abajwa author-rank
Guru

Created ‎01-22-2016 07:31 PM

@Hammad Ali I tried this recently on kerborized cluster and ran a test topology as below:

storm jar /usr/hdp/current/storm-client/contrib/storm-starter/storm-starter-topologies-*.jar storm.starter.WordCountTopology WordCountTopology -c localhost

I got the below authorization error:

Caused by: AuthorizationException(msg:getClusterInfo is not authorized)

Then after creating valid Ranger policy for Storm it worked fine

You can find my steps and screenshots here:

https://github.com/abajwa-hw/security-workshops/blob/master/Setup-ranger-23.md#setup-storm-plugin-fo...

Could you check the above steps and double check in your env:

  1. that kerberos is enabled
  2. the Storm plugin for Ranger was successfully installed (from Ranger UI) and check the steps above?

If it still does not work, you may need to check what the nimbus.authorizer is set to using the command below (if its set to "SimpleACLAuthorizer" there may be something wrong with the setup)

cat /etc/storm/conf/storm.yaml | grep nimbus.authorizer
3,692 Views

avatar
author-rank hammad_ali
Rising Star

Created ‎02-06-2016 08:58 AM

I checked this on my sandbox cluster and it worked, now we are setting up a new cluster with HDP 2.3.4 so i guess it should be work there too, thanks for help.

3,691 Views

avatar
author-rank aervits
Master Mentor

Created ‎02-02-2016 06:08 PM

@Hammad Ali has this been resolved? Please accept best answer or provide your own solution.

3,691 Views
0 Kudos

avatar
author-rank 409556965
Explorer

Created on ‎11-04-2016 03:49 AM - edited ‎08-19-2019 04:41 AM

9113-ranger-storm.png

Hello @Hammad Ali,I am so sorry to bother you. Now i want to install storm plugin for ranger.But When I click the Test connection button,it shows an error about Kerberos:kerberos.example.com: Name or service not known. So can you tell me how you installed it ?

3,691 Views
0 Kudos

avatar
author-rank hammad_ali
Rising Star

Created ‎11-04-2016 10:05 AM

@hu bai If you installed the ranger plugin from ambari you need to make sure that you configure the following two properties correctly in the section: "Advanced ranger-storm-plugin-properties"

REPOSITORY_CONFIG_PASSWORD: <password for ranger repository user, you can create it yourself its a good practice>

Ranger repository config user <ranger repository user name >

policy User for STORM <storm> Then you do not need to configure anything from Ranger GUI itself, more importantly run the storm topology and check whether ranger is really doing its work or not, you can check it from the audit logs.

3,691 Views
0 Kudos

avatar
author-rank 409556965
Explorer

Created ‎11-15-2016 03:00 AM

@Hammad Ali, The problem has been solved .And I have not install ranger plugin from ambari. Thank for you answer.Thank you.

3,691 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements