Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Storm Plugin Authorization with Ranger

Solved Go to solution

Storm Plugin Authorization with Ranger

Contributor

Hi All,

We have successfully installed Storm Plugin for ranger, and we are also able to create policies within ranger, the problem is authorization of storm via Ranger is not working, which means that policies created in Ranger for storm does not seem to work. For example if we stop a user to submit a topology, he is still able to submit it.

Hadoop Version: 2.3.2

Ranger Version: 0.5.0.2.3

Storm Version: 0.10.0

Any ideas or help in this regard will be appreciated.

Thanks in advance.

Regards,

Hammad

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Storm Plugin Authorization with Ranger

@Hammad Ali I tried this recently on kerborized cluster and ran a test topology as below:

storm jar /usr/hdp/current/storm-client/contrib/storm-starter/storm-starter-topologies-*.jar storm.starter.WordCountTopology WordCountTopology -c localhost

I got the below authorization error:

Caused by: AuthorizationException(msg:getClusterInfo is not authorized) 

Then after creating valid Ranger policy for Storm it worked fine

You can find my steps and screenshots here:

https://github.com/abajwa-hw/security-workshops/blob/master/Setup-ranger-23.md#setup-storm-plugin-fo...

Could you check the above steps and double check in your env:

  1. that kerberos is enabled
  2. the Storm plugin for Ranger was successfully installed (from Ranger UI) and check the steps above?

If it still does not work, you may need to check what the nimbus.authorizer is set to using the command below (if its set to "SimpleACLAuthorizer" there may be something wrong with the setup)

cat /etc/storm/conf/storm.yaml | grep nimbus.authorizer
8 REPLIES 8

Re: Storm Plugin Authorization with Ranger

New Contributor

@Hammad Ali : Is this a secured cluster ? Storm authorization will work with secured cluster only.

Re: Storm Plugin Authorization with Ranger

Contributor

@sneethiraj

Yes its a secured cluster with Kerberos enabled.

Re: Storm Plugin Authorization with Ranger

@Hammad Ali I tried this recently on kerborized cluster and ran a test topology as below:

storm jar /usr/hdp/current/storm-client/contrib/storm-starter/storm-starter-topologies-*.jar storm.starter.WordCountTopology WordCountTopology -c localhost

I got the below authorization error:

Caused by: AuthorizationException(msg:getClusterInfo is not authorized) 

Then after creating valid Ranger policy for Storm it worked fine

You can find my steps and screenshots here:

https://github.com/abajwa-hw/security-workshops/blob/master/Setup-ranger-23.md#setup-storm-plugin-fo...

Could you check the above steps and double check in your env:

  1. that kerberos is enabled
  2. the Storm plugin for Ranger was successfully installed (from Ranger UI) and check the steps above?

If it still does not work, you may need to check what the nimbus.authorizer is set to using the command below (if its set to "SimpleACLAuthorizer" there may be something wrong with the setup)

cat /etc/storm/conf/storm.yaml | grep nimbus.authorizer

Re: Storm Plugin Authorization with Ranger

Contributor

I checked this on my sandbox cluster and it worked, now we are setting up a new cluster with HDP 2.3.4 so i guess it should be work there too, thanks for help.

Re: Storm Plugin Authorization with Ranger

Mentor

@Hammad Ali has this been resolved? Please accept best answer or provide your own solution.

Re: Storm Plugin Authorization with Ranger

New Contributor

9113-ranger-storm.png

Hello @Hammad Ali,I am so sorry to bother you. Now i want to install storm plugin for ranger.But When I click the Test connection button,it shows an error about Kerberos:kerberos.example.com: Name or service not known. So can you tell me how you installed it ?

Re: Storm Plugin Authorization with Ranger

Contributor

@hu bai If you installed the ranger plugin from ambari you need to make sure that you configure the following two properties correctly in the section: "Advanced ranger-storm-plugin-properties"

REPOSITORY_CONFIG_PASSWORD: <password for ranger repository user, you can create it yourself its a good practice>

Ranger repository config user <ranger repository user name >

policy User for STORM <storm> Then you do not need to configure anything from Ranger GUI itself, more importantly run the storm topology and check whether ranger is really doing its work or not, you can check it from the audit logs.

Re: Storm Plugin Authorization with Ranger

New Contributor

@Hammad Ali, The problem has been solved .And I have not install ranger plugin from ambari. Thank for you answer.Thank you.