Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

ranger doesn't show resource based policies

Solved Go to solution
Highlighted

ranger doesn't show resource based policies

Expert Contributor

Hello,

today ranger suddenly doesn't show any resource based policies under "User", but under "Admin" everything work fine.

i sought in log file any errors and found next line:

2018-10-16 11:42:35,234 [http-bio-6080-exec-36] WARN  apache.ranger.security.web.filter.RangerKrbFilter (RangerKrbFilter.java:439) - AuthenticationToken ignored: org.apache.hadoop.security.authentication.util.SignerException: Invalid signature  

in catalina.out more in detail:

org.apache.hadoop.security.authentication.client.AuthenticationException: org.apache.hadoop.security.authentication.util.SignerException: Invalid signature  ││  at org.apache.ranger.security.web.filter.RangerKrbFilter.getToken(RangerKrbFilter.java:391)  ││  at org.apache.ranger.security.web.filter.RangerKrbFilter.doFilter(RangerKrbFilter.java:435)  ││  at org.apache.ranger.security.web.filter.RangerKRBAuthenticationFilter.doFilter(RangerKRBAuthenticationFilter.java:285)  ││  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)  ││  at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)  ││  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)  ││  at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)  ││  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)  ││  at org.apache.ranger.security.web.filter.RangerSSOAuthenticationFilter.doFilter(RangerSSOAuthenticationFilter.java:227)  ││  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)  ││  at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)  ││  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)  ││  at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)  ││  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)  ││  at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)  ││  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)  ││  at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)  ││  at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:106)  ││  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)  ││  at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)  ││  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)  ││  at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)  ││  at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)  ││  at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)  ││  at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)  ││  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)  ││  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)  ││  at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)  ││  at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)  ││  at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)  ││  at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)  ││  at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)  ││  at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)  ││  at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)  ││  at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)  ││  at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1115)  ││  at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)  ││  at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)  ││  at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)  ││  at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)  ││  at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)  ││  at java.lang.Thread.run(Thread.java:748)  ││Caused by: org.apache.hadoop.security.authentication.util.SignerException: Invalid signature  ││  at org.apache.hadoop.security.authentication.util.Signer.checkSignatures(Signer.java:114)  ││  at org.apache.hadoop.security.authentication.util.Signer.verifyAndExtract(Signer.java:75)  ││  at org.apache.ranger.security.web.filter.RangerKrbFilter.getToken(RangerKrbFilter.java:389)  

What's wrong? please help me...

Which is remarkable - resource based policies is show only for hive and doesn't show for hdfs, hbase, nifi, etc.

Cluster is kerberized, HDP 2.6.4

91717-capture.png

91718-capture1.png

1 ACCEPTED SOLUTION

Accepted Solutions

Re: ranger doesn't show resource based policies

Looks like user does not have the right access in ranger.

2 REPLIES 2

Re: ranger doesn't show resource based policies

Looks like user does not have the right access in ranger.

Re: ranger doesn't show resource based policies

Expert Contributor

You are right. I just not carefully was reading documentation, not admin user can't view policy.

Don't have an account?
Coming from Hortonworks? Activate your account here