Created on 10-16-2018 12:11 PM - edited 08-17-2019 07:29 PM
Hello,
Today Ranger suddenly doesn't show any resource-based policies under "User", but under "Admin" everything works fine.
I searched the log file for errors and found the following line:
2018-10-16 11:42:35,234 [http-bio-6080-exec-36] WARN apache.ranger.security.web.filter.RangerKrbFilter (RangerKrbFilter.java:439) - AuthenticationToken ignored: org.apache.hadoop.security.authentication.util.SignerException: Invalid signature
In catalina.out, in more detail:
org.apache.hadoop.security.authentication.client.AuthenticationException: org.apache.hadoop.security.authentication.util.SignerException: Invalid signature
    at org.apache.ranger.security.web.filter.RangerKrbFilter.getToken(RangerKrbFilter.java:391)
    at org.apache.ranger.security.web.filter.RangerKrbFilter.doFilter(RangerKrbFilter.java:435)
    at org.apache.ranger.security.web.filter.RangerKRBAuthenticationFilter.doFilter(RangerKRBAuthenticationFilter.java:285)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.apache.ranger.security.web.filter.RangerSSOAuthenticationFilter.doFilter(RangerSSOAuthenticationFilter.java:227)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:106)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1115)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
Caused by: org.apache.hadoop.security.authentication.util.SignerException: Invalid signature
    at org.apache.hadoop.security.authentication.util.Signer.checkSignatures(Signer.java:114)
    at org.apache.hadoop.security.authentication.util.Signer.verifyAndExtract(Signer.java:75)
    at org.apache.ranger.security.web.filter.RangerKrbFilter.getToken(RangerKrbFilter.java:389)
What's wrong? Please help me...
What is remarkable: resource-based policies are shown only for Hive and are not shown for HDFS, HBase, NiFi, etc.
Cluster is kerberized, HDP 2.6.4
Created 11-15-2018 10:21 PM
Looks like the user does not have the right access in Ranger.
Created 01-15-2019 01:21 PM
You are right. I just was not reading the documentation carefully; a non-admin user can't view policies.