Support Questions

Find answers, ask questions, and share your expertise

ranger doesn't show resource based policies

avatar
Rising Star

Hello,

today ranger suddenly doesn't show any resource based policies under "User", but under "Admin" everything work fine.

i sought in log file any errors and found next line:

2018-10-16 11:42:35,234 [http-bio-6080-exec-36] WARN  apache.ranger.security.web.filter.RangerKrbFilter (RangerKrbFilter.java:439) - AuthenticationToken ignored: org.apache.hadoop.security.authentication.util.SignerException: Invalid signature  

in catalina.out more in detail:

org.apache.hadoop.security.authentication.client.AuthenticationException: org.apache.hadoop.security.authentication.util.SignerException: Invalid signature  ││  at org.apache.ranger.security.web.filter.RangerKrbFilter.getToken(RangerKrbFilter.java:391)  ││  at org.apache.ranger.security.web.filter.RangerKrbFilter.doFilter(RangerKrbFilter.java:435)  ││  at org.apache.ranger.security.web.filter.RangerKRBAuthenticationFilter.doFilter(RangerKRBAuthenticationFilter.java:285)  ││  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)  ││  at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)  ││  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)  ││  at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)  ││  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)  ││  at org.apache.ranger.security.web.filter.RangerSSOAuthenticationFilter.doFilter(RangerSSOAuthenticationFilter.java:227)  ││  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)  ││  at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)  ││  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)  ││  at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)  ││  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)  ││  at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)  ││  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)  ││  at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)  ││  at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:106)  ││  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)  ││  at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)  ││  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)  ││  at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)  ││  at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)  ││  at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)  ││  at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)  ││  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)  ││  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)  ││  at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)  ││  at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)  ││  at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)  ││  at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)  ││  at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)  ││  at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)  ││  at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)  ││  at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)  ││  at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1115)  ││  at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)  ││  at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)  ││  at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)  ││  at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)  ││  at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)  ││  at java.lang.Thread.run(Thread.java:748)  ││Caused by: org.apache.hadoop.security.authentication.util.SignerException: Invalid signature  ││  at org.apache.hadoop.security.authentication.util.Signer.checkSignatures(Signer.java:114)  ││  at org.apache.hadoop.security.authentication.util.Signer.verifyAndExtract(Signer.java:75)  ││  at org.apache.ranger.security.web.filter.RangerKrbFilter.getToken(RangerKrbFilter.java:389)  

What's wrong? please help me...

Which is remarkable - resource based policies is show only for hive and doesn't show for hdfs, hbase, nifi, etc.

Cluster is kerberized, HDP 2.6.4

91717-capture.png

91718-capture1.png

1 ACCEPTED SOLUTION

avatar

Looks like user does not have the right access in ranger.

View solution in original post

2 REPLIES 2

avatar

Looks like user does not have the right access in ranger.

avatar
Rising Star

You are right. I just not carefully was reading documentation, not admin user can't view policy.