Re: ranger doesn't show resource based policies

vperiasamy · ‎11-06-2017

Knox plugin downloads policies upon first Knox request, not during the startup of Knox gateway. Send a Knox request to see if plugin downloads the policies. Information about this should be available in Knox gateway log, so you can check there.

vperiasamy · ‎11-01-2017

What version of Ranger/HDP are you using? See https://issues.apache.org/jira/browse/RANGER-1632 - this fix is available in HDP 2.6.3 In your case, see if you can change the username attribute to sync the names as per your requirement.

vperiasamy · ‎11-01-2017

Glad you resolved the issue. Please note that hostnames should be used for kerberos, ip address will not work.

vperiasamy · ‎10-31-2017

I am glad it is working for you now. Please accept the answer if your issue is resolved.

vperiasamy · ‎10-31-2017

AES NI is a performance accelerator, so it is not required to use HDFS TDE (transparent data encryption).

vperiasamy · ‎10-30-2017

You can refer this tutorial series https://hortonworks.com/hadoop-tutorial/securing-data-lake-auditing-user-access-using-hdp-security/

vperiasamy · ‎10-27-2017

Looks like Nifi is sending the user name as "cn=rverma,ou=People,dc=ex,dc=com", but in ranger access is given to user "rverma". Check if you can sync users in ranger with the full name Nifi is using. You can refer the below articles. https://community.hortonworks.com/articles/58769/hdf-20-enable-ranger-authorization-for-hdf-compone.html https://community.hortonworks.com/articles/57980/hdf-20-apache-nifi-integration-with-apache-ambarir.html https://issues.apache.org/jira/browse/RANGER-1224

vperiasamy · ‎10-27-2017

I see "stderr: Python script has been killed due to timeout after waiting 300 secs" in all the logs attached. So you need to check your kerberos config and investigate why Ambari is taking so much time to complete the kerberization step.

vperiasamy · ‎10-27-2017

Can you please clarify what you are trying to do? Only if you use unix authentication, credValidator needs to be used.

vperiasamy · ‎10-25-2017

If you see groups/users from AD in ranger then that confirms LDAP/AD sync is working. In that case, can you clarify the real issue you are running into?

vperiasamy · ‎10-25-2017

Can you clarify your issue? I don't see any ranger related logs in the attachment.

vperiasamy · ‎10-25-2017

Check the authentication method set on ranger admin. This needs to be LDAP/AD and right properties need to be configured. See https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.2/bk_security/content/configure_ranger_authentication.html

vperiasamy · ‎10-25-2017

are you setting up the unix authentication?

vperiasamy · ‎10-24-2017

User holger_gov does not have privileges to create policy. User has to have ADMIN role in ranger or needs to be delegated admin for the specified resource. Can you check this? See https://community.hortonworks.com/content/kbentry/88202/apache-ranger-delegated-admin.html for delegated admin feature. Also, ranger version in HDP 2.6.1 should be ranger 0.7.

vperiasamy · ‎10-20-2017

You can create the database yourself or let ranger install scripts to create it for you - in that case you need to provide right privileges to the admin user as mentioned in the docs. Name does not have to "ranger", you can configure it as per your env.

vperiasamy · ‎10-13-2017

You need to fix this issue first. See why hive plugin is not able to download policies from Ranger. Do you see any errors in ranger admin logs? WARN [Thread-14]: client.RangerAdminRESTClient (RangerAdminRESTClient.java:getServicePoliciesIfUpdated(154)) - Error getting policies. secureMode=false, user=hive (auth:SIMPLE), response={"httpStatusCode":400,"statusCode":0}, serviceName=dev_hive

vperiasamy · ‎10-13-2017

Can you please post the resolution here?

vperiasamy · ‎10-13-2017

Can you make sure hive configs are updated correctly with ranger authz enabled?

vperiasamy · ‎10-13-2017

ranger-admin-site.xml will not have the password in plain text, so '_' you see is correct. Make sure your keystore has only one right entry and ranger SSL configs are correct.

vperiasamy · ‎10-10-2017

Can you clear the browser cache and try? This might be a browser issue.

vperiasamy · ‎10-03-2017

Were you able to resolve this? Any error is knox gateway logs?

vperiasamy · ‎10-02-2017

DB audit support will not be available from HDP 2.5. So your best bet is to migrate to Solr based audit.

vperiasamy · ‎10-02-2017

As @Ramesh Mani mentioned above, the best option is to move to use audit on Solr. DB Audit support is not available from HDP 2.5. For this particular case, check if you have any error in xa_portal.log

vperiasamy · ‎10-02-2017

2017-09-29 11:31:21,835 ERROR hadoop.gateway (KnoxLdapRealm.java:doGetAuthenticationInfo(205)) - Shiro unable to login: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data 52e, v2580] The above error means there is something wrong in the LDAP config for the knox sso topology. @lmccay might be able to provide more insight here.

vperiasamy · ‎10-02-2017

You can just fill in the password directly.

vperiasamy · ‎09-22-2017

Usually the delete calls for users do a soft delete, i.e. they change the status of the user to be not visible. Try passing forceDelete=true to the URL to achieve hard delete.

vperiasamy · ‎09-18-2017

Hi - you need to provide authentication to ranger for the API call.

vperiasamy · ‎09-12-2017

If it is a kerberos env, you need to make sure loadbalancer hostname is added to spnego keytab as documented in this link - see step 32 onwards.

vperiasamy · ‎09-11-2017

ok, can you elaborate on what the error is? Do you see any error in resource manager logs?

vperiasamy · ‎09-11-2017

Can you post the details on the policies? Do you see any error in hive server log?

Online	Offline
Last Visited	‎05-03-2022 12:07 PM

Date Registered	‎09-10-2015 10:36 PM
Last Visited	‎05-03-2022 12:07 PM
Total Messages Posted	261
Total Kudos Received	84

Re: ranger doesn't show resource based policies

Re: Ranger and Ranger-Kms relation

Re: "Java patch PatchPasswordEncryption_J10001 is ...

Re: Unable to log storm audit events to hdfs (sand...

Re: ranger user sync from text file

Re: Knox policy synchronization

Re: Ranger Active directory Integration showing us...

Re: Fail to refer to policies on Ranger Admin HA a...

Re: Is the AES NI CPU necessary for encryption HDF...

Re: Is the AES NI CPU necessary for encryption HDF...

Re: How to test Ranger authorization?

Re: How to give permissions to users to access Nif...

Re: Fail to refer to policies on Ranger Admin HA a...

Re: Ranger 0.7.2 PasswordValidator FAILED

Re: Ranger 0.7.2 PasswordValidator FAILED

Re: Fail to refer to policies on Ranger Admin HA a...

Re: Ranger 0.7.2 PasswordValidator FAILED

Re: Ranger 0.7.2 PasswordValidator FAILED

Re: Ranger fails with error "Error creating policy...

Re: Is it necessary to create a database ranger?

Re: Hive LDAP Connection is too slow. Ranger Polic...

Re: Error whilesending Ranger 0.6 Audit to log4j K...

Re: Ranger Authorization error in Hive View 2.0

Re: ranger error Keystore password was incorrect a...

Re: Ranger 0.7.0 UI Not Loading Policies

Re: Knox LDAP Integration

Re: Ranger audits in DB

Re: Ranger Audit not available in Ranger UI. Audit...

Re: Setting up Knox with LDAP

Re: How to make a secret --> SECRET:ranger-env:1:r...

Re: delete user REST API in ranger 0.7 is not dele...

Re: Automation of Ranger Policy

Re: Ranger load balancer vip , is not working in s...

Re: Hi, I have a problem with yarn/ranger. I activ...

Re: Restricting combination of dataset is not work...