Re: ranger doesn't show resource based policies

vperiasamy · ‎12-13-2016

https://issues.apache.org/jira/browse/RANGER-1214 is planned for next release.

vperiasamy · ‎12-07-2016

please note Hive CLI is not supported by Ranger.

vperiasamy · ‎12-02-2016

see ranger audit logs to figure out whether ranger-acl or hadoop-acl is granting access to the user.

vperiasamy · ‎12-01-2016

Access will be granted with native HDFS permissions if there is no ranger policy. You can check ranger audit to confirm.

vperiasamy · ‎11-22-2016

Hbase generates large amount of audit logs, so consider that when storing them in audit DB. Audit to DB support is removed from HDP 2.5, so you should consider Solr sooner rather than later.

vperiasamy · ‎11-15-2016

Ranger plugins refresh policies from ranger admin every 30 seconds. You can monitor this in Ranger UI -> Audit -> plugins screen and notice when the changes have been downloaded.

vperiasamy · ‎10-26-2016

Ranger plugin works with Hive Server2. Can you use beeline?

vperiasamy · ‎10-14-2016

Usually there will be some output in Ambari UI console. Check in the output of HDFS service start.

vperiasamy · ‎10-13-2016

If using Ambari Infra Solr, collection will be automatically created when you restart ranger from ambari. There is no need to create explicitly. Can you clean up that, clear the cookies in your browser, restart ranger service and try again?

vperiasamy · ‎10-07-2016

I don't think underscores will present an issue. Do you see any errors in the component logs?

vperiasamy · ‎06-09-2016

Provided Hive also is configured to use AD to get the right groups. Please see this -- http://hortonworks.com/blog/hadoop-groupmapping-ldap-integration/

vperiasamy · ‎06-09-2016

Groups stored in Ranger DB are used only for displaying in Ranger UI and at the time of policy authoring. At run time, component (in your example Hive) should pass along the group information of the authenticated user to ranger plugin. Typically you can run "hdfs groups <user>" to find out what groups does the user belong to. Expectation is that Components will use the same source as Ranger to provide users/groups mapping.

vperiasamy · ‎06-08-2016

Yes, modify web.xml directly on Ranger admin host.

vperiasamy · ‎05-05-2016

any errors being shown catalina.out? are there entries in kms-audit.log? as what user are you trying to copy the files?

vperiasamy · ‎04-26-2016

You can use DB replication to keep both policy DB in sync.

vperiasamy · ‎03-31-2016

In Kerberized environments, repository config user should be a valid kerberos principal. Please create a valid principal like keyadmin@DOMAIN.COM with password and configure this in KMS repo - this needs to be done in ranger UI. Steps are listed here. Although this is from latest documentation, these steps should work. After repository is updated, Ranger and KMS needs to be restarted. Also make sure you have a link to core-site.xml under /etc/ranger/kms/conf as described here

vperiasamy · ‎03-22-2016

@Richard Xu - Can you please execute the below command in MySQL and retry the install? SET GLOBAL log_bin_trust_function_creators = 1 If you'd like to roll back to the default value of 0, you can do that after the install goes through.

vperiasamy · ‎03-22-2016

@ARUNKUMAR RAMASAMY - Ranger UI will show audit data from either Solr or DB. Since DB support will be deprecated from future releases, you are recommended to move to Solr. Audit to HDFS is for long term storage and this can be done in addition to Solr.

vperiasamy · ‎03-04-2016

Restarting is the only way

vperiasamy · ‎03-01-2016

@Anna Shaverdian Can you please share your blueprint? Ranger Admin's DB password settings should go in "admin-properties" section.

vperiasamy · ‎02-24-2016

@Anna Shaverdian DB pre-requisites need to be met before creating the cluster through the blueprint.

vperiasamy · ‎02-11-2016

Yes, if the users are removed from Ranger DB, service users also need to be re-sync'ed.

vperiasamy · ‎02-11-2016

1] Did the DB also get cleaned up? Otherwise, I don't see why repo is not there. 2] If ranger service is deleted, plugin should have been disabled also, so that it does not try to communicate to ranger. 3] After ranger is added again, if using the same DB, repo should be there. If using diff. DB, it should get created when hive plugin is enabled again and hive is restarted

vperiasamy · ‎02-11-2016

@Anna Shaverdian 1] For this, existing keys need to be imported into Ranger KMS (using a script provided by Ranger KMS) 2] Please check your KMS repo configuration. Looks like you are using kerberos, but the repo config user name is not a valid kerberos user. Please refer the docs here. http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.4/bk_Ranger_KMS_Admin_Guide/content/ch02s01s03.html Since KMS repo is already created, username needs to be changed directly in the ranger UI, not in Ambari.

vperiasamy · ‎02-08-2016

Please see my suggestion at https://community.hortonworks.com/questions/14329/hiveserver2-wont-start-after-changing-rangers-admi.html

vperiasamy · ‎02-08-2016

@Adi Jabkowsky There are two users involved - admin (advanced ranger-env) and amb_ranger_admin (admin settings). Can you verify both users password are correct in ranger and ambari UI?

vperiasamy · ‎12-21-2015

Hi @Gerd Koenig Do any of the users sync'ed part of hadoop-admins group? Thanks,

vperiasamy · ‎11-12-2015

Policy created by ranger hbase plugin (when it was enabled) should have granted permission for ambari-qa user. Please check if this policy got deleted. And yes, you can add the user to policy.

vperiasamy · ‎10-31-2015

As long as LDAP server's certificate is imported into the truststore used by usersync process, you need not have to edit the scripts or manually restart the services. Restarting from Ambari should just work.

vperiasamy · ‎10-27-2015

In this case, you need to disable the plugin and it will fall back to default AclsAuthz

Online	Offline
Last Visited	‎05-03-2022 12:07 PM

Date Registered	‎09-10-2015 10:36 PM
Last Visited	‎05-03-2022 12:07 PM
Total Messages Posted	261
Total Kudos Received	84

Re: ranger doesn't show resource based policies

Re: Ranger and Ranger-Kms relation

Re: "Java patch PatchPasswordEncryption_J10001 is ...

Re: Unable to log storm audit events to hdfs (sand...

Re: ranger user sync from text file

Re: Is there a way to bulk dump ranger policy usin...

Re: How to access Hive in CLI using non Root users...

Re: Kerberos HDFS security issue

Re: Kerberos HDFS security issue

Re: Ranger Audit DB size?

Re: How long does it take for ranger policies to r...

Re: Hive Ranger policy is not applied

Re: How to troubleshoot creation of default servic...

Re: Ranger audit to Solr problem

Re: Ranger Group Permissions issue - AD and SSSD

Re: While using Ranger authorization (through poli...

Re: While using Ranger authorization (through poli...

Re: What is the best way to modify session timeout...

Re: KMS Unable to decrypt

Re: Ranger policy replication across clusters

Re: "Test Connection" for ranger kms repository fa...

Re: Ranger admin install fails with "007-updateBla...

Re: Ranger is not able to audit and polices are no...

Re: Is there a way to force Ranger user-sync to ru...

Re: Ranger Installation Through Blueprints

Re: Ranger Installation Through Blueprints

Re: How to Remove all External Users from the Rang...

Re: Ranger delete process and Hive errors

Re: Updating to Ranger KMS after previously used H...

Re: Namenode unable to start - Ranger issue in nam...

Re: HiveServer2 won't start after changing Ranger'...

Re: Ranger 0.4 usersync, missing local linux group...

Re: Ranger blocks ambari-qa user from Hbase smoke ...

Re: How to Configure Ranger and Usersync for LDAP ...

Re: Is there a Default Strategie for Ranger Knox P...