Thank you @adhishankarit for sharing this with us. This will be useful for other person as well. Many reader will get benefit from this. ... View more

Hello @RajeshReddy , DataSteward role would usually grant “environments/adminRanger” permission which makes user Ranger and Atlas admin. This would suffice to create a tag based policy. Can we get more info on the error you are getting? Any screenshot or error messages would help us greatly to help you further. Thanks. ... View more

Hello, In order to assist with this, I'd need to check more python code which you are running. Could you please share the snippet around the POST call? Also, I noticed the RangerPDPKnoxFilter in the stack trace. This means that your Knox topology (cdp-proxy-api) has Ranger Knox plugin enabled for authorization. Can you please disable the plugin (only for testing) and try again? Hope this helps. Thanks. ... View more

Hello @Vidya Sagar S, I think I see your problem. It's with the key of HTTP/RANGER_FQDN principal. Most probably, the key of Ranger SPNEGO principal (HTTP/RANGER_FQDN) has been changed/updated in Kerberos database but not in the spnego.service.keytab on Ranger node. Hence "checksum failed" error. To confirm this, please get the output of these commands on Ranger host: # klist -kt /etc/security/keytabs/spnego.service.keytab # kinit <any-working-principal> # kvno HTTP/<RANGER_FQDN> If the Key Version Number (kvno) in the first command output and last command output doesn't match, then that's the issue. To fix this, get the key of HTTP/RANGER_FQDN out in a new keytab and replace spnego.service.keytab on Ranger host. Restart Ranger admin from Ambari. Hope this helps! ... View more

+1 for detailed answer ! ... View more

@Bhushan Kandalkar, Can you login to Zeppelin as 'bhushan-kandalkar' instead of 'bhushan-kandalkar@test.com'? You may need to set "activeDirectoryRealm.principalSuffix = @test.com" if you are using "org.apache.zeppelin.realm.ActiveDirectoryGroupRealm". With this set, you should be able to login as 'bhushan-kandalkar' and same would appear in notebook permission. Hope this helps. ... View more

@Bhushan Kandalkar, Please let us know the value of "zeppelin.notebook.storage" property in Zeppelin. If you can attach your zeppelin-site.xml from Zeppelin node ("after scrubbing your env. specific details"), that will be even better. What Felix is suggesting here, may actually work if done correctly. ... View more

Hello@Sami Ahmad, CAUTION: Retrieving the keytab resets the secret for the Kerberos principal. This renders all other keytabs for that principal invalid. The correct answer depends on which Kerberos implementation you are using. For MIT KDC, a system admin would use an interface, known as "kadmin" (or an alternative "kadmin.local"), to create keytab for users using 'ktadd' command. ktadd will regenerate key with a random password and then add it to keytab: # ktadd -k </path/to/file.keytab> <principal-name> For FreeIPA, an admin would use ipa-getkeytab command. This command can generate keytab with a random or provided password: # ipa-getkeytab -s <ipaserver.example.com> -p <principal-name> -k </path/to/file.keytab> For Microsoft AD, an admin should use ktpass command. This command is really useful when you want to generate a keytab for AD service principal to be used in Linux environment. This can also use a given password or a random password (+rndpass): # ktpass /princ hive/sandbox.hortonworks.com@HWX.COM /pass <password> /mapuser hiveservice /pType KRB5_NT_PRINCIPAL /crypto ALL /out c:\temp\hive.service.keytab Hope this helps! ... View more

@Karthik Palanisamy, This is really a good piece of information. Thanks for sharing. Keep them coming ! ... View more