About dsharma

dsharma · ‎07-09-2016

For moving data between Postgres and some target database, we leave that to the customer to handle the migration (using whatever utility they have available / preference for). Once the data is moved from db1 -> db2, then the we should perform an "ambari-server setup" again and choose to change the advanced database configuration to point to your new database.

dsharma · ‎07-09-2016

Problem: some of the rest call you might not face this issue , but some cases where A service to service call is made , for ex. hbase makes call to ranger admin to download the policy using following rest call. https://localhost:6182/service/plugins/policies/download/ in this case ranger admin trust store should have certificate of Client who is trying to download the policy. so for example if hbase tries to download the policy then since we had already setup the ssl for ranger and plugins and ranger admin is having certificate for hbase plugin in ranger admin trust store so this call will work fine but if you try to make this call using curl from your own rest client then it will fail curl -k -u admin:admin 'https://localhost:6182/service/plugins/policies/download/' it will throw following kind of error: ERROR org.apache.ranger.common.ServiceUtil (ServiceUtil.java:1376) - Unauthorized access. Unable to get client certificate. serviceName=cl1_hadoop 2016-07-06 05:51:46,264 [http-bio-6182-exec-26] INFO org.apache.ranger.common.RESTErrorUtil (RESTErrorUtil.java:65) - Request failed. SessionId=null, loginId=hdfs, logMessage=Unauthorized access - unable to get client certificate javax.ws.rs.WebApplicationException at org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:56) at org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:335) at org.apache.ranger.common.ServiceUtil.isValidateHttpsAuthentication(ServiceUtil.java:1377) at org.apache.ranger.rest.ServiceREST.getSecureServicePoliciesIfUpdated(ServiceREST.java:1847) at org.apache.ranger.rest.ServiceREST$FastClassByCGLIB$92dab672.invoke(<generated>) at net.sf.cglib.proxy.MethodProxy.invoke(MethodProxy.java:191) at Resolution: to resolve this problem we need to pass key while making curl call , so first you need to generate the key using following steps: 1. using the keystore of ranger hadoop plugin generate the PKCS12 type store as follows: keytool -importkeystore -srckeystore <source keystore path> -destkeystore <PKCS type store path> -srcstorepass <source store password> -srcstoretype jks -deststoretype PKCS12 -srcalias <source keystor alias> -deststorepass <pkcs store password> -destkeypass <key password> 2. now PCKS12 type store will be generated , now use this store and generate the key openssl pkcs12 -in <PKCS type store path> -out <pem key file path> -nodes -passin pass:<key password> Now you can use this key to make curl call as follows: curl -k -u:admin:admin --cert <pem key file path>:<key password> 'https://localhost:6182/service/plugins/policies/download/' Note: same steps can be followed in case you face such exception while making curl call for any other service where server needs a certificate of client to allow the call.

dsharma · ‎07-08-2016

can you please check regionservers are up and running , and please go to the hbase ui and see whether the region that is holding the row is served by any region.

dsharma · ‎07-07-2016

yes we can control on secured channel , even security is must for kafka and storm if you want enable ranger authorization for these two components, following docs may be helpful for you reg. enabling ranger plugin for kafka: https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.0/bk_Ranger_Install_Guide/content/kafka_plugin.html http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.2/bk_installing_manually_book/content/installing_ranger_plugins.html https://cwiki.apache.org/confluence/display/RANGER/Kafka+Plugin

dsharma · ‎07-06-2016

did it solve the problem ?

dsharma · ‎07-06-2016

can you please refer to this document :http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.2/bk_Ranger_Install_Guide/content/save_audits_to_hdfs.html. and please see the steps to create the following symbolic links: Link /etc/hadoop/conf/hdfs-site.xml file to /etc/knox/conf/hdfs-site.xml Link /etc/hadoop/conf/core-site.xml file to /etc/knox/conf/core-site.xml More

dsharma · ‎07-06-2016

is this HA cluster? can you please provide the knox audit confguration

dsharma · ‎07-04-2016

can you please check if it is caused due to https://issues.apache.org/jira/browse/HBASE-14963

dsharma · ‎07-04-2016

@Surya Rao this documents will tell you what are the service checks available https://gist.github.com/mr-jstraub/0b55de318eeae6695c3f#payload-to-run-all-service-checks and generally in each service checks , basic commands or operation relalted to the corresponding compoenent is executed and if result is successful the service check is passed for more info you can run the service check and see what operation they are doing , for ex: HDFS runs safemode command for service check: safemode_command = format("dfsadmin -fs {namenode_address} -safemode get | grep OFF") you can refer to the following file for hdfs service check: https://github.com/apache/ambari/blob/0aa21bc02822f83ce14f806fc2cb543c66af2f07/ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/service_check.py same way there will be option for other components too

dsharma · ‎06-28-2016

can you please add a rule RULE:[2:$1@$0](rangerlookup@EXAMPLE.COM)s/.*/rangerlookup/ and restart and retry once

Online	Offline
Last Visited	‎05-18-2021 01:54 PM

Member Since	‎10-19-2015 10:55 AM
Last Visited	‎05-18-2021 01:54 PM
Posts	279
Kudos received	339

Cloudera Community

Re: Set {USER} user in Ranger policy?

Re: Authentication Issue in Apache Knox ldap

Re: Ranger installation failed

Re: Documentation: Ranger policy json example inco...

Re: Cannot connect to zookeeper server from zooke...

Re: migrate postgres database ambari to mysql

Rest call to ranger on wire encrypted cluster

Re: I have Hive over Hbase table and below select ...

Re: Can we control access control of kafka by Apac...

Re: Ranger cannot record Knox audit log to hdfs

Re: Ranger cannot record Knox audit log to hdfs

Re: Ranger cannot record Knox audit log to hdfs

Re: Caused by: java.lang.IllegalAccessError: tried...

Re: what all the checks covered under service chec...

Re: No rules applied to rangerlookup@EXAMPLE.COM o...