06-08-2016
08:55 PM
Hi @Dale Bradman, yes, Kerberos is enabled. It was working fine, but after 2-3 days it started failing while connecting to the repo and showing the message below:
2016-06-01 15:09:45,514 DEBUG RangerKmsAuthorizer - <== RangerkmsAuthorizer.hasAccess(GET_KEYS, keyadmin (auth:PROXY) via keyadmin@HDP-TBRND-DEV (auth:KERBEROS) , ): false
2016-06-01 15:10:02,625 DEBUG PolicyRefresher - ==> PolicyRefresher(serviceName=tbarnd01_kms).loadPolicy()
If I uninstall and reinstall it, it works for 1-2 days and then starts failing again. It seems some principal requires kinit, but I am not sure which one. Do you have any suggestion? Please help me. Thanks in advance.
06-08-2016
05:07 AM
Hi @Dale Bradman, I am also facing the same issue. Could you please let me know how you resolved it? Thanks
06-02-2016
07:41 PM
1 Kudo
Can't we do this along with the NiFi workflow? Thanks
06-01-2016
11:26 AM
Hi, I have a 4-node Kerberos-enabled cluster on which I have installed Ranger KMS. There is a hadoop.kms.key.provider.uri property in the config file. Can someone please explain what this property is used for? Currently I have set it to dbks://http@localhost:9292/kms. Is that correct in a four-node cluster, or should I give ranger hostname instead of ranger host? Thanks
Labels: Apache Ranger
05-28-2016
01:40 PM
Thanks Sagar for your reply! I have set hadoop.kms.authentication.kerberos.keytab to /etc/security/keytabs/spnego.service.keytab. Other than that, there is no change in the properties; I have kept them as you suggested. 3-4 days ago it was working perfectly, but now even the test connection is failing. It says "Unable to connect repository with given config for cluster_kms". Do I need to do kinit on any keytab? Please help me.
05-28-2016
08:32 AM
Hi, it was working perfectly before, but all of a sudden it is not allowing get_keys for the keyadmin user. It seems to be some authorization problem, but I am not sure how to resolve it. Please find the logs below.
KMS.log says:
RangerKmsAuthorizer - <== RangerkmsAuthorizer.hasAccess(GET_KEYS, keyadmin (auth:PROXY) via keyadmin@HDP-TBRND-DEV (auth:KERBEROS) , ): false
xa_portal.log says:
[http-bio-6080-exec-4] ERROR org.apache.ranger.rest.XKeyREST (XKeyREST.java:197) - {
"RemoteException" : {
"message" : "User:keyadmin not allowed to do 'GET_KEYS'",
"exception" : "AuthorizationException",
"javaClassName" : "org.apache.hadoop.security.authorize.AuthorizationException"
}
}
2016-05-28 08:22:34,705 [http-bio-6080-exec-4] INFO org.apache.ranger.common.RESTErrorUtil (RESTErrorUtil.java:64) - Request failed. SessionId=9058, loginId=keyadmin, logMessage=User:keyadmin not allowed to do 'GET_KEYS'
javax.ws.rs.WebApplicationException
at org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:55)
at org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:310)
at org.apache.ranger.rest.XKeyREST.handleError(XKeyREST.java:214)
at org.apache.ranger.rest.XKeyREST.searchKeys(XKeyREST.java:88)
at org.apache.ranger.rest.XKeyREST$$FastClassByCGLIB$$c5260d52.invoke(<generated>)
at net.sf.cglib.proxy.MethodProxy.invoke(MethodProxy.java:191)
at org.springframework.aop.framework.Cglib2AopProxy$CglibMethodInvocation.invokeJoinpoint(Cglib2AopProxy.java:689)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:64)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:110)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.Cglib2AopProxy$DynamicAdvisedInterceptor.intercept(Cglib2AopProxy.java:622)
at org.apache.ranger.rest.XKeyREST$$EnhancerByCGLIB$$59c1dca0.searchKeys(<generated>)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:168)
at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:70)
at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:279)
at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:136)
at com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:86)
at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:136)
at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:74)
at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1357)
at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1289)
at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1239)
at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1229)
at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:420)
at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:497)
at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:684)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.apache.ranger.security.web.filter.RangerSecurityContextFormationFilter.doFilter(RangerSecurityContextFormationFilter.java:141)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:183)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
2016-05-28 08:22:34,706 [http-bio-6080-exec-4] INFO org.apache.ranger.common.RESTErrorUtil (RESTErrorUtil.java:311) - Operation error. response=VXResponse={org.apache.ranger.view.VXResponse@43b0bb40statusCode={1} msgDesc={User:keyadmin not allowed to do 'GET_KEYS'} messageList={[VXMessage={org.apache.ranger.view.VXMessage@7c0ffdd7name={ERROR_SYSTEM} rbKey={xa.error.system} message={System Error. Please try later.} objectId={null} fieldName={null} }]} }
javax.ws.rs.WebApplicationException
Can someone please help me with this? Thanks in advance
05-27-2016
05:21 AM
Hi, I want to implement HDFS encryption with NiFi, but the problem is creating the encryption zone, as it requires a superuser to create it and my NiFi is running as a different user. Is there any way to do this? Thanks in advance.
05-25-2016
09:29 AM
Hi, I have one NiFi flow in which I am using 8-10 processors. I want to execute 1 of those processors as superuser and the rest as a normal user. Can you please help me if there is any way to do this? Thanks
Labels: Apache NiFi
05-23-2016
10:58 PM
Hi Vipin, in my case also, the user name is coming as only 'keyadmin' instead of keyadmin@realm, but I am giving the username as keyadmin@realm in the UI:
UNAUTHENTICATED RemoteHost:127.0.0.1 Method:GET URL:http://hostname:9292/kms/v1/keys/names?doAs=keyadmin ErrorMsg:'Authentication required'.
Which property should I change for this? Please help. Thanks in advance