Granting privileges on default namespace after enabling Ranger authorization


Sobhan Ebrahimi

Mar 30, 2021, 4:12:24 AM
to CDAP User
Hey there,

I've been using CDAP 6.3.0. As I followed enabling authorization, I should grant ADMIN on the default namespace to the CDAP master user. As the REST endpoints have only been created for supporting Apache Sentry, I can't use the REST APIs using Apache Ranger as the authorization extension.
Having no other namespaces available, I cannot add my CDAP service instance into Ranger either (because it gets an empty list when listing namespaces). So, how should I grant privileges on the default namespace considering the mentioned states?

Best Regards,
Sobhan

Dennis Li

Apr 6, 2021, 3:52:51 PM
to cdap...@googlegroups.com
Hi Sobhan,

It seems like visibility checks will not pass unless you already have permission to access that namespace, which results in the namespace not showing up. For bootstrapping the namespace permissions, I suspect you will need to directly add the policy to Apache Ranger before you can use it in CDAP.

Cheers,
Dennis

--

Dennis Li

Software Engineer, Google Cloud


Sobhan Ebrahimi

Apr 10, 2021, 10:03:01 AM
to cdap...@googlegroups.com
Hello Dennis,

As I found out, this issue is still on the board. And that's why authorization was not done successfully. The default namespace was created successfully after I applied v0.1.4 changes. I wish it would be mentioned in the documentation that the cdap security extension is not working properly (with Apache Ranger) on versions later than 0.1.4. It already took a long time for me to figure it out.

Sincerely,
Sobhan


Dennis Li

Apr 20, 2021, 6:53:45 PM
to CDAP User
Hi Sobhan,

Thanks for following up on this and bringing this to our attention! I'll see if we can add this to our documentation so that users can be aware of it in the future.

Cheers,
Dennis
