CDAP Ranger Plugin not working

Rajat Goel

Jan 16, 2019, 3:31:53 PM
to cdap...@googlegroups.com

Hi,

I have a Kerberised HDP (2.6.5) setup with CDAP security enabled. I have configured the CDAP Ranger security extension plugin for authorization. However, when I log in to the CDAP UI, I don't see any namespace or any entities, even though my user has permission to all namespaces (default namespace as well) as well as all entities in all namespaces.

On debugging the issue a bit, I found that the Ranger policy cache JSON file created on the CDAP master node has the resources{} section empty for all my policies, though the rest of the properties in the policy cache JSON file, such as accesses{} and users{}, are present. The CDAP master logs have messages like:

 

2019-01-16 19:06:25,421 INFO  [leader-election-election-master.services] util.PolicyRefresher: PolicyRefresher(serviceName=platacc003-reflex-platform_cdap): found updated version. lastKnownVersion=-1; newVersion=80

2019-01-16 19:06:25,501 WARN  [leader-election-election-master.services] policyresourcematcher.RangerDefaultPolicyResourceMatcher: RangerDefaultPolicyResourceMatcher.init() failed:  policyResources is null or empty, or serviceDef is null. (serviceDef=cdap, policyResourceKeys=, validHierarchy=)

2019-01-16 19:06:25,514 WARN  [leader-election-election-master.services] policyresourcematcher.RangerDefaultPolicyResourceMatcher: RangerDefaultPolicyResourceMatcher.init() failed:  policyResources is null or empty, or serviceDef is null. (serviceDef=cdap, policyResourceKeys=, validHierarchy=)

2019-01-16 19:06:25,514 WARN  [leader-election-election-master.services] policyresourcematcher.RangerDefaultPolicyResourceMatcher: RangerDefaultPolicyResourceMatcher.init() failed:  policyResources is null or empty, or serviceDef is null. (serviceDef=cdap, policyResourceKeys=, validHierarchy=)

2019-01-16 19:06:25,514 WARN  [leader-election-election-master.services] policyresourcematcher.RangerDefaultPolicyResourceMatcher: RangerDefaultPolicyResourceMatcher.init() failed:  policyResources is null or empty, or serviceDef is null. (serviceDef=cdap, policyResourceKeys=, validHierarchy=)

2019-01-16 19:06:25,515 WARN  [leader-election-election-master.services] policyresourcematcher.RangerDefaultPolicyResourceMatcher: RangerDefaultPolicyResourceMatcher.init() failed:  policyResources is null or empty, or serviceDef is null. (serviceDef=cdap, policyResourceKeys=, validHierarchy=)

 

I checked the Ranger Admin access.log file and saw that the CDAP REST API request to download policies was successful, with a 200 response code.

Can someone please help here in this regard?

Thanks & Regards,

Rajat

                                   

Miraj Godha

Jan 16, 2019, 11:30:57 PM
to cdap...@googlegroups.com
One more thing to add:

When hitting Ranger directly via curl to fetch the CDAP policies, the returned JSON file contains the resources{} section properly filled.
If we put this file at the policyCache directory location and restart CDAP, CDAP works as expected.
On the other hand, the policyCache file will be replaced by CDAP on the next Ranger call.

In addition, one question: is there a way to replace the CDAP in-memory policyCache file without restarting the CDAP master?


Regards,
Miraj
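
An added example, not part of the original posts and not CDAP or Ranger code: a small check that compares the policy document fetched directly from Ranger Admin with the cache file written on the CDAP master, and reports policies whose resources were lost in the cache, as described above. The JSON field names (policies, resources, values, policyVersion) and both sample documents are assumptions constructed for illustration.

```python
import json

# Field names below are assumed from the layout of a Ranger policy download;
# adjust them if your files differ.
# Constructed sample: policies as Ranger Admin returns them (resources filled in).
ADMIN_JSON = """{"serviceName": "example_cdap", "policyVersion": 80, "policies": [
 {"id": 1, "name": "all-namespaces", "resources": {"namespace": {"values": ["*"]}},
  "policyItems": [{"accesses": [{"type": "admin"}], "users": ["alice"]}]},
 {"id": 2, "name": "default-ns", "resources": {"namespace": {"values": ["default"]}},
  "policyItems": [{"accesses": [{"type": "read"}], "users": ["alice"]}]}]}"""

# Constructed sample: the cache file as the thread describes it (resources{} empty,
# accesses and users still present).
CACHE_JSON = """{"serviceName": "example_cdap", "policyVersion": 80, "policies": [
 {"id": 1, "name": "all-namespaces", "resources": {},
  "policyItems": [{"accesses": [{"type": "admin"}], "users": ["alice"]}]},
 {"id": 2, "name": "default-ns", "resources": {},
  "policyItems": [{"accesses": [{"type": "read"}], "users": ["alice"]}]}]}"""


def has_resources(policy):
    """True if at least one resource key carries a non-empty values list."""
    resources = policy.get("resources") or {}
    return any((spec or {}).get("values") for spec in resources.values())


def compare_policies(admin_text, cache_text):
    """Return (finding, policy_id) tuples for differences that affect authorization."""
    admin, cache = json.loads(admin_text), json.loads(cache_text)
    findings = []
    if admin.get("policyVersion") != cache.get("policyVersion"):
        findings.append(("version-mismatch", None))
    admin_by_id = {p["id"]: p for p in admin.get("policies", [])}
    cache_by_id = {p["id"]: p for p in cache.get("policies", [])}
    for pid, policy in sorted(admin_by_id.items()):
        cached = cache_by_id.get(pid)
        if cached is None:
            findings.append(("missing-in-cache", pid))
        elif has_resources(policy) and not has_resources(cached):
            findings.append(("resources-dropped", pid))
    return findings


if __name__ == "__main__":
    for finding, pid in compare_policies(ADMIN_JSON, CACHE_JSON):
        print(f"policy {pid}: {finding}")
```

A policy with no resources cannot match any request, so every "resources-dropped" finding corresponds to a grant that the authorizer silently stops honouring.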



Miraj Godha

Jan 17, 2019, 12:14:24 PM
to CDAP User
For CDAP 5.1.2 -- 

This is solved by using 0.1.4 version jars instead of 0.8.0 version jars.

Ensure the following versions of the jars are present in your /op/cdap/master/ext/security; also use this in your Ranger: cdap-ranger-lookup-0.1.4-jar-with-dependencies.jar

-rwxr-xr-x 1 root root  13K Jan 17 09:28 cdap-sentry-policy-0.8.0.jar
-rwxr-xr-x 1 root root  20K Jan 17 09:28 cdap-sentry-model-0.8.0.jar
-rwxr-xr-x 1 root root  32M Jan 17 09:28 cdap-sentry-binding-0.8.0.jar
-rwxr-xr-x 1 root root  14M Jan 17 09:28 cdap-ranger-lookup-0.1.4-jar-with-dependencies.jar
-rwxr-xr-x 1 root root 3.5K Jan 17 09:28 cdap-ranger-common-0.1.4.jar
-rwxr-xr-x 1 root root  20K Jan 17 09:28 cdap-ranger-lookup-0.1.4.jar
-rwxr-xr-x 1 root root  36M Jan 17 09:28 cdap-ranger-binding-0.1.4.jar

Rohit Sinha

Jan 17, 2019, 2:03:12 PM
to CDAP User
Hello, 
We have reproduced the issue on our end and I have opened a Jira to track this. Please follow the updates on the Jira for details.

In the meantime, as Miraj suggested, please use the 0.1.4 version of the plugin if you can.

Thanks. 

Miraj Godha

Jan 18, 2019, 8:37:22 AM
to cdap...@googlegroups.com
Thanks team. 
