atlas-dev mailing list archives

From Graham Wallis <graham_wal...@uk.ibm.com>
Subject Re: [jira] [Updated] (ATLAS-1752) Atlas Group mapping for ranger doesn't work if using kerberos authentication
Date Wed, 02 Aug 2017 08:29:08 GMT
Has something odd happened to the JIRA entry for ATLAS-1752? When I click 
the link it doesn't show up.


Best regards,
  Graham

Graham Wallis
IBM Analytics Emerging Technology Center
Internet: graham_wallis@uk.ibm.com 
IBM Laboratories, Hursley Park, Hursley, Hampshire SO21 2JN
Tel: +44-1962-815356    Tie: 7-245356




From:   "Nixon Rodrigues (JIRA)" <jira@apache.org>
To:     dev@atlas.apache.org
Date:   01/08/2017 19:13
Subject:        [jira] [Updated] (ATLAS-1752) Atlas Group mapping for ranger doesn't work if using kerberos authentication




     [ https://issues.apache.org/jira/browse/ATLAS-1752?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nixon Rodrigues updated ATLAS-1752:
-----------------------------------
    Description: 
{code}
[XXXXX@XXXXX ~]$ curl --negotiate -u : -X GET "http://ATLAS_HOST:21000/api/atlas/entities/7bb9c916-8fd3-40ef-b65f-855ed5bf4f9f"
<html> 
<head> 
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> 
<title>Error 403 {&quot;AuthorizationError&quot;:&quot;You are not authorized for READ on [ENTITY] : *&quot;}</title> 
</head> 
<body><h2>HTTP ERROR 403</h2> 
<p>Problem accessing /api/atlas/entities/7bb9c916-8fd3-40ef-b65f-855ed5bf4f9f. Reason: 
<pre> {&quot;AuthorizationError&quot;:&quot;You are not authorized for READ on [ENTITY] : *&quot;}</pre></p><hr><i><small>Powered by Jetty://</small></i><hr/> 

</body> 
</html> 

I checked the ID of the user and they belong to the group that is in Ranger.

If he uses LDAP authentication then the group mapping works

[XXXX@XXXXX ~]$ curl -u XXXX:xxxxxxxx -X GET "http://ATLAS_HOST:21000/api/atlas/entities/7bb9c916-8fd3-40ef-b65f-855ed5bf4f9f"
{"requestId":"qtp1641313620-23 - 
\/api\/atlas\/entities\/7bb9c916-8fd3-40ef-b65f-855ed5bf4f9f - 
3f71704c-75e4-40dc-9796-4827e5997ea6","definition":{"jsonClass":"org.apache.atlas.typesystem.json.InstanceSerialization$_Reference","id":{"jsonClass":"org.apache.atlas.typesystem.json.InstanceSerialization$_Id","id":"7bb9c916-8fd3-40ef-b65f-855ed5bf4f9f","version":0,"typeName":"hive_db","state":"ACTIVE"},"typeName":"hive_db","values":{"name":"dz_1_disc","location":"hdfs:\/\/xxxx\/data\/discovery\/dz_1\/disc","description":null,"ownerType":{"value":"USER","ordinal":1},"qualifiedName":"XXXX@domain","owner":"hive","clusterName":"xxxxx","parameters":null},"traitNames":[],"traits":{}}}


{code}

  was:
{code}
[XXXXX@XXXXX ~]$ curl --negotiate -u : -X GET "http://ATLAS_HOST:21000/api/atlas/entities/7bb9c916-8fd3-40ef-b65f-855ed5bf4f9f"
<html> 
<head> 
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> 
<title>Error 403 {&quot;AuthorizationError&quot;:&quot;You are not authorized for READ on [ENTITY] : *&quot;}</title> 
</head> 
<body><h2>HTTP ERROR 403</h2> 
<p>Problem accessing /api/atlas/entities/7bb9c916-8fd3-40ef-b65f-855ed5bf4f9f. Reason: 
<pre> {&quot;AuthorizationError&quot;:&quot;You are not authorized for READ on [ENTITY] : *&quot;}</pre></p><hr><i><small>Powered by Jetty://</small></i><hr/> 

</body> 
</html> 

I checked the ID of the user and they belong to the group that is in Ranger.

If he uses LDAP authentication then the group mapping works

[XXXX@XXXXX ~]$ curl -u XXXX:xxxxxxxx -X GET "http://ATLAS_HOST:21000/api/atlas/entities/7bb9c916-8fd3-40ef-b65f-855ed5bf4f9f"
{"requestId":"qtp1641313620-23 - 
\/api\/atlas\/entities\/7bb9c916-8fd3-40ef-b65f-855ed5bf4f9f - 
3f71704c-75e4-40dc-9796-4827e5997ea6","definition":{"jsonClass":"org.apache.atlas.typesystem.json.InstanceSerialization$_Reference","id":{"jsonClass":"org.apache.atlas.typesystem.json.InstanceSerialization$_Id","id":"7bb9c916-8fd3-40ef-b65f-855ed5bf4f9f","version":0,"typeName":"hive_db","state":"ACTIVE"},"typeName":"hive_db","values":{"name":"dz_1_disc","location":"hdfs:\/\/devbir1\/data\/discovery\/dz_1\/disc","description":null,"ownerType":{"value":"USER","ordinal":1},"qualifiedName":"XXXX@domain","owner":"hive","clusterName":"xxxxx","parameters":null},"traitNames":[],"traits":{}}}


{code}


> Atlas Group mapping for ranger doesn't work if using kerberos authentication
> ----------------------------------------------------------------------------
>
>                 Key: ATLAS-1752
>                 URL: https://issues.apache.org/jira/browse/ATLAS-1752
>             Project: Atlas
>          Issue Type: Bug
>    Affects Versions: 0.8-incubating
>         Environment: secure
>            Reporter: Nixon Rodrigues
>            Assignee: Nixon Rodrigues
>             Fix For: 0.9-incubating, 0.8.1-incubating
>
>         Attachments: ATLAS-1752.patch
>
>
> {code}
> [XXXXX@XXXXX ~]$ curl --negotiate -u : -X GET "http://ATLAS_HOST:21000/api/atlas/entities/7bb9c916-8fd3-40ef-b65f-855ed5bf4f9f"
> <html> 
> <head> 
> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> 
> <title>Error 403 {&quot;AuthorizationError&quot;:&quot;You are not authorized for READ on [ENTITY] : *&quot;}</title> 
> </head> 
> <body><h2>HTTP ERROR 403</h2> 
> <p>Problem accessing /api/atlas/entities/7bb9c916-8fd3-40ef-b65f-855ed5bf4f9f. Reason: 
> <pre> {&quot;AuthorizationError&quot;:&quot;You are not authorized for READ on [ENTITY] : *&quot;}</pre></p><hr><i><small>Powered by Jetty://</small></i><hr/> 
> </body> 
> </html> 
> I checked the ID of the user and they belong to the group that is in Ranger.
> If he uses LDAP authentication then the group mapping works
> [XXXX@XXXXX ~]$ curl -u XXXX:xxxxxxxx -X GET "http://ATLAS_HOST:21000/api/atlas/entities/7bb9c916-8fd3-40ef-b65f-855ed5bf4f9f"
> {"requestId":"qtp1641313620-23 - 
\/api\/atlas\/entities\/7bb9c916-8fd3-40ef-b65f-855ed5bf4f9f - 
3f71704c-75e4-40dc-9796-4827e5997ea6","definition":{"jsonClass":"org.apache.atlas.typesystem.json.InstanceSerialization$_Reference","id":{"jsonClass":"org.apache.atlas.typesystem.json.InstanceSerialization$_Id","id":"7bb9c916-8fd3-40ef-b65f-855ed5bf4f9f","version":0,"typeName":"hive_db","state":"ACTIVE"},"typeName":"hive_db","values":{"name":"dz_1_disc","location":"hdfs:\/\/xxxx\/data\/discovery\/dz_1\/disc","description":null,"ownerType":{"value":"USER","ordinal":1},"qualifiedName":"XXXX@domain","owner":"hive","clusterName":"xxxxx","parameters":null},"traitNames":[],"traits":{}}}


> {code}



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)



Unless stated otherwise above:
IBM United Kingdom Limited - Registered in England and Wales with number 
741598. 
Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU
