环境:
HDP-3.1.5
Ranger-1.2.0
Atlas-1.1.0
启动Atlas报错如下:
Took 0.9533 secondsjava exception ERROR Java::OrgApacheHadoopHbaseIpc::RemoteWithExtrasException: org.apache.hadoop.hbase.security.AccessDeniedException: org.apache.hadoop.security.AccessControlException: Permission denied. at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.grant(RangerAuthorizationCoprocessor.java:1253) at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.grant(RangerAuthorizationCoprocessor.java:1072) at org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos$AccessControlService.grant(AccessControlProtos.java:10023) at org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos$AccessControlService.callMethod(AccessControlProtos.java:10187) at org.apache.hadoop.hbase.regionserver.HRegion.execService(HRegion.java:8243) at org.apache.hadoop.hbase.regionserver.RSRpcServices.execServiceonRegion(RSRpcServices.java:2444) at org.apache.hadoop.hbase.regionserver.RSRpcServices.execService(RSRpcServices.java:2426) at org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos$ClientService.callBlockingMethod(ClientProtos.java:42198) at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:413) at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:132) at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:324) at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:304) Caused by: org.apache.hadoop.security.AccessControlException: Permission denied. at org.apache.ranger.admin.client.RangerAdminRESTClient.grantAccess(RangerAdminRESTClient.java:225) at org.apache.ranger.plugin.service.RangerbasePlugin.grantAccess(RangerbasePlugin.java:523) at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.grant(RangerAuthorizationCoprocessor.java:1246) ... 11 more
通过该段日志可以看出是对Hbase服务的访问因为权限问题被Ranger拦截了,我们去Ranger上看下审计记录:
在审计记录中可以看到hbase用户使用grant时被拒绝,我们在Ranger库中尝试添加hbase用户对atlas_janus的grant权限,但是我们会发现,已经存在这个策略了,并且该策略确实是对hbase用户赋权了,但是为什么权限没有生效呢,这也许是ranger服务存在异常,相关解决方案请参考这篇文章《Ranger权限策略不生效或延迟》
当我们解决完Ranger问题后,权限生效,再次重启atlas,正常开启,Ranger审计页面也可以看到hbase用户的grant *** 作不再被拒绝
欢迎分享,转载请注明来源:内存溢出
评论列表(0条)