Environment:
HDP-3.1.5
Ranger-1.2.0
Atlas-1.1.0
Starting Atlas fails with the following error:
Took 0.9533 seconds
java exception
ERROR Java::OrgApacheHadoopHbaseIpc::RemoteWithExtrasException: org.apache.hadoop.hbase.security.AccessDeniedException: org.apache.hadoop.security.AccessControlException: Permission denied.
at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.grant(RangerAuthorizationCoprocessor.java:1253)
at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.grant(RangerAuthorizationCoprocessor.java:1072)
at org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos$AccessControlService$1.grant(AccessControlProtos.java:10023)
at org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos$AccessControlService.callMethod(AccessControlProtos.java:10187)
at org.apache.hadoop.hbase.regionserver.HRegion.execService(HRegion.java:8243)
at org.apache.hadoop.hbase.regionserver.RSRpcServices.execServiceOnRegion(RSRpcServices.java:2444)
at org.apache.hadoop.hbase.regionserver.RSRpcServices.execService(RSRpcServices.java:2426)
at org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:42198)
at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:413)
at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:132)
at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:324)
at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:304)
Caused by: org.apache.hadoop.security.AccessControlException: Permission denied.
at org.apache.ranger.admin.client.RangerAdminRESTClient.grantAccess(RangerAdminRESTClient.java:225)
at org.apache.ranger.plugin.service.RangerBasePlugin.grantAccess(RangerBasePlugin.java:523)
at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.grant(RangerAuthorizationCoprocessor.java:1246)
... 11 more
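This log shows that access to the HBase service was blocked by Ranger because of a permission problem. Let's look at the audit records in Ranger:
The audit records show that the hbase user was denied when using grant. We tried to add, in the Ranger repository, the grant permission on atlas_janus for the hbase user, but found that this policy already exists and that it does grant the permission to the hbase user. So why did the permission not take effect? The Ranger service itself may be misbehaving; for a solution, see the article "Ranger Permission Policies Not Taking Effect or Delayed" (《Ranger权限策略不生效或延迟》).
Once the Ranger problem was resolved, the permission took effect. After restarting Atlas again it started normally, and the Ranger audit page shows that the hbase user's grant operation is no longer denied.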
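
The reading of the stack trace above can be done mechanically. The following Python is an added example, not part of the original post: it splits a Java trace into its cause chain and reports whether a Ranger class is on the call path, which operation the Ranger coprocessor was handling, and where the root exception was thrown. The sample input is constructed from the trace above with most HBase frames trimmed, and the function names are hypothetical.

```python
import re

# Constructed sample: the trace shown above with most HBase frames trimmed.
SAMPLE = """\
ERROR Java::OrgApacheHadoopHbaseIpc::RemoteWithExtrasException: org.apache.hadoop.hbase.security.AccessDeniedException: org.apache.hadoop.security.AccessControlException: Permission denied.
at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.grant(RangerAuthorizationCoprocessor.java:1253)
at org.apache.hadoop.hbase.regionserver.HRegion.execService(HRegion.java:8243)
Caused by: org.apache.hadoop.security.AccessControlException: Permission denied.
at org.apache.ranger.admin.client.RangerAdminRESTClient.grantAccess(RangerAdminRESTClient.java:225)
at org.apache.ranger.plugin.service.RangerBasePlugin.grantAccess(RangerBasePlugin.java:523)
at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.grant(RangerAuthorizationCoprocessor.java:1246)
... 11 more
"""

HEADER = re.compile(r"^(?:ERROR\s+\S+:\s+|Caused by:\s+)(.*)$")
FRAME = re.compile(r"^at\s+([\w.$]+)\.([\w$<>]+)\(")

def parse_chain(text):
    """Return the cause chain as [{'header': str, 'frames': [(class, method), ...]}]."""
    chain = []
    for line in text.splitlines():
        line = line.strip()
        h, f = HEADER.match(line), FRAME.match(line)
        if h:
            chain.append({"header": h.group(1), "frames": []})
        elif f and chain:
            chain[-1]["frames"].append((f.group(1), f.group(2)))
    return chain

def triage(text):
    """Summarise who denied the call; None if the text holds no trace."""
    chain = parse_chain(text)
    if not chain:
        return None
    frames = [f for link in chain for f in link["frames"]]
    ranger = [f for f in frames if f[0].startswith("org.apache.ranger.")]
    root_frames = chain[-1]["frames"]          # last "Caused by" is the root cause
    thrown = root_frames[0] if root_frames else (None, None)
    return {
        "denied": any("AccessControlException" in l["header"]
                      or "AccessDeniedException" in l["header"] for l in chain),
        "ranger_in_path": bool(ranger),
        "operation": ranger[0][1] if ranger else None,   # coprocessor hook name
        "thrown_at": ".".join(thrown) if thrown[0] else None,
        "via_ranger_admin_client": bool(thrown[0] and thrown[0].startswith("org.apache.ranger.admin.client.")),
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

For the trace on this page the root exception is thrown in RangerAdminRESTClient.grantAccess, reached from the coprocessor's grant hook, which is why the next place to look is the Ranger audit log and the Ranger service itself.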