[Resolved] Doris 2.1.7: Ranger policies are not downloaded to the local cache directory [BUG]


Description

1. After upgrading from Doris 2.1.5 to 2.1.7 on 2024-11-27, Ranger permissions are no longer downloaded to the Doris FE's cache directory. Doris 2.1.5 did not have this problem. Is this a bug?
2. However, after adding a new policy, permissions in hive beeline work fine.

The symptoms are as follows

A new Ranger permission policy was added on 2024-12-05; the previous Ranger permission update was on 2024-11-25 (before the upgrade) (screenshot)

The download log shown in Ranger (screenshot)

The Doris FE's policy cache directory (screenshot)

Which ultimately causes the query to fail with no permission (screenshot)

The Hive Catalog creation statement is as follows

CREATE CATALOG hive PROPERTIES (
"yarn.resourcemanager.principal" = "rm/_HOST@HUAN.TV",
"uri" = "thrift://ali-odp-master-01.huan.tv:9083,thrift://ali-odp-master-02.huan.tv:9083",
"type" = "hms",
"oss.secret_key" = "",
"oss.endpoint" = "",
"oss.access_key" = "",
"metadata_refresh_interval_sec" = "3600",
"hive.version" = "3.1.3",
"hive.metastore.uris" = "thrift://ali-odp-master-01.huan.tv:9083,thrift://ali-odp-master-02.huan.tv:9083",
"hive.metastore.sasl.enabled" = "true",
"hive.metastore.kerberos.principal" = "hive/_HOST@HUAN.TV",
"hadoop.security.authentication" = "kerberos",
"hadoop.kerberos.principal" = "hive@HUAN.TV",
"hadoop.kerberos.keytab" = "/root/hive.keytab",
"dfs.nameservices" = "ha-nn",
"dfs.namenode.rpc-address.ha-nn.nn2" = "ali-odp-master-02.huan.tv:8020",
"dfs.namenode.rpc-address.ha-nn.nn1" = "ali-odp-master-01.huan.tv:8020",
"dfs.ha.namenodes.ha-nn" = "nn1,nn2",
"dfs.client.failover.proxy.provider.ha-nn" = "org.apache.hadoop.hdfs.server.namenode.ha.ConfiguredFailoverProxyProvider",
"access_controller.properties.ranger.service.name" = "hive",
"access_controller.class" = "org.apache.doris.catalog.authorizer.ranger.hive.RangerHiveAccessControllerFactory"
);
1 Answer

Precondition: the Hive catalog is integrated with Ranger
Solution: after discussing with SelectDB members, it appears that after upgrading from Doris 2.1.5 to 2.1.7 the underlying Ranger integration code changed; all configuration items in ranger-hive-audit.xml have to be removed to resolve this problem

The ranger-hive-audit.xml configuration file is as follows

<configuration  xmlns:xi="http://www.w3.org/2001/XInclude">
</configuration>

Note: if the Hadoop cluster has Kerberos authentication enabled, kinit must be run to obtain a ticket before starting the Doris FE service; the kinit can be put into crontab as a scheduled job.
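After emptying ranger-hive-audit.xml and restarting the FE, it is worth confirming that the policy cache is actually refreshing rather than assuming it, because a cache that stops updating can also keep granting access that was already revoked in Ranger. The following is an added example (not code from this post, from Doris or from Ranger) that reads a cache file assumed to follow Ranger's ServicePolicies JSON layout (policyUpdateTime in epoch milliseconds, a policies list with resources and policyItems); the embedded sample is constructed.

```python
import json
import time

# Constructed sample cache (assumed to follow Ranger's ServicePolicies JSON
# shape): one policy granting SELECT on ods.orders to user "analyst".
SAMPLE_CACHE = json.dumps({
    "serviceName": "hive",
    "policyVersion": 42,
    "policyUpdateTime": 1732492800000,  # 2024-11-25 00:00 UTC, epoch millis
    "policies": [{
        "id": 7, "name": "ods_orders_read", "isEnabled": True,
        "resources": {"database": {"values": ["ods"]},
                      "table": {"values": ["orders"]},
                      "column": {"values": ["*"]}},
        "policyItems": [{"users": ["analyst"], "groups": [],
                         "accesses": [{"type": "select", "isAllowed": True}]}],
    }],
})

def cache_age_seconds(cache_json, now=None):
    """Seconds since Ranger Admin last changed the cached policy set."""
    data = json.loads(cache_json)
    now = time.time() if now is None else now
    return now - data["policyUpdateTime"] / 1000.0

def is_stale(cache_json, max_age_seconds, now=None):
    """True when the cache is older than allowed: the symptom in the question."""
    return cache_age_seconds(cache_json, now) > max_age_seconds

def _matches(resource, value):
    # Ranger resource values; "*" is the wildcard value.
    values = resource.get("values", [])
    return "*" in values or value in values

def grants(cache_json, user, database, table, access="select"):
    """Names of enabled policies whose allow items give user `access` on db.table."""
    hits = []
    for pol in json.loads(cache_json).get("policies", []):
        res = pol.get("resources", {})
        if not pol.get("isEnabled", True) or not (
                _matches(res.get("database", {}), database)
                and _matches(res.get("table", {}), table)):
            continue
        for item in pol.get("policyItems", []):
            if user in item.get("users", []) and any(
                    a["type"] == access and a.get("isAllowed", True)
                    for a in item.get("accesses", [])):
                hits.append(pol["name"])
                break
    return hits
```

Point it at the FE's real cache file (the policy cache dir configured for the Ranger hive plugin) and compare policyVersion with what Ranger Admin reports for the service.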