
Presto ranger integration error

Open bb786112 opened this issue 5 years ago • 23 comments

Hi All,

I am working to integrate Ranger and Presto, following this URL, but ended up with an error and the integration is not successful.

Steps:

  1. Created a ranger-${RANGER_VERSION}-presto-plugin.tar.gz file.
  2. Extracted tar file to ranger-presto-plugin
  3. Changed install.properties file.
  4. Run ./enable-presto-plugin.sh

The run was successful, but it did not create the access-control.properties & rules.json files, so I created these files manually in /etc/presto. Now Presto is not starting and fails with the below error.

2019-06-21T04:59:21.731Z ERROR main com.facebook.presto.server.PrestoServer Access control ranger is not registered
java.lang.IllegalStateException: Access control ranger is not registered
        at com.google.common.base.Preconditions.checkState(Preconditions.java:585)
        at com.facebook.presto.security.AccessControlManager.setSystemAccessControl(AccessControlManager.java:136)
        at com.facebook.presto.security.AccessControlManager.loadSystemAccessControl(AccessControlManager.java:118)
        at com.facebook.presto.server.PrestoServer.run(PrestoServer.java:142)
        at com.facebook.presto.server.PrestoServer.main(PrestoServer.java:73)


Do we need to use ranger-servicedef-presto.json anywhere? It's not mentioned in the Ranger Presto integration URL.

Or is there any other link I can follow which has all the information?

Thanks Bharat Bhushan

bb786112 avatar Jun 21 '19 05:06 bb786112

Though I'm not familiar with Ranger, I guess you would also need to make sure the plugin contains systemAccessControlFactories per my understanding here: https://github.com/prestodb/presto/blob/6796a1eeaffb76f8e2afd042915bf415aace4920/presto-main/src/main/java/com/facebook/presto/server/PluginManager.java#L223-L226

See if https://prestodb.github.io/docs/current/develop/system-access-control.html helps

shixuan-fan avatar Jun 21 '19 17:06 shixuan-fan

Yes, I have created access-control.properties in the presto etc directory manually. But I am not sure what the name in access-control.name=<What Name> should be, and how I can configure the control name while installing the ranger plugin.

Do we need to do anything else after executing ./enable-presto-plugin.sh to enable ranger plugin with presto?

I am not sure if I need to do any changes in ranger UI (port 6080) for presto?

Thanks in Advance

bb786112 avatar Jun 22 '19 10:06 bb786112

it works for me, u need to build ranger from source (master branch) as ranger-admin jar will change and .sh will change in ranger, then u will see presto in Ranger UI. don't manually create any rules.json, the enable-presto-plugin.sh will create files in plugins subfolder of presto's install folder. Note that it works for prestosql not prestodb.

tooptoop4 avatar Jun 23 '19 14:06 tooptoop4

do you mean prestodb does not support ranger integration at all?

bb786112 avatar Jun 24 '19 11:06 bb786112

@bb786112 you can change references from prestosql.io to com.facebook.presto... in ranger master branch, worked for me

tooptoop4 avatar Jun 24 '19 18:06 tooptoop4

@tooptoop4 I have the same issue installing the ranger plugin as described by @bb786112. I built ranger admin from the master branch that includes the presto plugin change, and ran the steps described by the URL. Could you please detail your steps and configuration? Like the presto version (prestodb or prestosql), and any changes that need to be taken care of?

bradhill99 avatar Jul 10 '19 03:07 bradhill99

@bradhill99 i'm using prestodb 0.220, needed to change all prestosql references. see https://github.com/apache/ranger/pull/36 it has discussion with my folder structure

tooptoop4 avatar Jul 10 '19 18:07 tooptoop4

I have PrestoSQL-326 to configure it with Ranger and following these steps: https://cwiki.apache.org/confluence/display/RANGER/Presto+Plugin

But I am getting below error:

io.prestosql.server.PrestoServer        Access control 'ranger' is not registered
java.lang.IllegalStateException: Access control 'ranger' is not registered
        at com.google.common.base.Preconditions.checkState(Preconditions.java:588)
        at io.prestosql.security.AccessControlManager.setSystemAccessControl(AccessControlManager.java:148)
        at io.prestosql.security.AccessControlManager.loadSystemAccessControl(AccessControlManager.java:135)
        at io.prestosql.server.PrestoServer.run(PrestoServer.java:141)
        at io.prestosql.$gen.Presto_326____20191205_190712_1.run(Unknown Source)
        at io.prestosql.server.PrestoServer.main(PrestoServer.java:73)

Can someone help me through this issue?

rushidmarne avatar Dec 05 '19 19:12 rushidmarne

@rushidmarne echo ranger > etc/access-control.properties

tooptoop4 avatar Dec 05 '19 21:12 tooptoop4

> I have PrestoSQL-326 to configure it with Ranger and following these steps: https://cwiki.apache.org/confluence/display/RANGER/Presto+Plugin
>
> But I am getting below error: ...

Presto 3xx releases are maintained at https://github.com/prestosql/presto. Also, there is the #troubleshooting channel on Presto Community Slack (https://prestosql.io/slack.html)

findepi avatar Dec 05 '19 22:12 findepi

The moment I put file /usr/lib/presto/etc/access-control.properties presto breaks and fails to connect catalogs.

access-control.properties

    access-control.name=ranger
    ranger.username=admin
    ranger.password=admin
    ranger.hive.security-config-xml=/usr/lib/presto/etc/hive_ranger.xml

hive_ranger.xml

    <configuration>
      <property>
        <name>ranger.plugin.hive.service.name</name>
        <value>Hive_EDP_Nonprod</value>
      </property>
      <property>
        <name>ranger.plugin.hive.policy.pollIntervalMs</name>
        <value>5000</value>
      </property>
      <property>
        <name>ranger.service.store.rest.url</name>
        <value>http://{IP}:6080</value>
      </property>
      <property>
        <name>ranger.plugin.hive.policy.rest.url</name>
        <value>http://{IP}:6080</value>
      </property>
    </configuration>

Seems like presto is not understanding : access-control.name=ranger

Are the contents of the access-control.properties file correct?

rushidmarne avatar Dec 06 '19 17:12 rushidmarne

error msg? access-control.properties should just have access-control.name=ranger

tooptoop4 avatar Dec 06 '19 18:12 tooptoop4

@tooptoop4
This is the error I am getting:

io.prestosql.server.PrestoServer Access control 'ranger' is not registered
java.lang.IllegalStateException: Access control 'ranger' is not registered
        at com.google.common.base.Preconditions.checkState(Preconditions.java:588)
        at io.prestosql.security.AccessControlManager.setSystemAccessControl(AccessControlManager.java:148)
        at io.prestosql.security.AccessControlManager.loadSystemAccessControl(AccessControlManager.java:135)
        at io.prestosql.server.PrestoServer.run(PrestoServer.java:141)
        at io.prestosql.$gen.Presto_326____20191205_190712_1.run(Unknown Source)
        at io.prestosql.server.PrestoServer.main(PrestoServer.java:73)

rushidmarne avatar Dec 06 '19 19:12 rushidmarne

@tooptoop4 : Thanks, it went ahead when I removed username and password from access-control.properties file.

And now getting other error:

Error injecting constructor, java.lang.RuntimeException: java.lang.reflect.InvocationTargetException
        at org.apache.ranger.authorization.presto.authorizer.RangerSystemAccessControl.<init>(RangerSystemAccessControl.java:40)
        at org.apache.ranger.authorization.presto.authorizer.RangerSystemAccessControlFactory.lambda$create$0(RangerSystemAccessControlFactory.java:45)
        while locating org.apache.ranger.authorization.presto.authorizer.RangerSystemAccessControl

Do we need to do any changes at ranger side/server? because I had done all the changes on presto server only.

rushidmarne avatar Dec 06 '19 20:12 rushidmarne

Yeeahhhh....!!! Now I can see the presto plugin in the Ranger. Thanks @tooptoop4 , @findepi

I had to add below few additional jars to : ranger-presto-plugin

    commons-codec   commons-codec-1.12
    com.kstruct     gethostname4j-0.0.3
    com.sun         jna-3.0.9.jar

rushidmarne avatar Dec 06 '19 20:12 rushidmarne
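A pre-start check for the "Access control ranger is not registered" failure discussed above, as an added example that is not part of any post in this thread, nor Presto or Ranger code. It assumes the plugin jars sit under a plugin directory you pass in and that the plugin advertises itself through a `META-INF/services/<package>.spi.Plugin` entry; the factory class name comes from the stack trace above, while `check`, `read_properties`, `build_demo` and the demo layout are constructed for illustration.

```python
import tempfile, zipfile
from pathlib import Path
# Factory class name as it appears in the stack trace quoted in this thread.
FACTORY = "org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControlFactory.class"

def read_properties(path):
    """Parse simple key=value lines of a Java .properties file."""
    lines = (l.strip() for l in Path(path).read_text().splitlines())
    pairs = (l.split("=", 1) for l in lines if "=" in l and l[0] not in "#!")
    return {k.strip(): v.strip() for k, v in pairs}

def check(etc_dir, plugin_dir, spi_package):
    """Return a list of findings; an empty list means the static checks passed."""
    props_file = Path(etc_dir) / "access-control.properties"
    if not props_file.is_file():
        return ["access-control.properties absent: Ranger is not being consulted"]
    findings, props = [], read_properties(props_file)
    if props.get("access-control.name") != "ranger":
        findings.append("access-control.name is not 'ranger'")
    extra = sorted(set(props) - {"access-control.name"})
    if extra:
        findings.append("keys other than access-control.name: " + ", ".join(extra))
    service = f"META-INF/services/{spi_package}.spi.Plugin"  # assumed ServiceLoader entry
    jars = []
    for jar in sorted(p for p in Path(plugin_dir).rglob("*.jar") if zipfile.is_zipfile(p)):
        with zipfile.ZipFile(jar) as zf:
            names = set(zf.namelist())
        if FACTORY in names:
            jars.append(jar.name)
            if service not in names:  # e.g. built for io.prestosql, run on com.facebook.presto
                findings.append(f"{jar.name}: factory present but no {service}")
    if not jars:
        findings.append("no plugin jar contains RangerSystemAccessControlFactory")
    return findings

def build_demo(root, props_text, jar_entries):
    """Create a constructed etc/ and plugin/ layout (sample data, not a real install)."""
    etc, plugin = Path(root, "etc"), Path(root, "plugin", "ranger")
    for d in (etc, plugin): d.mkdir(parents=True)
    (etc / "access-control.properties").write_text(props_text)
    with zipfile.ZipFile(plugin / "ranger-presto-plugin.jar", "w") as zf:
        for name in jar_entries:
            zf.writestr(name, b"")
    return etc, plugin.parent

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        etc, plugin = build_demo(tmp, "access-control.name=ranger\nranger.username=demo\n", [FACTORY, "META-INF/services/io.prestosql.spi.Plugin"])
        print("\n".join(check(etc, plugin, "com.facebook.presto")) or "ok")
```

Pass `com.facebook.presto` or `io.prestosql` as `spi_package` to match the server being started; a clean result only shows the files are in place, not that the plugin's own dependencies resolve.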

Presto-Ranger integration is done, I am seeing Presto plugin in Ranger but whenever I am trying to access hive schema I am getting error : "Access Denied: Cannot access catalog hive".

I tried configuring Ranger service with Hive driver: 'org.apache.hive.jdbc.HiveDriver' and also with Presto driver 'io.prestosql.jdbc.PrestoDriver' but still getting access denied error.

Any idea what I am missing?

rushidmarne avatar Jan 14 '20 20:01 rushidmarne

> and also with Presto driver 'io.prestosql.jdbc.PrestoDriver'

@rushidmarne If you're using prestosql, you should report bugs at https://github.com/prestosql/presto. Also, there is the #troubleshooting channel on Presto Community Slack (https://trino.io/slack.html)

findepi avatar Jan 15 '20 11:01 findepi

> Presto-Ranger integration is done, I am seeing Presto plugin in Ranger but whenever I am trying to access hive schema I am getting error : "Access Denied: Cannot access catalog hive".
>
> I tried configuring Ranger service with Hive driver: 'org.apache.hive.jdbc.HiveDriver' and also with Presto driver 'io.prestosql.jdbc.PrestoDriver' but still getting access denied error.
>
> Any idea what I am missing?

I am still getting this same problem any solution for this?

AvianshKumar avatar Aug 30 '20 09:08 AvianshKumar

What is the solution?

2021-01-18T18:39:02.459+0800 ERROR main com.facebook.presto.server.PrestoServer Access control ranger is not registered
java.lang.IllegalStateException: Access control ranger is not registered
        at com.google.common.base.Preconditions.checkState(Preconditions.java:588)
        at com.facebook.presto.security.AccessControlManager.setSystemAccessControl(AccessControlManager.java:148)
        at com.facebook.presto.security.AccessControlManager.loadSystemAccessControl(AccessControlManager.java:134)
        at com.facebook.presto.security.AccessControlManager.loadSystemAccessControl(AccessControlManager.java:121)
        at com.facebook.presto.server.PrestoServer.run(PrestoServer.java:155)
        at com.facebook.presto.server.PrestoServer.main(PrestoServer.java:79)

SessionBest avatar Jan 18 '21 10:01 SessionBest

I have the same problem too. @rushidmarne How did you fix it? Just added some jars?

java.lang.IllegalStateException: Access control ranger is not registered
        at com.google.common.base.Preconditions.checkState(Preconditions.java:588)
        at com.facebook.presto.security.AccessControlManager.setSystemAccessControl(AccessControlManager.java:148)
        at com.facebook.presto.security.AccessControlManager.loadSystemAccessControl(AccessControlManager.java:134)
        at com.facebook.presto.security.AccessControlManager.loadSystemAccessControl(AccessControlManager.java:121)
        at com.facebook.presto.server.PrestoServer.run(PrestoServer.java:155)
        at com.facebook.presto.server.PrestoServer.main(PrestoServer.java:79)

yechangyao avatar Jan 29 '21 05:01 yechangyao

I am also facing the same problem. @rushidmarne how did you resolve it?

sanchibansal123 avatar Jul 13 '21 22:07 sanchibansal123

@rushidmarne +1 The same problem (

Sanikadze avatar Jan 20 '22 11:01 Sanikadze

> Yeeahhhh....!!! Now I can see the presto plugin in the Ranger. Thanks @tooptoop4 , @findepi
>
> I had to add below few additional jars to : ranger-presto-plugin commons-codec commons-codec-1.12 com.kstruct gethostname4j-0.0.3 com.sun jna-3.0.9.jar

@rushidmarne Would you please tell me all the full names of those jars?

I installed presto 0.276.1, and still encountered ranger-presto-plugin integration problem:

2022-09-18T23:10:37.102+0800 INFO main com.facebook.presto.security.AccessControlManager -- Loading system access control --
2022-09-18T23:10:37.103+0800 ERROR main com.facebook.presto.server.PrestoServer Access control ranger is not registered
java.lang.IllegalStateException: Access control ranger is not registered
        at com.google.common.base.Preconditions.checkState(Preconditions.java:588)
        at com.facebook.presto.security.AccessControlManager.setSystemAccessControl(AccessControlManager.java:150)
        at com.facebook.presto.security.AccessControlManager.loadSystemAccessControl(AccessControlManager.java:136)
        at com.facebook.presto.security.AccessControlManager.loadSystemAccessControl(AccessControlManager.java:123)
        at com.facebook.presto.server.PrestoServer.run(PrestoServer.java:169)
        at com.facebook.presto.server.PrestoServer.main(PrestoServer.java:85)

drummerglen avatar Sep 18 '22 15:09 drummerglen