Limitations

This topic describes the limitations of using Ranger RAZ to authorize access to Amazon S3-compatible object stores.

In a multiple Kerberos realm/domain setup (for example, a Cloudera hybrid setup), the RAZ service fails to process requests coming from any realm/domain other than the one in which the RAZ service is deployed. The root cause of this issue is the hard-coded DEFAULT value of the ranger.raz.auth.method.dt.params.kerberos.name.rules configuration in the ranger-raz-site.xml file, which does not reflect the actual auth-to-local rules.
Workaround:
  1. Log in to Cloudera Manager with admin access.
  2. Go to HDFS > Instances > NameNode > Processes.
  3. Search for the hadoop.security.auth_to_local property in the core-site.xml file and copy the value.

    Example

    This example shows a sample configuration and value.
    <property>
    <name>hadoop.security.auth_to_local</name>
    <value>RULE:[2:$1@$0](rangeradmin@ROOT.COMOPS.SITE)s/(.*)@ROOT.COMOPS.SITE/ranger/
    RULE:[2:$1@$0](rangertagsync@ROOT.COMOPS.SITE)s/(.*)@ROOT.COMOPS.SITE/rangertagsync/
    RULE:[2:$1@$0](rangerusersync@ROOT.COMOPS.SITE)s/(.*)@ROOT.COMOPS.SITE/rangerusersync/
    RULE:[2:$1@$0](rangerkms@ROOT.COMOPS.SITE)s/(.*)@ROOT.COMOPS.SITE/keyadmin/
    RULE:[2:$1@$0](atlas@ROOT.COMOPS.SITE)s/(.*)@ROOT.COMOPS.SITE/atlas/
    DEFAULT</value>
    </property>
  4. Go to Ranger RAZ > Configuration.
  5. Search for the ranger.raz.auth.method.dt.params.kerberos.name.rules property, and set it to the value you copied from the hadoop.security.auth_to_local property.
  6. Save and restart the cluster to remove stale configurations.
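The following added example (not Cloudera's or Hadoop's own code) is a simplified evaluator for auth_to_local rules in the RULE:[n:format](regex)s/pattern/replacement/ and DEFAULT syntax, using the rules from the core-site.xml example above. It shows why a bare DEFAULT cannot map a principal from the ROOT.COMOPS.SITE realm when the RAZ host's own realm is different: the default realm CLUSTER.LOCAL and the host names are constructed for the example.

```python
"""Evaluate Hadoop-style auth_to_local rules against Kerberos principals.
Simplified re-implementation for illustration, not Hadoop's KerberosName class."""
import re

# Parses RULE:[n:format](regex)s/pattern/replacement/[g]; the regex part may not contain ')'.
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\]\(([^)]*)\)s/([^/]*)/([^/]*)/(g?)")

# Rules copied from the page's core-site.xml example, including the trailing DEFAULT.
PAGE_RULES = """
RULE:[2:$1@$0](rangeradmin@ROOT.COMOPS.SITE)s/(.*)@ROOT.COMOPS.SITE/ranger/
RULE:[2:$1@$0](rangertagsync@ROOT.COMOPS.SITE)s/(.*)@ROOT.COMOPS.SITE/rangertagsync/
RULE:[2:$1@$0](rangerusersync@ROOT.COMOPS.SITE)s/(.*)@ROOT.COMOPS.SITE/rangerusersync/
RULE:[2:$1@$0](rangerkms@ROOT.COMOPS.SITE)s/(.*)@ROOT.COMOPS.SITE/keyadmin/
RULE:[2:$1@$0](atlas@ROOT.COMOPS.SITE)s/(.*)@ROOT.COMOPS.SITE/atlas/
DEFAULT
"""


def split_principal(principal):
    """Split 'name[/host]@REALM' into (components, realm)."""
    name, realm = principal.rsplit("@", 1)
    return name.split("/"), realm


def apply_rules(principal, rules_text, default_realm):
    """Return the short name for principal, or None when no rule matches
    (Hadoop raises NoMatchingRule there, which is what makes RAZ reject the request)."""
    components, realm = split_principal(principal)
    for line in rules_text.split():
        if line == "DEFAULT":
            if realm == default_realm:
                return components[0]
            continue  # DEFAULT only maps principals from the local (default) realm
        m = RULE_RE.fullmatch(line)
        if not m:
            raise ValueError("unsupported rule syntax: " + line)
        n, fmt, regex, pattern, repl, flag = m.groups()
        if int(n) != len(components):
            continue  # a [2:...] rule only applies to name/host@REALM principals
        formatted = fmt.replace("$0", realm)
        for i, component in enumerate(components, start=1):
            formatted = formatted.replace("$%d" % i, component)
        if not re.fullmatch(regex, formatted):
            continue
        count = 0 if flag == "g" else 1  # sed semantics: first match unless 'g'
        return re.sub(pattern, repl, formatted, count=count)
    return None
```

With only DEFAULT configured, rangeradmin/host@ROOT.COMOPS.SITE maps to nothing; with the copied rules it maps to ranger, while a one-component rangeradmin@ROOT.COMOPS.SITE still does not match the [2:...] rules.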