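[Step5] Fixing a Ranger HBase Repository creation failure
# Fixing a Ranger HBase Repository creation failure (400 denial caused by a missing atlas user)
# I. Symptom: the HBase repository keeps failing to be created
While Ambari automatically installs/enables the Ranger plugin, it tries to create the abc_hbase repository on Ranger Admin. From the Ambari-side log, the flow is:
- First a GET query: confirms that the repository does not exist (returns [])
- Then a POST to create: creates the HBase repo (returns 400)
- Repository creation failed: a retry begins

The log excerpt below shows the GET returning [] and the POST returning 400 straight away, refusing the creation: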
2026-02-15 21:58:33,476 - call['ambari-sudo.sh su hbase -l -s /bin/bash -c 'curl --location-trusted -k --negotiate -u : -b /var/lib/ambari-agent/tmp/cookies/4a33d5d3-feb4-4661-bbcc-c5f219ec2031 -c /var/lib/ambari-agent/tmp/cookies/4a33d5d3-feb4-4661-bbcc-c5f219ec2031 '"'"'http://dev2.test.com:6080/service/public/v2/api/service?serviceName=abc_hbase&serviceType=hbase&isEnabled=true'"'"' --connect-timeout 10 --max-time 12 -X GET 1>/tmp/tmpryqhyv3u 2>/tmp/tmpp21_xp6u''] {'quiet': False, 'env': {'KRB5CCNAME': '/var/lib/ambari-agent/tmp/curl_krb_cache/ranger_admin_calls_hbase_cc_8604de46ba37388cb4dc89f4565b0bd6b7f8ad780f0b1f64fae17a6f'}}
2026-02-15 21:58:33,754 - call returned (0, '')
2026-02-15 21:58:33,755 - get_user_call_output returned (0, '[]', ' % Total % Received % Xferd Average Speed Time Time Time Current\n Dload Upload Total Spent Left Speed\n\r 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0\r100 2 0 2 0 0 58 0 --:--:-- --:--:-- --:--:-- 58')
2026-02-15 21:58:33,756 - call['/usr/bin/klist -s /var/lib/ambari-agent/tmp/curl_krb_cache/ranger_admin_calls_hbase_cc_8604de46ba37388cb4dc89f4565b0bd6b7f8ad780f0b1f64fae17a6f'] {'user': 'hbase'}
2026-02-15 21:58:33,989 - call returned (0, '')
2026-02-15 21:58:33,991 - call['ambari-sudo.sh su hbase -l -s /bin/bash -c 'curl --location-trusted -k --negotiate -u : -b /var/lib/ambari-agent/tmp/cookies/727c7f35-04d8-4740-8bf6-887582385add -c /var/lib/ambari-agent/tmp/cookies/727c7f35-04d8-4740-8bf6-887582385add http://dev2.test.com:6080/service/public/v2/api/service --connect-timeout 10 --max-time 12 -H '"'"'Content-Type: application/json'"'"' -X POST -d '"'"'{"isEnabled": "true", "configs": {"username": "hbase", "password": "hbase", "hadoop.security.authentication": "kerberos", "hbase.security.authentication": "kerberos", "hbase.zookeeper.property.clientPort": "2181", "hbase.zookeeper.quorum": "dev1.test.com,dev2.test.com,dev3.test.com", "zookeeper.znode.parent": "/hbase-secure", "commonNameForCertificate": "", "hbase.master.kerberos.principal": "hbase/_HOST@TEST.COM", "policy.download.auth.users": "hbase", "tag.download.auth.users": "hbase", "policy.grantrevoke.auth.users": "hbase", "setup.additional.default.policies": "true", "default-policy.1.name": "Service Check User Policy for Hbase", "default-policy.1.resource.table": "ambarismoketest", "default-policy.1.resource.column-family": "*", "default-policy.1.resource.column": "*", "default-policy.1.policyItem.1.users": "ambari-qa", "default-policy.1.policyItem.1.accessTypes": "read,write,create", "default-policy.2.name": "Atlas - table, column-family, column", "default-policy.2.resource.table": "ATLAS_ENTITY_AUDIT_EVENTS,atlas_janus", "default-policy.2.resource.column-family": "*", "default-policy.2.resource.column": "*", "default-policy.2.policyItem.1.users": "atlas", "default-policy.2.policyItem.1.accessTypes": "read,write,create"}, "description": "hbase repo", "name": "abc_hbase", "type": "hbase"}'"'"' 1>/tmp/tmpjprrs1rg 2>/tmp/tmpjhohar_0''] {'quiet': False, 'env': {'KRB5CCNAME': '/var/lib/ambari-agent/tmp/curl_krb_cache/ranger_admin_calls_hbase_cc_8604de46ba37388cb4dc89f4565b0bd6b7f8ad780f0b1f64fae17a6f'}}
2026-02-15 21:58:34,493 - call returned (0, '')
2026-02-15 21:58:34,493 - get_user_call_output returned (0, '{"statusCode":400,"msgDesc":"Operation denied. User name: atlas specified in policy does not exist in ranger admin."}', ' % Total % Received % Xferd Average Speed Time Time Time Current\n Dload Upload Total Spent Left Speed\n\r 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0\r100 1434 0 117 100 1317 417 4703 --:--:-- --:--:-- --:--:-- 5121\r100 1434 0 117 100 1317 417 4703 --:--:-- --:--:-- --:--:-- 5103')
2026-02-15 21:58:34,494 - Repository creation failed
2026-02-15 21:59:04,516 - checked_call['/usr/bin/kinit -c /var/lib/ambari-agent/tmp/curl_krb_cache/ranger_admin_calls_hbase_cc_8604de46ba37388cb4dc89f4565b0bd6b7f8ad780f0b1f64fae17a6f -kt /etc/security/keytabs/hbase.service.keytab hbase/dev1.test.com@TEST.COM > /dev/null'] {'user': 'hbase'}
2026-02-15 21:59:04,756 - checked_call returned (0, '')
2026-02-15 21:59:04,757 - call['ambari-sudo.sh su hbase -l -s /bin/bash -c 'curl --location-trusted -k --negotiate -u : -b /var/lib/ambari-agent/tmp/cookies/8a536ddb-15be-4015-9d82-bbc96271a67a -c /var/lib/ambari-agent/tmp/cookies/8a536ddb-15be-4015-9d82-bbc96271a67a '"'"'http://dev2.test.com:6080/service/public/v2/api/service?serviceName=abc_hbase&serviceType=hbase&isEnabled=true'"'"' --connect-timeout 10 --max-time 12 -X GET 1>/tmp/tmpnleopjuf 2>/tmp/tmpmrxqfi0g''] {'quiet': False, 'env': {'KRB5CCNAME': '/var/lib/ambari-agent/tmp/curl_krb_cache/ranger_admin_calls_hbase_cc_8604de46ba37388cb4dc89f4565b0bd6b7f8ad780f0b1f64fae17a6f'}}
2026-02-15 21:59:05,031 - call returned (0, '')
2026-02-15 21:59:05,032 - get_user_call_output returned (0, '[]', ' % Total % Received % Xferd Average Speed Time Time Time Current\n Dload Upload Total Spent Left Speed\n\r 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0\r100 2 0 2 0 0 51 0 --:--:-- --:--:-- --:--:-- 52')
2026-02-15 21:59:05,033 - checked_call['/usr/bin/kinit -c /var/lib/ambari-agent/tmp/curl_krb_cache/ranger_admin_calls_hbase_cc_8604de46ba37388cb4dc89f4565b0bd6b7f8ad780f0b1f64fae17a6f -kt /etc/security/keytabs/hbase.service.keytab hbase/dev1.test.com@TEST.COM > /dev/null'] {'user': 'hbase'}
2026-02-15 21:59:05,271 - checked_call returned (0, '')
2026-02-15 21:59:05,272 - call['ambari-sudo.sh su hbase -l -s /bin/bash -c 'curl --location-trusted -k --negotiate -u : -b /var/lib/ambari-agent/tmp/cookies/a44cf509-6a46-41dc-8121-0047dfd2de82 -c /var/lib/ambari-agent/tmp/cookies/a44cf509-6a46-41dc-8121-0047dfd2de82 http://dev2.test.com:6080/service/public/v2/api/service --connect-timeout 10 --max-time 12 -H '"'"'Content-Type: application/json'"'"' -X POST -d '"'"'{"isEnabled": "true", "configs": {"username": "hbase", "password": "hbase", "hadoop.security.authentication": "kerberos", "hbase.security.authentication": "kerberos", "hbase.zookeeper.property.clientPort": "2181", "hbase.zookeeper.quorum": "dev1.test.com,dev2.test.com,dev3.test.com", "zookeeper.znode.parent": "/hbase-secure", "commonNameForCertificate": "", "hbase.master.kerberos.principal": "hbase/_HOST@TEST.COM", "policy.download.auth.users": "hbase", "tag.download.auth.users": "hbase", "policy.grantrevoke.auth.users": "hbase", "setup.additional.default.policies": "true", "default-policy.1.name": "Service Check User Policy for Hbase", "default-policy.1.resource.table": "ambarismoketest", "default-policy.1.resource.column-family": "*", "default-policy.1.resource.column": "*", "default-policy.1.policyItem.1.users": "ambari-qa", "default-policy.1.policyItem.1.accessTypes": "read,write,create", "default-policy.2.name": "Atlas - table, column-family, column", "default-policy.2.resource.table": "ATLAS_ENTITY_AUDIT_EVENTS,atlas_janus", "default-policy.2.resource.column-family": "*", "default-policy.2.resource.column": "*", "default-policy.2.policyItem.1.users": "atlas", "default-policy.2.policyItem.1.accessTypes": "read,write,create"}, "description": "hbase repo", "name": "abc_hbase", "type": "hbase"}'"'"' 1>/tmp/tmpci6_nvcj 2>/tmp/tmprcf0fmi3''] {'quiet': False, 'env': {'KRB5CCNAME': '/var/lib/ambari-agent/tmp/curl_krb_cache/ranger_admin_calls_hbase_cc_8604de46ba37388cb4dc89f4565b0bd6b7f8ad780f0b1f64fae17a6f'}}
2026-02-15 21:59:05,771 - call returned (0, '')
2026-02-15 21:59:05,772 - get_user_call_output returned (0, '{"statusCode":400,"msgDesc":"Operation denied. User name: atlas specified in policy does not exist in ranger admin."}', ' % Total % Received % Xferd Average Speed Time Time Time Current\n Dload Upload Total Spent Left Speed\n\r 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0\r100 1434 0 117 100 1317 434 4895 --:--:-- --:--:-- --:--:-- 5330')
2026-02-15 21:59:05,772 - Repository creation failed
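Difference from the HDFS scenario
- With HDFS the usual response is {"statusCode":1}, which looks more like a session/user-resolution problem
- With HBase here it is an explicit 400 whose msgDesc points at a non-existent user, i.e. a "policy validation denial"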
# II. Core error: the default policy references atlas, but that user does not exist in Ranger Admin
The error message is very direct:
```
{"statusCode":400,"msgDesc":"Operation denied. User name: atlas specified in policy does not exist in ranger admin."}
```
This shows that the HBase Repository creation request carries "default policies", one of whose policyItem.users entries specifies atlas. When Ranger Admin validates the policy it finds that this user does not exist, so it rejects the creation outright.
# 1. Locating the policy fields in the request JSON
The POST payload sent by Ambari contains (key part):
- default-policy.2.name = "Atlas - table, column-family, column"
- default-policy.2.policyItem.1.users = "atlas"
```
"default-policy.2.name": "Atlas - table, column-family, column",
"default-policy.2.resource.table": "ATLAS_ENTITY_AUDIT_EVENTS,atlas_janus",
"default-policy.2.policyItem.1.users": "atlas",
"default-policy.2.policyItem.1.accessTypes": "read,write,create"
```
Conclusion
The problem is not that Ranger Admin is "unreachable" or that "Kerberos is wrong"; the policies built into the creation request fail validation, which triggers a hard rejection (400).
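# III. Investigation path: turning Ambari's automated behaviour into reproducible evidence
The Ambari log already contains the complete call chain; the key is to read it as "standard API behaviour" so that it can be lined up quickly during troubleshooting.
# 1. GET confirms that the repo does not exist
```
curl ... \
  "http://dev2.test.com:6080/service/public/v2/api/service?serviceName=abc_hbase&serviceType=hbase&isEnabled=true"
# returns []
```
Log evidence:
```
2026-02-15 21:58:33,755 - get_user_call_output returned (0, '[]', ...)
```
# 2. POST to create the repo returns 400
Log evidence (excerpt, original response preserved):
```
2026-02-15 21:58:34,493 - get_user_call_output returned (0, '{"statusCode":400,"msgDesc":"Operation denied. User name: atlas specified in policy does not exist in ranger admin."}', ...)
```
Do not simply retry this kind of error
Retrying does not fix the "user does not exist" validation condition by itself; it only keeps the installation stuck for longer.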
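An added example (not from the original post, nor from Ambari or Ranger code): a pre-flight check that collects every user named in the `default-policy.N.policyItem.M.users` keys of the creation payload and reports those unknown to Ranger Admin, plus a helper that recognizes the 400 denial so a caller can stop retrying. The function names, the trimmed payload, the `KNOWN_USERS` set and the comma-separated handling of the users value are assumptions for illustration.

```python
import json
import re

# Keys such as "default-policy.2.policyItem.1.users" in the flattened configs map.
USERS_KEY = re.compile(r"^default-policy\.(\d+)\.policyItem\.\d+\.users$")
# The denial text Ranger Admin returned in the log above.
MISSING_USER = re.compile(r"User name: (\S+) specified in policy does not exist")

def policy_users(payload):
    """Map each user named in a default policy to the policies that name it."""
    configs = payload.get("configs", {})
    found = {}
    for key, value in configs.items():
        m = USERS_KEY.match(key)
        if not m:
            continue
        label = configs.get(f"default-policy.{m.group(1)}.name", key)
        # Assumption: several users may be given as a comma-separated list.
        for user in filter(None, (u.strip() for u in value.split(","))):
            found.setdefault(user, []).append(label)
    return found

def missing_users(payload, known_users):
    """Users referenced by default policies but unknown to Ranger Admin."""
    return {u: p for u, p in policy_users(payload).items() if u not in known_users}

def rejected_user(response_body):
    """Return the user named in a 400 policy-validation denial, else None."""
    body = json.loads(response_body)
    if not isinstance(body, dict) or body.get("statusCode") != 400:
        return None
    m = MISSING_USER.search(body.get("msgDesc", ""))
    return m.group(1) if m else None

# Constructed sample: policy-related keys copied from the POST payload in the log.
PAYLOAD = {"name": "abc_hbase", "type": "hbase", "configs": {
    "default-policy.1.name": "Service Check User Policy for Hbase",
    "default-policy.1.policyItem.1.users": "ambari-qa",
    "default-policy.2.name": "Atlas - table, column-family, column",
    "default-policy.2.policyItem.1.users": "atlas",
}}
KNOWN_USERS = {"hbase", "ambari-qa"}  # constructed stand-in for Ranger Admin's user list
RESPONSE = ('{"statusCode":400,"msgDesc":"Operation denied. User name: atlas '
            'specified in policy does not exist in ranger admin."}')

if __name__ == "__main__":
    print("missing before POST:", missing_users(PAYLOAD, KNOWN_USERS))
    print("non-retryable denial for user:", rejected_user(RESPONSE))
```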
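# V. Acceptance: the component-side retry succeeds and the HBase repo is visible in Ranger Admin
After the atlas user has been added and synchronized, re-trigger the creation flow from the component side (in this example, by restarting HBase Master, which triggers the relevant chain); the creation can then be seen to succeed.
# 1. Component side succeeds (triggered after restarting HBase Master)

# 2. Confirming on the Ranger Admin page that the HBase Repository has been created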
