Presto: Access control file is not registered

Created on 19 Jun 2017  路  10Comments  路  Source: prestodb/presto

Following the documentation from https://prestodb.io/docs/current/security/built-in-system-access-control.html

When starting the server/nodes, I get the following error:

-- Loading system access control --
2017-06-19T21:20:58.271Z        INFO    main    Bootstrap       node 2017-06-19T21:21:00.155Z        INFO    main    com.facebook.presto. 2017-06-19T21:20:55.893Z        ERROR   main    com.facebook.presto.s
.environment                                                      nu server.PluginManager    Registering type Regressor                   erver.PrestoServer      Access control file is not registered
ll                              dev                                  2017-06-19T21:21:00.157Z        INFO    main    com.facebook.presto. java.lang.IllegalStateException: Access control file is not registere
2017-06-19T21:20:58.271Z        INFO    main    Bootstrap       node server.PluginManager    Registering parametric type Classifier       d
.internal-address-source                                          IP 2017-06-19T21:21:00.174Z        INFO    main    com.facebook.presto.         at com.google.common.base.Preconditions.checkState(Preconditi
                                IP                                   server.PluginManager    Registering functions from com.facebook.pres ons.java:518)
2017-06-19T21:20:58.271Z        INFO    main    Bootstrap       node to.ml.LearnClassifierAggregation                                             at com.facebook.presto.security.AccessControlManager.setSyste
.location                                                         nu 2017-06-19T21:21:00.187Z        INFO    main    com.facebook.presto. mAccessControl(AccessControlManager.java:134)
ll                              null                                 server.PluginManager    Registering functions from com.facebook.pres         at com.facebook.presto.security.AccessControlManager.loadSyst
2017-06-19T21:20:58.271Z        INFO    main    Bootstrap       node to.ml.LearnVarcharClassifierAggregation                              emAccessControl(AccessControlManager.java:116)
.bind-ip                                                          nu 2017-06-19T21:21:00.194Z        INFO    main    com.facebook.presto.         at com.facebook.presto.server.PrestoServer.run(PrestoServer.j
ll                              null                                 server.PluginManager    Registering functions from com.facebook.pres ava:130)
2017-06-19T21:20:58.271Z        INFO    main    Bootstrap       node to.ml.LearnRegressorAggregation                                              at com.facebook.presto.server.

I also double check that the access control file name is correct in the config files, and the actual implementation.
https://github.com/prestodb/presto/blob/b13ea37b0bebcb0445aab57934c2c62a143cff62/presto-main/src/main/java/com/facebook/presto/security/FileBasedSystemAccessControl.java

My following access-control.properties are the ff:

access-control.name=file
security.config-file=etc/rules.json

and rules.json:

{
  "catalogs": [
    {
      "user": "admin",
      "catalog": "(mysql|system)",
      "allow": true
    },
    {
      "catalog": "hive",
      "allow": true
    },
    {
      "catalog": "system",
      "allow": false
    }
  ]
}

Only issue I can think of is the factory is not working as what I would expect it to do?

picture leolorenzoluis

Most helpful comment

The presto home folder on EMR Instance should be /usr/lib/presto/. I tried copy access-control.properties to /usr/lib/presto/etc/, and the access control worked.

And my EMR version is: emr-5.20.0 with presto version 0.214

picture haymanyu on 31 Jan 2019
3

All 10 comments

The error that you see can be encountered when the value of the access-control.name is something else than file. Can you verify that this value is nothing else but file? For example, if there is a character such as a space at the end of the word file (which can be easily overlooked), then this will result in the above error.

amrutagokhale picture amrutagokhale on 20 Jun 2017

Yes I verified and nothing else is there but file.

leolorenzoluis picture leolorenzoluis on 22 Jun 2017

I'm seeing this issue with 0.178 but the exact same config files work with 0.185 (I built docker images using the exact same build directory).

Here is my access-control.properties contents including showing no whitespace on the access-control.name=file line:

~/Dockerfiles/presto-dev$ cat -A etc/access-control.properties 
#  vim:ts=4:sts=4:sw=4:et$
#$
#  Author: Hari Sekhon$
#  Date: 2017-09-14 10:36:13 +0200 (Thu, 14 Sep 2017)$
#$
#  https://github.com/harisekhon/Dockerfiles$
#$
#  License: see accompanying Hari Sekhon LICENSE file$
#$
#  If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish$
#$
#  https://www.linkedin.com/in/harisekhon$
#$
$
# ok for dev, change for prod$
#access-control.name=allow-all$
#access-control.name=read-only$
access-control.name=file$
# searches relative paths of $PRESTO_HOME/etc and node.data-dir (/var/presto/data) from node.properties$
security.config-file=etc/rules.json$
HariSekhon picture HariSekhon on 16 Oct 2017

Rebuilding against versions 0.179 and 0.180 without changing the source at all results in those versions 0.179 and 0.180 starting up normally with the same config files, but rebuilding again with 0.167 and 0.178 those versions fail with this error above even though I am double checking git that these are the committed configurations and not changing between builds (I don't even use separate branches for this docker build unlike all my others because there are so many versions) so it appears to be related to the version rather than my config file, perhaps this is a bug in older versions?

It would be good to find a workaround so can backtest code against previous versions, any ideas?

All of the Presto config I am using is available in my public github Dockerfiles repo from where I build all my docker images:

https://github.com/HariSekhon/Dockerfiles/tree/master/presto-dev

see under etc/ directory.

HariSekhon picture HariSekhon on 16 Oct 2017

Since I have docker images for every version of Presto on Dockerhub and a whole test suite of scripted Presto Nagios Plugins which can be found in that repo under the tests/ directory, I ran test_presto.sh against every version going backwards from 0.188 to 0.100 (it can override versions via command line arguments).

I found that the error appears in versions 0.178 and prior, while versions 0.179 onwards work normally with this exact same config file.

Teradata's 0.167 release doesn't seem to have this issue though even though the corresponding upstream version does.

Since that's a dev container for my CI, I've simply switched from file access control to allow-all to maintain compatibility with older versions and continue to use the same config file for now.

Ultimately this issue appears to be fixed in current releases so it's probably ok to close this issue and leave it as a historical reference in case anyone else is backtesting Presto code against different versions and runs in to this issue.

HariSekhon picture HariSekhon on 10 Nov 2017

Is this still an open issue?

I am using Presto 0.187 and I am trying to set up security roles using the "File Based Authorization", but it doesn't seems to work.

I followed the instructions and created the needed file as follows:

access-control.name=file
security.config-file=/etc/rules.json

from the server.log seems that it is loading the 'allow-all' configuration instead.

2018-05-22T10:28:58.012Z INFO main com.facebook.presto.security.AccessControlManager -- Loading system access control --
2018-05-22T10:28:58.012Z INFO main com.facebook.presto.security.AccessControlManager -- Loaded system access control allow-all --

Hammond95 picture Hammond95 on 22 May 2018

I think the problem may be in this class here https://github.com/prestodb/presto/blob/ffe29e161f706eeca46fd5dccb81c5f713042878/presto-main/src/main/java/com/facebook/presto/security/AccessControlManager.java

private static final File ACCESS_CONTROL_CONFIGURATION = new File("etc/access-control.properties");

The files that presto searches for are under etc/presto; but I was expecting it to search for them in /etc/presto.

Is it assuming that the installation starts from the root folder?

which etc folder does it refers to?

NOTE: he moment I am running presto on an AWS EMR Cluster Instance, so the expected etc folder may not be the same as the one used.

Hammond95 picture Hammond95 on 22 May 2018

The presto home folder on EMR Instance should be /usr/lib/presto/. I tried copy access-control.properties to /usr/lib/presto/etc/, and the access control worked.

And my EMR version is: emr-5.20.0 with presto version 0.214

haymanyu picture haymanyu on 31 Jan 2019
3

Thanks @haymanyu I will try and let you know :D

Hammond95 picture Hammond95 on 31 Jan 2019

Hi

I am also getting error for prestro ranger integration and presto is not starting at all after integration.

Error:
java.lang.IllegalStateException: Access control ranger is not registered

I am following the below URL:
https://cwiki.apache.org/confluence/display/RANGER/Presto+Plugin

Do we have any information which is not mentioned the above URL?

Thanks

bb786112 picture bb786112 on 21 Jun 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

electrum picture electrum  路  4Comments
tesseract2048 picture tesseract2048  路  3Comments
talnicolas picture talnicolas  路  3Comments
rajeshd3v picture rajeshd3v  路  3Comments
tomz picture tomz  路  3Comments