Please tell me which version you are using. I tested 0.7.0, 0.7.1 and 1.0.0. There are no problems with these versions. Maybe your configuration is wrong.

On 2018-03-25 04:48, rohit sinha wrote:
Hello,

We have a ranger plugin which works perfectly fine with non-SSL Ranger, but when we turn on SSL for Ranger our plugin fails to talk to Ranger Server because some underlying Ranger classes fail to be initialized. We see the following error in the logs:

2018-03-23 01:34:00,064 - ERROR [leader-election-election-master.services:o.a.r.p.u.PolicyRefresher@282] - PolicyRefresher(serviceName=myServicedev): failed to refresh policies. Will continue to use last known version of policies (-1)
java.lang.IllegalArgumentException: SSLContext must not be null
    at com.sun.jersey.client.urlconnection.HTTPSProperties.<init>(HTTPSProperties.java:106) ~[jersey-bundle-1.17.1.jar:1.17.1]
    at org.apache.ranger.plugin.util.RangerRESTClient.buildClient(RangerRESTClient.java:200) ~[ranger-plugins-common-0.7.0.jar:0.7.0]
    at org.apache.ranger.plugin.util.RangerRESTClient.getClient(RangerRESTClient.java:175) ~[ranger-plugins-common-0.7.0.jar:0.7.0]
    at org.apache.ranger.plugin.util.RangerRESTClient.getResource(RangerRESTClient.java:155) ~[ranger-plugins-common-0.7.0.jar:0.7.0]
    at org.apache.ranger.admin.client.RangerAdminRESTClient.createWebResource(RangerAdminRESTClient.java:267) ~[ranger-plugins-common-0.7.0.jar:0.7.0]
    at org.apache.ranger.admin.client.RangerAdminRESTClient.access$200(RangerAdminRESTClient.java:47) ~[ranger-plugins-common-0.7.0.jar:0.7.0]
    at org.apache.ranger.admin.client.RangerAdminRESTClient$3.run(RangerAdminRESTClient.java:107) ~[ranger-plugins-common-0.7.0.jar:0.7.0]
    at org.apache.ranger.admin.client.RangerAdminRESTClient$3.run(RangerAdminRESTClient.java:105) ~[ranger-plugins-common-0.7.0.jar:0.7.0]
    at java.security.AccessController.doPrivileged(Native Method) ~[na:1.8.0_112]
    at javax.security.auth.Subject.doAs(Subject.java:360) ~[na:1.8.0_112]
    at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1849) ~[hadoop-common-2.7.3.2.6.4.0-91.jar:na]
    at org.apache.ranger.admin.client.RangerAdminRESTClient.getServicePoliciesIfUpdated(RangerAdminRESTClient.java:114) ~[ranger-plugins-common-0.7.0.jar:0.7.0]
    at org.apache.ranger.plugin.util.PolicyRefresher.loadPolicyfromPolicyAdmin(PolicyRefresher.java:258) [ranger-plugins-common-0.7.0.jar:0.7.0]
    at org.apache.ranger.plugin.util.PolicyRefresher.loadPolicy(PolicyRefresher.java:202) [ranger-plugins-common-0.7.0.jar:0.7.0]
    at org.apache.ranger.plugin.util.PolicyRefresher.startRefresher(PolicyRefresher.java:149) [ranger-plugins-common-0.7.0.jar:0.7.0]
    at org.apache.ranger.plugin.service.RangerBasePlugin.init(RangerBasePlugin.java:142) [ranger-plugins-common-0.7.0.jar:0.7.0]
    at com.company.myService.security.authorization.ranger.binding.RangerAuthorizer.initialize(RangerAuthorizer.java:90) [1521768838074-0/:na]
    at com.company.myService.security.authorization.AuthorizerInstantiator.createAndInitializeAuthorizerInstance(AuthorizerInstantiator.java:172) [na:na]
    at com.company.myService.security.authorization.AuthorizerInstantiator.get(AuthorizerInstantiator.java:141) [na:na]
    at com.company.myService.security.authorization.DelegatingPrivilegeManager.<init>(DelegatingPrivilegeManager.java:41) [na:na]
    .... ....
    at java.lang.Thread.run(Thread.java:745) [na:1.8.0_112]

From the log, we see that the RangerRestClient fails to be built because SSLContext is null. Looking into the code of these Ranger classes we suspect this is because the TrustManager list being returned from here is null.

https://github.com/apache/ranger/blob/4370b6b135ca5288bf25bd6f7a353b9699821099/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java#L308

To the best of our understanding all our configurations look good. We also checked we are picking up the ranger-myService-policymgr-ssl.xml correctly. We were able to load it from the classloader and print it. Following are our configurations:

master.services:c.c.c.s.a.r.b.RangerAuthorizer@96] -
<?xml version="1.0"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
        <!-- The following properties are used for 2-way SSL client server validation -->
        <property>
                <name>xasecure.policymgr.clientssl.keystore</name>
                <value>/usr/local/ranger-myService-conf/ranger-plugin-keystore.jks</value>
                <description>
                        Java Keystore files
                </description>
        </property>
        <property>
                <name>xasecure.policymgr.clientssl.keystore.password</name>
                <value>myKeyFilePassword</value>
                <description>
                        password for keystore
                </description>
        </property>
        <property>
                <name>xasecure.policymgr.clientssl.truststore</name>
                <value>/usr/local/ranger-myService-conf/ranger-plugin-truststore.jks</value>
                <description>
                        java truststore file
                </description>
        </property>
        <property>
                <name>xasecure.policymgr.clientssl.truststore.password</name>
                <value>changeit</value>
                <description>
                        java truststore password
                </description>
        </property>
        <property>
                <name>xasecure.policymgr.clientssl.keystore.credential.file</name>
                <value>jceks://file/etc/ranger/admin/rangeradmin.jceks</value>
                <description>
                        java keystore credential file
                </description>
        </property>
        <property>
                <name>xasecure.policymgr.clientssl.truststore.credential.file</name>
                <value>jceks://file/etc/ranger/admin/rangeradmin.jceks</value>
                <description>
                        java truststore credential file
                </description>
        </property>
</configuration>

Can you please help us in figuring out what we are missing or doing incorrectly?

Thanks,
Rohit Sinha
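
A stand-alone check of the keystore and truststore named in the configuration above, as an added example that is not part of the original thread and not Ranger code: it reads the xasecure.policymgr.clientssl.* properties from the XML file and tries to build an SSLContext from them using only JDK classes. The class name CheckPluginSsl is hypothetical; it assumes both stores are JKS, that the passwords written in the XML are the ones in effect, and that the key password equals the keystore password.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.HashMap;
import java.util.Map;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Added diagnostic (hypothetical class name); JDK APIs only, no Ranger classes.
public class CheckPluginSsl {
    static final String P = "xasecure.policymgr.clientssl.";
    // Read <property><name>/<value> pairs from a Hadoop-style configuration file.
    static Map<String, String> readProps(File xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        NodeList props = f.newDocumentBuilder().parse(xml).getElementsByTagName("property");
        Map<String, String> out = new HashMap<>();
        for (int i = 0; i < props.getLength(); i++) {
            Element p = (Element) props.item(i);
            String name = p.getElementsByTagName("name").item(0).getTextContent().trim();
            out.put(name, p.getElementsByTagName("value").item(0).getTextContent().trim());
        }
        return out;
    }
    // Load a JKS store; throws if the file is missing, unreadable or the password is wrong.
    static KeyStore load(String path, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) { ks.load(in, pw); }
        System.out.println(path + ": " + ks.size() + " entries");
        return ks;
    }
    public static void main(String[] args) throws Exception {
        Map<String, String> c = readProps(new File(args[0]));
        // Assumption: passwords are the literal XML values and key password == store password.
        char[] kpw = c.get(P + "keystore.password").toCharArray();
        char[] tpw = c.get(P + "truststore.password").toCharArray();
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(c.get(P + "keystore"), kpw), kpw);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(c.get(P + "truststore"), tpw));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        System.out.println("SSLContext built: " + ctx.getProtocol());
    }
}
```

Run it as the same OS user as the plugin process, passing the path to ranger-myService-policymgr-ssl.xml as the only argument; an exception from load() names the store that cannot be opened.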



