Thanks for your reply. We are using Ranger 0.7.0. We don't think there is an issue with Ranger SSL and suspect we are doing incomplete or incorrect configuration. Can you please look at our SSL configuration file shared in the previous email and point out if something looks wrong?
Also, is there any documentation on how to configure a custom Ranger plugin to talk to SSL enabled Ranger? We were only able to find HortonWorks documentation on how to make existing (hdfs) plugin talk to SSL enabled Ranger. Thanks.

Thanks,
Rohit Sinha

On Sun, Mar 25, 2018 at 11:58 PM, pengjianhua <[email protected]> wrote:

> Please tell me which version you are using. I tested the 0.7.0, 0.7.1,
> 1.0.0. There are no problems with these versions. Maybe your configuration
> is wrong.
>
> On 2018-03-25 04:48, rohit sinha wrote:
>
>> Hello,
>>
>> We have a ranger plugin which works perfectly fine with non-SSL Ranger, but when we turn on SSL for Ranger our plugin fails to talk to Ranger Server because some underlying Ranger classes fail to be initialized. We see the following error in the logs:
>>
>> 2018-03-23 01:34:00,064 - ERROR [leader-election-election-master.services:o.a.r.p.u.PolicyRefresher@282] - PolicyRefresher(serviceName=myServicedev): failed to refresh policies. Will continue to use last known version of policies (-1)
>> java.lang.IllegalArgumentException: SSLContext must not be null
>>     at com.sun.jersey.client.urlconnection.HTTPSProperties.<init>(HTTPSProperties.java:106) ~[jersey-bundle-1.17.1.jar:1.17.1]
>>     at org.apache.ranger.plugin.util.RangerRESTClient.buildClient(RangerRESTClient.java:200) ~[ranger-plugins-common-0.7.0.jar:0.7.0]
>>     at org.apache.ranger.plugin.util.RangerRESTClient.getClient(RangerRESTClient.java:175) ~[ranger-plugins-common-0.7.0.jar:0.7.0]
>>     at org.apache.ranger.plugin.util.RangerRESTClient.getResource(RangerRESTClient.java:155) ~[ranger-plugins-common-0.7.0.jar:0.7.0]
>>     at org.apache.ranger.admin.client.RangerAdminRESTClient.createWebResource(RangerAdminRESTClient.java:267) ~[ranger-plugins-common-0.7.0.jar:0.7.0]
>>     at org.apache.ranger.admin.client.RangerAdminRESTClient.access$200(RangerAdminRESTClient.java:47) ~[ranger-plugins-common-0.7.0.jar:0.7.0]
>>     at org.apache.ranger.admin.client.RangerAdminRESTClient$3.run(RangerAdminRESTClient.java:107) ~[ranger-plugins-common-0.7.0.jar:0.7.0]
>>     at org.apache.ranger.admin.client.RangerAdminRESTClient$3.run(RangerAdminRESTClient.java:105) ~[ranger-plugins-common-0.7.0.jar:0.7.0]
>>     at java.security.AccessController.doPrivileged(Native Method) ~[na:1.8.0_112]
>>     at javax.security.auth.Subject.doAs(Subject.java:360) ~[na:1.8.0_112]
>>     at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1849) ~[hadoop-common-2.7.3.2.6.4.0-91.jar:na]
>>     at org.apache.ranger.admin.client.RangerAdminRESTClient.getServicePoliciesIfUpdated(RangerAdminRESTClient.java:114) ~[ranger-plugins-common-0.7.0.jar:0.7.0]
>>     at org.apache.ranger.plugin.util.PolicyRefresher.loadPolicyfromPolicyAdmin(PolicyRefresher.java:258) [ranger-plugins-common-0.7.0.jar:0.7.0]
>>     at org.apache.ranger.plugin.util.PolicyRefresher.loadPolicy(PolicyRefresher.java:202) [ranger-plugins-common-0.7.0.jar:0.7.0]
>>     at org.apache.ranger.plugin.util.PolicyRefresher.startRefresher(PolicyRefresher.java:149) [ranger-plugins-common-0.7.0.jar:0.7.0]
>>     at org.apache.ranger.plugin.service.RangerBasePlugin.init(RangerBasePlugin.java:142) [ranger-plugins-common-0.7.0.jar:0.7.0]
>>     at com.company.myService.security.authorization.ranger.binding.RangerAuthorizer.initialize(RangerAuthorizer.java:90) [1521768838074-0/:na]
>>     at com.company.myService.security.authorization.AuthorizerInstantiator.createAndInitializeAuthorizerInstance(AuthorizerInstantiator.java:172) [na:na]
>>     at com.company.myService.security.authorization.AuthorizerInstantiator.get(AuthorizerInstantiator.java:141) [na:na]
>>     at com.company.myService.security.authorization.DelegatingPrivilegeManager.<init>(DelegatingPrivilegeManager.java:41) [na:na]
>>     ....
>>     ....
>>     at java.lang.Thread.run(Thread.java:745) [na:1.8.0_112]
>>
>> From the log, we see that the RangerRestClient fails to be built because SSLContext is null. Looking into the code of these Ranger classes we suspect this is because the TrustManager list being returned from here is null.
>>
>> https://github.com/apache/ranger/blob/4370b6b135ca5288bf25bd6f7a353b9699821099/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java#L308
>>
>> To the best of our understanding all our configurations look good. We also checked we are picking up the ranger-myService-policymgr-ssl.xml correctly. We were able to load it from the classloader and print it. Following are our configurations:
>>
>> master.services:c.c.c.s.a.r.b.RangerAuthorizer@96] - <?xml version="1.0"?>
>> <!--
>>   Licensed to the Apache Software Foundation (ASF) under one or more
>>   contributor license agreements. See the NOTICE file distributed with
>>   this work for additional information regarding copyright ownership.
>>   The ASF licenses this file to You under the Apache License, Version 2.0
>>   (the "License"); you may not use this file except in compliance with
>>   the License. You may obtain a copy of the License at
>>
>>       http://www.apache.org/licenses/LICENSE-2.0
>>
>>   Unless required by applicable law or agreed to in writing, software
>>   distributed under the License is distributed on an "AS IS" BASIS,
>>   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
>>   See the License for the specific language governing permissions and
>>   limitations under the License.
>> -->
>> <?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
>> <configuration xmlns:xi="http://www.w3.org/2001/XInclude">
>>   <!-- The following properties are used for 2-way SSL client server validation -->
>>   <property>
>>     <name>xasecure.policymgr.clientssl.keystore</name>
>>     <value>/usr/local/ranger-myService-conf/ranger-plugin-keystore.jks</value>
>>     <description>Java Keystore files</description>
>>   </property>
>>   <property>
>>     <name>xasecure.policymgr.clientssl.keystore.password</name>
>>     <value>myKeyFilePassword</value>
>>     <description>password for keystore</description>
>>   </property>
>>   <property>
>>     <name>xasecure.policymgr.clientssl.truststore</name>
>>     <value>/usr/local/ranger-myService-conf/ranger-plugin-truststore.jks</value>
>>     <description>java truststore file</description>
>>   </property>
>>   <property>
>>     <name>xasecure.policymgr.clientssl.truststore.password</name>
>>     <value>changeit</value>
>>     <description>java truststore password</description>
>>   </property>
>>   <property>
>>     <name>xasecure.policymgr.clientssl.keystore.credential.file</name>
>>     <value>jceks://file/etc/ranger/admin/rangeradmin.jceks</value>
>>     <description>java keystore credential file</description>
>>   </property>
>>   <property>
>>     <name>xasecure.policymgr.clientssl.truststore.credential.file</name>
>>     <value>jceks://file/etc/ranger/admin/rangeradmin.jceks</value>
>>     <description>java truststore credential file</description>
>>   </property>
>> </configuration>
>>
>> Can you please help us in figuring out what we are missing or doing incorrectly?
>>
>> Thanks,
>> Rohit Sinha
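
A stand-alone way to confirm that the keystore and truststore named in the posted configuration can produce an SSLContext at all, as an added example that is not part of the original thread and is not Ranger code. It uses plain JSSE rather than the RangerRESTClient code path; the class name PluginSslStoreCheck is hypothetical, and it assumes JKS stores whose key password matches the keystore password.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

// Added diagnostic (hypothetical class name), not Ranger code.
// Usage: java PluginSslStoreCheck <keystore.jks> <truststore.jks>
public class PluginSslStoreCheck {

    // Opens a JKS store; throws if the file is unreadable or the password is wrong.
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 2 || console == null) {
            System.err.println("usage (interactive terminal): PluginSslStoreCheck <keystore> <truststore>");
            System.exit(2);
        }
        // Passwords are prompted for so they stay out of shell history and process listings.
        char[] keyPass = console.readPassword("keystore password: ");
        char[] trustPass = console.readPassword("truststore password: ");
        KeyStore keyStore = load(args[0], keyPass);
        KeyStore trustStore = load(args[1], trustPass);

        int keys = 0, certs = 0;
        for (String a : Collections.list(keyStore.aliases())) if (keyStore.isKeyEntry(a)) keys++;
        for (String a : Collections.list(trustStore.aliases())) if (trustStore.isCertificateEntry(a)) certs++;
        // 2-way SSL needs a private key to present and a CA/server certificate to trust.
        System.out.println("private-key entries: " + keys + ", trusted-cert entries: " + certs);

        // Assumption: the key password equals the keystore password.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        TrustManager[] trustManagers = tmf.getTrustManagers();

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), trustManagers, null);
        System.out.println("SSLContext built with " + trustManagers.length + " trust manager(s)");
    }
}
```

Run it as the same OS user as the plugin process so that file permissions on the two .jks files are exercised as well.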
