[
https://issues.apache.org/jira/browse/RANGER-2604?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
David Berger updated RANGER-2604:
---------------------------------
Description:
We are running Presto with TLS enabled
[https://prestosql.github.io/docs.prestosql.io/current/security/tls.html#server-java-keystore]
When connecting to Presto via a JDBC client it works fine by enabling SSL and
passing the trust store details like below
jdbc:presto://edl-hr-pr-ldap-presto.az.gdp-bigdata1.gdpdentsu.net:443/hive/default?SSL=true&SSLTrustStorePath=/Users/david.berger/git/tactical-edl-hr/presto/edl-hr-keystore-coordinator_trust.jks&SSLTrustStorePassword=turstpass123
But using the same connection string when setting up the Presto Repo in Ranger
it doesn't work because Ranger assumes you're running Kerberos now, which isn't
right.
*See the Ranger REST call we use to create the repo below:*
curl -iv -u ${RANGER_ADMIN_USER}:${RANGER_ADMIN_PWD} \
  -H "Content-Type: application/json" \
  -d '{"configs": {
        "username": "LDAPADM",
        "password": "<PASSWORD>",
        "jdbc.driverClassName": "io.prestosql.jdbc.PrestoDriver",
        "jdbc.url": "jdbc:presto://edl-hr-pr-ldap-presto.az.gdp-bigdata1.gdpdentsu.net:443/hive/default?SSL=true&SSLTrustStorePath=/plugins_tls/edl-hr-keystore-coordinator_trust.jks&SSLTrustStorePassword=turstpass123"},
      "description": "PrestoTestRepo", "isEnabled": true, "name": "PrestoTestRepo",
      "type": "presto", "version": 1 }' \
  -X POST ${URL}/service/public/v2/api/service
*The error in the Ranger log preventing us from logging in:*
2019-10-06 07:47:44,562 [timed-executor-pool-0] WARN
org.apache.hadoop.security.SecureClientLogin (SecureClientLogin.java:126) -
Can't find keyTab Path : null
2019-10-06 07:47:44,562 [timed-executor-pool-0] WARN
org.apache.hadoop.security.SecureClientLogin (SecureClientLogin.java:130) -
Can't find principal : null
2019-10-06 07:47:44,567 [timed-executor-pool-0] INFO
org.apache.ranger.plugin.client.BaseClient (BaseClient.java:126) - Init Login:
security not enabled, using username
was:
We are running Presto with TLS enabled
[https://prestosql.github.io/docs.prestosql.io/current/security/tls.html#server-java-keystore]
When connecting to Presto via a JDBC client it works fine by enabling SSL and
passing the trust store details like below
jdbc:presto://edl-hr-pr-ldap-presto.az.gdp-bigdata1.gdpdentsu.net:443/hive/default?SSL=true&SSLTrustStorePath=/Users/david.berger/git/tactical-edl-hr/presto/edl-hr-keystore-coordinator_trust.jks&SSLTrustStorePassword=turstpass123
But using the same connection string when setting up the Presto Repo in Ranger
it doesn't work because Ranger assumes you're running Kerberos now, which isn't
right.
*See the Ranger REST call we use to create the repo below:*
curl -iv -u ${RANGER_ADMIN_USER}:${RANGER_ADMIN_PWD} -H "Content-Type:
application/json" -d '\{"configs": {"username": "LDAPADM", "password":
"<PASSWORD>", "jdbc.driverClassName": "io.prestosql.jdbc.PrestoDriver",
"jdbc.url":
"jdbc:presto://edl-hr-pr-ldap-presto.az.gdp-bigdata1.gdpdentsu.net:443/hive/default?SSL=true&SSLTrustStorePath=/plugins_tls/edl-hr-keystore-coordinator_trust.jks&SSLTrustStorePassword=turstpass123"},
"description": "PrestoTestRepo", "isEnabled": true, "name": "PrestoTestRepo",
"type": "presto", "version": 1 }' -X POST ${URL}/service/public/v2/api/service
*The error in the Ranger log preventing us from logging in:*
019-10-06 07:47:44,562 [timed-executor-pool-0] WARN org.apache.hadoop.security.SecureClientLogin (SecureClientLogin.java:126) - *Can't find keyTab Path : null*
019-10-06 07:47:44,562 [timed-executor-pool-0] WARN org.apache.hadoop.security.SecureClientLogin (SecureClientLogin.java:126) - *Can't find keyTab Path : null*
2019-10-06 07:47:44,562 [timed-executor-pool-0] WARN org.apache.hadoop.security.SecureClientLogin (SecureClientLogin.java:130) - Can't find principal : null
2019-10-06 07:47:44,567 [timed-executor-pool-0] INFO org.apache.ranger.plugin.client.BaseClient (BaseClient.java:126) - Init Login: security not enabled, using username
2019-10-06 07:47:46,716 [timed-executor-pool-0] ERROR apache.ranger.services.presto.client.PrestoClient$2 (PrestoClient.java:213) - <== PrestoClient getCatalogList() :Unable to get the Database List
org.apache.ranger.plugin.client.HadoopException: Unable to execute SQL [SHOW CATALOGS].
    at org.apache.ranger.services.presto.client.PrestoClient.getCatalogs(PrestoClient.java:190)
    at org.apache.ranger.services.presto.client.PrestoClient.access$100(PrestoClient.java:45)
    at org.apache.ranger.services.presto.client.PrestoClient$2.run(PrestoClient.java:211)
    at org.apache.ranger.services.presto.client.PrestoClient$2.run(PrestoClient.java:206)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:360)
    at org.apache.ranger.services.presto.client.PrestoClient.getCatalogList(PrestoClient.java:206)
    at org.apache.ranger.services.presto.client.PrestoClient.connectionTest(PrestoClient.java:497)
    at org.apache.ranger.services.presto.client.PrestoResourceManager.connectionTest(PrestoResourceManager.java:48)
    at org.apache.ranger.services.presto.RangerServicePresto.validateConfig(RangerServicePresto.java:48)
    at org.apache.ranger.biz.ServiceMgr$ValidateCallable.actualCall(ServiceMgr.java:660)
    at org.apache.ranger.biz.ServiceMgr$ValidateCallable.actualCall(ServiceMgr.java:647)
    at org.apache.ranger.biz.ServiceMgr$TimedCallable.call(ServiceMgr.java:608)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.sql.SQLException: Authentication failed: Access Denied: Invalid credentials
    at io.prestosql.jdbc.PrestoStatement.internalExecute(PrestoStatement.java:271)
    at io.prestosql.jdbc.PrestoStatement.execute(PrestoStatement.java:227)
    at io.prestosql.jdbc.PrestoStatement.executeQuery(PrestoStatement.java:76)
    at org.apache.ranger.services.presto.client.PrestoClient.getCatalogs(PrestoClient.java:173)
    ... 16 more
Caused by: io.prestosql.jdbc.$internal.client.ClientException: Authentication failed: Access Denied: Invalid credentials
    at io.prestosql.jdbc.$internal.client.StatementClientV1.requestFailedException(StatementClientV1.java:459)
    at io.prestosql.jdbc.$internal.client.StatementClientV1.<init>(StatementClientV1.java:135)
    at io.prestosql.jdbc.$internal.client.StatementClientFactory.newStatementClient(StatementClientFactory.java:24)
    at io.prestosql.jdbc.QueryExecutor.startQuery(QueryExecutor.java:46)
    at io.prestosql.jdbc.PrestoConnection.startQuery(PrestoConnection.java:700)
    at io.prestosql.jdbc.PrestoStatement.internalExecute(PrestoStatement.java:239)
    ... 19 more
2019-10-06 07:47:46,719 [timed-executor-pool-0] ERROR apache.ranger.services.presto.client.PrestoResourceManager (PrestoResourceManager.java:50) - <== PrestoResourceManager.connectionTest Error: org.apache.ranger.plugin.client.HadoopException: Unable to execute SQL [SHOW CATALOGS].
2019-10-06 07:47:46,719 [timed-executor-pool-0] ERROR org.apache.ranger.services.presto.RangerServicePresto (RangerServicePresto.java:50) - <== RangerServicePresto.validateConfig Error:org.apache.ranger.plugin.client.HadoopException: Unable to execute SQL [SHOW CATALOGS].
2019-10-06 07:47:46,719 [timed-executor-pool-0] ERROR org.apache.ranger.biz.ServiceMgr$TimedCallable (ServiceMgr.java:610) - TimedCallable.call: Error:org.apache.ranger.plugin.client.HadoopException: Unable to execute SQL [SHOW CATALOGS].
2019-10-06 07:47:46,720 [http-bio-6080-exec-11] ERROR org.apache.ranger.biz.ServiceMgr (ServiceMgr.java:198) - ==> ServiceMgr.validateConfig Error:org.apache.ranger.plugin.client.HadoopException: org.apache.ranger.plugin.client.HadoopException: Unable to execute SQL [SHOW CATALOGS].
> Can't connect to Presto Plugin when TLS is enabled on Presto
> ------------------------------------------------------------
>
> Key: RANGER-2604
> URL: https://issues.apache.org/jira/browse/RANGER-2604
> Project: Ranger
> Issue Type: Bug
> Components: plugins
> Affects Versions: 2.0.0
> Reporter: David Berger
> Priority: Major