[
https://issues.apache.org/jira/browse/RANGER-3602?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17483108#comment-17483108
]
kirby zhou commented on RANGER-3602:
------------------------------------
Errors in catalina.out
{code:java}
Jan 27, 2022 12:51:46 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [REST Service] in context with path []
threw exception
java.lang.NullPointerException
at
org.apache.ranger.rest.ServiceREST.getServicePoliciesIfUpdated(ServiceREST.java:3054)
at
org.apache.ranger.rest.ServiceREST$$FastClassBySpringCGLIB$$92dab672.invoke(<generated>)
at
org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218)
at
org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:779)
at
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
at
org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:750)
at
org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:123)
at
org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:388)
at
org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:119)
at
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
at
org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:750)
at
org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:692)
at
org.apache.ranger.rest.ServiceREST$$EnhancerBySpringCGLIB$$85e8a5a6.getServicePoliciesIfUpdated(<generated>)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
at
com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185)
at
com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
at
com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302)
at
com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
at
com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:108)
at
com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
at
com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
at
com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1542)
at
com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1473)
at
com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1419)
at
com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1409)
at
com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:409)
at
com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:558)
at
com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:733)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:232)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:167)
at
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:194)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:167)
at
org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:204)
at
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:183)
at
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)
at
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:194)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:167)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:544)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
at
org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:698)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:364)
at
org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:624)
at
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:831)
at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1651)
at
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
{code}
> Can not access RestAPI when Ranger authenticated with Kerberos.
> ---------------------------------------------------------------
>
> Key: RANGER-3602
> URL: https://issues.apache.org/jira/browse/RANGER-3602
> Project: Ranger
> Issue Type: Bug
> Components: admin
> Affects Versions: 2.2.0
> Reporter: kirby zhou
> Priority: Major
>
> When I configured Ranger with Kerberos. I can not access its Restful API with
> ranger.admin.allow.unauthenticated.access = false
>
> {code:java}
> # ranger.admin.allow.unauthenticated.access = false in ranger-admin-site.xml
> ]$ curl -v 'http://localhost:6080/service/plugins/policies/download/kmsdev'
> < HTTP/1.1 200 OK
> # ranger.admin.allow.unauthenticated.access = true in ranger-admin-site.xml
> ]$ kinit freeman@SA
> Password for freeman@SA:
> ]$ klist
> Ticket cache: KCM:1000
> Default principal: freeman@SA
> ]$ curl -v -u: --negotiate
> 'http://localhost:6080/service/plugins/policies/download/kmsdev'
> * Trying ::1...
> * TCP_NODELAY set
> * Connected to localhost (::1) port 6080 (#0)
> > GET /service/plugins/policies/download/kmsdev HTTP/1.1
> > Host: localhost:6080
> > User-Agent: curl/7.61.1
> > Accept: */*
> >
> < HTTP/1.1 404 Not Found
> < Content-Length: 0
> < Date: Thu, 27 Jan 2022 12:30:26 GMT
> < Server: Apache Ranger
> <
> * Connection #0 to host localhost left intact{code}
>
>
> CURL even do not have chance to do Authenticaion.
>
> My configurations:
> core-site.xml
>
> {code:java}
> <configuration>
> <property>
> <name>hadoop.security.authentication</name>
> <value>kerberos</value>
> </property>
> <property>
> <name>hadoop.security.authorization</name>
> <value>true</value>
> </property>
> <property>
> <name>hadoop.security.auth_to_local</name>
> <value>
> RULE:[1:$1@$0](^.*$)s/^(.*)@.*$/$1/
> RULE:[2:$1@$0](^.*$)s/^(.*)@.*$/$1/
> DEFAULT
> </value>
> </property>
> </configuration> {code}
>
>
> ranger-admin-kms.xml
>
> {code:java}
> <configuration>
> ...
> <property>
> <name>ranger.service.https.attrib.ssl.enabled</name>
> <value>false</value>
> </property>
> <property>
> <name>ranger.service.host</name>
> <value>localhost</value>
> </property>
> <property>
> <name>ranger.service.http.port</name>
> <value>6080</value>
> </property>
> <property>
> <name>ranger.admin.kerberos.keytab</name>
>
> <value>/sensorsdata/main/program/rogue/ranger_admin/conf/ranger.keytab</value>
> </property>
> <property>
> <name>ranger.spnego.kerberos.principal</name>
> <value>HTTP/kirbytest01.sa@SA</value>
> </property>
> <property>
> <name>ranger.spnego.kerberos.keytab</name>
>
> <value>/sensorsdata/main/program/rogue/ranger_admin/conf/ranger.keytab</value>
> </property>
> <property>
> <name>ranger.lookup.kerberos.principal</name>
> <value>rangerlookup/kirbytest01.sa@SA</value>
> </property>
> <property>
> <name>ranger.lookup.kerberos.keytab</name>
>
> <value>/sensorsdata/main/program/rogue/ranger_admin/conf/ranger.keytab</value>
> </property>
> <property>
> <name>ranger.admin.allow.unauthenticated.access</name>
> <value>false</value>
> <!-- it is default -->
> </property>
> ...
> </configuration> {code}
>
> Workaround:
> set "ranger.admin.allow.unauthenticated.access" = "true" in
> ranger-admin-site.xml
>
> I have no idea now.
>
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
