[jira] [Created] (RANGER-840) ranger-admin and ranger-usersync does not honour the SSL truststore property

Tue, 09 Feb 2016 10:29:09 -0800 

Sailaja Polavarapu created RANGER-840:
-----------------------------------------

             Summary: ranger-admin and ranger-usersync does not honour the SSL 
truststore property
                 Key: RANGER-840
                 URL: https://issues.apache.org/jira/browse/RANGER-840
             Project: Ranger
          Issue Type: Bug
          Components: Ranger, usersync
    Affects Versions: 0.5.0, 0.5.1
         Environment: Ranger trying to use AD (running with SSL) for usersync 
and admin UI access
            Reporter: Sailaja Polavarapu
            Assignee: Sailaja Polavarapu
             Fix For: 0.6.0


While configuring the Ranger usersync with AD over SSL , there is an option to 
specify the truststore i.e. "ranger.usersync.truststore.file". Even if this 
property (and its related password field) is set, the ranger-usersync daemon 
would not honor it and the usersync will not work.
Similar problem can be seen with ranger-admin daemon.

ERROR:
================================
In case of the error, the stack trace would be something like this:
27 Jan 2016 23:51:16 ERROR UserGroupSync [UnixUserSyncThread] - Failed to 
initialize UserGroup source/sink. Will retry after 3600000 milliseconds. Error 
details:
javax.naming.CommunicationException: simple bind failed: 
ad01.lab.hortonworks.net:636 [Root exception is 
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: 
PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
valid certification path to requested target]
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2788)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
        at 
com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
        at 
com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
        at 
com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
        at 
javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
        at 
javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
        at javax.naming.InitialContext.init(InitialContext.java:244)
        at 
javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
        at 
org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.createLdapContext(LdapUserGroupBuilder.java:190)
        at 
org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(LdapUserGroupBuilder.java:304)
        at 
org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
        at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: 
sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
        at 
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
        at 
sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
        at 
sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
        at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747)
        at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
        at 
java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
        at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
        at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:426)
        at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:399)
        at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359)
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
        ... 14 more

Steps to RE-CREATE:
==========================================
1. Have an Active Directory working over SSL. Copy the SSL certificate (say, 
ad.cert) of AD on ranger node.
2. Import the AD certificate into truststore (remember the password set here)
$JAVA_HOME/bin/keytool -import -trustcacerts -alias root -file 
/etc/pki/tls/certs/ad.cert -keystore 
/usr/hdp/current/ranger-usersync/userSyncCACerts
3. Install & configure Ranger. In the usersync and admin authentication, select 
'Active Directory' and give all the required parameters.
4. Also, locate the "ranger.usersync.truststore.file" property in the config 
and give the keystore path & password from step#2.
5. Restart Ranger daemons.
6. Check the usersync log for the above stack trace.

WORKAROUND:
==================================
To make ranger-usersync work with SSL truststore, one need to manually specify 
the truststore path in the 
/usr/hdp/current/ranger-usersync/ranger-usersync-services.sh script using the 
"-Djavax.net.ssl.trustStore=" flag.
Then restart the usersync daemon "manually".

# diff ranger-usersync-services.sh.orig ranger-usersync-services.sh
67c67
<       nohup java -Dproc_rangerusersync 
-Dlog4j.configuration=file:/etc/ranger/usersync/conf/log4j.xml ${JAVA_OPTS} 
-Dlogdir="${logdir}" -cp "${cp}" 
org.apache.ranger.authentication.UnixAuthenticationService -enableUnixAuth > 
${logdir}/auth.log 2>&1 &
---
>       nohup java -Dproc_rangerusersync* 
> -Djavax.net.ssl.trustStore=/usr/hdp/current/ranger-usersync/userSyncCACerts 
> *-Dlog4j.configuration=file:/etc/ranger/usersync/conf/log4j.xml ${JAVA_OPTS} 
> -Dlogdir="${logdir}" -cp "${cp}" 
> org.apache.ranger.authentication.UnixAuthenticationService -enableUnixAuth > 
> ${logdir}/auth.log 2>&1 &

On the other hand, the ranger-admin daemon will not give any error in the log 
file but it won't allow AD user either. To get the same error stack, one need 
to enable debug log level for ranger-admin.

For ranger-admin, the file to edit would be : 
/usr/hdp/current/ranger-admin/ews/ranger-admin-services.sh.

# diff ranger-admin-services.sh.orig ranger-admin-services.sh
56c56
<       java -Dproc_rangeradmin ${JAVA_OPTS} 
-Dlogdir=${XAPOLICYMGR_EWS_DIR}/logs/ -Dcatalina.base=${XAPOLICYMGR_EWS_DIR} 
-cp 
"${XAPOLICYMGR_EWS_DIR}/webapp/WEB-INF/classes/conf:${XAPOLICYMGR_EWS_DIR}/lib/*:${RANGER_JAAS_LIB_DIR}/*:${RANGER_JAAS_CONF_DIR}:${JAVA_HOME}/lib/*:$CLASSPATH"
 org.apache.ranger.server.tomcat.EmbeddedServer > logs/catalina.out 2>&1 &
---
>       java -Dproc_rangeradmin ${JAVA_OPTS} 
> -Djavax.net.ssl.trustStore=/usr/hdp/current/ranger-usersync/userSyncCACerts 
> -Dlogdir=${XAPOLICYMGR_EWS_DIR}/logs/ -Dcatalina.base=${XAPOLICYMGR_EWS_DIR} 
> -cp 
> "${XAPOLICYMGR_EWS_DIR}/webapp/WEB-INF/classes/conf:${XAPOLICYMGR_EWS_DIR}/lib/*:${RANGER_JAAS_LIB_DIR}/*:${RANGER_JAAS_CONF_DIR}:${JAVA_HOME}/lib/*:$CLASSPATH"
>  org.apache.ranger.server.tomcat.EmbeddedServer > logs/catalina.out 2>&1 &



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to