[ https://issues.apache.org/jira/browse/RANGER-840?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15149192#comment-15149192 ]
Sailaja Polavarapu commented on RANGER-840: ------------------------------------------- Attached the patch that includes the license header for missing file. > ranger-admin and ranger-usersync does not honour the SSL truststore property > ---------------------------------------------------------------------------- > > Key: RANGER-840 > URL: https://issues.apache.org/jira/browse/RANGER-840 > Project: Ranger > Issue Type: Bug > Components: Ranger, usersync > Affects Versions: 0.5.0, 0.5.1 > Environment: Ranger trying to use AD (running with SSL) for usersync > and admin UI access > Reporter: Sailaja Polavarapu > Assignee: Sailaja Polavarapu > Fix For: 0.6.0 > > Attachments: > 0001-Ranger-840-Added-the-license-header-which-was-missed.patch, > 0001-Ranger-840-Honoring-custom-truststore-configuration-.patch > > > While configuring the Ranger usersync with AD over SSL , there is an option > to specify the truststore i.e. "ranger.usersync.truststore.file". Even if > this property (and its related password field) is set, the ranger-usersync > daemon would not honor it and the usersync will not work. > Similar problem can be seen with ranger-admin daemon. > ERROR: > ================================ > In case of the error, the stack trace would be something like this: > 27 Jan 2016 23:51:16 ERROR UserGroupSync [UnixUserSyncThread] - Failed to > initialize UserGroup source/sink. Will retry after 3600000 milliseconds. > Error details: > javax.naming.CommunicationException: simple bind failed: > ad01.lab.hortonworks.net:636 [Root exception is > javax.net.ssl.SSLHandshakeException: > sun.security.validator.ValidatorException: PKIX path building failed: > sun.security.provider.certpath.SunCertPathBuilderException: unable to find > valid certification path to requested target] > at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219) > at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2788) > at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319) > at > com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192) > at > com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210) > at > com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153) > at > com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83) > at > javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) > at > javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313) > at javax.naming.InitialContext.init(InitialContext.java:244) > at > javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154) > at > org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.createLdapContext(LdapUserGroupBuilder.java:190) > at > org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(LdapUserGroupBuilder.java:304) > at > org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58) > at java.lang.Thread.run(Thread.java:745) > Caused by: javax.net.ssl.SSLHandshakeException: > sun.security.validator.ValidatorException: PKIX path building failed: > sun.security.provider.certpath.SunCertPathBuilderException: unable to find > valid certification path to requested target > at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) > at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949) > at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) > at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) > at > sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509) > at > sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) > at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) > at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) > at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) > at > sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) > at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747) > at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123) > at > java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82) > at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140) > at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:426) > at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:399) > at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359) > at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214) > ... 14 more > Steps to RE-CREATE: > ========================================== > 1. Have an Active Directory working over SSL. Copy the SSL certificate (say, > ad.cert) of AD on ranger node. > 2. Import the AD certificate into truststore (remember the password set here) > $JAVA_HOME/bin/keytool -import -trustcacerts -alias root -file > /etc/pki/tls/certs/ad.cert -keystore > /usr/hdp/current/ranger-usersync/userSyncCACerts > 3. Install & configure Ranger. In the usersync and admin authentication, > select 'Active Directory' and give all the required parameters. > 4. Also, locate the "ranger.usersync.truststore.file" property in the config > and give the keystore path & password from step#2. > 5. Restart Ranger daemons. > 6. Check the usersync log for the above stack trace. > WORKAROUND: > ================================== > To make ranger-usersync work with SSL truststore, one need to manually > specify the truststore path in the > /usr/hdp/current/ranger-usersync/ranger-usersync-services.sh script using the > "-Djavax.net.ssl.trustStore=" flag. > Then restart the usersync daemon "manually". > # diff ranger-usersync-services.sh.orig ranger-usersync-services.sh > 67c67 > < nohup java -Dproc_rangerusersync > -Dlog4j.configuration=file:/etc/ranger/usersync/conf/log4j.xml ${JAVA_OPTS} > -Dlogdir="${logdir}" -cp "${cp}" > org.apache.ranger.authentication.UnixAuthenticationService -enableUnixAuth > > ${logdir}/auth.log 2>&1 & > --- > > nohup java -Dproc_rangerusersync* > > -Djavax.net.ssl.trustStore=/usr/hdp/current/ranger-usersync/userSyncCACerts > > *-Dlog4j.configuration=file:/etc/ranger/usersync/conf/log4j.xml > > ${JAVA_OPTS} -Dlogdir="${logdir}" -cp "${cp}" > > org.apache.ranger.authentication.UnixAuthenticationService -enableUnixAuth > > > ${logdir}/auth.log 2>&1 & > On the other hand, the ranger-admin daemon will not give any error in the log > file but it won't allow AD user either. To get the same error stack, one need > to enable debug log level for ranger-admin. > For ranger-admin, the file to edit would be : > /usr/hdp/current/ranger-admin/ews/ranger-admin-services.sh. > # diff ranger-admin-services.sh.orig ranger-admin-services.sh > 56c56 > < java -Dproc_rangeradmin ${JAVA_OPTS} > -Dlogdir=${XAPOLICYMGR_EWS_DIR}/logs/ -Dcatalina.base=${XAPOLICYMGR_EWS_DIR} > -cp > "${XAPOLICYMGR_EWS_DIR}/webapp/WEB-INF/classes/conf:${XAPOLICYMGR_EWS_DIR}/lib/*:${RANGER_JAAS_LIB_DIR}/*:${RANGER_JAAS_CONF_DIR}:${JAVA_HOME}/lib/*:$CLASSPATH" > org.apache.ranger.server.tomcat.EmbeddedServer > logs/catalina.out 2>&1 & > --- > > java -Dproc_rangeradmin ${JAVA_OPTS} > > -Djavax.net.ssl.trustStore=/usr/hdp/current/ranger-usersync/userSyncCACerts > > -Dlogdir=${XAPOLICYMGR_EWS_DIR}/logs/ > > -Dcatalina.base=${XAPOLICYMGR_EWS_DIR} -cp > > "${XAPOLICYMGR_EWS_DIR}/webapp/WEB-INF/classes/conf:${XAPOLICYMGR_EWS_DIR}/lib/*:${RANGER_JAAS_LIB_DIR}/*:${RANGER_JAAS_CONF_DIR}:${JAVA_HOME}/lib/*:$CLASSPATH" > > org.apache.ranger.server.tomcat.EmbeddedServer > logs/catalina.out 2>&1 & -- This message was sent by Atlassian JIRA (v6.3.4#6332)