[ 
https://issues.apache.org/jira/browse/RANGER-840?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Sailaja Polavarapu updated RANGER-840:
--------------------------------------
    Attachment: 0001-Ranger-840-Regenrating-the-patch-with-merging-both-t.patch

> ranger-admin and ranger-usersync does not honour the SSL truststore property
> ----------------------------------------------------------------------------
>
>                 Key: RANGER-840
>                 URL: https://issues.apache.org/jira/browse/RANGER-840
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger, usersync
>    Affects Versions: 0.5.0, 0.5.1
>         Environment: Ranger trying to use AD (running with SSL) for usersync 
> and admin UI access
>            Reporter: Sailaja Polavarapu
>            Assignee: Sailaja Polavarapu
>             Fix For: 0.6.0
>
>         Attachments: 
> 0001-Ranger-840-Honoring-custom-truststore-configuration-.patch, 
> 0001-Ranger-840-Regenrating-the-patch-with-merging-both-t.patch
>
>
> While configuring the Ranger usersync with AD over SSL, there is an option 
> to specify the truststore, i.e. "ranger.usersync.truststore.file". Even if 
> this property (and its related password field) is set, the ranger-usersync 
> daemon would not honor it and the usersync will not work.
> A similar problem can be seen with the ranger-admin daemon.
> ERROR:
> ================================
> In case of the error, the stack trace would be something like this:
> 27 Jan 2016 23:51:16 ERROR UserGroupSync [UnixUserSyncThread] - Failed to 
> initialize UserGroup source/sink. Will retry after 3600000 milliseconds. 
> Error details:
> javax.naming.CommunicationException: simple bind failed: 
> ad01.lab.hortonworks.net:636 [Root exception is 
> javax.net.ssl.SSLHandshakeException: 
> sun.security.validator.ValidatorException: PKIX path building failed: 
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
> valid certification path to requested target]
>         at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
>         at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2788)
>         at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
>         at 
> com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
>         at 
> com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
>         at 
> com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
>         at 
> com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
>         at 
> javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
>         at 
> javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
>         at javax.naming.InitialContext.init(InitialContext.java:244)
>         at 
> javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
>         at 
> org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.createLdapContext(LdapUserGroupBuilder.java:190)
>         at 
> org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(LdapUserGroupBuilder.java:304)
>         at 
> org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
>         at java.lang.Thread.run(Thread.java:745)
> Caused by: javax.net.ssl.SSLHandshakeException: 
> sun.security.validator.ValidatorException: PKIX path building failed: 
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
> valid certification path to requested target
>         at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>         at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
>         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
>         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>         at 
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
>         at 
> sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
>         at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
>         at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
>         at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
>         at 
> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
>         at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747)
>         at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
>         at 
> java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
>         at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
>         at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:426)
>         at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:399)
>         at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359)
>         at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
>         ... 14 more
> Steps to RE-CREATE:
> ==========================================
> 1. Have an Active Directory working over SSL. Copy the SSL certificate (say, 
> ad.cert) of AD on ranger node.
> 2. Import the AD certificate into truststore (remember the password set here)
> $JAVA_HOME/bin/keytool -import -trustcacerts -alias root -file 
> /etc/pki/tls/certs/ad.cert -keystore 
> /usr/hdp/current/ranger-usersync/userSyncCACerts
> 3. Install & configure Ranger. In the usersync and admin authentication, 
> select 'Active Directory' and give all the required parameters.
> 4. Also, locate the "ranger.usersync.truststore.file" property in the config 
> and give the keystore path & password from step#2.
> 5. Restart Ranger daemons.
> 6. Check the usersync log for the above stack trace.
> WORKAROUND:
> ==================================
> To make ranger-usersync work with the SSL truststore, one needs to manually 
> specify the truststore path in the 
> /usr/hdp/current/ranger-usersync/ranger-usersync-services.sh script using the 
> "-Djavax.net.ssl.trustStore=" flag.
> Then restart the usersync daemon "manually".
> # diff ranger-usersync-services.sh.orig ranger-usersync-services.sh
> 67c67
> <     nohup java -Dproc_rangerusersync 
> -Dlog4j.configuration=file:/etc/ranger/usersync/conf/log4j.xml ${JAVA_OPTS} 
> -Dlogdir="${logdir}" -cp "${cp}" 
> org.apache.ranger.authentication.UnixAuthenticationService -enableUnixAuth > 
> ${logdir}/auth.log 2>&1 &
> ---
> >     nohup java -Dproc_rangerusersync* 
> > -Djavax.net.ssl.trustStore=/usr/hdp/current/ranger-usersync/userSyncCACerts 
> > *-Dlog4j.configuration=file:/etc/ranger/usersync/conf/log4j.xml 
> > ${JAVA_OPTS} -Dlogdir="${logdir}" -cp "${cp}" 
> > org.apache.ranger.authentication.UnixAuthenticationService -enableUnixAuth 
> > > ${logdir}/auth.log 2>&1 &
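Review bot: the `*` characters in the replacement line (`-Dproc_rangerusersync*` and `*-Dlog4j.configuration=...`) look like wiki bold markup that leaked into the command rather than part of the intended change; anyone copying the line literally would hand the JVM `*-Dlog4j.configuration=file:...` as a non-option argument, which the launcher treats as the main class name. The change also passes only `-Djavax.net.ssl.trustStore=`; the password from step 2 is never supplied (`-Djavax.net.ssl.trustStorePassword=` or the configured password property), so the JVM opens the JKS without its integrity check. Suggest a clean line without the asterisks and, for the real fix, reading both the truststore file and its password from the ranger.usersync.truststore.* configuration instead of hard-coding the path in the service script.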
> On the other hand, the ranger-admin daemon will not give any error in the log 
> file but it won't allow AD users either. To get the same error stack, one needs 
> to enable debug log level for ranger-admin.
> For ranger-admin, the file to edit would be: 
> /usr/hdp/current/ranger-admin/ews/ranger-admin-services.sh.
> # diff ranger-admin-services.sh.orig ranger-admin-services.sh
> 56c56
> <     java -Dproc_rangeradmin ${JAVA_OPTS} 
> -Dlogdir=${XAPOLICYMGR_EWS_DIR}/logs/ -Dcatalina.base=${XAPOLICYMGR_EWS_DIR} 
> -cp 
> "${XAPOLICYMGR_EWS_DIR}/webapp/WEB-INF/classes/conf:${XAPOLICYMGR_EWS_DIR}/lib/*:${RANGER_JAAS_LIB_DIR}/*:${RANGER_JAAS_CONF_DIR}:${JAVA_HOME}/lib/*:$CLASSPATH"
>  org.apache.ranger.server.tomcat.EmbeddedServer > logs/catalina.out 2>&1 &
> ---
> >     java -Dproc_rangeradmin ${JAVA_OPTS} 
> > -Djavax.net.ssl.trustStore=/usr/hdp/current/ranger-usersync/userSyncCACerts 
> > -Dlogdir=${XAPOLICYMGR_EWS_DIR}/logs/ 
> > -Dcatalina.base=${XAPOLICYMGR_EWS_DIR} -cp 
> > "${XAPOLICYMGR_EWS_DIR}/webapp/WEB-INF/classes/conf:${XAPOLICYMGR_EWS_DIR}/lib/*:${RANGER_JAAS_LIB_DIR}/*:${RANGER_JAAS_CONF_DIR}:${JAVA_HOME}/lib/*:$CLASSPATH"
> >  org.apache.ranger.server.tomcat.EmbeddedServer > logs/catalina.out 2>&1 &
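Review bot: the ranger-admin workaround points the admin JVM at the usersync daemon's truststore (`/usr/hdp/current/ranger-usersync/userSyncCACerts`), so the admin process must have read access to a file owned by another service's install tree and the two daemons become coupled to one file. As with the usersync change, `-Djavax.net.ssl.trustStore=` is JVM-wide and no password is passed. Suggest that the admin side honour its own configured truststore and password properties rather than borrowing the usersync path, and that the eventual patch document which admin property names are read.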



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
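The workaround above sets `-Djavax.net.ssl.trustStore=` for the whole JVM, which changes server-certificate validation for every TLS client in the process and still ignores the configured password. The following is an added example, not code from the Ranger project or from the attached patch, of how a daemon can honour the truststore named in its own configuration for the LDAPS connection only: it loads the configured truststore (with its password, so the JKS integrity check runs), builds an `SSLContext` from it, and hands that to JNDI through the `java.naming.ldap.factory.socket` property, which expects a class with a static no-argument `getDefault()`. The property name `ranger.usersync.truststore.file` comes from the issue; `ranger.usersync.truststore.password`, the class name and the `connect` helper are assumptions made for the example.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.Socket;
import java.security.KeyStore;
import java.util.Hashtable;
import java.util.Properties;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.net.SocketFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Illustrative (not Ranger's) socket factory: validates the LDAPS server certificate against the
 * truststore named in the daemon's configuration instead of the JVM-wide default truststore.
 */
public final class ConfiguredTrustStoreSocketFactory extends SSLSocketFactory {

    // JNDI instantiates the class named in java.naming.ldap.factory.socket by calling a static
    // getDefault() with no arguments, so the truststore must be wired in before the context is built.
    private static volatile SSLSocketFactory configured;

    private final SSLSocketFactory delegate;

    private ConfiguredTrustStoreSocketFactory(SSLSocketFactory delegate) {
        this.delegate = delegate;
    }

    /** Reads the truststore file/password properties and builds the SSL socket factory once. */
    public static void configure(Properties conf) throws Exception {
        String file = conf.getProperty("ranger.usersync.truststore.file");           // name from the issue
        String password = conf.getProperty("ranger.usersync.truststore.password");   // assumed key name
        if (file == null || file.trim().isEmpty()) {
            throw new IllegalStateException("ranger.usersync.truststore.file is not configured");
        }
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(file)) {
            // A null password skips the JKS integrity check; pass the configured one so tampering is detected.
            trustStore.load(in, password == null ? null : password.toCharArray());
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        configured = ctx.getSocketFactory();
    }

    /** Entry point JNDI looks up reflectively; fails loudly if configure() was never called. */
    public static SocketFactory getDefault() {
        SSLSocketFactory factory = configured;
        if (factory == null) {
            throw new IllegalStateException("configure(Properties) must be called before opening LDAPS contexts");
        }
        return new ConfiguredTrustStoreSocketFactory(factory);
    }

    /** Opens a simple-bind LDAPS context (e.g. ldaps://ad.example.test:636) using the configured truststore. */
    public static LdapContext connect(String ldapsUrl, String bindDn, String bindPassword) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapsUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        // Scope the custom trust decision to this LDAP connection only; no javax.net.ssl.* system properties.
        env.put("java.naming.ldap.factory.socket", ConfiguredTrustStoreSocketFactory.class.getName());
        return new InitialLdapContext(env, null);
    }

    // Plain delegation to the factory built from the configured truststore.
    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return delegate.createSocket(s, host, port, autoClose);
    }
    @Override public Socket createSocket(String host, int port) throws IOException {
        return delegate.createSocket(host, port);
    }
    @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException {
        return delegate.createSocket(host, port, localHost, localPort);
    }
    @Override public Socket createSocket(InetAddress host, int port) throws IOException {
        return delegate.createSocket(host, port);
    }
    @Override public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
        return delegate.createSocket(address, port, localAddress, localPort);
    }
}
```

Usage: call `ConfiguredTrustStoreSocketFactory.configure(props)` once at daemon start-up with the loaded usersync configuration, then `connect(...)` wherever the code currently builds an `InitialLdapContext`. If the configured truststore does not contain the AD issuer, the handshake fails with the same `PKIX path building failed` error shown in the report, which is the correct outcome: the check is that the failure now depends on the configured file rather than on a service-script edit.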