For anyone who was following along, I believe I found the solution to this 
issue.

I configured ranger.truststore.file and ranger.https.attrib.keystore.file to 
point to my $JAVA_HOME cacerts file (which had my AD cert previously imported), 
and I’m now able to log in to the Ranger-Admin UI with my AD credentials.

I’m not sure what other ramifications this may have, but it solved my issue.

It’s also raised another question, in that many Hortonworks components each 
have their own configurations for various keystores.  Are there any 
recommendations or best practices for consolidating all of these keystore 
locations into one place (like I did with the above solution)?



From: Jon Morisi [mailto:[email protected]]
Sent: Thursday, April 20, 2017 4:39 PM
To: [email protected]
Subject: RE: usersync and Ranger UI Login

I think there is an issue with a keystore, as you have suggested.

I’m looking for the location for the correct keystore where I would import my 
certificate from AD for Ranger-Admin.

Is this the correct location:  ranger.credential.provider.path?
It seems like the jceks file associated with that, rangeradmin.jceks, has a 
blank password.  Do you know where I would configure that password?

Thanks,
Jon

From: Jon Morisi [mailto:[email protected]]
Sent: Thursday, April 20, 2017 1:49 PM
To: [email protected]
Subject: RE: usersync and Ranger UI Login

I have enabled debug following this:  
https://community.hortonworks.com/content/supportkb/49445/how-to-enable-debug-logging-for-ranger-admin.html
I do not see any “Bad Credentials” errors in xa_portal.log

I will look through https://issues.apache.org/jira/browse/RANGER-840 and 
attempt to implement any workaround if needed.

Unfortunately I’m not familiar with strace.  Do you have a good reference I can 
use to get started on figuring out how to use that?

Thanks,
Jon


From: Sailaja Polavarapu [mailto:[email protected]]
Sent: Thursday, April 20, 2017 1:28 PM
To: [email protected]
Subject: Re: usersync and Ranger UI Login

Hi Jon,
Just an FYI: Usersync and ranger admin are two different processes and can use 
different trust stores for accessing root certs. These trust store paths are 
configurable in Ranger as well as in usersync 
(https://issues.apache.org/jira/browse/RANGER-840). Hence usersync working fine 
with LDAPS doesn’t guarantee that it will work fine with ranger admin.

Do you see any “Bad Credentials” error in xa_portal.log? In any case, please 
enable debug logs on ranger admin and take strace so that you can know where 
the exact failure is.

Thanks,
Sailaja.
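
The point made above (admin and usersync are separate processes with separately configured trust stores) and the consolidation question at the top of the thread both come down to knowing which store file each component actually reads. As an added example, not from this thread or the Ranger project, here is a POSIX shell script that inventories the keystore and truststore properties across Ranger *-site.xml files, groups them by path, and lists any the current user cannot read. It assumes Ambari-style Hadoop XML; of the property names only ranger.truststore.file, ranger.https.attrib.keystore.file and ranger.credential.provider.path appear in the thread, and ranger.usersync.truststore.file, the sample paths and the sample configs are constructed assumptions. Two caveats a practitioner would want before settling on the JDK cacerts as the shared store: a JDK upgrade replaces that file and drops every certificate imported into it, and its default password is the well-known changeit. A dedicated truststore holding only the AD issuing CA, readable by both the ranger and usersync service accounts, keeps trust in one place without either problem, and a truststore (CAs you trust) should stay separate from a keystore (your own private key, which is what an HTTPS keystore property holds).

```shell
#!/bin/sh
# Added example, not from the thread or the Ranger project: inventory the
# keystore/truststore files that each Ranger component's *-site.xml points at.
# Assumes Ambari-style Hadoop XML (<name>/<value> pairs). Of the property
# names, only ranger.truststore.file, ranger.https.attrib.keystore.file and
# ranger.credential.provider.path appear in the thread; ranger.usersync.* and
# all paths below are assumptions.

# Print "config<TAB>property<TAB>path" for every *truststore.file,
# *keystore.file and *credential.provider.path property in the given files.
ranger_store_props() {  # file...
  awk '
    /<name>/  { n = $0; sub(/.*<name>[ \t]*/, "", n); sub(/[ \t]*<\/name>.*/, "", n) }
    /<value>/ {
      v = $0; sub(/.*<value>[ \t]*/, "", v); sub(/[ \t]*<\/value>.*/, "", v)
      if (n ~ /(truststore|keystore)\.file$/ || n ~ /credential\.provider\.path$/)
        printf "%s\t%s\t%s\n", FILENAME, n, v
      n = ""
    }' "$@"
}

# One block per distinct store path with the properties that reference it.
# A path under the JDK (.../lib/security/cacerts) is flagged: a JDK upgrade
# replaces that file and drops every certificate imported into it, and its
# default password is the well-known "changeit".
store_summary() {  # file...
  ranger_store_props "$@" | awk -F'\t' '
    { refs[$3] = (refs[$3] == "" ? "" : refs[$3] ", ") $2 }
    END {
      for (p in refs) {
        flag = (p ~ /lib\/security\/cacerts$/) ? "  <-- JDK cacerts" : ""
        printf "%s%s\n    referenced by: %s\n", p, flag, refs[p]
      }
    }'
}

# Store files the current user cannot read. Run as the service account
# (e.g. sudo -u ranger sh this.sh /etc/ranger/admin/conf/*-site.xml): the
# thread's xa_portal.log shows a "Permission denied" under /etc/ranger/admin.
store_files_unreadable() {  # file...
  ranger_store_props "$@" | cut -f3 | sort -u | while IFS= read -r f; do
    p=${f#jceks://file}           # credential provider URIs wrap a plain path
    [ -r "$p" ] || printf '%s\n' "$f"
  done
}

# With no arguments, run on constructed sample configs (not from a real cluster).
if [ $# -eq 0 ]; then
  SAMPLE_DIR=$(mktemp -d)
  cat >"$SAMPLE_DIR/ranger-admin-site.xml" <<'EOF'
<configuration>
  <property>
    <name>ranger.truststore.file</name>
    <value>/etc/ranger/admin/conf/ranger-admin-truststore.jks</value>
  </property>
  <property>
    <name>ranger.https.attrib.keystore.file</name>
    <value>/etc/ranger/admin/conf/ranger-admin-keystore.jks</value>
  </property>
  <property>
    <name>ranger.credential.provider.path</name>
    <value>jceks://file/etc/ranger/admin/rangeradmin.jceks</value>
  </property>
  <property>
    <name>ranger.ldap.ad.base.dn</name>
    <value>DC=example,DC=com</value>
  </property>
</configuration>
EOF
  cat >"$SAMPLE_DIR/ranger-ugsync-site.xml" <<'EOF'
<configuration>
  <property>
    <name>ranger.usersync.truststore.file</name>
    <value>/usr/lib/jvm/java/jre/lib/security/cacerts</value>
  </property>
</configuration>
EOF
  set -- "$SAMPLE_DIR"/*-site.xml
fi

echo "== store properties";             ranger_store_props "$@"
echo "== by path";                      store_summary "$@"
echo "== unreadable by $(id -un)";      store_files_unreadable "$@"
```

Run it as the ranger and usersync service users in turn; a store that one of them cannot read, or two components pointing at different truststores for the same AD CA, is exactly the situation where usersync succeeds over LDAPS while the admin UI login fails.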

From: Jon Morisi <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Thursday, April 20, 2017 at 12:06 PM
To: "[email protected]" <[email protected]>
Subject: RE: usersync and Ranger UI Login

Usersync is working, configured with LDAPS.

My xa_portal.log file does have errors including this one which seems to have a 
related JIRA: https://issues.apache.org/jira/browse/RANGER-1073
WARN  org.apache.hadoop.fs.ChecksumFileSystem$ChecksumFSInputChecker 
(ChecksumFileSystem.java:165) - Problem opening checksum file: 
file:/etc/ranger/admin/rangeradmin.jceks.  Ignoring exception:
java.io.FileNotFoundException: /etc/ranger/admin/.rangeradmin.jceks.crc 
(Permission denied)


There are some Solr errors that I’m not going to include, because I don’t have 
Solr set up.  (Audit to Solr set to OFF in Ambari)

Here are some other WARN messages that may be pertinent:
WARN  
apache.hadoop.security.authentication.server.KerberosAuthenticationHandler 
(KerberosAuthenticationHandler.java:339) - 'Authorization' does not start with 
'Negotiate' :  …
WARN  org.apache.hadoop.util.NativeCodeLoader (NativeCodeLoader.java:62) - 
Unable to load native-hadoop library for your platform... using builtin-java 
classes where applicable

Thanks,
Jon


From: Sailaja Polavarapu [mailto:[email protected]]
Sent: Thursday, April 20, 2017 12:18 PM
To: [email protected]
Subject: Re: usersync and Ranger UI Login

Since you are using LDAPS, I am assuming the SSL handshake passes. Have you 
noticed any errors in the ranger admin logs (xa_portal.log)? Can you enable debug 
level for the ranger admin logs? And if possible, can you try strace (if using 
LDAPS) or tcpdump (if using LDAP)? The trace will tell exactly what request is 
sent and what response we are getting.


From: Jon Morisi <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Thursday, April 20, 2017 at 8:26 AM
To: "[email protected]" <[email protected]>
Subject: RE: usersync and Ranger UI Login

That is successful.  I used my Domain\sAMAccountName for the -D parameter of 
ldapsearch and received a successful query response from AD.

ldapsearch -H ldaps://[myserver]:636 -x -D 'Domain\sAMAccountName' -W -b '[basedn]' -d 1

Thanks,
Jon

From: Sailaja Polavarapu [mailto:[email protected]]
Sent: Wednesday, April 19, 2017 6:01 PM
To: [email protected]
Subject: Re: usersync and Ranger UI Login

Thanks for the clarification. One last question: with ldapsearch, have you 
tried using your sAMAccountName as the bind DN (in the format 
DOMAIN\sAMAccountName)? In Ranger we first search for the login user using the 
admin bind credentials that are configured and then perform a bind with the 
login user credentials. Since you mentioned ldapsearch is already working, we 
can try using the login user as the bind user in the ldapsearch command.
Hope this helps.


Thanks,
Sailaja.
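
The two-step flow described above (search for the login user as the configured admin account, then bind as that user) can be replayed outside Ranger with the same ldapsearch from ldap-utils that the thread already uses. The following POSIX shell script is an added example, not from this thread or the Ranger project. Everything it needs is passed as arguments (server URI, admin bind DN, a file holding the admin bind password, base DN, user search filter, login name); those values and the example values in its usage text are assumptions. The filter handling follows the {0} placeholder form Ambari recommends, (sAMAccountName={0}), and escapes the login name per RFC 4515 before substituting it. With no arguments the script only prints its usage.

```shell
#!/bin/sh
# Added example, not from the thread or the Ranger project: replay the
# two-step AD login with ldapsearch (ldap-utils).
#   step 1: bind as the configured admin account, search for the login user
#           under the base DN with the user search filter
#   step 2: bind as the DN that step 1 returned, with the user's own password
# All inputs are script arguments; nothing here reads the Ranger config.

# RFC 4515 escaping for a value substituted into a search filter, so a
# login name such as "j*" cannot widen or break the filter.
ldap_filter_escape() {  # value
  printf '%s\n' "$1" |
    sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Substitute the login name for {0} in the filter ("(sAMAccountName={0})" is
# the value Ambari recommends). A filter without {0}, e.g. "objectClass=user",
# cannot single out the login user, so it is rejected.
render_filter() {  # filter login
  case $1 in
    *"{0}"*) ;;
    *) printf 'filter "%s" has no {0} placeholder\n' "$1" >&2; return 1 ;;
  esac
  esc=$(ldap_filter_escape "$2")
  prefix=${1%%"{0}"*}
  suffix=${1#*"{0}"}
  printf '%s%s%s\n' "$prefix" "$esc" "$suffix"
}

# Step 1. Prints the user's DN; fails unless exactly one entry matched.
# The admin bind password is read from a file (-y) so it never appears in
# the process list; -o ldif-wrap=no (OpenLDAP 2.4+) keeps long DNs on one line.
find_user_dn() {  # uri bind_dn bind_pw_file base_dn filter login
  f=$(render_filter "$5" "$6") || return 1
  dns=$(ldapsearch -LLL -o ldif-wrap=no -H "$1" -x -D "$2" -y "$3" -b "$4" "$f" dn |
          sed -n 's/^dn: //p')
  n=$(printf '%s\n' "$dns" | awk 'NF { c++ } END { print c + 0 }')
  case $n in
    1) printf '%s\n' "$dns" ;;
    0) printf 'no entry matches %s under %s\n' "$f" "$4" >&2; return 1 ;;
    *) printf '%s entries match %s; the filter is not selective enough\n' "$n" "$f" >&2; return 1 ;;
  esac
}

# Step 2. Bind as the found DN (password prompted by -W) and read the entry
# itself. ldapsearch exits 49 on invalidCredentials. AD also accepts
# DOMAIN\sAMAccountName or a UPN as -D here instead of the DN.
bind_as_user() {  # uri user_dn
  ldapsearch -LLL -H "$1" -x -D "$2" -W -b "$2" -s base dn
}

if [ $# -eq 6 ]; then
  dn=$(find_user_dn "$@") || exit 1
  printf 'step 1 ok: %s\n' "$dn"
  bind_as_user "$1" "$dn" >/dev/null && echo "step 2 ok: user bind accepted"
else
  # example values only; replace with your own
  echo "usage: $0 ldaps://ad.example.com:636 'CN=svc-ranger,OU=Service Accounts,DC=example,DC=com' \\" >&2
  echo "          /etc/ranger/admin/bind.pw 'DC=example,DC=com' '(sAMAccountName={0})' jmorisi" >&2
fi
```

The script separates "user not found or not unique" (step 1) from "wrong password" (step 2), which a single "Wrong Password" in the Ranger UI does not. Note that ldapsearch trusts the CA configured for OpenLDAP (TLS_CACERT in ldap.conf), not the JVM truststore Ranger Admin uses, so a passing run here says nothing about the ranger.truststore.file side, which is where this thread's problem turned out to be.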

From: Jon Morisi <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Wednesday, April 19, 2017 at 4:02 PM
To: "[email protected]" <[email protected]>
Subject: RE: usersync and Ranger UI Login

And yes, Ambari.

From: Jon Morisi
Sent: Wednesday, April 19, 2017 4:55 PM
To: [email protected]
Subject: RE: usersync and Ranger UI Login

Sorry typo / misspoke.  What I meant was ldap-utils.  I am using AD.

From: Sailaja Polavarapu [mailto:[email protected]]
Sent: Wednesday, April 19, 2017 4:49 PM
To: [email protected]
Subject: Re: usersync and Ranger UI Login

Hi Jon,
You have OpenLDAP? I thought it was Active Directory.
In Ranger, AD and LDAP are treated differently for authentication, and the 
configuration properties are also different. As you can see from the 
documentation, we have two sections, one for "Configuring Ranger LDAP 
Authentication" (https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.0/bk_security/content/configure_ranger_authentication.html#configuring_ranger_ldap_authentication)
and the other for "Configuring Ranger Active Directory Authentication" 
(https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.0/bk_security/content/configure_ranger_authentication.html#configuring_ranger_active_directory_authentication).
Can you please confirm which one you are using? And are you using Ambari for 
managing Ranger or a manual install?


From: Jon Morisi <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Wednesday, April 19, 2017 at 3:43 PM
To: "[email protected]" <[email protected]>
Subject: RE: usersync and Ranger UI Login

ranger.ldap.ad.base.dn is my domain, for example DC=example,DC=com

I do have openLDAP installed and am able to verify that I am using the 
sAMAccountName via ldapsearch.

From: Sailaja Polavarapu [mailto:[email protected]]
Sent: Wednesday, April 19, 2017 4:33 PM
To: [email protected]
Subject: Re: usersync and Ranger UI Login

Can you also check what is the value assigned to “ranger.ldap.ad.base.dn”? And 
is the user logging in using sAMAccountName?

From: Jon Morisi <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Wednesday, April 19, 2017 at 3:19 PM
To: "[email protected]" <[email protected]>
Subject: RE: usersync and Ranger UI Login

Yes, I did.  I saw this: 
https://community.hortonworks.com/questions/21800/can-not-login-to-ranger-using-ldap-user-after-user.html
 ... and tried various settings for ranger.ldap.ad.user.searchfilter, with no 
luck.
The recommended value from Ambari was “(sAMAccountName={0})”, which I just now 
tried.
The original value I had was “objectClass=user”.

I decided to play with it a bit more and tried a space “ “ as suggested by 
@Avijeet Dash in the aforementioned link, but that didn’t resolve the issue 
either.  (I still receive “Wrong Password”)

Thanks,
Jon


From: Kashif Khan [mailto:[email protected]]
Sent: Wednesday, April 19, 2017 3:36 PM
To: [email protected]
Subject: Re: usersync and Ranger UI Login

Hi Jon,

Did you set up Ranger Authentication to AD? Here is the doc with the steps.

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.0/bk_security/content/configure_ranger_authentication.html


Thanks,
Kashif

On Wed, Apr 19, 2017 at 5:27 PM, Jon Morisi <[email protected]> wrote:
Hi,
I’m currently running HDP-2.5.3.0 / Ranger – 0.6.0 and have Ranger Usersync 
setup and running with Active Directory.

Is it possible for those AD users that come in from usersync to log in to the 
Ranger Admin UI, or do I need to set up “internal” accounts for Ranger Admin UI 
access?

The reason I ask is that I get “Wrong Password” messages in Ranger Audit > 
Login Sessions when I try to log in with my Active Directory account.  (I 
modified my account to be an “Admin” Role following the initial import from 
usersync.)

Thanks,
Jon




--
Thanks,
 Kashif
