I've disabled Solr SSL and restarted solr services.  I am referencing the 
ranger-plugin-keystore and ranger-plugin-truststore files.  I've set 
permissions to 777 on those, but I can't seem to get past this error:
"Unable to read the necessary SSL Keystore and TrustStore Files".

Should I be referencing the admin keystore / truststore files vs. the plugin 
keystore / truststore files?

From: Ramesh Mani [mailto:rm...@hortonworks.com]
Sent: Tuesday, July 03, 2018 12:32 PM
To: user@ranger.apache.org
Subject: Re: Solr (6.6.2) to Ranger (0.7.0) with SSL enabled

Jon,

One more thing you might need to check is the SSL configuration on the Ranger 
side.  Please check that ranger-admin-keystore.jks is there

Config are correctly having the path to the files and file had correct 
permission. You can also check with keytool -v -list -keystore 
/etc/security/clientKeys/ranger-admin-keystore.jks , keystores are correct, 
else export from solr server to trust store of Ranger admin.
xasecure.policymgr.clientssl.keystore.credential.file
xasecure.policymgr.clientssl.truststore.credential.file

These all will help in your debug.

Refer to this: 
https://community.hortonworks.com/articles/92987/setup-ranger-to-use-ambari-infra-solr-enabled-in-s.html
Even though it is for Solr configuring for ranger audit, in your case also 
it should help.

Regards,
Ramesh


From: Jon Morisi <jon.mor...@hsc.utah.edu>
Reply-To: "user@ranger.apache.org" <user@ranger.apache.org>
Date: Tuesday, July 3, 2018 at 10:22 AM
To: "user@ranger.apache.org" <user@ranger.apache.org>
Subject: RE: Solr (6.6.2) to Ranger (0.7.0) with SSL enabled


* This is NOT audit to solr
* I am running solr cloud
* My cluster is kerberized

Taken from here: 
https://community.hortonworks.com/articles/15159/securing-solr-collections-with-ranger-kerberos.html

yum -y install ranger_*-solr-plugin.x86_64
./enable-solr-plugin.sh

I'm then editing two files:

1. ranger-policymgr-ssl.xml
2. security.json

ranger-policymgr-ssl.xml has my ssl config values for:
xasecure.policymgr.clientssl.keystore
xasecure.policymgr.clientssl.keystore.credential.file
xasecure.policymgr.clientssl.keystore.password
xasecure.policymgr.clientssl.truststore
xasecure.policymgr.clientssl.truststore.credential.file
xasecure.policymgr.clientssl.truststore.password

security.json is uploaded to ZK to enable authorization.
{
  "authentication": {"class": "org.apache.solr.security.KerberosPlugin"},
  "authorization": {"class": "org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer"}
}


From: Don Bosco Durai [mailto:bo...@apache.org]
Sent: Tuesday, July 03, 2018 11:09 AM
To: user@ranger.apache.org
Subject: Re: Solr (6.6.2) to Ranger (0.7.0) with SSL enabled

Hi Jon

How are you installing the Ranger plugin for Solr?

Thanks

Bosco



From: Jon Morisi <jon.mor...@hsc.utah.edu>
Reply-To: <user@ranger.apache.org>
Date: Tuesday, July 3, 2018 at 9:46 AM
To: "user@ranger.apache.org" <user@ranger.apache.org>
Subject: Solr (6.6.2) to Ranger (0.7.0) with SSL enabled

Hi,
I'm having a heck of a time getting Solr (6.6.2) to talk to Ranger (0.7.0) when 
Ranger is SSL enabled.  (Solr is also SSL enabled)
Anyone seen a walkthrough on configuring this?
Are the versions I've mentioned compatible over SSL?

I just can't seem to get my settings right in the ranger-policymgr-ssl.xml 
file.  I receive errors like these:

org.apache.ranger.authorization.hadoop.utils.RangerCredentialProvider 
(RangerCredentialProvider.java:72) - Unable to get the Credential Provider from 
the Configuration
org.apache.ranger.plugin.util.RangerRESTClient (RangerRESTClient.java:286) - 
Unable to obtain keystore from file .../ranger-admin-keystore.jks]
org.apache.ranger.plugin.util.RangerRESTClient (RangerRESTClient.java:341) - 
Unable to read the necessary SSL Keystore and TrustStore Files
                java.io.IOException: Keystore was tampered with, or password 
was incorrect

I received that last one when I know I had the correct password.

Thanks,
Jon
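
Added example, not part of the thread and not Ranger or Solr code: a small Python check of the integrity hash a JKS-format keystore carries, which is the comparison behind "Keystore was tampered with, or password was incorrect". It separates an unreadable file, a file that is not JKS, and a digest mismatch; the sample store, its password and the path in the demo are constructed.

```python
import hashlib
import hmac
import struct

JKS_MAGIC = 0xFEEDFEED        # plain JKS header; other store types start differently
WHITENER = b"Mighty Aphrodite"  # fixed string the JDK mixes into the JKS hash
DIGEST_LEN = 20               # trailing SHA-1 digest

def jks_digest(password: str, body: bytes) -> bytes:
    # SHA-1(password as 2-byte big-endian chars || whitener || store body)
    return hashlib.sha1(password.encode("utf-16-be") + WHITENER + body).digest()

def check_jks(data: bytes, password: str) -> str:
    """Classify why a keystore blob would or would not load with this password."""
    if len(data) < 12 + DIGEST_LEN:
        return "too short to be a JKS store"
    magic, version = struct.unpack(">II", data[:8])
    if magic != JKS_MAGIC or version not in (1, 2):
        return "not a JKS store (different keystore type?)"
    body, stored = data[:-DIGEST_LEN], data[-DIGEST_LEN:]
    if not hmac.compare_digest(jks_digest(password, body), stored):
        return "digest mismatch: store modified or password incorrect"
    return "ok"

def check_file(path: str, password: str) -> str:
    """Same check, but report file access problems separately."""
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError as exc:
        return f"unreadable: {exc.strerror}"
    return check_jks(data, password)

def make_empty_jks(password: str) -> bytes:
    # Constructed sample: a valid JKS store with zero entries.
    body = struct.pack(">III", JKS_MAGIC, 2, 0)
    return body + jks_digest(password, body)

if __name__ == "__main__":
    sample = make_empty_jks("changeit")            # constructed password
    print(check_jks(sample, "changeit"))
    print(check_jks(sample, "not-the-password"))
    print(check_jks(b"\x30\x82" + bytes(40), "changeit"))
    print(check_file("/nonexistent/example-keystore.jks", "changeit"))
```
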
