Hi Ramesh,
Is the conf directory of Ranger <ranger-admin>/ews/webapp/WEB-INF/classes/conf/
, does the jaas file name matter, and are there any other related
configurations (e.g. java.security.auth.login.config)?
Thanks,
Junseung.
From: Ramesh Mani
Sent: Thursday, May 2, 2019 3:25 PM
To: user@ranger.apache.org
Subject: Re: Ranger fails to query to Kerberized Solr
Hi
Try adding solr JAAS config in the conf folder of ranger
> cat ranger_solr_jaas.conf
Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
useTicketCache=false
keyTab=“/opt/mr3-run/ranger/key/rangeradmin.keytab"
principal=“rangeradmin/indigo21@RED";
}
Thanks,
Ramesh
From: QQQ QQQ <j5hw...@gmail.com>
Reply-To: "user@ranger.apache.org" <user@ranger.apache.org>
Date: Wednesday, May 1, 2019 at 11:12 PM
To: "user@ranger.apache.org" <user@ranger.apache.org>
Subject: Ranger fails to query to Kerberized Solr
Hi,
I’m trying to dockerize Ranger and Solr in standalone mode for audit store, and
I want Solr to be secure (with Kerberized authentication and authorization).
I tried:
Ranger 1.2.0 + Solr 6.6.6
Ranger 1.2.0 + Solr 8.0.0
Ranger 2.0.0 + Solr 8.0.0 (Ranger 2.0.0 is compiled from the master branch
(8202ed4aed53ad93a21b27dcf83cdf7102678fa0))
I succeeded to open Solr UI with Firefox, and Hive-plugin-enabled HiveServer2
succeeded to log audits to Solr. However, Ranger Admin fails to query to
Kerberized Solr.
Especially, When I login Ranger Admin UI with an admin account, and go to
Audit-Access, the following error message pops up:
Error running solr query, please check solr configs. Error from server at
https://indigo21:6083/solr/ranger_audits: Expected mime type
application/octet-stream but got text/html. <html> <head> <meta
http-equiv="Content-Type" content="text/html;charset=utf-8"/> <title>Error 401
Authentication required</title> </head> <body><h2>HTTP ERROR 401</h2>
<p>Problem accessing /solr/ranger_audits/select. Reason: <pre> Authentication
required</pre></p> </body> </html>
Then, Solr log gives the following error:
(I think Ranger Admin tries to authenticate itself with ID/PW instead of
Kerberos, but why?)
2019-05-01 14:52:19,629 [qtp380936215-17] WARN [ ]
apache.hadoop.security.authentication.server.KerberosAuthenticationHandler
(KerberosAuthenticationHandler.java:338) - 'Authorization' does not start with
'Negotiate' : Basic Og==
Here are my settings:
------------- install.properties for Ranger Admin -------------
…
audit_solr_urls=https://indigo21:6083/solr/ranger_audits
audit_solr_user=
audit_solr_password=
audit_solr_zookeepers=
…
spnego_principal=HTTP/indigo21@RED
spnego_keytab=/opt/mr3-run/ranger/key/spnego.service.keytab.indigo21
token_valid=30
cookie_domain=indigo21
cookie_path=/
admin_principal=rangeradmin/indigo21@RED
admin_keytab=/opt/mr3-run/ranger/key/rangeradmin.keytab
lookup_principal=rangerlookup/indigo21@RED
lookup_keytab=/opt/mr3-run/ranger/key/rangerlookup.keytab
hadoop_conf=/opt/mr3-run/ranger/conf
…
------------- /opt/mr3-run/ranger/conf/core-site.xml -------------
<configuration>
<property>
<name>hadoop.security.authentication</name>
<value>kerberos</value>
</property>
</configuration>
--------------------------
What am I missing? Is there any compatibility issue?
Best regards,
Junseung
P.S. How can I log into Ranger Admin UI with Kerberos ticket? I found out I can
log in with Kerberos ticket in some cases.
