Hi Ramesh, I solved my problem.
I added JAAS settings to ranger-admin-site.xml:

    xasecure.audit.jaas.Client.loginModuleName: com.sun.security.auth.module.Krb5LoginModule
    xasecure.audit.jaas.Client.loginModuleControlFlag: required
    xasecure.audit.jaas.Client.option.useKeyTab: true
    xasecure.audit.jaas.Client.option.storeKey: true
    xasecure.audit.jaas.Client.option.useTicketCache: true
    xasecure.audit.jaas.Client.option.keyTab: /opt/mr3-run/ranger/key/rangeradmin.keytab
    xasecure.audit.jaas.Client.option.principal: rangeradmin/indigo21@RED

cf. InMemoryJAASConfiguration.java:44~117:
https://github.com/apache/ranger/blob/ranger-1.2/agents-audit/src/main/java/org/apache/ranger/audit/utils/InMemoryJAASConfiguration.java#L44

The main reason why Ranger used basic authentication was that ranger-admin-site.xml contained ‘ranger.solr.audit.user’ and ‘ranger.solr.audit.user.password’ (even though their values were empty). Ranger recognized the empty user and password as non-null values, and thus set basic authentication.

The ‘setup.sh’ script in Ranger admin generates ‘ranger.solr.audit.user’ and ‘ranger.solr.audit.user.password’ even if ‘audit_solr_user’ and ‘audit_solr_password’ in install.properties are empty. They must be removed from ranger-admin-site.xml manually.

cf. SolrUtil.java:75~82:
https://github.com/apache/ranger/blob/ranger-1.2/security-admin/src/main/java/org/apache/ranger/solr/SolrUtil.java#L75

Thanks,
Junseung

From: Ramesh Mani
Sent: Saturday, May 4, 2019 3:01 AM
To: user@ranger.apache.org
Subject: Re: Ranger fails to query to Kerberized Solr

Hi Junseung,

<ranger-admin>/conf folder is the one which I am referring to. Even <ranger-admin>/ews/webapp/WEB-INF/classes/conf will refer to the same.

Also, please check the following properties in ranger-admin-site.xml.

    ranger-admin-site.xml- <property>
    ranger-admin-site.xml- <name>ranger.admin.kerberos.keytab</name>
    ranger-admin-site.xml- <value>/opt/mr3-run/ranger/key/rangeradmin.keytab</value>
    ranger-admin-site.xml- </property>
    ranger-admin-site.xml-
    ranger-admin-site.xml- <property>
    ranger-admin-site.xml: <name>ranger.admin.kerberos.principal</name>
    ranger-admin-site.xml- <value>rangeradmin/_HOST@RED</value>
    ranger-admin-site.xml- </property>

Thanks,
Ramesh

From: 황준승 <j5hw...@gmail.com>
Reply-To: "user@ranger.apache.org" <user@ranger.apache.org>
Date: Thursday, May 2, 2019 at 12:33 AM
To: "user@ranger.apache.org" <user@ranger.apache.org>
Subject: RE: Ranger fails to query to Kerberized Solr

Hi Ramesh,

Is the conf directory of Ranger <ranger-admin>/ews/webapp/WEB-INF/classes/conf/, does the jaas file name matter, and are there any other related configurations (e.g. java.security.auth.login.config)?

Thanks,
Junseung.

From: Ramesh Mani
Sent: Thursday, May 2, 2019 3:25 PM
To: user@ranger.apache.org
Subject: Re: Ranger fails to query to Kerberized Solr

Hi,

Try adding solr JAAS config in the conf folder of ranger

    > cat ranger_solr_jaas.conf
    Client {
      com.sun.security.auth.module.Krb5LoginModule required
      useKeyTab=true
      storeKey=true
      useTicketCache=false
      keyTab="/opt/mr3-run/ranger/key/rangeradmin.keytab"
      principal="rangeradmin/indigo21@RED";
    };

Thanks,
Ramesh

From: QQQ QQQ <j5hw...@gmail.com>
Reply-To: "user@ranger.apache.org" <user@ranger.apache.org>
Date: Wednesday, May 1, 2019 at 11:12 PM
To: "user@ranger.apache.org" <user@ranger.apache.org>
Subject: Ranger fails to query to Kerberized Solr

Hi,

I’m trying to dockerize Ranger and Solr in standalone mode for audit store, and I want Solr to be secure (with Kerberized authentication and authorization).

I tried:

    Ranger 1.2.0 + Solr 6.6.6
    Ranger 1.2.0 + Solr 8.0.0
    Ranger 2.0.0 + Solr 8.0.0
    (Ranger 2.0.0 is compiled from the master branch (8202ed4aed53ad93a21b27dcf83cdf7102678fa0))

I succeeded in opening the Solr UI with Firefox, and Hive-plugin-enabled HiveServer2 succeeded in logging audits to Solr. However, Ranger Admin fails to query Kerberized Solr. In particular, when I log in to the Ranger Admin UI with an admin account and go to Audit-Access, the following error message pops up:

    Error running solr query, please check solr configs. Error from server at https://indigo21:6083/solr/ranger_audits: Expected mime type application/octet-stream but got text/html.
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
    <title>Error 401 Authentication required</title>
    </head>
    <body><h2>HTTP ERROR 401</h2>
    <p>Problem accessing /solr/ranger_audits/select. Reason:
    <pre> Authentication required</pre></p>
    </body>
    </html>

Then, the Solr log gives the following error: (I think Ranger Admin tries to authenticate itself with ID/PW instead of Kerberos, but why?)

    2019-05-01 14:52:19,629 [qtp380936215-17] WARN [ ] apache.hadoop.security.authentication.server.KerberosAuthenticationHandler (KerberosAuthenticationHandler.java:338) - 'Authorization' does not start with 'Negotiate' : Basic Og==

Here are my settings:

------------- install.properties for Ranger Admin -------------
…
audit_solr_urls=https://indigo21:6083/solr/ranger_audits
audit_solr_user=
audit_solr_password=
audit_solr_zookeepers=
…
spnego_principal=HTTP/indigo21@RED
spnego_keytab=/opt/mr3-run/ranger/key/spnego.service.keytab.indigo21
token_valid=30
cookie_domain=indigo21
cookie_path=/
admin_principal=rangeradmin/indigo21@RED
admin_keytab=/opt/mr3-run/ranger/key/rangeradmin.keytab
lookup_principal=rangerlookup/indigo21@RED
lookup_keytab=/opt/mr3-run/ranger/key/rangerlookup.keytab
hadoop_conf=/opt/mr3-run/ranger/conf
…
------------- /opt/mr3-run/ranger/conf/core-site.xml -------------
<configuration>
  <property>
    <name>hadoop.security.authentication</name>
    <value>kerberos</value>
  </property>
</configuration>
--------------------------

What am I missing? Is there any compatibility issue?

Best regards,
Junseung

P.S. How can I log into Ranger Admin UI with Kerberos ticket? I found out I can log in with Kerberos ticket in some cases.
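
The diagnosis given in the resolving reply at the top of this thread, as an added example that is not part of any message or of Ranger's own code: a Python check that flags ranger.solr.audit.user / ranger.solr.audit.user.password entries in ranger-admin-site.xml, verifies the xasecure.audit.jaas.Client.* keys, and decodes the Basic credential seen in the Solr log. The function names, the choice of which JAAS keys to treat as mandatory, and the sample XML are assumptions constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

# Per the thread: these two properties select basic auth whenever present, even if empty.
BASIC_AUTH_PROPS = ("ranger.solr.audit.user", "ranger.solr.audit.user.password")
JAAS_PREFIX = "xasecure.audit.jaas.Client."
# Assumption: the subset of the thread's JAAS keys that this check treats as mandatory.
REQUIRED_JAAS = ("loginModuleName", "loginModuleControlFlag", "option.keyTab", "option.principal")

def load_properties(xml_text):
    """Parse a Hadoop-style <configuration> document into {name: value}."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit_solr_auth(xml_text):
    """Return findings that would keep Ranger Admin from using Kerberos towards Solr."""
    props = load_properties(xml_text)
    findings = [f"{n} is present (value {props[n]!r}): remove the property"
                for n in BASIC_AUTH_PROPS if n in props]
    findings += [f"{JAAS_PREFIX}{s} is missing or empty"
                 for s in REQUIRED_JAAS if not props.get(JAAS_PREFIX + s)]
    return findings

def decode_basic(header_value):
    """Split an 'Authorization: Basic ...' value into (user, password)."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password

def make_site(props):  # builds a constructed sample ranger-admin-site.xml
    body = "".join(f"<property><name>{k}</name><value>{v}</value></property>"
                   for k, v in props.items())
    return f"<configuration>{body}</configuration>"

# Constructed samples: the file as setup.sh leaves it, and the file after the fix.
GENERATED = make_site({name: "" for name in BASIC_AUTH_PROPS})
FIXED = make_site({JAAS_PREFIX + k: v for k, v in {
    "loginModuleName": "com.sun.security.auth.module.Krb5LoginModule",
    "loginModuleControlFlag": "required", "option.principal": "rangeradmin/indigo21@RED",
    "option.keyTab": "/opt/mr3-run/ranger/key/rangeradmin.keytab"}.items()})

if __name__ == "__main__":
    print(decode_basic("Basic Og=="), audit_solr_auth(GENERATED), audit_solr_auth(FIXED))
```

The decoded credential is an empty user and an empty password, which matches the empty properties that setup.sh wrote into the file.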