Hi Sailaja,

I could see this when the 401s happened, the cookie seems to be invalid after the 1 hour wait since the first sync.

--------------------------------------------------------------------------------
2020-12-02 09:30:36,553 [http-bio-6080-Acceptor-0] DEBUG org.apache.tomcat.util.threads.LimitLatch (LimitLatch.java:113) - Counting up[http-bio-6080-Acceptor-0] latch=5
2020-12-02 09:30:36,554 [http-bio-6080-exec-18] DEBUG org.apache.tomcat.util.http.Cookies (Cookies.java:184) - Cookies: Parsing b[]: $Version=1;RANGERADMINSESSIONID=5CEDC9023EA19CDA63F16A06345616F7;$Path=/
2020-12-02 09:30:36,554 [http-bio-6080-exec-18] DEBUG org.apache.catalina.connector.CoyoteAdapter (CoyoteAdapter.java:1152) - Requested cookie session id is 5CEDC9023EA19CDA63F16A06345616F7
2020-12-02 09:30:36,554 [http-bio-6080-exec-18] DEBUG org.apache.catalina.authenticator.AuthenticatorBase (AuthenticatorBase.java:458) - Security checking request POST /service/users/default
2020-12-02 09:30:36,555 [http-bio-6080-exec-18] DEBUG org.apache.catalina.realm.RealmBase (RealmBase.java:694) - No applicable constraints defined
2020-12-02 09:30:36,555 [http-bio-6080-exec-18] DEBUG org.apache.catalina.authenticator.AuthenticatorBase (AuthenticatorBase.java:490) - Not subject to any constraint
2020-12-02 09:30:36,555 [http-bio-6080-exec-18] DEBUG springframework.security.web.util.matcher.AntPathRequestMatcher (AntPathRequestMatcher.java:176) - Checking match of request : '/service/users/default'; against '/login.jsp'
2020-12-02 09:30:36,555 [http-bio-6080-exec-18] DEBUG springframework.security.web.util.matcher.AntPathRequestMatcher (AntPathRequestMatcher.java:176) - Checking match of request : '/service/users/default'; against '/styles/**'
2020-12-02 09:30:36,555 [http-bio-6080-exec-18] DEBUG springframework.security.web.util.matcher.AntPathRequestMatcher (AntPathRequestMatcher.java:176) - Checking match of request : '/service/users/default'; against '/fonts/**'
2020-12-02 09:30:36,555 [http-bio-6080-exec-18] DEBUG springframework.security.web.util.matcher.AntPathRequestMatcher (AntPathRequestMatcher.java:176) - Checking match of request : '/service/users/default'; against '/scripts/prelogin/XAPrelogin.js'
2020-12-02 09:30:36,555 [http-bio-6080-exec-18] DEBUG springframework.security.web.util.matcher.AntPathRequestMatcher (AntPathRequestMatcher.java:176) - Checking match of request : '/service/users/default'; against '/libs/bower/jquery/js/jquery-3.5.1.js'
2020-12-02 09:30:36,555 [http-bio-6080-exec-18] DEBUG springframework.security.web.util.matcher.AntPathRequestMatcher (AntPathRequestMatcher.java:176) - Checking match of request : '/service/users/default'; against '/images/ranger_logo.png'
2020-12-02 09:30:36,555 [http-bio-6080-exec-18] DEBUG springframework.security.web.util.matcher.AntPathRequestMatcher (AntPathRequestMatcher.java:176) - Checking match of request : '/service/users/default'; against '/images/favicon.ico'
2020-12-02 09:30:36,555 [http-bio-6080-exec-18] DEBUG springframework.security.web.util.matcher.AntPathRequestMatcher (AntPathRequestMatcher.java:176) - Checking match of request : '/service/users/default'; against '/service/assets/policyList/*'
2020-12-02 09:30:36,555 [http-bio-6080-exec-18] DEBUG springframework.security.web.util.matcher.AntPathRequestMatcher (AntPathRequestMatcher.java:176) - Checking match of request : '/service/users/default'; against '/service/assets/resources/grant'
2020-12-02 09:30:36,555 [http-bio-6080-exec-18] DEBUG springframework.security.web.util.matcher.AntPathRequestMatcher (AntPathRequestMatcher.java:176) - Checking match of request : '/service/users/default'; against '/service/assets/resources/revoke'
2020-12-02 09:30:36,556 [http-bio-6080-exec-18] DEBUG springframework.security.web.util.matcher.AntPathRequestMatcher (AntPathRequestMatcher.java:176) - Checking match of request : '/service/users/default'; against '/service/plugins/policies/download/*'
2020-12-02 09:30:36,556 [http-bio-6080-exec-18] DEBUG springframework.security.web.util.matcher.AntPathRequestMatcher (AntPathRequestMatcher.java:176) - Checking match of request : '/service/users/default'; against '/service/plugins/services/grant/*'
2020-12-02 09:30:36,556 [http-bio-6080-exec-18] DEBUG springframework.security.web.util.matcher.AntPathRequestMatcher (AntPathRequestMatcher.java:176) - Checking match of request : '/service/users/default'; against '/service/plugins/services/revoke/*'
2020-12-02 09:30:36,556 [http-bio-6080-exec-18] DEBUG springframework.security.web.util.matcher.AntPathRequestMatcher (AntPathRequestMatcher.java:176) - Checking match of request : '/service/users/default'; against '/service/tags/download/*'
2020-12-02 09:30:36,556 [http-bio-6080-exec-18] DEBUG springframework.security.web.util.matcher.AntPathRequestMatcher (AntPathRequestMatcher.java:176) - Checking match of request : '/service/users/default'; against '/service/roles/download/*'
2020-12-02 09:30:36,556 [http-bio-6080-exec-18] DEBUG springframework.security.web.util.matcher.AntPathRequestMatcher (AntPathRequestMatcher.java:176) - Checking match of request : '/service/users/default'; against '/service/metrics/status'
2020-12-02 09:30:36,556 [http-bio-6080-exec-18] DEBUG org.springframework.security.web.FilterChainProxy$VirtualFilterChain (FilterChainProxy.java:325) - /service/users/default at position 1 of 16 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2020-12-02 09:30:36,556 [http-bio-6080-exec-18] DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter (SecurityContextPersistenceFilter.java:94) - Eagerly created session: 48FDF9BA60D67FCEACE7C6C163398B08
2020-12-02 09:30:36,556 [http-bio-6080-exec-18] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository (HttpSessionSecurityContextRepository.java:186) - HttpSession returned null object for SPRING_SECURITY_CONTEXT
2020-12-02 09:30:36,556 [http-bio-6080-exec-18] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository (HttpSessionSecurityContextRepository.java:116) - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@4ac271d4. A new one will be created.
2020-12-02 09:30:36,557 [http-bio-6080-exec-18] DEBUG org.springframework.security.web.FilterChainProxy$VirtualFilterChain (FilterChainProxy.java:325) - /service/users/default at position 2 of 16 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2020-12-02 09:30:36,557 [http-bio-6080-exec-18] DEBUG org.springframework.security.web.FilterChainProxy$VirtualFilterChain (FilterChainProxy.java:325) - /service/users/default at position 3 of 16 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2020-12-02 09:30:36,557 [http-bio-6080-exec-18] DEBUG org.springframework.security.web.FilterChainProxy$VirtualFilterChain (FilterChainProxy.java:325) - /service/users/default at position 4 of 16 in additional filter chain; firing Filter: 'LogoutFilter'
2020-12-02 09:30:36,557 [http-bio-6080-exec-18] DEBUG springframework.security.web.util.matcher.AntPathRequestMatcher (AntPathRequestMatcher.java:176) - Checking match of request : '/service/users/default'; against '/logout'
2020-12-02 09:30:36,557 [http-bio-6080-exec-18] DEBUG org.springframework.security.web.FilterChainProxy$VirtualFilterChain (FilterChainProxy.java:325) - /service/users/default at position 5 of 16 in additional filter chain; firing Filter: 'RangerUsernamePasswordAuthenticationFilter'
2020-12-02 09:30:36,557 [http-bio-6080-exec-18] DEBUG springframework.security.web.util.matcher.AntPathRequestMatcher (AntPathRequestMatcher.java:176) - Checking match of request : '/service/users/default'; against '/login'
2020-12-02 09:30:36,557 [http-bio-6080-exec-18] DEBUG org.springframework.security.web.FilterChainProxy$VirtualFilterChain (FilterChainProxy.java:325) - /service/users/default at position 6 of 16 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2020-12-02 09:30:36,557 [http-bio-6080-exec-18] DEBUG org.springframework.security.web.FilterChainProxy$VirtualFilterChain (FilterChainProxy.java:325) - /service/users/default at position 7 of 16 in additional filter chain; firing Filter: 'RangerSSOAuthenticationFilter'
2020-12-02 09:30:36,558 [http-bio-6080-exec-18] DEBUG org.springframework.security.web.FilterChainProxy$VirtualFilterChain (FilterChainProxy.java:325) - /service/users/default at position 8 of 16 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2020-12-02 09:30:36,558 [http-bio-6080-exec-18] DEBUG org.springframework.security.web.FilterChainProxy$VirtualFilterChain (FilterChainProxy.java:325) - /service/users/default at position 9 of 16 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2020-12-02 09:30:36,558 [http-bio-6080-exec-18] DEBUG org.springframework.security.web.FilterChainProxy$VirtualFilterChain (FilterChainProxy.java:325) - /service/users/default at position 10 of 16 in additional filter chain; firing Filter: 'RangerKRBAuthenticationFilter'
2020-12-02 09:30:36,558 [http-bio-6080-exec-18] DEBUG org.springframework.security.web.FilterChainProxy$VirtualFilterChain (FilterChainProxy.java:325) - /service/users/default at position 11 of 16 in additional filter chain; firing Filter: 'RangerCSRFPreventionFilter'
2020-12-02 09:30:36,558 [http-bio-6080-exec-18] DEBUG org.springframework.security.web.FilterChainProxy$VirtualFilterChain (FilterChainProxy.java:325) - /service/users/default at position 12 of 16 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2020-12-02 09:30:36,560 [http-bio-6080-exec-18] DEBUG org.springframework.security.web.authentication.AnonymousAuthenticationFilter (AnonymousAuthenticationFilter.java:100) - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@90579aae: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2eb76: RemoteIpAddress: 127.0.0.1; SessionId: 48FDF9BA60D67FCEACE7C6C163398B08; Granted Authorities: ROLE_ANONYMOUS'
2020-12-02 09:30:36,560 [http-bio-6080-exec-18] DEBUG org.springframework.security.web.FilterChainProxy$VirtualFilterChain (FilterChainProxy.java:325) - /service/users/default at position 13 of 16 in additional filter chain; firing Filter: 'SessionManagementFilter'
2020-12-02 09:30:36,561 [http-bio-6080-exec-18] DEBUG org.springframework.security.web.session.SessionManagementFilter (SessionManagementFilter.java:124) - Requested session ID 5CEDC9023EA19CDA63F16A06345616F7 is invalid.
2020-12-02 09:30:36,561 [http-bio-6080-exec-18] DEBUG org.springframework.security.web.FilterChainProxy$VirtualFilterChain (FilterChainProxy.java:325) - /service/users/default at position 14 of 16 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2020-12-02 09:30:36,561 [http-bio-6080-exec-18] DEBUG org.springframework.security.web.FilterChainProxy$VirtualFilterChain (FilterChainProxy.java:325) - /service/users/default at position 15 of 16 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2020-12-02 09:30:36,561 [http-bio-6080-exec-18] DEBUG org.springframework.security.access.intercept.AbstractSecurityInterceptor (AbstractSecurityInterceptor.java:219) - Secure object: FilterInvocation: URL: /service/users/default; Attributes: [isAuthenticated()]
2020-12-02 09:30:36,561 [http-bio-6080-exec-18] DEBUG org.springframework.security.access.intercept.AbstractSecurityInterceptor (AbstractSecurityInterceptor.java:348) - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@90579aae: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2eb76: RemoteIpAddress: 127.0.0.1; SessionId: 48FDF9BA60D67FCEACE7C6C163398B08; Granted Authorities: ROLE_ANONYMOUS
2020-12-02 09:30:36,561 [http-bio-6080-exec-18] DEBUG org.springframework.security.access.vote.AffirmativeBased (AffirmativeBased.java:66) - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@46d48e8a, returned: -1
2020-12-02 09:30:36,562 [http-bio-6080-exec-18] DEBUG org.springframework.context.support.ReloadableResourceBundleMessageSource (ReloadableResourceBundleMessageSource.java:501) - Loading properties [messages.properties]
2020-12-02 09:30:36,563 [http-bio-6080-exec-18] DEBUG org.springframework.context.support.ReloadableResourceBundleMessageSource (ReloadableResourceBundleMessageSource.java:457) - No properties file found for [WEB-INF/classes/internationalization/messages_en] - neither plain properties nor XML
2020-12-02 09:30:36,564 [http-bio-6080-exec-18] DEBUG org.springframework.security.web.access.ExceptionTranslationFilter (ExceptionTranslationFilter.java:173) - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
    at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84)
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:124)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:114)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.apache.ranger.security.web.filter.RangerCSRFPreventionFilter$ServletFilterHttpInteraction.proceed(RangerCSRFPreventionFilter.java:210)
    at org.apache.ranger.security.web.filter.RangerCSRFPreventionFilter.handleHttpInteraction(RangerCSRFPreventionFilter.java:155)
    at org.apache.ranger.security.web.filter.RangerCSRFPreventionFilter.doFilter(RangerCSRFPreventionFilter.java:165)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.apache.ranger.security.web.filter.RangerKRBAuthenticationFilter.doFilter(RangerKRBAuthenticationFilter.java:399)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.apache.ranger.security.web.filter.RangerSSOAuthenticationFilter.doFilter(RangerSSOAuthenticationFilter.java:259)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:158)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:492)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:165)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:1025)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:452)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1201)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:654)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:317)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
--------------------------------------------------------------------------------

I'm not sure why anonymousUser is used in this case instead of rangerusersync. Before the initial sync I could see this:

--------------------------------------------------------------------------------
2020-12-02 08:29:48,769 [http-bio-6080-exec-7] DEBUG org.springframework.security.ldap.authentication.BindAuthenticator (BindAuthenticator.java:172) - Failed to bind as cn=rangerusersync,cn=users,dc=corp,dc=prezi,dc=com: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
2020-12-02 08:29:48,769 [http-bio-6080-exec-7] DEBUG org.apache.ranger.security.handler.RangerAuthenticationProvider (RangerAuthenticationProvider.java:262) - LDAP Authentication Failed:org.springframework.security.authentication.BadCredentialsException: Bad credentials
    at org.springframework.security.ldap.authentication.BindAuthenticator.authenticate(BindAuthenticator.java:101)
    at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:187)
    at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:85)
    at org.apache.ranger.security.handler.RangerAuthenticationProvider.getLdapAuthentication(RangerAuthenticationProvider.java:255)
    at org.apache.ranger.security.handler.RangerAuthenticationProvider.authenticate(RangerAuthenticationProvider.java:104)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:199)
    at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:180)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:492)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:165)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:1025)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:452)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1201)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:654)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:317)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
--------------------------------------------------------------------------------

Can this be because the user rangerusersync is not in ldap?
Although in spite of the error the initial sync was successful and I could see messages like this later on:

--------------------------------------------------------------------------------
2020-12-02 08:29:49,058 [http-bio-6080-exec-7] INFO org.apache.ranger.security.listener.SpringEventListener (SpringEventListener.java:70) - Login Successful:rangerusersync | Ip Address:127.0.0.1 | sessionId=5CEDC9023EA19CDA63F16A06345616F7 | Epoch=1606897789058
2020-12-02 08:29:49,058 [http-bio-6080-exec-7] DEBUG springframework.security.web.authentication.www.BasicAuthenticationFilter (BasicAuthenticationFilter.java:183) - Authentication success: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@836aa06d: Principal: org.springframework.security.core.userdetails.User@826172bb: Username: rangerusersync; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_SYS_ADMIN; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffe3f86: RemoteIpAddress: 127.0.0.1; SessionId: 5CEDC9023EA19CDA63F16A06345616F7; Granted Authorities: ROLE_SYS_ADMIN
--------------------------------------------------------------------------------

Let me know if you need any further details.

Thanks,
Geri

Sailaja Polavarapu <spolavar...@cloudera.com> wrote (on Wed, Dec 2, 2020, 2:30):
>
> Hi Geri,
> I haven't seen this issue in my local setup. From the above logs, I see that "valid cookie is saved" after first sync, but in the next sync cycle usersync is using credential login which is strange. In Usersync, for every request to ranger admin, first try with the saved cookie (which is the rangeradminsessionid). If it fails, then try with credentials. Can you provide ranger admin logs to see - 1. why the session is invalid, 2. why the rangerusersync creds login is failing.
>
> Thanks,
> Sailaja.
>
> On Sat, Nov 28, 2020 at 5:45 PM Gergely Lendvai <gergely.lendva...@gmail.com> wrote:
>>
>> Hi!
>>
>> I have been trying to solve this for a while, but with no luck so far. I managed to set up the usersync plugin with ldap (and without kerberos) and after starting it the initial users are showing up on Ranger, but all the upcoming hourly syncs are failing with the following error, which is a bit misleading since it is just a warning:
>> --------------------------------------------------------------------------------
>> WARN LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - Credentials response from ranger is 401.
>> --------------------------------------------------------------------------------
>>
>> I enabled debug logs to get a clearer picture, but what is odd is that at the beginning my credentials are still valid and a new ranger cookie will be created for the initial sync, but for the next hour something happens. Here are the first couple of lines from the initial sync:
>> --------------------------------------------------------------------------------
>> INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink
>> INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder updateSink started
>> INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - Performing user search first
>> INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - extendedUserSearchFilter = (&(objectclass=person)(|(uSNChanged>=0)(modifyTimestamp>=19700101000000Z)))
>> INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - uSNChangedVal = 5564and currentDeltaSyncTime = 5564
>> DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - INFO: addPMAccount(awsadmind-906714de98)
>> DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - ==> LdapPolicyMgrUserGroupBuilder.getMUser()
>> DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - ==> LdapPolicyMgrUserGroupBuilder.cookieBasedUploadEntity()
>> DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - ==> LdapPolicyMgrUserGroupBuilder.tryUploadEntityInfoWithCred()
>> DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - USER GROUP MAPPING{"loginId":"awsadmind-906714de98","firstName":"awsadmind-906714de98","lastName":"awsadmind-906714de98","userRoleList":[null],"otherAttributes":"{}"}
>> INFO LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - valid cookie saved
>> --------------------------------------------------------------------------------
>>
>> And these are the logs for an upcoming hour:
>> --------------------------------------------------------------------------------
>> INFO UserGroupSync [UnixUserSyncThread] - Begin: update user/group from source==>sink
>> INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder updateSink started
>> INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - Performing user search first
>> INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - extendedUserSearchFilter = (&(objectclass=person)(|(uSNChanged>=5631)(modifyTimestamp>=19700101000005Z)))
>> INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - uSNChangedVal = 5564and currentDeltaSyncTime = 5564
>> DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - INFO: addPMAccount(awsadmind-906714de98)
>> DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - ==> LdapPolicyMgrUserGroupBuilder.getMUser()
>> DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - ==> LdapPolicyMgrUserGroupBuilder.cookieBasedUploadEntity()
>> DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - ==> LdapPolicyMgrUserGroupBuilder.tryUploadEntityInfoWithCred()
>> DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - USER GROUP MAPPING{"loginId":"awsadmind-906714de98","firstName":"awsadmind-906714de98","lastName":"awsadmind-906714de98","userRoleList":[null],"otherAttributes":"{}"}
>> WARN LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - Credentials response from ranger is 401.
>> --------------------------------------------------------------------------------
>>
>> Could you help figure this out? I am happy to share more details if necessary.
>>
>> Thanks,
>> Geri
>
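
Added example (not part of the original messages and not Ranger code): a small script for the two questions raised in this thread about the Ranger admin log. It ties each "Requested session ID ... is invalid" line back to the "Login Successful" line that created the session, to get the cookie's age, and it decodes the "data" sub-code in LDAP bind failures. The sample log is constructed from the line formats quoted above; the sub-code table lists standard Windows logon error codes and is an assumption brought in from outside the thread.

```python
import re
from datetime import datetime

# Constructed sample: same line formats as the Ranger admin log quoted in the
# thread, with made-up session IDs and a made-up directory suffix.
SAMPLE_LOG = """\
2020-12-02 08:29:48,769 [http-bio-6080-exec-7] DEBUG org.springframework.security.ldap.authentication.BindAuthenticator (BindAuthenticator.java:172) - Failed to bind as cn=rangerusersync,cn=users,dc=example,dc=com: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
2020-12-02 08:29:49,058 [http-bio-6080-exec-7] INFO org.apache.ranger.security.listener.SpringEventListener (SpringEventListener.java:70) - Login Successful:rangerusersync | Ip Address:127.0.0.1 | sessionId=0123456789ABCDEF0123456789ABCDEF | Epoch=1606897789058
2020-12-02 09:30:36,561 [http-bio-6080-exec-18] DEBUG org.springframework.security.web.session.SessionManagementFilter (SessionManagementFilter.java:124) - Requested session ID 0123456789ABCDEF0123456789ABCDEF is invalid.
2020-12-02 09:31:00,000 [http-bio-6080-exec-19] DEBUG org.springframework.security.web.session.SessionManagementFilter (SessionManagementFilter.java:124) - Requested session ID FEDCBA9876543210FEDCBA9876543210 is invalid.
"""

TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
LOGIN_RE = re.compile(
    TS + r".*Login Successful:(?P<user>[^\s|]+) \| Ip Address:(?P<ip>[^\s|]+)"
         r" \| sessionId=(?P<sid>[0-9A-F]+)")
INVALID_RE = re.compile(TS + r".*Requested session ID (?P<sid>[0-9A-F]+) is invalid")
BIND_RE = re.compile(
    TS + r".*Failed to bind as (?P<dn>.+?): .*?error code (?P<code>\d+) "
         r".*?data (?P<sub>[0-9a-f]+),")

# Active Directory reports a Windows error code (hex) in the "data" field of an
# LDAP error 49. Standard Windows meanings, not taken from the thread.
AD_SUBCODES = {
    "525": "user not found",
    "52e": "the user name or password is incorrect",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}


def _when(match):
    """Parse the log4j-style timestamp at the start of a matched line."""
    return datetime.strptime(match["ts"], "%Y-%m-%d %H:%M:%S,%f")


def analyze(log_text):
    """Return findings for rejected session cookies and failed LDAP binds."""
    logins = {}      # session id -> (user, time the session was created)
    findings = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            logins[m["sid"]] = (m["user"], _when(m))
            continue
        m = INVALID_RE.match(line)
        if m:
            # Unknown session IDs (login not in this log window) keep None.
            user, created = logins.get(m["sid"], (None, None))
            age = (_when(m) - created).total_seconds() if created else None
            findings.append({"type": "stale_session", "sid": m["sid"],
                             "user": user, "age_seconds": age})
            continue
        m = BIND_RE.match(line)
        if m:
            findings.append({
                "type": "bind_failure", "dn": m["dn"],
                "ldap_code": int(m["code"]), "ad_subcode": m["sub"],
                "meaning": AD_SUBCODES.get(m["sub"], "unknown sub-code"),
            })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The reported session age is the figure to compare against the session timeout configured for the Ranger admin web application and against the usersync interval.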