Hi Sailaja, Did you have the chance to take a look at the logs?
Cheers, Geri On Wed, Dec 2, 2020, 12:51 Gergely Lendvai <gergely.lendva...@gmail.com> wrote: > Hi Sailaja, > > I could see this when the 401s happened, the cookie seems to be invalid > after the 1 hour wait since the first sync. > > --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- > 2020-12-02 09:30:36,553 [http-bio-6080-Acceptor-0] DEBUG > org.apache.tomcat.util.threads.LimitLatch (LimitLatch.java:113) - Counting > up[http-bio-6080-Acceptor-0] latch=5 > 2020-12-02 09:30:36,554 [http-bio-6080-exec-18] DEBUG > org.apache.tomcat.util.http.Cookies (Cookies.java:184) - Cookies: Parsing > b[]: > $Version=1;RANGERADMINSESSIONID=5CEDC9023EA19CDA63F16A06345616F7;$Path=/ > 2020-12-02 09:30:36,554 [http-bio-6080-exec-18] DEBUG > org.apache.catalina.connector.CoyoteAdapter (CoyoteAdapter.java:1152) - > Requested cookie session id is 5CEDC9023EA19CDA63F16A06345616F7 > 2020-12-02 09:30:36,554 [http-bio-6080-exec-18] DEBUG > org.apache.catalina.authenticator.AuthenticatorBase > (AuthenticatorBase.java:458) - Security checking request POST > /service/users/default > 2020-12-02 09:30:36,555 [http-bio-6080-exec-18] DEBUG > org.apache.catalina.realm.RealmBase (RealmBase.java:694) - No applicable > constraints defined > 2020-12-02 09:30:36,555 [http-bio-6080-exec-18] DEBUG > org.apache.catalina.authenticator.AuthenticatorBase > (AuthenticatorBase.java:490) - Not subject to any constraint > 2020-12-02 09:30:36,555 [http-bio-6080-exec-18] DEBUG > springframework.security.web.util.matcher.AntPathRequestMatcher > (AntPathRequestMatcher.java:176) - Checking match of request : > '/service/users/default'; against '/login.jsp' > 2020-12-02 09:30:36,555 [http-bio-6080-exec-18] DEBUG > springframework.security.web.util.matcher.AntPathRequestMatcher > (AntPathRequestMatcher.java:176) - Checking match of request : > '/service/users/default'; against '/styles/**' > 2020-12-02 09:30:36,555 [http-bio-6080-exec-18] DEBUG > springframework.security.web.util.matcher.AntPathRequestMatcher > (AntPathRequestMatcher.java:176) - Checking match of request : > '/service/users/default'; against '/fonts/**' > 2020-12-02 09:30:36,555 [http-bio-6080-exec-18] DEBUG > springframework.security.web.util.matcher.AntPathRequestMatcher > (AntPathRequestMatcher.java:176) - Checking match of request : > '/service/users/default'; against '/scripts/prelogin/XAPrelogin.js' > 2020-12-02 09:30:36,555 [http-bio-6080-exec-18] DEBUG > springframework.security.web.util.matcher.AntPathRequestMatcher > (AntPathRequestMatcher.java:176) - Checking match of request : > '/service/users/default'; against '/libs/bower/jquery/js/jquery-3.5.1.js' > 2020-12-02 09:30:36,555 [http-bio-6080-exec-18] DEBUG > springframework.security.web.util.matcher.AntPathRequestMatcher > (AntPathRequestMatcher.java:176) - Checking match of request : > '/service/users/default'; against '/images/ranger_logo.png' > 2020-12-02 09:30:36,555 [http-bio-6080-exec-18] DEBUG > springframework.security.web.util.matcher.AntPathRequestMatcher > (AntPathRequestMatcher.java:176) - Checking match of request : > '/service/users/default'; against '/images/favicon.ico' > 2020-12-02 09:30:36,555 [http-bio-6080-exec-18] DEBUG > springframework.security.web.util.matcher.AntPathRequestMatcher > (AntPathRequestMatcher.java:176) - Checking match of request : > '/service/users/default'; against '/service/assets/policyList/*' > 2020-12-02 09:30:36,555 [http-bio-6080-exec-18] DEBUG > springframework.security.web.util.matcher.AntPathRequestMatcher > (AntPathRequestMatcher.java:176) - Checking match of request : > '/service/users/default'; against '/service/assets/resources/grant' > 2020-12-02 09:30:36,555 [http-bio-6080-exec-18] DEBUG > springframework.security.web.util.matcher.AntPathRequestMatcher > (AntPathRequestMatcher.java:176) - Checking match of request : > '/service/users/default'; against '/service/assets/resources/revoke' > 2020-12-02 09:30:36,556 [http-bio-6080-exec-18] DEBUG > springframework.security.web.util.matcher.AntPathRequestMatcher > (AntPathRequestMatcher.java:176) - Checking match of request : > '/service/users/default'; against '/service/plugins/policies/download/*' > 2020-12-02 09:30:36,556 [http-bio-6080-exec-18] DEBUG > springframework.security.web.util.matcher.AntPathRequestMatcher > (AntPathRequestMatcher.java:176) - Checking match of request : > '/service/users/default'; against '/service/plugins/services/grant/*' > 2020-12-02 09:30:36,556 [http-bio-6080-exec-18] DEBUG > springframework.security.web.util.matcher.AntPathRequestMatcher > (AntPathRequestMatcher.java:176) - Checking match of request : > '/service/users/default'; against '/service/plugins/services/revoke/*' > 2020-12-02 09:30:36,556 [http-bio-6080-exec-18] DEBUG > springframework.security.web.util.matcher.AntPathRequestMatcher > (AntPathRequestMatcher.java:176) - Checking match of request : > '/service/users/default'; against '/service/tags/download/*' > 2020-12-02 09:30:36,556 [http-bio-6080-exec-18] DEBUG > springframework.security.web.util.matcher.AntPathRequestMatcher > (AntPathRequestMatcher.java:176) - Checking match of request : > '/service/users/default'; against '/service/roles/download/*' > 2020-12-02 09:30:36,556 [http-bio-6080-exec-18] DEBUG > springframework.security.web.util.matcher.AntPathRequestMatcher > (AntPathRequestMatcher.java:176) - Checking match of request : > '/service/users/default'; against '/service/metrics/status' > 2020-12-02 09:30:36,556 [http-bio-6080-exec-18] DEBUG > org.springframework.security.web.FilterChainProxy$VirtualFilterChain > (FilterChainProxy.java:325) - /service/users/default at position 1 of 16 in > additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' > 2020-12-02 09:30:36,556 [http-bio-6080-exec-18] DEBUG > org.springframework.security.web.context.SecurityContextPersistenceFilter > (SecurityContextPersistenceFilter.java:94) - Eagerly created session: > 48FDF9BA60D67FCEACE7C6C163398B08 > 2020-12-02 09:30:36,556 [http-bio-6080-exec-18] DEBUG > org.springframework.security.web.context.HttpSessionSecurityContextRepository > (HttpSessionSecurityContextRepository.java:186) - HttpSession returned null > object for SPRING_SECURITY_CONTEXT > 2020-12-02 09:30:36,556 [http-bio-6080-exec-18] DEBUG > org.springframework.security.web.context.HttpSessionSecurityContextRepository > (HttpSessionSecurityContextRepository.java:116) - No SecurityContext was > available from the HttpSession: > org.apache.catalina.session.StandardSessionFacade@4ac271d4. A new one > will be created. > 2020-12-02 09:30:36,557 [http-bio-6080-exec-18] DEBUG > org.springframework.security.web.FilterChainProxy$VirtualFilterChain > (FilterChainProxy.java:325) - /service/users/default at position 2 of 16 in > additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter' > 2020-12-02 09:30:36,557 [http-bio-6080-exec-18] DEBUG > org.springframework.security.web.FilterChainProxy$VirtualFilterChain > (FilterChainProxy.java:325) - /service/users/default at position 3 of 16 in > additional filter chain; firing Filter: 'HeaderWriterFilter' > 2020-12-02 09:30:36,557 [http-bio-6080-exec-18] DEBUG > org.springframework.security.web.FilterChainProxy$VirtualFilterChain > (FilterChainProxy.java:325) - /service/users/default at position 4 of 16 in > additional filter chain; firing Filter: 'LogoutFilter' > 2020-12-02 09:30:36,557 [http-bio-6080-exec-18] DEBUG > springframework.security.web.util.matcher.AntPathRequestMatcher > (AntPathRequestMatcher.java:176) - Checking match of request : > '/service/users/default'; against '/logout' > 2020-12-02 09:30:36,557 [http-bio-6080-exec-18] DEBUG > org.springframework.security.web.FilterChainProxy$VirtualFilterChain > (FilterChainProxy.java:325) - /service/users/default at position 5 of 16 in > additional filter chain; firing Filter: > 'RangerUsernamePasswordAuthenticationFilter' > 2020-12-02 09:30:36,557 [http-bio-6080-exec-18] DEBUG > springframework.security.web.util.matcher.AntPathRequestMatcher > (AntPathRequestMatcher.java:176) - Checking match of request : > '/service/users/default'; against '/login' > 2020-12-02 09:30:36,557 [http-bio-6080-exec-18] DEBUG > org.springframework.security.web.FilterChainProxy$VirtualFilterChain > (FilterChainProxy.java:325) - /service/users/default at position 6 of 16 in > additional filter chain; firing Filter: 'BasicAuthenticationFilter' > 2020-12-02 09:30:36,557 [http-bio-6080-exec-18] DEBUG > org.springframework.security.web.FilterChainProxy$VirtualFilterChain > (FilterChainProxy.java:325) - /service/users/default at position 7 of 16 in > additional filter chain; firing Filter: 'RangerSSOAuthenticationFilter' > 2020-12-02 09:30:36,558 [http-bio-6080-exec-18] DEBUG > org.springframework.security.web.FilterChainProxy$VirtualFilterChain > (FilterChainProxy.java:325) - /service/users/default at position 8 of 16 in > additional filter chain; firing Filter: 'RequestCacheAwareFilter' > 2020-12-02 09:30:36,558 [http-bio-6080-exec-18] DEBUG > org.springframework.security.web.FilterChainProxy$VirtualFilterChain > (FilterChainProxy.java:325) - /service/users/default at position 9 of 16 in > additional filter chain; firing Filter: > 'SecurityContextHolderAwareRequestFilter' > 2020-12-02 09:30:36,558 [http-bio-6080-exec-18] DEBUG > org.springframework.security.web.FilterChainProxy$VirtualFilterChain > (FilterChainProxy.java:325) - /service/users/default at position 10 of 16 > in additional filter chain; firing Filter: 'RangerKRBAuthenticationFilter' > 2020-12-02 09:30:36,558 [http-bio-6080-exec-18] DEBUG > org.springframework.security.web.FilterChainProxy$VirtualFilterChain > (FilterChainProxy.java:325) - /service/users/default at position 11 of 16 > in additional filter chain; firing Filter: 'RangerCSRFPreventionFilter' > 2020-12-02 09:30:36,558 [http-bio-6080-exec-18] DEBUG > org.springframework.security.web.FilterChainProxy$VirtualFilterChain > (FilterChainProxy.java:325) - /service/users/default at position 12 of 16 > in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter' > 2020-12-02 09:30:36,560 [http-bio-6080-exec-18] DEBUG > org.springframework.security.web.authentication.AnonymousAuthenticationFilter > (AnonymousAuthenticationFilter.java:100) - Populated SecurityContextHolder > with anonymous token: > 'org.springframework.security.authentication.AnonymousAuthenticationToken@90579aae: > Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; > Details: > org.springframework.security.web.authentication.WebAuthenticationDetails@2eb76: > RemoteIpAddress: 127.0.0.1; SessionId: 48FDF9BA60D67FCEACE7C6C163398B08; > Granted Authorities: ROLE_ANONYMOUS' > 2020-12-02 09:30:36,560 [http-bio-6080-exec-18] DEBUG > org.springframework.security.web.FilterChainProxy$VirtualFilterChain > (FilterChainProxy.java:325) - /service/users/default at position 13 of 16 > in additional filter chain; firing Filter: 'SessionManagementFilter' > 2020-12-02 09:30:36,561 [http-bio-6080-exec-18] DEBUG > org.springframework.security.web.session.SessionManagementFilter > (SessionManagementFilter.java:124) - Requested session ID > 5CEDC9023EA19CDA63F16A06345616F7 is invalid. > 2020-12-02 09:30:36,561 [http-bio-6080-exec-18] DEBUG > org.springframework.security.web.FilterChainProxy$VirtualFilterChain > (FilterChainProxy.java:325) - /service/users/default at position 14 of 16 > in additional filter chain; firing Filter: 'ExceptionTranslationFilter' > 2020-12-02 09:30:36,561 [http-bio-6080-exec-18] DEBUG > org.springframework.security.web.FilterChainProxy$VirtualFilterChain > (FilterChainProxy.java:325) - /service/users/default at position 15 of 16 > in additional filter chain; firing Filter: 'FilterSecurityInterceptor' > 2020-12-02 09:30:36,561 [http-bio-6080-exec-18] DEBUG > org.springframework.security.access.intercept.AbstractSecurityInterceptor > (AbstractSecurityInterceptor.java:219) - Secure object: FilterInvocation: > URL: /service/users/default; Attributes: [isAuthenticated()] > 2020-12-02 09:30:36,561 [http-bio-6080-exec-18] DEBUG > org.springframework.security.access.intercept.AbstractSecurityInterceptor > (AbstractSecurityInterceptor.java:348) - Previously Authenticated: > org.springframework.security.authentication.AnonymousAuthenticationToken@90579aae: > Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; > Details: > org.springframework.security.web.authentication.WebAuthenticationDetails@2eb76: > RemoteIpAddress: 127.0.0.1; SessionId: 48FDF9BA60D67FCEACE7C6C163398B08; > Granted Authorities: ROLE_ANONYMOUS > 2020-12-02 09:30:36,561 [http-bio-6080-exec-18] DEBUG > org.springframework.security.access.vote.AffirmativeBased > (AffirmativeBased.java:66) - Voter: > org.springframework.security.web.access.expression.WebExpressionVoter@46d48e8a, > returned: -1 > 2020-12-02 09:30:36,562 [http-bio-6080-exec-18] DEBUG > org.springframework.context.support.ReloadableResourceBundleMessageSource > (ReloadableResourceBundleMessageSource.java:501) - Loading properties > [messages.properties] > 2020-12-02 09:30:36,563 [http-bio-6080-exec-18] DEBUG > org.springframework.context.support.ReloadableResourceBundleMessageSource > (ReloadableResourceBundleMessageSource.java:457) - No properties file found > for [WEB-INF/classes/internationalization/messages_en] - neither plain > properties nor XML > 2020-12-02 09:30:36,564 [http-bio-6080-exec-18] DEBUG > org.springframework.security.web.access.ExceptionTranslationFilter > (ExceptionTranslationFilter.java:173) - Access is denied (user is > anonymous); redirecting to authentication entry point > org.springframework.security.access.AccessDeniedException: Access is denied > at > org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) > at > org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233) > at > org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:124) > at > org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91) > at > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) > at > org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:114) > at > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) > at > org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137) > at > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) > at > org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111) > at > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) > at > org.apache.ranger.security.web.filter.RangerCSRFPreventionFilter$ServletFilterHttpInteraction.proceed(RangerCSRFPreventionFilter.java:210) > at > org.apache.ranger.security.web.filter.RangerCSRFPreventionFilter.handleHttpInteraction(RangerCSRFPreventionFilter.java:155) > at > org.apache.ranger.security.web.filter.RangerCSRFPreventionFilter.doFilter(RangerCSRFPreventionFilter.java:165) > at > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) > at > org.apache.ranger.security.web.filter.RangerKRBAuthenticationFilter.doFilter(RangerKRBAuthenticationFilter.java:399) > at > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) > at > org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170) > at > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) > at > org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63) > at > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) > at > org.apache.ranger.security.web.filter.RangerSSOAuthenticationFilter.doFilter(RangerSSOAuthenticationFilter.java:259) > at > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) > at > org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:158) > at > org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) > at > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) > at > org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200) > at > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) > at > org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116) > at > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) > at > org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66) > at > org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) > at > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) > at > org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) > at > org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) > at > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) > at > org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) > at > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) > at > org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214) > at > org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177) > at > org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347) > at > org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263) > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) > at > org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219) > at > org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110) > at > org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:492) > at > org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:165) > at > org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104) > at > org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:1025) > at > org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) > at > org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:452) > at > org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1201) > at > org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:654) > at > org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:317) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) > at > org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) > at java.lang.Thread.run(Thread.java:748) > > --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- > > I'm not sure why anonymousUser is used in this case instead of > rangerusersync. Before the initial sync I could see this: > > --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- > 2020-12-02 08:29:48,769 [http-bio-6080-exec-7] DEBUG > org.springframework.security.ldap.authentication.BindAuthenticator > (BindAuthenticator.java:172) - Failed to bind as > cn=rangerusersync,cn=users,dc=corp,dc=prezi,dc=com: > org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - > 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, > data 52e, v1db1]; nested exception is javax.naming.AuthenticationException: > [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: > AcceptSecurityContext error, data 52e, v1db1] > 2020-12-02 08:29:48,769 [http-bio-6080-exec-7] DEBUG > org.apache.ranger.security.handler.RangerAuthenticationProvider > (RangerAuthenticationProvider.java:262) - LDAP Authentication > Failed:org.springframework.security.authentication.BadCredentialsException: > Bad credentials > at > org.springframework.security.ldap.authentication.BindAuthenticator.authenticate(BindAuthenticator.java:101) > at > org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:187) > at > org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:85) > at > org.apache.ranger.security.handler.RangerAuthenticationProvider.getLdapAuthentication(RangerAuthenticationProvider.java:255) > at > org.apache.ranger.security.handler.RangerAuthenticationProvider.authenticate(RangerAuthenticationProvider.java:104) > at > org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174) > at > org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:199) > at > org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:180) > at > org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) > at > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) > at > org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200) > at > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) > at > org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116) > at > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) > at > org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66) > at > org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) > at > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) > at > org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) > at > org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) > at > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) > at > org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) > at > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) > at > org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214) > at > org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177) > at > org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347) > at > org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263) > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) > at > org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219) > at > org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110) > at > org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:492) > at > org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:165) > at > org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104) > at > org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:1025) > at > org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) > at > org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:452) > at > org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1201) > at > org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:654) > at > org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:317) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) > at > org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) > at java.lang.Thread.run(Thread.java:748) > > --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- > > Can this be because the user rangerusersync is not in ldap? Although in > spite of the error the initial sync was successful and I could see messages > like this later on: > > --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- > 2020-12-02 08:29:49,058 [http-bio-6080-exec-7] INFO > org.apache.ranger.security.listener.SpringEventListener > (SpringEventListener.java:70) - Login Successful:rangerusersync | Ip > Address:127.0.0.1 | sessionId=5CEDC9023EA19CDA63F16A06345616F7 | > Epoch=1606897789058 > 2020-12-02 08:29:49,058 [http-bio-6080-exec-7] DEBUG > springframework.security.web.authentication.www.BasicAuthenticationFilter > (BasicAuthenticationFilter.java:183) - Authentication success: > org.springframework.security.authentication.UsernamePasswordAuthenticationToken@836aa06d: > Principal: org.springframework.security.core.userdetails.User@826172bb: > Username: rangerusersync; Password: [PROTECTED]; Enabled: true; > AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: > true; Granted Authorities: ROLE_SYS_ADMIN; Credentials: [PROTECTED]; > Authenticated: true; Details: > org.springframework.security.web.authentication.WebAuthenticationDetails@fffe3f86: > RemoteIpAddress: 127.0.0.1; SessionId: 5CEDC9023EA19CDA63F16A06345616F7; > Granted Authorities: ROLE_SYS_ADMIN > > --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- > > Let me know if you need any further details. > > Thanks, > Geri > > Sailaja Polavarapu <spolavar...@cloudera.com> ezt írta (időpont: 2020. > dec. 2., Sze, 2:30): > > > > Hi Geri, > > I haven't seen this issue in my local setup. From the above logs, I see > that "valid cookie is saved" after first sync, but in the next sync cycle > usersync is using credential login which is strange. In Usersync, for every > request to ranger admin, first try with the saved cookie (which is the > rangeradminsessionid). If it fails, then try with credentials. Can you > provide ranger admin logs to see - 1. why the session is invalid, 2. why > the rangerusersync creds login is failing. > > > > Thanks, > > Sailaja. > > > > On Sat, Nov 28, 2020 at 5:45 PM Gergely Lendvai < > gergely.lendva...@gmail.com> wrote: > >> > >> Hi! > >> > >> I am trying to solve this for a while, but with no luck so far. I > managed to set up the usersync plugin with ldap (and without kerberos) and > after starting it the initial users are showing up on Ranger, but all the > upcoming hourly syncs are failing with the following error, which is a bit > misleading since it is just a warning: > >> > ------------------------------------------------------------------------------------------------------------------------------- > >> WARN LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - Credentials > response from ranger is 401. > >> > ------------------------------------------------------------------------------------------------------------------------------- > >> > >> I enabled debug logs to get a clearer picture, but what is odd that at > the beginning my credentials are still valid and a new ranger cookie will > be created for the initial sync, but for the next hour something happens. > Here are the first couple of lines from the initial sync: > >> > ------------------------------------------------------------------------------------------------------------------------------- > >> INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of > user/group from source==>sink > >> INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - > LdapDeltaUserGroupBuilder updateSink started > >> INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - Performing user > search first > >> INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - > extendedUserSearchFilter = > (&(objectclass=person)(|(uSNChanged>=0)(modifyTimestamp>=19700101000000Z))) > >> INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - uSNChangedVal = > 5564and currentDeltaSyncTime = 5564 > >> DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - INFO: > addPMAccount(awsadmind-906714de98) > >> DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - ==> > LdapPolicyMgrUserGroupBuilder.getMUser() > >> DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - ==> > LdapPolicyMgrUserGroupBuilder.cookieBasedUploadEntity() > >> DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - ==> > LdapPolicyMgrUserGroupBuilder.tryUploadEntityInfoWithCred() > >> DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - USER GROUP > MAPPING{"loginId":"awsadmind-906714de98","firstName":"awsadmind-906714de98","lastName":"awsadmind-906714de98","userRoleList":[null],"otherA > >> ttributes":"{}"} > >> INFO LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - valid cookie > saved > >> > ------------------------------------------------------------------------------------------------------------------------------- > >> > >> And these are the logs for an upcoming hour: > >> > ------------------------------------------------------------------------------------------------------------------------------- > >> INFO UserGroupSync [UnixUserSyncThread] - Begin: update user/group from > source==>sink > >> INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - > LdapDeltaUserGroupBuilder updateSink started > >> INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - Performing user > search first > >> INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - > extendedUserSearchFilter = > (&(objectclass=person)(|(uSNChanged>=5631)(modifyTimestamp>=19700101000005Z))) > >> INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - uSNChangedVal = > 5564and currentDeltaSyncTime = 5564 > >> DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - INFO: > addPMAccount(awsadmind-906714de98) > >> DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - ==> > LdapPolicyMgrUserGroupBuilder.getMUser() > >> DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - ==> > LdapPolicyMgrUserGroupBuilder.cookieBasedUploadEntity() > >> DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - ==> > LdapPolicyMgrUserGroupBuilder.tryUploadEntityInfoWithCred() > >> DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - USER GROUP > MAPPING{"loginId":"awsadmind-906714de98","firstName":"awsadmind-906714de98","lastName":"awsadmind-906714de98","userRoleList":[null],"otherA > >> ttributes":"{}"} > >> WARN LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - Credentials > response from ranger is 401. > >> > ------------------------------------------------------------------------------------------------------------------------------- > >> > >> Could you help figure this out? I am happy to share more details if > necessary. > >> > >> Thanks, > >> Geri > >>