Hi Sailaja,
Did you have the chance to take a look at the logs?
Cheers,
Geri
On Wed, Dec 2, 2020, 12:51 Gergely Lendvai <gergely.lendva...@gmail.com>
wrote:
> Hi Sailaja,
>
> I could see this when the 401s happened, the cookie seems to be invalid
> after the 1 hour wait since the first sync.
>
> ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> 2020-12-02 09:30:36,553 [http-bio-6080-Acceptor-0] DEBUG
> org.apache.tomcat.util.threads.LimitLatch (LimitLatch.java:113) - Counting
> up[http-bio-6080-Acceptor-0] latch=5
> 2020-12-02 09:30:36,554 [http-bio-6080-exec-18] DEBUG
> org.apache.tomcat.util.http.Cookies (Cookies.java:184) - Cookies: Parsing
> b[]:
> $Version=1;RANGERADMINSESSIONID=5CEDC9023EA19CDA63F16A06345616F7;$Path=/
> 2020-12-02 09:30:36,554 [http-bio-6080-exec-18] DEBUG
> org.apache.catalina.connector.CoyoteAdapter (CoyoteAdapter.java:1152) -
> Requested cookie session id is 5CEDC9023EA19CDA63F16A06345616F7
> 2020-12-02 09:30:36,554 [http-bio-6080-exec-18] DEBUG
> org.apache.catalina.authenticator.AuthenticatorBase
> (AuthenticatorBase.java:458) - Security checking request POST
> /service/users/default
> 2020-12-02 09:30:36,555 [http-bio-6080-exec-18] DEBUG
> org.apache.catalina.realm.RealmBase (RealmBase.java:694) - No applicable
> constraints defined
> 2020-12-02 09:30:36,555 [http-bio-6080-exec-18] DEBUG
> org.apache.catalina.authenticator.AuthenticatorBase
> (AuthenticatorBase.java:490) - Not subject to any constraint
> 2020-12-02 09:30:36,555 [http-bio-6080-exec-18] DEBUG
> springframework.security.web.util.matcher.AntPathRequestMatcher
> (AntPathRequestMatcher.java:176) - Checking match of request :
> '/service/users/default'; against '/login.jsp'
> 2020-12-02 09:30:36,555 [http-bio-6080-exec-18] DEBUG
> springframework.security.web.util.matcher.AntPathRequestMatcher
> (AntPathRequestMatcher.java:176) - Checking match of request :
> '/service/users/default'; against '/styles/**'
> 2020-12-02 09:30:36,555 [http-bio-6080-exec-18] DEBUG
> springframework.security.web.util.matcher.AntPathRequestMatcher
> (AntPathRequestMatcher.java:176) - Checking match of request :
> '/service/users/default'; against '/fonts/**'
> 2020-12-02 09:30:36,555 [http-bio-6080-exec-18] DEBUG
> springframework.security.web.util.matcher.AntPathRequestMatcher
> (AntPathRequestMatcher.java:176) - Checking match of request :
> '/service/users/default'; against '/scripts/prelogin/XAPrelogin.js'
> 2020-12-02 09:30:36,555 [http-bio-6080-exec-18] DEBUG
> springframework.security.web.util.matcher.AntPathRequestMatcher
> (AntPathRequestMatcher.java:176) - Checking match of request :
> '/service/users/default'; against '/libs/bower/jquery/js/jquery-3.5.1.js'
> 2020-12-02 09:30:36,555 [http-bio-6080-exec-18] DEBUG
> springframework.security.web.util.matcher.AntPathRequestMatcher
> (AntPathRequestMatcher.java:176) - Checking match of request :
> '/service/users/default'; against '/images/ranger_logo.png'
> 2020-12-02 09:30:36,555 [http-bio-6080-exec-18] DEBUG
> springframework.security.web.util.matcher.AntPathRequestMatcher
> (AntPathRequestMatcher.java:176) - Checking match of request :
> '/service/users/default'; against '/images/favicon.ico'
> 2020-12-02 09:30:36,555 [http-bio-6080-exec-18] DEBUG
> springframework.security.web.util.matcher.AntPathRequestMatcher
> (AntPathRequestMatcher.java:176) - Checking match of request :
> '/service/users/default'; against '/service/assets/policyList/*'
> 2020-12-02 09:30:36,555 [http-bio-6080-exec-18] DEBUG
> springframework.security.web.util.matcher.AntPathRequestMatcher
> (AntPathRequestMatcher.java:176) - Checking match of request :
> '/service/users/default'; against '/service/assets/resources/grant'
> 2020-12-02 09:30:36,555 [http-bio-6080-exec-18] DEBUG
> springframework.security.web.util.matcher.AntPathRequestMatcher
> (AntPathRequestMatcher.java:176) - Checking match of request :
> '/service/users/default'; against '/service/assets/resources/revoke'
> 2020-12-02 09:30:36,556 [http-bio-6080-exec-18] DEBUG
> springframework.security.web.util.matcher.AntPathRequestMatcher
> (AntPathRequestMatcher.java:176) - Checking match of request :
> '/service/users/default'; against '/service/plugins/policies/download/*'
> 2020-12-02 09:30:36,556 [http-bio-6080-exec-18] DEBUG
> springframework.security.web.util.matcher.AntPathRequestMatcher
> (AntPathRequestMatcher.java:176) - Checking match of request :
> '/service/users/default'; against '/service/plugins/services/grant/*'
> 2020-12-02 09:30:36,556 [http-bio-6080-exec-18] DEBUG
> springframework.security.web.util.matcher.AntPathRequestMatcher
> (AntPathRequestMatcher.java:176) - Checking match of request :
> '/service/users/default'; against '/service/plugins/services/revoke/*'
> 2020-12-02 09:30:36,556 [http-bio-6080-exec-18] DEBUG
> springframework.security.web.util.matcher.AntPathRequestMatcher
> (AntPathRequestMatcher.java:176) - Checking match of request :
> '/service/users/default'; against '/service/tags/download/*'
> 2020-12-02 09:30:36,556 [http-bio-6080-exec-18] DEBUG
> springframework.security.web.util.matcher.AntPathRequestMatcher
> (AntPathRequestMatcher.java:176) - Checking match of request :
> '/service/users/default'; against '/service/roles/download/*'
> 2020-12-02 09:30:36,556 [http-bio-6080-exec-18] DEBUG
> springframework.security.web.util.matcher.AntPathRequestMatcher
> (AntPathRequestMatcher.java:176) - Checking match of request :
> '/service/users/default'; against '/service/metrics/status'
> 2020-12-02 09:30:36,556 [http-bio-6080-exec-18] DEBUG
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain
> (FilterChainProxy.java:325) - /service/users/default at position 1 of 16 in
> additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
> 2020-12-02 09:30:36,556 [http-bio-6080-exec-18] DEBUG
> org.springframework.security.web.context.SecurityContextPersistenceFilter
> (SecurityContextPersistenceFilter.java:94) - Eagerly created session:
> 48FDF9BA60D67FCEACE7C6C163398B08
> 2020-12-02 09:30:36,556 [http-bio-6080-exec-18] DEBUG
> org.springframework.security.web.context.HttpSessionSecurityContextRepository
> (HttpSessionSecurityContextRepository.java:186) - HttpSession returned null
> object for SPRING_SECURITY_CONTEXT
> 2020-12-02 09:30:36,556 [http-bio-6080-exec-18] DEBUG
> org.springframework.security.web.context.HttpSessionSecurityContextRepository
> (HttpSessionSecurityContextRepository.java:116) - No SecurityContext was
> available from the HttpSession:
> org.apache.catalina.session.StandardSessionFacade@4ac271d4. A new one
> will be created.
> 2020-12-02 09:30:36,557 [http-bio-6080-exec-18] DEBUG
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain
> (FilterChainProxy.java:325) - /service/users/default at position 2 of 16 in
> additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
> 2020-12-02 09:30:36,557 [http-bio-6080-exec-18] DEBUG
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain
> (FilterChainProxy.java:325) - /service/users/default at position 3 of 16 in
> additional filter chain; firing Filter: 'HeaderWriterFilter'
> 2020-12-02 09:30:36,557 [http-bio-6080-exec-18] DEBUG
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain
> (FilterChainProxy.java:325) - /service/users/default at position 4 of 16 in
> additional filter chain; firing Filter: 'LogoutFilter'
> 2020-12-02 09:30:36,557 [http-bio-6080-exec-18] DEBUG
> springframework.security.web.util.matcher.AntPathRequestMatcher
> (AntPathRequestMatcher.java:176) - Checking match of request :
> '/service/users/default'; against '/logout'
> 2020-12-02 09:30:36,557 [http-bio-6080-exec-18] DEBUG
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain
> (FilterChainProxy.java:325) - /service/users/default at position 5 of 16 in
> additional filter chain; firing Filter:
> 'RangerUsernamePasswordAuthenticationFilter'
> 2020-12-02 09:30:36,557 [http-bio-6080-exec-18] DEBUG
> springframework.security.web.util.matcher.AntPathRequestMatcher
> (AntPathRequestMatcher.java:176) - Checking match of request :
> '/service/users/default'; against '/login'
> 2020-12-02 09:30:36,557 [http-bio-6080-exec-18] DEBUG
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain
> (FilterChainProxy.java:325) - /service/users/default at position 6 of 16 in
> additional filter chain; firing Filter: 'BasicAuthenticationFilter'
> 2020-12-02 09:30:36,557 [http-bio-6080-exec-18] DEBUG
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain
> (FilterChainProxy.java:325) - /service/users/default at position 7 of 16 in
> additional filter chain; firing Filter: 'RangerSSOAuthenticationFilter'
> 2020-12-02 09:30:36,558 [http-bio-6080-exec-18] DEBUG
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain
> (FilterChainProxy.java:325) - /service/users/default at position 8 of 16 in
> additional filter chain; firing Filter: 'RequestCacheAwareFilter'
> 2020-12-02 09:30:36,558 [http-bio-6080-exec-18] DEBUG
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain
> (FilterChainProxy.java:325) - /service/users/default at position 9 of 16 in
> additional filter chain; firing Filter:
> 'SecurityContextHolderAwareRequestFilter'
> 2020-12-02 09:30:36,558 [http-bio-6080-exec-18] DEBUG
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain
> (FilterChainProxy.java:325) - /service/users/default at position 10 of 16
> in additional filter chain; firing Filter: 'RangerKRBAuthenticationFilter'
> 2020-12-02 09:30:36,558 [http-bio-6080-exec-18] DEBUG
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain
> (FilterChainProxy.java:325) - /service/users/default at position 11 of 16
> in additional filter chain; firing Filter: 'RangerCSRFPreventionFilter'
> 2020-12-02 09:30:36,558 [http-bio-6080-exec-18] DEBUG
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain
> (FilterChainProxy.java:325) - /service/users/default at position 12 of 16
> in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
> 2020-12-02 09:30:36,560 [http-bio-6080-exec-18] DEBUG
> org.springframework.security.web.authentication.AnonymousAuthenticationFilter
> (AnonymousAuthenticationFilter.java:100) - Populated SecurityContextHolder
> with anonymous token:
> 'org.springframework.security.authentication.AnonymousAuthenticationToken@90579aae:
> Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true;
> Details:
> org.springframework.security.web.authentication.WebAuthenticationDetails@2eb76:
> RemoteIpAddress: 127.0.0.1; SessionId: 48FDF9BA60D67FCEACE7C6C163398B08;
> Granted Authorities: ROLE_ANONYMOUS'
> 2020-12-02 09:30:36,560 [http-bio-6080-exec-18] DEBUG
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain
> (FilterChainProxy.java:325) - /service/users/default at position 13 of 16
> in additional filter chain; firing Filter: 'SessionManagementFilter'
> 2020-12-02 09:30:36,561 [http-bio-6080-exec-18] DEBUG
> org.springframework.security.web.session.SessionManagementFilter
> (SessionManagementFilter.java:124) - Requested session ID
> 5CEDC9023EA19CDA63F16A06345616F7 is invalid.
> 2020-12-02 09:30:36,561 [http-bio-6080-exec-18] DEBUG
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain
> (FilterChainProxy.java:325) - /service/users/default at position 14 of 16
> in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
> 2020-12-02 09:30:36,561 [http-bio-6080-exec-18] DEBUG
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain
> (FilterChainProxy.java:325) - /service/users/default at position 15 of 16
> in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
> 2020-12-02 09:30:36,561 [http-bio-6080-exec-18] DEBUG
> org.springframework.security.access.intercept.AbstractSecurityInterceptor
> (AbstractSecurityInterceptor.java:219) - Secure object: FilterInvocation:
> URL: /service/users/default; Attributes: [isAuthenticated()]
> 2020-12-02 09:30:36,561 [http-bio-6080-exec-18] DEBUG
> org.springframework.security.access.intercept.AbstractSecurityInterceptor
> (AbstractSecurityInterceptor.java:348) - Previously Authenticated:
> org.springframework.security.authentication.AnonymousAuthenticationToken@90579aae:
> Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true;
> Details:
> org.springframework.security.web.authentication.WebAuthenticationDetails@2eb76:
> RemoteIpAddress: 127.0.0.1; SessionId: 48FDF9BA60D67FCEACE7C6C163398B08;
> Granted Authorities: ROLE_ANONYMOUS
> 2020-12-02 09:30:36,561 [http-bio-6080-exec-18] DEBUG
> org.springframework.security.access.vote.AffirmativeBased
> (AffirmativeBased.java:66) - Voter:
> org.springframework.security.web.access.expression.WebExpressionVoter@46d48e8a,
> returned: -1
> 2020-12-02 09:30:36,562 [http-bio-6080-exec-18] DEBUG
> org.springframework.context.support.ReloadableResourceBundleMessageSource
> (ReloadableResourceBundleMessageSource.java:501) - Loading properties
> [messages.properties]
> 2020-12-02 09:30:36,563 [http-bio-6080-exec-18] DEBUG
> org.springframework.context.support.ReloadableResourceBundleMessageSource
> (ReloadableResourceBundleMessageSource.java:457) - No properties file found
> for [WEB-INF/classes/internationalization/messages_en] - neither plain
> properties nor XML
> 2020-12-02 09:30:36,564 [http-bio-6080-exec-18] DEBUG
> org.springframework.security.web.access.ExceptionTranslationFilter
> (ExceptionTranslationFilter.java:173) - Access is denied (user is
> anonymous); redirecting to authentication entry point
> org.springframework.security.access.AccessDeniedException: Access is denied
> at
> org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84)
> at
> org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233)
> at
> org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:124)
> at
> org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91)
> at
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
> at
> org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:114)
> at
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
> at
> org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
> at
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
> at
> org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
> at
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
> at
> org.apache.ranger.security.web.filter.RangerCSRFPreventionFilter$ServletFilterHttpInteraction.proceed(RangerCSRFPreventionFilter.java:210)
> at
> org.apache.ranger.security.web.filter.RangerCSRFPreventionFilter.handleHttpInteraction(RangerCSRFPreventionFilter.java:155)
> at
> org.apache.ranger.security.web.filter.RangerCSRFPreventionFilter.doFilter(RangerCSRFPreventionFilter.java:165)
> at
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
> at
> org.apache.ranger.security.web.filter.RangerKRBAuthenticationFilter.doFilter(RangerKRBAuthenticationFilter.java:399)
> at
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
> at
> org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170)
> at
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
> at
> org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
> at
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
> at
> org.apache.ranger.security.web.filter.RangerSSOAuthenticationFilter.doFilter(RangerSSOAuthenticationFilter.java:259)
> at
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
> at
> org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:158)
> at
> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
> at
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
> at
> org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200)
> at
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
> at
> org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
> at
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
> at
> org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66)
> at
> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
> at
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
> at
> org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
> at
> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
> at
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
> at
> org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
> at
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
> at
> org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
> at
> org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
> at
> org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
> at
> org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
> at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
> at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
> at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
> at
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:492)
> at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:165)
> at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
> at
> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:1025)
> at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
> at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:452)
> at
> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1201)
> at
> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:654)
> at
> org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:317)
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> at
> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> at java.lang.Thread.run(Thread.java:748)
>
> ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> I'm not sure why anonymousUser is used in this case instead of
> rangerusersync. Before the initial sync I could see this:
>
> ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> 2020-12-02 08:29:48,769 [http-bio-6080-exec-7] DEBUG
> org.springframework.security.ldap.authentication.BindAuthenticator
> (BindAuthenticator.java:172) - Failed to bind as
> cn=rangerusersync,cn=users,dc=corp,dc=prezi,dc=com:
> org.springframework.ldap.AuthenticationException: [LDAP: error code 49 -
> 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error,
> data 52e, v1db1]; nested exception is javax.naming.AuthenticationException:
> [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment:
> AcceptSecurityContext error, data 52e, v1db1]
> 2020-12-02 08:29:48,769 [http-bio-6080-exec-7] DEBUG
> org.apache.ranger.security.handler.RangerAuthenticationProvider
> (RangerAuthenticationProvider.java:262) - LDAP Authentication
> Failed:org.springframework.security.authentication.BadCredentialsException:
> Bad credentials
> at
> org.springframework.security.ldap.authentication.BindAuthenticator.authenticate(BindAuthenticator.java:101)
> at
> org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:187)
> at
> org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:85)
> at
> org.apache.ranger.security.handler.RangerAuthenticationProvider.getLdapAuthentication(RangerAuthenticationProvider.java:255)
> at
> org.apache.ranger.security.handler.RangerAuthenticationProvider.authenticate(RangerAuthenticationProvider.java:104)
> at
> org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
> at
> org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:199)
> at
> org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:180)
> at
> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
> at
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
> at
> org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200)
> at
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
> at
> org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
> at
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
> at
> org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66)
> at
> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
> at
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
> at
> org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
> at
> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
> at
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
> at
> org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
> at
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
> at
> org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
> at
> org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
> at
> org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
> at
> org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
> at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
> at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
> at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
> at
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:492)
> at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:165)
> at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
> at
> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:1025)
> at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
> at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:452)
> at
> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1201)
> at
> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:654)
> at
> org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:317)
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> at
> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> at java.lang.Thread.run(Thread.java:748)
>
> ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Can this be because the user rangerusersync is not in ldap? Although in
> spite of the error the initial sync was successful and I could see messages
> like this later on:
>
> ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> 2020-12-02 08:29:49,058 [http-bio-6080-exec-7] INFO
> org.apache.ranger.security.listener.SpringEventListener
> (SpringEventListener.java:70) - Login Successful:rangerusersync | Ip
> Address:127.0.0.1 | sessionId=5CEDC9023EA19CDA63F16A06345616F7 |
> Epoch=1606897789058
> 2020-12-02 08:29:49,058 [http-bio-6080-exec-7] DEBUG
> springframework.security.web.authentication.www.BasicAuthenticationFilter
> (BasicAuthenticationFilter.java:183) - Authentication success:
> org.springframework.security.authentication.UsernamePasswordAuthenticationToken@836aa06d:
> Principal: org.springframework.security.core.userdetails.User@826172bb:
> Username: rangerusersync; Password: [PROTECTED]; Enabled: true;
> AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked:
> true; Granted Authorities: ROLE_SYS_ADMIN; Credentials: [PROTECTED];
> Authenticated: true; Details:
> org.springframework.security.web.authentication.WebAuthenticationDetails@fffe3f86:
> RemoteIpAddress: 127.0.0.1; SessionId: 5CEDC9023EA19CDA63F16A06345616F7;
> Granted Authorities: ROLE_SYS_ADMIN
>
> ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Let me know if you need any further details.
>
> Thanks,
> Geri
>
> Sailaja Polavarapu <spolavar...@cloudera.com> ezt írta (időpont: 2020.
> dec. 2., Sze, 2:30):
> >
> > Hi Geri,
> > I haven't seen this issue in my local setup. From the above logs, I see
> that "valid cookie is saved" after first sync, but in the next sync cycle
> usersync is using credential login which is strange. In Usersync, for every
> request to ranger admin, first try with the saved cookie (which is the
> rangeradminsessionid). If it fails, then try with credentials. Can you
> provide ranger admin logs to see - 1. why the session is invalid, 2. why
> the rangerusersync creds login is failing.
> >
> > Thanks,
> > Sailaja.
> >
> > On Sat, Nov 28, 2020 at 5:45 PM Gergely Lendvai <
> gergely.lendva...@gmail.com> wrote:
> >>
> >> Hi!
> >>
> >> I am trying to solve this for a while, but with no luck so far. I
> managed to set up the usersync plugin with ldap (and without kerberos) and
> after starting it the initial users are showing up on Ranger, but all the
> upcoming hourly syncs are failing with the following error, which is a bit
> misleading since it is just a warning:
> >>
> -------------------------------------------------------------------------------------------------------------------------------
> >> WARN LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - Credentials
> response from ranger is 401.
> >>
> -------------------------------------------------------------------------------------------------------------------------------
> >>
> >> I enabled debug logs to get a clearer picture, but what is odd that at
> the beginning my credentials are still valid and a new ranger cookie will
> be created for the initial sync, but for the next hour something happens.
> Here are the first couple of lines from the initial sync:
> >>
> -------------------------------------------------------------------------------------------------------------------------------
> >> INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of
> user/group from source==>sink
> >> INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] -
> LdapDeltaUserGroupBuilder updateSink started
> >> INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - Performing user
> search first
> >> INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] -
> extendedUserSearchFilter =
> (&(objectclass=person)(|(uSNChanged>=0)(modifyTimestamp>=19700101000000Z)))
> >> INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - uSNChangedVal =
> 5564and currentDeltaSyncTime = 5564
> >> DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - INFO:
> addPMAccount(awsadmind-906714de98)
> >> DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - ==>
> LdapPolicyMgrUserGroupBuilder.getMUser()
> >> DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - ==>
> LdapPolicyMgrUserGroupBuilder.cookieBasedUploadEntity()
> >> DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - ==>
> LdapPolicyMgrUserGroupBuilder.tryUploadEntityInfoWithCred()
> >> DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - USER GROUP
> MAPPING{"loginId":"awsadmind-906714de98","firstName":"awsadmind-906714de98","lastName":"awsadmind-906714de98","userRoleList":[null],"otherA
> >> ttributes":"{}"}
> >> INFO LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - valid cookie
> saved
> >>
> -------------------------------------------------------------------------------------------------------------------------------
> >>
> >> And these are the logs for an upcoming hour:
> >>
> -------------------------------------------------------------------------------------------------------------------------------
> >> INFO UserGroupSync [UnixUserSyncThread] - Begin: update user/group from
> source==>sink
> >> INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] -
> LdapDeltaUserGroupBuilder updateSink started
> >> INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - Performing user
> search first
> >> INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] -
> extendedUserSearchFilter =
> (&(objectclass=person)(|(uSNChanged>=5631)(modifyTimestamp>=19700101000005Z)))
> >> INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - uSNChangedVal =
> 5564and currentDeltaSyncTime = 5564
> >> DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - INFO:
> addPMAccount(awsadmind-906714de98)
> >> DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - ==>
> LdapPolicyMgrUserGroupBuilder.getMUser()
> >> DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - ==>
> LdapPolicyMgrUserGroupBuilder.cookieBasedUploadEntity()
> >> DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - ==>
> LdapPolicyMgrUserGroupBuilder.tryUploadEntityInfoWithCred()
> >> DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - USER GROUP
> MAPPING{"loginId":"awsadmind-906714de98","firstName":"awsadmind-906714de98","lastName":"awsadmind-906714de98","userRoleList":[null],"otherA
> >> ttributes":"{}"}
> >> WARN LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - Credentials
> response from ranger is 401.
> >>
> -------------------------------------------------------------------------------------------------------------------------------
> >>
> >> Could you help figure this out? I am happy to share more details if
> necessary.
> >>
> >> Thanks,
> >> Geri
>
>>
