Hi Berry,

 

Adding the “-iv” option to the curl command shows that the Ranger admin server responds
with HTTP status code 403 – Forbidden.

 
> I'm running with the same Kerberos principal as the admin server is using.

The Ranger admin server principal doesn’t automatically have the privileges necessary
to create a user group. The principal will need either the admin role or user/group
permission. I suggest reviewing the permissions for this principal (under
Settings/Permissions), granting User/Groups permissions (or changing the role of the
user to Admin), and trying again.

 

Thanks,

Madhan

From: Berry Österlund <berry.osterl...@middlecon.se>
Reply-To: "user@ranger.apache.org" <user@ranger.apache.org>
Date: Saturday, December 28, 2024 at 11:21 PM
To: "user@ranger.apache.org" <user@ranger.apache.org>
Subject: Problem with /service/xusers/ugsync/groups REST call

 

Hi

 

I'm doing a fresh installation of Ranger. Pulled from git on 2024-12-24. But
I'm running into a problem with the usersync, and I have boiled it down to the
/service/xusers/ugsync/groups REST call.

This is the data I'm trying to send to that interface.

{
    "vXGroups": [
        {
            "name": "test-group",
            "description": "The Uber-nice test group",
            "groupType": "1",
            "isVisible": "1",
            "groupSource": "1",
            "syncSource": "Unix"
        }
    ]
}

 

curl -H "Content-Type: application/json" -X POST -d @usersync.json --negotiate \
  -u : "https://server1.domain:6182/service/xusers/ugsync/groups"

 

I'm running with the same Kerberos principal as the admin server is using.

 

And this is the response I get.

 

<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<!DOCTYPE html>
<!--[if lt IE 7]><html class="no-js lt-ie9 lt-ie8 lt-ie7"><![endif]-->
<!--[if IE 7]><html class="no-js lt-ie9 lt-ie8"><![endif]-->
<!--[if IE 8]><html class="no-js lt-ie9"><![endif]-->
<!--[if gt IE 8]><!-->
<html class="no-js">
    <!--<![endif]-->
    <head>
        <meta charset="utf-8">
        <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
        <title> Ranger - Sign In</title>
        <meta name="description" content="">
        <meta name="viewport" content="width=device-width">
        <link rel="shortcut icon" href="images/favicon.ico">
        <link href="styles/bootstrap.min.css" media="all" rel="stylesheet" 
type="text/css" id="bootstrap-css">
        <link rel="stylesheet" href="styles/font-awesome.min.css">
        <link href="styles/xa.css" media="all" rel="stylesheet" type="text/css" 
>
        <script src="libs/bower/jquery/js/jquery-3.5.1.js" ></script>
        <script src="scripts/prelogin/XAPrelogin.js" ></script>
        <script type="text/javascript">
            $(document).ready(function() {
                var updateBoxPosition = function() {
                    $('#signin-container').css({
                        'margin-top' : ($(window).height() - 
$('#signin-container').height()) / 2
                    });
                };
                $(window).resize(updateBoxPosition);
                var queryParams = JSON.parse('{"' + 
decodeURI((location.href.split('?')[1] || 'g=0').replace(/=/g, "\":\"")) + 
'"}');
                if(queryParams.sessionTimeout){
                    window.alert('Session Timeout');
                    location.replace("login.jsp");
                }
                setTimeout(updateBoxPosition, 50);
            });
        </script>
    </head>
    <body class="login" style="">

        <!-- Page content
        ================================================== -->
        <section id="signin-container" style="margin-top: 4.5px;">
            <div class="l-logo">
                <img src="images/ranger_logo.png" alt="Ranger logo">
            </div>
            <form action="" method="post" accept-charset="utf-8">
                <fieldset>
                    <div class="fields">
                        <label><i class="fa fa-user"></i> Username:</label>
                        <input type="text" name="username" id="username" 
tabindex="1" autofocus>
                        <label><i class="fa fa-lock"></i> Password:</label>
                        <div class="position-relative">
                            <input type="password" name="password" 
id="password" tabindex="2" autocomplete="off">
                            <i class="fa fa-eye-slash password-icon" 
id="show-password"></i>
                        </div>
                    </div>
                    <span id="errorBox" class="help-inline" 
style="color:white;display:none;"><span class="errorMsg"></span>
                        <i class="fa fa-exclamation-triangle" 
style="color:#ae2817;"></i>
                    </span>
                    <span id="errorBoxUnsynced" class="help-inline" 
style="color:white;display:none;">User is not available in Ranger Admin Tool. 
Please contact your Administrator.
                        <i class="fa fa-exclamation-triangle" 
style="color:#ae2817;"></i>
                    </span>
                    <button type="submit" class="btn btn-primary btn-block" 
id="signIn" tabindex="4" >
                        Sign In
                        <i id="signInLoading" class="fa fa-spin fa-spinner" 
style="display: none;"></i>
                    </button>
                </fieldset>
            </form>
        </section>
    </body>
</html>

 

 

The only thing logged in Ranger admin logs is the following, in the 
catalina.log file.

 

Dec 29, 2024 4:13:07 AM com.sun.jersey.spi.container.ContainerResponse mapMappableContainerException
SEVERE: The RuntimeException could not be mapped to a response, re-throwing to the HTTP container
org.springframework.security.access.AccessDeniedException: Access is denied

+ a very long stacktrace that I can send on request as well.

 

Can anybody help me to figure out what is going wrong here?

 

 

Regards Berry

 

____________________________________________

Berry Österlund

Middlecon AB | Saltmätargatan 8A | 113 59 Stockholm

Tfn: +46 0732 314 300

berry.osterl...@middlecon.se
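
The diagnosis in the reply at the top of this thread (a 403 hidden behind the sign-in page body) can be checked mechanically. The script below is an added example, not part of either message and not Ranger project code; the function names and the sample transcript are constructed for illustration, and it assumes the response was saved with curl's -i option.

```sh
#!/bin/sh
# Added example: classify a saved `curl -i` transcript of a Ranger admin REST call.
# Capture with the curl command from the thread plus -i, redirected to a file:
#   curl -i ... > resp.txt; diagnose_transcript resp.txt

# Constructed sample: a Negotiate challenge followed by the final response.
sample_transcript() {
    printf 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\n\r\n'
    printf 'HTTP/1.1 403 Forbidden\r\nContent-Type: text/html;charset=UTF-8\r\n\r\n'
    printf '<html><head><title> Ranger - Sign In</title></head></html>\n'
}

# diagnose_transcript FILE -> prints "<final status> <diagnosis>"
diagnose_transcript() {
    awk '
        { sub(/\r$/, "") }                       # curl -i keeps CRLF on header lines
        # An auth exchange can hold several responses; the last status line wins.
        /^HTTP\/[0-9.]+ [0-9][0-9][0-9]/ { status = $2; ctype = "" }
        tolower($0) ~ /^content-type:/   { ctype = tolower($0) }
        /<title>[^<]*Sign In<\/title>/   { login = 1 }   # sign-in page in the body
        END {
            html = (ctype ~ /text\/html/)
            if (status == "") {
                status = "000"; msg = "no HTTP status line found"
            } else if (status == "401") {
                msg = "not authenticated: SPNEGO/Kerberos negotiation did not succeed"
            } else if (status == "403") {
                msg = "authenticated but not authorized: principal needs Admin role or User/Groups permission"
                if (login) msg = msg " (body is the sign-in page)"
            } else if (html || login) {
                msg = "HTML page instead of JSON: treat as failure"
            } else if (status ~ /^2/) {
                msg = "accepted"
            } else {
                msg = "unexpected status"
            }
            print status, msg
        }
    ' "$1"
}
```

Judging the call by the body alone is misleading here, because the HTML sign-in page is returned together with the 403; the final status line is what separates an authentication failure from a missing permission.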
