Loïc, Thanks. Please file the JIRA.
Regards
Bosco

From: Loïc Chanel <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Thursday, July 16, 2015 at 6:08 PM
To: "[email protected]" <[email protected]>, "[email protected]" <[email protected]>
Subject: Re: Issues with UserSync

> Hi all !
>
> As I was working on the subject with a colleague of mine, he found out the
> handshake exception in UserSync logs that comes every minute is actually
> linked to Ambari metrics that just checks that UserSync is alive but does not
> perform a complete handshake before returning.
>
> I will file a JIRA later about this issue.
>
> Regards,
>
>
> Loïc
>
> Loïc CHANEL
> Engineering student at TELECOM Nancy
> Trainee at Worldline - Villeurbanne
>
> 2015-06-12 14:54 GMT+02:00 Loïc Chanel <[email protected]>:
>> Dilli,
>>
>> Sorry for answering this late, but yes that is actually exactly what I want
>> to do, and no matter what its configuration is Ranger UserSync keeps returning
>> me the same error I talked about in my first email.
>>
>> As I know this Handshake exception is often linked to certificate issues, I
>> triple-checked that LDAP certificates are in the certificates trusted by
>> Java, but it seems that the error persists.
>> Do you have an idea about where it might come from ?
>>
>> Thanks,
>>
>>
>> Loïc
>>
>> Loïc CHANEL
>> Engineering student at TELECOM Nancy
>> Trainee at Worldline - Villeurbanne
>>
>> 2015-06-09 21:36 GMT+02:00 Dilli Arumugam <[email protected]>:
>>> Assuming your users are in LDAP, what you need to do is:
>>> Make user Ranger UserSync and NameNode ldap group mapping provider point to
>>> the same LDAP.
>>>
>>> Please see the following for some help.
>>> http://hortonworks.com/blog/hadoop-groupmapping-ldap-integration/
>>>
>>> Thanks
>>> Dilli
>>>
>>> From: Loïc Chanel <[email protected]>
>>> Reply-To: "[email protected]" <[email protected]>
>>> Date: Tuesday, June 9, 2015 8:29 AM
>>> To: "[email protected]" <[email protected]>
>>> Subject: Re: Issues with UserSync
>>>
>>> Hi Dilli,
>>>
>>> First of all, thanks for answering so fast.
>>>
>>> Actually, I would like to have some synchronization between RangerAdmin UI
>>> and NameNode users, in order to manage Users and authorizations directly
>>> from RangerAdmin UI.
>>>
>>> Is it possible somehow via Ranger UserSync ?
>>>
>>> Thanks,
>>>
>>>
>>> Loïc
>>>
>>> Loïc CHANEL
>>> Engineering student at TELECOM Nancy
>>> Trainee at Worldline - Villeurbanne
>>>
>>> 2015-06-09 17:18 GMT+02:00 Dilli Arumugam <[email protected]>:
>>>> Please note that user/group mapping that you see in RangerAdmin UI is only
>>>> used for policy definition time.
>>>> At policy enforcement time, user group membership is computed by NameNode
>>>> based on group mapping provider defined in NameNode.
>>>>
>>>> You can check what NameNode sees as groups that a user belongs to by
>>>> issuing command
>>>>
>>>>     hdfs groups sam
>>>>
>>>> Sam is sample username here.
>>>> You would use your username in its place.
>>>> Thanks
>>>> Dilli
>>>>
>>>> From: Loïc Chanel <[email protected]>
>>>> Reply-To: "[email protected]" <[email protected]>
>>>> Date: Tuesday, June 9, 2015 7:39 AM
>>>> To: "[email protected]" <[email protected]>
>>>> Subject: Issues with UserSync
>>>>
>>>> Hi All,
>>>>
>>>> As I am using Ranger with Unix authentication to manage the security of
>>>> HDFS on my cluster, I could not help but notice that even if I add users to
>>>> groups in the Ranger console, Ranger cannot find to which groups they
>>>> belong, and therefore does not authorize them to perform actions they should
>>>> be able to do.
>>>>
>>>> As I thought this issue came from UserSync, I noticed that in its logs the
>>>> following exception is printed every minute :
>>>>
>>>> ERROR PasswordValidator [Thread-22] - Response [FAILED: unable to validate due to error javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake] for user: null
>>>> javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
>>>>     at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
>>>>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
>>>>     at sun.security.ssl.SSLSocketImpl.readDataRecord(Unknown Source)
>>>>     at sun.security.ssl.AppInputStream.read(Unknown Source)
>>>>     at sun.nio.cs.StreamDecoder.readBytes(Unknown Source)
>>>>     at sun.nio.cs.StreamDecoder.implRead(Unknown Source)
>>>>     at sun.nio.cs.StreamDecoder.read(Unknown Source)
>>>>     at java.io.InputStreamReader.read(Unknown Source)
>>>>     at java.io.BufferedReader.fill(Unknown Source)
>>>>     at java.io.BufferedReader.readLine(Unknown Source)
>>>>     at java.io.BufferedReader.readLine(Unknown Source)
>>>>     at com.xasecure.authentication.PasswordValidator.run(PasswordValidator.java:58)
>>>>     at java.lang.Thread.run(Unknown Source)
>>>> Caused by: java.io.EOFException: SSL peer shut down incorrectly
>>>>     at sun.security.ssl.InputRecord.read(Unknown Source)
>>>>     ... 13 more
>>>>
>>>> As usually this is the sign of a problem of missing certificate, I ensured
>>>> the certificate corresponding to Unix authentication (<host>:5151) is in
>>>> Java truststore and restarted the NameNode and Ranger, but nothing changed.
>>>>
>>>> When looking a little bit more into RangerAdmin and RangerUserSync logs, it
>>>> seems that RangerAdmin is the source of the problem, closing the connection
>>>> before handshake is fully established, but I have no idea about how to
>>>> correct it.
>>>>
>>>> Did someone encounter this error too ? Did I miss something ?
>>>>
>>>> Thanks in advance for your help,
>>>>
>>>>
>>>> Loïc
>>>>
>>>> Loïc CHANEL
>>>> Engineering student at TELECOM Nancy
>>>> Trainee at Worldline - Villeurbanne
>>>
>>
>
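
Added example (not part of the original thread, and not Ranger or Ambari code): the thread traces the once-a-minute handshake exception to a liveness check that connects and leaves before completing the handshake. The Python sketch below separates that fixed-interval pattern from other handshake failures in a UserSync log; the timestamp layout, the sample lines, the thresholds and the `certificate_unknown` contrast line are constructed assumptions.

```python
import re
from datetime import datetime
from statistics import median

# Constructed sample input. The timestamp prefix is an assumed log4j layout; the
# first reason is the one quoted in the thread, the second is a constructed
# contrast case (a peer that rejected the certificate instead of hanging up).
TEMPLATE = ("{ts} ERROR PasswordValidator [Thread-22] - Response [FAILED: unable "
            "to validate due to error javax.net.ssl.SSLHandshakeException: "
            "{reason}] for user: null")
CLOSED = "Remote host closed connection during handshake"
REJECTED = "Received fatal alert: certificate_unknown"
SAMPLE = "\n".join(TEMPLATE.format(ts=t, reason=r) for t, r in [
    ("2015-07-16 10:00:03", CLOSED), ("2015-07-16 10:01:03", CLOSED),
    ("2015-07-16 10:02:04", CLOSED), ("2015-07-16 10:02:40", REJECTED),
    ("2015-07-16 10:03:03", CLOSED), ("2015-07-16 10:04:03", CLOSED)])

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ERROR PasswordValidator .*?"
    r"SSLHandshakeException: (?P<reason>[^\]]+)\] for user: \S+")

def parse(log_text):
    """Return (timestamp, reason) for every handshake failure line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["reason"].strip()))
    return events

def classify(events, min_events=4, jitter=5.0):
    """Map each reason to ('probe-like', period_seconds) or ('investigate', None)."""
    by_reason = {}
    for ts, reason in events:
        by_reason.setdefault(reason, []).append(ts)
    verdicts = {}
    for reason, stamps in by_reason.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # A fixed-interval run of early disconnects fits a liveness check that
        # opens the port and leaves; anything else deserves a closer look.
        periodic = len(stamps) >= min_events and all(
            abs(g - median(gaps)) <= jitter for g in gaps)
        if periodic and reason == CLOSED:
            verdicts[reason] = ("probe-like", median(gaps))
        else:
            verdicts[reason] = ("investigate", None)
    return verdicts

if __name__ == "__main__":
    for reason, verdict in classify(parse(SAMPLE)).items():
        print(verdict, reason)
```

A "probe-like" verdict only says the timing fits a monitor; confirming it still means matching the connecting address against the monitoring host.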
