Hi Lune,

Some of the answers as per my understanding:

>>Q1 - Do you have any idea what could be my problem ?

From the code (security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java), my understanding is that ranger admin first tries to authenticate with the configured authentication method (LDAP/AD/UNIX). If none of these are successful, it falls back to db authentication. In case of system users like rangerusersync, admin, etc., we have these users in ranger db and they should eventually succeed. In this case we still see the “Bad Credentials” error message in the logs.

>>Q2 - Is usersync used when a user try to log in the Ranger Admin UI ?

No. usersync syncs the users from the configured sync source periodically and updates ranger admin. As part of updates to ranger admin, user sync user (rangerusersync) has to go through the authentication process as well.

>>In Ambari UI, in the User info tab, in the User Configs sub-tab, the "Group
>>User map Sync" is enabled. What is the usage of this property ?

For 2.3.2, this flag is used for computing group membership of the user. From 2.3.4 onwards, this flag is not used in the backend (https://issues.apache.org/jira/browse/RANGER-767).

>> So first thing first, where do I have to enter the password for this user
>> rangerusersync in the ranger configuration ?

For rangerusersync user, we first check if “ranger.usersync.policymgr.username”, “ranger.usersync.policymgr.password” and “ranger.usersync.policymgr.alias” are configured. If not, we use the default values for username and password (ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java). If you haven’t changed the default password for rangerusersync user, these properties are not needed.

Thanks,
Sailaja.

From: Lune Silver <lunescar.ran...@gmail.com>
Reply-To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
Date: Friday, May 13, 2016 at 6:39 AM
To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
Subject: Re: Cannot log in the Ranger Admin UI

Sorry there is a typo in my last sentence.
I wanted to write :
So first thing first, where do I have to enter the password for this user rangerusersync in the ranger configuration ?

BR.

Lune

On Fri, May 13, 2016 at 3:37 PM, Lune Silver <lunescar.ran...@gmail.com> wrote:

Hello guys.
Sorry, I had only a few elements before. Now I increased the log level to debug and I see the following error in xa_portal.log :

I saw that there was first an error with the user rangerusersync which was missing in my LDAP. So I created it and I set up a password for it. The password works fine when I try to perform an ldap_search on the LDAP by using the user rangerusersync.

But in the logs, here is what I can see

###
2016-05-13 15:30:07,582 [http-bio-6182-exec-2] DEBUG org.springframework.security.ldap.authentication.BindAuthenticator (BindAuthenticator.java:152) - Failed to bind as uid=rangerusersync,cn=users,cn=accounts,dc=<myrealm>: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
2016-05-13 15:30:07,582 [http-bio-6182-exec-2] DEBUG org.apache.ranger.security.handler.RangerAuthenticationProvider (RangerAuthenticationProvider.java:238) - LDAP Authentication Failed:
org.springframework.security.authentication.BadCredentialsException: Bad credentials
    at org.springframework.security.ldap.authentication.BindAuthenticator.authenticate(BindAuthenticator.java:95)
    at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:178)
    at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:61)
    at org.apache.ranger.security.handler.RangerAuthenticationProvider.getLdapAuthentication(RangerAuthenticationProvider.java:231)
    at org.apache.ranger.security.handler.RangerAuthenticationProvider.authenticate(RangerAuthenticationProvider.java:91)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
    at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:168)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:183)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
###

So first thing first, when do I have to enter the password for this user rangerusersync in the ranger configuration ?

BR.

Lune.

On Fri, May 13, 2016 at 12:11 PM, Don Bosco Durai <bo...@apache.org> wrote:

Sailaja, would you know what is going on here?

Thanks

Bosco

From: Lune Silver <lunescar.ran...@gmail.com>
Reply-To: <user@ranger.incubator.apache.org>
Date: Thursday, May 12, 2016 at 3:39 AM
To: <user@ranger.incubator.apache.org>
Subject: Re: Cannot log in the Ranger Admin UI

As a note, I have :
- User Sync enabled
- In Ambari UI, in the User info tab, in the User Configs sub-tab, the "Group User map Sync" is enabled. What is the usage of this property ?
- In Ambari UI, in the User info tab, in the Group Configs sub-tab, Group Sync is enabled.

BR.

Lune.

On Thu, May 12, 2016 at 12:33 PM, Lune Silver <lunescar.ran...@gmail.com> wrote:

Hello everyone !

I am using HDP 2.3.2 with Ambari 2.2.1.
I installed Ranger Admin and Ranger Usersync with SSL.
They are both green in Ambari UI and there is no error in the logs of both components.

The thing is, when I try to log in the Ranger Admin UI, I always have the following error :

###
2016-05-12 12:14:57,165 [http-bio-6182-exec-8] INFO org.apache.ranger.security.listener.SpringEventListener (SpringEventListener.java:87) - Login Unsuccessful:admin | Ip Address:< IP FROM WHERE I TRY TO CONNECT>| Bad Credentials
###

I'm using an LDAP for the user/group management.

I performed a test with :
- admin, the admin user normally locally defined in Ranger. I got the Bad Credentials error.
- admin, an admin user that I already have in the LDAP, I got the Bad Credentials error
- amb_ranger_admin, the user created in ranger admin in order to allow ambari to create repositories (if I understood well), and I got the Bad Credentials error
- a user lambda in the LDAP, I got the Bad Credentials error

In the "Advanced" tab in Ambari, I have the following configuration :
- Authentication method : LDAP
- LDAP Settings
-- ranger.ldap.base.dn : dc=<myrealm>
-- Bind user : {{ranger_ug_ldap_bind_dn}} : uid=<myuser>,cn=users,cn=accounts,dc= <myrealm>
-- Bind User Password : the password of the bind user (I checked and this password is right)
-- ranger.ldap.group.roleattribute : cn (the attribute to retrieve group, right ?)
-- ranger.ldap.referral : ignore (because I have only one ldap)
-- LDAP URL : {{ranger_ug_ldap_url}} : ldap://<MY LDAP HOST>:389
-- ranger.ldap.user.dnpattern : uid={0},cn=users,cn=accounts,dc=<myrealm>
-- User Search Filter = {{ranger_ug_ldap_user_searchfilter}} : empty (I kept a space character)

Q1 - Do you have any idea what could be my problem ?
Q2 - Is usersync used when a user tries to log in the Ranger Admin UI ?

BR.

Lune.