In fact, it uses by default the JDK cacert. https://issues.apache.org/jira/browse/AMBARI-15917
So I'm wondering if I'm not using the wrong truststore for ranger admin in fact.

BR.

Lune

On Wed, May 18, 2016 at 9:27 AM, Lune Silver <lunescar.ran...@gmail.com> wrote:

> In fact, I'm wondering.
> What is the truststore used by default by Ranger Admin?
>
> I can find a property for the truststore of Ranger User-Sync, but not for
> Ranger Admin.
>
> BR.
>
> Lune.
>
> On Wed, May 18, 2016 at 9:16 AM, Lune Silver <lunescar.ran...@gmail.com> wrote:
>
>> Re Ramesh.
>>
>> I investigated my problem more and I'm sorry for the confusion.
>> I checked the policy cache directory on the namenode, and also the logs
>> of the namenode.
>>
>> The policycache dir contains an empty file.
>> And the namenode log contains the following error message:
>> ###
>> 2016-05-18 08:53:50,129 ERROR client.RangerAdminRESTClient (RangerAdminRESTClient.java:getServicePoliciesIfUpdated(79)) - Error getting policies. request=https://<RANGER HOST FQDN>:<RANGER ADMIN PORT>/service/plugins/policies/download/<HDFS REPO>?lastKnownVersion=-1&pluginId=hdfs@<NAMENODE HOST FQDN>-<HDFS REPO>, response={"httpStatusCode":400,"statusCode":1,"msgDesc":"Unauthorized access - unable to get client certificate","messageList":[{"name":"OPER_NOT_ALLOWED_FOR_ENTITY","rbKey":"xa.error.oper_not_allowed_for_state","message":"Operation not allowed for entity"}]}, serviceName=<HDFS REPO>
>> 2016-05-18 08:53:50,130 ERROR util.PolicyRefresher (PolicyRefresher.java:loadPolicyfromPolicyAdmin(228)) - PolicyRefresher(serviceName=<HDFS REPO>): failed to refresh policies. Will continue to use last known version of policies (-1)
>> java.lang.Exception: Unauthorized access - unable to get client certificate
>>     at org.apache.ranger.admin.client.RangerAdminRESTClient.getServicePoliciesIfUpdated(RangerAdminRESTClient.java:81)
>>     at org.apache.ranger.plugin.util.PolicyRefresher.loadPolicyfromPolicyAdmin(PolicyRefresher.java:205)
>>     at org.apache.ranger.plugin.util.PolicyRefresher.loadPolicy(PolicyRefresher.java:175)
>>     at org.apache.ranger.plugin.util.PolicyRefresher.startRefresher(PolicyRefresher.java:132)
>>     at org.apache.ranger.plugin.service.RangerBasePlugin.init(RangerBasePlugin.java:106)
>>     at org.apache.ranger.authorization.hadoop.RangerHdfsPlugin.init(RangerHdfsAuthorizer.java:399)
>>     at org.apache.ranger.authorization.hadoop.RangerHdfsAuthorizer.start(RangerHdfsAuthorizer.java:83)
>>     at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.startCommonServices(FSNamesystem.java:1062)
>>     at org.apache.hadoop.hdfs.server.namenode.NameNode.startCommonServices(NameNode.java:763)
>>     at org.apache.hadoop.hdfs.server.namenode.NameNode.initialize(NameNode.java:687)
>>     at org.apache.hadoop.hdfs.server.namenode.NameNode.<init>(NameNode.java:896)
>>     at org.apache.hadoop.hdfs.server.namenode.NameNode.<init>(NameNode.java:880)
>>     at org.apache.hadoop.hdfs.server.namenode.NameNode.createNameNode(NameNode.java:1586)
>>     at org.apache.hadoop.hdfs.server.namenode.NameNode.main(NameNode.java:1652)
>> ###
>>
>> What does OPER_NOT_ALLOWED_FOR_ENTITY mean?
>> Which user is the operator for the hdfs plugin?
>> Is it the user created for the plugin (in the property Ranger repository config user)?
>>
>> I enabled the SSL for HDFS plugin following the HW doc here:
>>
>> http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.2/bk_Security_Guide/content/ch04s18s02s04s01.html
>>
>> Do you think my problem could come from an error in my SSL configuration?
>>
>> If I summarize what I did:
>>
>> I have:
>> - one node with the namenode
>> - one node with ranger (admin + usersync)
>>
>> On the namenode host, I created a plugin keystore.
>> This keystore contains the certificate for the alias rangerHdfsAgent.
>> ###
>> cd /etc/hadoop/conf
>> keytool -genkey -keyalg RSA -alias rangerHdfsAgent -keystore /etc/hadoop/conf/ranger-plugin-keystore.jks -validity 3600 -keysize 2048 -dname 'cn=HdfsPlugin,ou=<mycompany>,o=<mycompany>,l=<mycity>,st=<mycountry>,c=<idcountry>'
>> chown hdfs:hdfs /etc/hadoop/conf/ranger-plugin-keystore.jks
>> chmod 400 /etc/hadoop/conf/ranger-plugin-keystore.jks
>> ###
>>
>> On the Ranger host, I exported the certificate for the alias rangeradmin from the admin keystore.
>> ###
>> keytool -export -keystore /etc/ranger/admin/conf/ranger-admin-keystore.jks -alias rangeradmin -file /etc/ranger/admin/conf/ranger-admin-trust.cer
>> ###
>>
>> Then I transferred the cer file from the ranger host to the namenode host.
>>
>> On the namenode host, I imported the certificate of the alias rangeradmin into the plugin truststore (the truststore did not exist yet).
>> ###
>> keytool -import -file /etc/hadoop/conf/ranger-admin-trust.cer -alias rangeradmintrust -keystore /etc/hadoop/conf/ranger-plugin-truststore.jks
>> chown hdfs:hdfs /etc/hadoop/conf/ranger-plugin-truststore.jks
>> chmod 400 /etc/hadoop/conf/ranger-plugin-truststore.jks
>> ###
>>
>> On the namenode host, I exported the certificate for the alias rangerHdfsAgent from the plugin keystore.
>> ###
>> keytool -export -keystore /etc/hadoop/conf/ranger-plugin-keystore.jks -alias rangerHdfsAgent -file /etc/hadoop/conf/ranger-hdfsAgent-trust.cer
>> ###
>>
>> Then I transferred the ranger-hdfsAgent-trust.cer file from the namenode host to the ranger host.
>>
>> On the ranger host, I imported the certificate for the alias rangerHdfsAgent in the admin truststore (the truststore did not exist yet).
>> ###
>> keytool -import -file /etc/ranger/admin/conf/ranger-hdfsAgent-trust.cer -alias rangerHdfsAgentTrust -keystore /etc/ranger/admin/conf/ranger-admin-truststore.jks
>> chown ranger:ranger /etc/ranger/admin/conf/ranger-admin-truststore.jks
>> chmod 400 /etc/ranger/admin/conf/ranger-admin-truststore.jks
>> ###
>>
>> In the Ambari UI, I added the CN HdfsPlugin in the property "Common Name For Certificate".
>>
>> In the Ranger Admin UI, I checked that, in the repository definition, there is also this property with the right value.
>>
>> Do you think there is something wrong?
>>
>> BR.
>>
>> Lune.
>>
>> On Tue, May 17, 2016 at 3:45 PM, Lune Silver <lunescar.ran...@gmail.com> wrote:
>>
>>> Hello!
>>>
>>> I just enabled the HDFS plugin for Ranger.
>>> The repository was created by Ambari (2.2.1 with HDP cluster 2.3.2).
>>>
>>> In the Ranger Admin UI, in the repository edit window, when I click on the button "test connection", I have the following error message:
>>> ###
>>> Unable to connect repository with given config for <MYCLUSTER>_hadoop
>>> ###
>>>
>>> And I can see this in the logs:
>>> ###
>>> 2016-05-17 15:41:49,895 [http-bio-6182-exec-5] ERROR org.apache.ranger.biz.ServiceMgr (ServiceMgr.java:120) - ==> ServiceMgr.validateConfig Error:java.util.concurrent.ExecutionException: org.apache.ranger.plugin.client.HadoopException: listFilesInternal: Unable to get listing of files for directory /null] from Hadoop environment [<MYCLUSTER>_hadoop].
>>> ###
>>>
>>> Any idea about why this test connection fails?
>>>
>>> BR.
>>>
>>> Lune.
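As an added example (not from this thread or from the Ranger project), a small Python parser for the NameNode log entry quoted above: it pulls the request URL fields and the Ranger Admin JSON response out of the RangerAdminRESTClient line and maps the "unable to get client certificate" case to the two things the thread points at (which truststore Ranger Admin really loads, and the "Common Name For Certificate" value). The sample log line, host names and service name are constructed placeholders.

```python
import json
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample of the NameNode log entry quoted in the thread; the host names
# and service name are placeholders, not a real deployment.
SAMPLE_LOG = (
    "2016-05-18 08:53:50,129 ERROR client.RangerAdminRESTClient "
    "(RangerAdminRESTClient.java:getServicePoliciesIfUpdated(79)) - Error getting policies. "
    "request=https://ranger.example.internal:6182/service/plugins/policies/download/"
    "cluster_hadoop?lastKnownVersion=-1&pluginId=hdfs@nn1.example.internal-cluster_hadoop, "
    'response={"httpStatusCode":400,"statusCode":1,"msgDesc":"Unauthorized access - unable '
    'to get client certificate","messageList":[{"name":"OPER_NOT_ALLOWED_FOR_ENTITY",'
    '"rbKey":"xa.error.oper_not_allowed_for_state","message":"Operation not allowed for '
    'entity"}]}, serviceName=cluster_hadoop\n'
)

_ERR_RE = re.compile(r"Error getting policies\. request=(?P<url>\S+), response=")

def parse_policy_download_error(line: str):
    """Pull the request URL fields and the JSON body out of one RangerAdminRESTClient line."""
    m = _ERR_RE.search(line)
    if m is None:
        return None
    url = urlparse(m.group("url"))
    # The JSON object is followed by ", serviceName=..." so decode only the leading object.
    body, _end = json.JSONDecoder().raw_decode(line, m.end())
    return {
        "service": url.path.rsplit("/", 1)[-1],
        "plugin_id": parse_qs(url.query).get("pluginId", [""])[0],
        "response": body,
    }

def diagnose(err: dict) -> str:
    """Map the Ranger Admin response to the configuration area to check first."""
    resp = err["response"]
    if resp.get("httpStatusCode") == 400 and "client certificate" in resp.get("msgDesc", ""):
        # TLS connected, but Admin did not get a client cert it accepts: check that the
        # plugin cert sits in the truststore Admin actually loads (the JDK cacerts by
        # default, per AMBARI-15917) and that its CN matches "Common Name For Certificate".
        return "client-cert-rejected"
    if any(m.get("name") == "OPER_NOT_ALLOWED_FOR_ENTITY" for m in resp.get("messageList", [])):
        return "operation-not-allowed"
    return "unknown"

def scan_log(text: str) -> list:
    """(plugin_id, service, diagnosis) for every policy-download error in a log."""
    errors = (parse_policy_download_error(ln) for ln in text.splitlines())
    return [(e["plugin_id"], e["service"], diagnose(e)) for e in errors if e is not None]
```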