You are getting into very dangerous territory now :)

 

1. Make sure the user principal and password are working from the command line and you are also able to use the HDFS CLI client from the same box, the same login shell and the same java executable.

2. Add Kerberos debug properties while starting Ranger Admin (-Dsun.security.krb5.debug=true). There are a few more params that can be used. I need to search for them.

3. Check the logs to see if there are more logs in the ranger log file. Also check the logs on your Kerberos server.

 

To update startup params of Ranger Admin, you can do the following:

1. Create a new file in the ranger admin conf folder with a name starting with “ranger-admin-env-”, e.g. ranger-admin-env-kerberos-debug.sh

2. Add the following line:

a. export JAVA_OPTS=" ${JAVA_OPTS} -Dsun.security.krb5.debug=true"

3. Chmod the file to a+rx

4. Restart ranger admin

5. You can check the params are in effect by running: ps -eafww | grep proc_rangeradmin

 

 

Bosco
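
The steps in the message above as a script, added here as an example and not part of the original thread or of Ranger itself. The function names are hypothetical, and the conf folder is passed as an argument because the thread does not give its path.

```shell
#!/bin/sh
# Added example: manage the Kerberos-debug drop-in described above.
# The conf directory is an assumption supplied by the caller.
KRB5_DEBUG_FLAG='-Dsun.security.krb5.debug=true'
KRB5_DEBUG_FILE='ranger-admin-env-kerberos-debug.sh'

# Steps 1-3: create the drop-in once (idempotent) and make it a+rx.
# Prints the path of the file it manages.
write_krb5_debug_env() {
    env_file="$1/$KRB5_DEBUG_FILE"
    if ! grep -qF -- "$KRB5_DEBUG_FLAG" "$env_file" 2>/dev/null; then
        # Single quotes keep ${JAVA_OPTS} literal so it expands at startup.
        printf 'export JAVA_OPTS=" ${JAVA_OPTS} %s"\n' "$KRB5_DEBUG_FLAG" > "$env_file"
    fi
    chmod a+rx "$env_file"
    printf '%s\n' "$env_file"
}

# Returns 0 if a command line carries the flag as a whole argument.
cmdline_has_krb5_debug() {
    case " $1 " in
        *" $KRB5_DEBUG_FLAG "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 5: check the running Ranger Admin JVM after the restart.
# Returns 0 = flag active, 1 = running without it, 2 = no process found.
ranger_admin_debug_active() {
    # [p] stops grep from matching its own entry in the ps output.
    cmd=$(ps -eafww | grep '[p]roc_rangeradmin' | tr '\n' ' ')
    [ -n "$cmd" ] || return 2
    cmdline_has_krb5_debug "$cmd"
}

# krb5 debug tracing is verbose; remove the drop-in (and restart Ranger
# Admin) once the login failure has been diagnosed.
remove_krb5_debug_env() {
    rm -f -- "$1/$KRB5_DEBUG_FILE"
}
```

Call write_krb5_debug_env with the conf folder, restart Ranger Admin as in step 4, then use ranger_admin_debug_active to confirm the flag reached the JVM.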

 

From: Aneela Saleem <ane...@platalytics.com>
Reply-To: <user@ranger.incubator.apache.org>
Date: Friday, August 12, 2016 at 11:33 PM
To: <user@ranger.incubator.apache.org>
Subject: Re: Ranger-0.6 HDFS authentication failed in secure mode

 

Thanks Bosco,

 

I have already installed the JCE unlimited strength package and Kerberos is already working fine. Also, I tried with the Kerberos principal instead of just admin; it did not work either.

 

On Sat, Aug 13, 2016 at 8:12 AM, Don Bosco Durai <bo...@apache.org> wrote:

I don’t have the full context, but there are a few things you can look into:

1. The user should be the full Kerberos principal and not just “admin”

2. If you are using Kerberos and Sun JDK, then you need the additional JCE unlimited strength package. But if Kerberos is already working on the same box and you are using the same java, then it might not be the issue.

3. Just make sure you are using FQDN everywhere. Kerberos is very sensitive to hostname and current time.

4. With Ranger 0.6, Ranger admin itself is kerberized, it will just take the ranger-lookup principal. I know, in the Ambari world these are done automatically, but in manual install, there might be a bit of keytab generation and configuration required.

 

Bosco

 

 

From: Aneela Saleem <ane...@platalytics.com>
Reply-To: <user@ranger.incubator.apache.org>
Date: Friday, August 12, 2016 at 3:02 AM
To: <user@ranger.incubator.apache.org>
Subject: Re: Ranger-0.6 HDFS authentication failed in secure mode

 

Hi Sailaja,

 

I set these configuration parameters, still I get the following error on the Ranger UI as well as in the ranger_admin.log file

 

 

Unable to retrieve any files using given parameters, You can still save the 
repository and start creating policies, but you would not be able to use 
autocomplete for resource names. Check ranger_admin.log for more info.


org.apache.ranger.plugin.client.HadoopException: Unable to login to Hadoop 
environment [hdfs]. 
Unable to login to Hadoop environment [hdfs]. 
Unable to decrypt password due to error. 
Input length must be multiple of 8 when decrypting with padded cipher.

 

Following are the configurations:

 

Service Name  hdfs
username        admin
password        admin

Namenode URL   hdfs://hadoop-master:8020

Authorization Enabled   ===> true

Authentication Type ==> kerberos

hadoop.security.auth_to_local  ====> RULE:[2:$1@$0]([nd]n@.*realm)s/.*/hdfs/    
     RULE:[2:$1@$0](hbase@.*realm)s/.*/hbase/         
RULE:[2:$1@$0](mapred@.*realm)s/.*/mapred/         
RULE:[2:$1@$0](yarn@.*realm)s/@.*/yarn/         DEFAULT

dfs.datanode.kerberos.principal  ====> dn/_HOST@platalyticsrealm

dfs.namenode.kerberos.principal   ===> nn/_HOST@platalyticsrealm

dfs.secondary.namenode.kerberos.principal ==> nn/_HOST@platalyticsrealm

RPC Protection Type    ==> authentication

 

On Fri, Aug 12, 2016 at 3:11 AM, Sailaja Polavarapu 
<spolavar...@hortonworks.com> wrote:

Hi Aneela,

As far as I know the following properties should be the same as the ones configured under HDFS configuration and should not be empty:

hadoop.security.auth_to_local  ====> empty

dfs.datanode.kerberos.principal  ====> empty

dfs.namenode.kerberos.principal   ===> empty

dfs.secondary.namenode.kerberos.principal ==> empty

RPC Protection Type    ==> privacy

 

 

From: Aneela Saleem <ane...@platalytics.com>
Reply-To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
Date: Thursday, August 11, 2016 at 12:01 PM
To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
Subject: Re: Ranger-0.6 HDFS authentication failed in secure mode

 

Hi,

When I test connection, following error is shown

Unable to retrieve any files using given parameters, You can still save the 
repository and start creating policies, but you would not be able to use 
autocomplete for resource names. Check ranger_admin.log for more info. 


org.apache.ranger.plugin.client.HadoopException: Unable to login to Hadoop 
environment [hdfs]. 
Unable to login to Hadoop environment [hdfs]. 
Unable to decrypt password due to error. 
Input length must be multiple of 8 when decrypting with padded cipher. 

Here are configurations of my repository.

Service Name  hdfs
username        admin
password        admin

Namenode URL   hdfs://192.168.23.206:8020

Authorization Enabled   ===> true

Authentication Type ==> kerberos

hadoop.security.auth_to_local  ====> empty

dfs.datanode.kerberos.principal  ====> empty

dfs.namenode.kerberos.principal   ===> empty

dfs.secondary.namenode.kerberos.principal ==> empty

RPC Protection Type    ==> privacy

 

In ranger 0.6 there is no xa_portal log file. The Ranger-admin.log file has no error when I start ranger admin.

 

 

On Thu, Aug 11, 2016 at 11:15 PM, Velmurugan Periasamy 
<vperias...@hortonworks.com> wrote:

Error you posted seems to be related to test connection failing, not download 
policy issue. @Sailaja – can you please chime in for the decrypt password 
issue? 

 

Can you please share 1] your HDFS repository configuration 2] any errors in 
ranger log during the download policy from HDFS plugin

 

Thanks,

Vel

 

From: Aneela Saleem <ane...@platalytics.com>
Reply-To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
Date: Thursday, August 11, 2016 at 11:32 PM
To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
Subject: Re: Ranger-0.6 HDFS authentication failed in secure mode

 

Hi Folks!

I have tried different options like kinit using the nn/hadoop-master principal, and then enabling the hdfs plugin and starting hadoop. But I am still facing the same issue. Any help related to the above issue will be appreciated.

Thanks

 

On Mon, Aug 8, 2016 at 8:47 PM, Aneela Saleem <ane...@platalytics.com> wrote:

Madhan!

I can see following exception in ranger-admin.log file

2016-08-08 17:42:43,501 [timed-executor-pool-0] ERROR apache.ranger.services.hdfs.client.HdfsResourceMgr (HdfsResourceMgr.java:49) - <== HdfsResourceMgr.testConnection Error: Unable to login to Hadoop environment [hdfs]
org.apache.ranger.plugin.client.HadoopException: Unable to login to Hadoop environment [hdfs]
        at org.apache.ranger.plugin.client.BaseClient.login(BaseClient.java:136)
        at org.apache.ranger.plugin.client.BaseClient.<init>(BaseClient.java:59)
        at org.apache.ranger.services.hdfs.client.HdfsClient.<init>(HdfsClient.java:52)
        at org.apache.ranger.services.hdfs.client.HdfsClient.connectionTest(HdfsClient.java:221)
        at org.apache.ranger.services.hdfs.client.HdfsResourceMgr.connectionTest(HdfsResourceMgr.java:47)
        at org.apache.ranger.services.hdfs.RangerServiceHdfs.validateConfig(RangerServiceHdfs.java:58)
        at org.apache.ranger.biz.ServiceMgr$ValidateCallable.actualCall(ServiceMgr.java:560)
        at org.apache.ranger.biz.ServiceMgr$ValidateCallable.actualCall(ServiceMgr.java:547)
        at org.apache.ranger.biz.ServiceMgr$TimedCallable.call(ServiceMgr.java:508)
        at java.util.concurrent.FutureTask.run(FutureTask.java:262)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:745)
Caused by: java.io.IOException: Unable to decrypt password due to error
        at org.apache.ranger.plugin.util.PasswordUtils.decryptPassword(PasswordUtils.java:128)
        at org.apache.ranger.plugin.client.BaseClient.login(BaseClient.java:113)
        ... 12 more
Caused by: javax.crypto.IllegalBlockSizeException: Input length must be multiple of 8 when decrypting with padded cipher
        at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:750)
        at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:676)
        at com.sun.crypto.provider.PBECipherCore.doFinal(PBECipherCore.java:422)
        at com.sun.crypto.provider.PBEWithMD5AndDESCipher.engineDoFinal(PBEWithMD5AndDESCipher.java:316)
        at javax.crypto.Cipher.doFinal(Cipher.java:2131)
        at org.apache.ranger.plugin.util.PasswordUtils.decryptPassword(PasswordUtils.java:112)
        ... 13 more

On Mon, Aug 8, 2016 at 8:16 PM, Madhan Neethiraj <mad...@apache.org> wrote:

Aneela,

 

Do you see any errors reported in Ranger Admin log file xa_portal.log, for the 
download request from the HDFS plugin?

 

Thanks,

Madhan

 

 

From: Aneela Saleem <ane...@platalytics.com>
Reply-To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
Date: Monday, August 8, 2016 at 6:05 AM
To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
Subject: Ranger-0.6 HDFS authentication failed in secure mode

 

Hi all, 

 

I have installed the Ranger-0.6 version and successfully installed the usersync process. Now I'm trying to enable the HDFS plugin on a Kerberized Hadoop cluster. When I restart Hadoop after enabling the plugin, I get the following error:

 

2016-08-08 17:56:55,675 ERROR org.apache.ranger.admin.client.RangerAdminRESTClient: Error getting policies. secureMode=true, user=nn/hadoop-master@platalyticsrealm (auth:KERBEROS), response={"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}, serviceName=hdfs
2016-08-08 17:56:55,675 ERROR org.apache.ranger.plugin.util.PolicyRefresher: PolicyRefresher(serviceName=hdfs): failed to refresh policies. Will continue to use last known version of policies (-1)
java.lang.Exception: Authentication Failed
        at org.apache.ranger.admin.client.RangerAdminRESTClient.getServicePoliciesIfUpdated(RangerAdminRESTClient.java:126)
        at org.apache.ranger.plugin.util.PolicyRefresher.loadPolicyfromPolicyAdmin(PolicyRefresher.java:217)
        at org.apache.ranger.plugin.util.PolicyRefresher.loadPolicy(PolicyRefresher.java:185)
        at org.apache.ranger.plugin.util.PolicyRefresher.run(PolicyRefresher.java:158)
2016-08-08 17:56:55,676 WARN org.apache.ranger.plugin.util.PolicyRefresher: cache file does not exist or not readable '/etc/ranger/hdfs/policycache/hdfs_hdfs.json'

 

 

Although I have a running Kerberized Hadoop cluster and the nn/hadoop-master@platalyticsrealm user authenticates successfully within Hadoop, why does the authentication fail here?

 

 

 

 

 
