==error from namenode logs===

2018-01-18 15:06:29,087 ERROR client.RangerAdminRESTClient (RangerAdminRESTClient.java:getServicePoliciesIfUpdated(124)) - Error getting policies. secureMode=false, user=hdfs (auth:SIMPLE), response={"httpStatusCode":400,"statusCode":1,"msgDesc":"Unauthorized access - unable to get client certificate","messageList":[{"name":"OPER_NOT_ALLOWED_FOR_ENTITY","rbKey":"xa.error.oper_not_allowed_for_state","message":"Operation not allowed for entity"}]}, serviceName=blueprint-c1_hadoop
2018-01-18 15:06:29,087 ERROR util.PolicyRefresher (PolicyRefresher.java:loadPolicyfromPolicyAdmin(255)) - PolicyRefresher(serviceName=blueprint-c1_hadoop): failed to refresh policies. Will continue to use last known version of policies (4)
java.lang.Exception: Unauthorized access - unable to get client certificate
	at org.apache.ranger.admin.client.RangerAdminRESTClient.getServicePoliciesIfUpdated(RangerAdminRESTClient.java:126)
	at org.apache.ranger.plugin.util.PolicyRefresher.loadPolicyfromPolicyAdmin(PolicyRefresher.java:232)
	at org.apache.ranger.plugin.util.PolicyRefresher.loadPolicy(PolicyRefresher.java:188)
	at org.apache.ranger.plugin.util.PolicyRefresher.run(PolicyRefresher.java:158)
2018-01-18 15:06:30,056 INFO BlockStateChange (UnderReplicatedBlocks.java:chooseUnderReplicatedBlocks(395)) - chooseUnderReplicatedBlocks selected 2 blocks at priority level 0; Total=2 Reset bookmarks? false

Certs exchanged between the applications HDFS-plugin & Ranger:

certs from hdfs plugin verified and highlighted in blue available in ranger's truststore (here happens to be default java truststore).
certs from ranger verified and highlighted in yellow available in hdfs-plugin's truststore

==output of keystore & truststore from ranger and hdfs-plugin=====

[root@test-hdp253-master1 conf]# keytool -list -keystore /etc/hadoop/conf/ranger-hdfs-keystore.jks -storepass hdfsxasecure
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
rangerhdfsagent, Jan 17, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): B5:EC:78:D6:05:DC:BD:E0:E4:6F:32:7E:33:C3:AB:64:B9:1E:64:ED
Warning: The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /etc/hadoop/conf/ranger-hdfs-keystore.jks -destkeystore /etc/hadoop/conf/ranger-hdfs-keystore.jks -deststoretype pkcs12".
[root@test-hdp253-master1 conf]# keytool -list -keystore /usr/java/jdk1.8.0_151/jre/lib/security/cacerts -alias rangerhdfsagenttrust -storepass changeit
rangerhdfsagenttrust, Jan 17, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): B5:EC:78:D6:05:DC:BD:E0:E4:6F:32:7E:33:C3:AB:64:B9:1E:64:ED
[root@test-hdp253-master1 conf]#
[root@test-hdp253-master1 conf]#
[root@test-hdp253-master1 conf]# keytool -list -keystore ranger-admin-keystore.jks -storepass xasecure
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
rangeradmin, Jan 17, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): C5:F6:EC:BC:69:1F:60:EB:A4:0E:E1:14:EC:39:FB:0A:95:E9:67:7F
Warning: The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore ranger-admin-keystore.jks -destkeystore ranger-admin-keystore.jks -deststoretype pkcs12".
[root@test-hdp253-master1 conf]# keytool -list -keystore /etc/hadoop/conf/ranger-hdfs-truststore.jks -storepass hdfsxasecure
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
rangeradmintrust, Jan 17, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): C5:F6:EC:BC:69:1F:60:EB:A4:0E:E1:14:EC:39:FB:0A:95:E9:67:7F
[root@test-hdp253-master1 conf]#

============
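
The cross-check described in the post (each side's private-key certificate must appear in the other side's truststore) can be automated over `keytool -list` output. This is an added example, not part of the original post or of Ranger; the function names are hypothetical and the sample text is copied from the keytool output above.

```python
import re

# An entry line looks like "alias, <date>, PrivateKeyEntry," and is followed
# (on the same or the next line) by the certificate fingerprint.
ENTRY_RE = re.compile(r"^(?P<alias>[^,]+),.*\b(?P<type>PrivateKeyEntry|trustedCertEntry)\b")
FP_RE = re.compile(r"Certificate fingerprint \([^)]+\):\s*(?P<fp>[0-9A-Fa-f:]+)")


def parse_keytool_list(text):
    """Return {alias: (entry_type, fingerprint)} parsed from `keytool -list` output."""
    entries, pending = {}, None
    for line in text.splitlines():
        entry = ENTRY_RE.match(line.strip())
        if entry:
            pending = (entry["alias"].strip(), entry["type"])
        fp = FP_RE.search(line)
        if fp and pending:
            entries[pending[0]] = (pending[1], fp["fp"].upper())
            pending = None
    return entries


def untrusted_identities(keystore_out, peer_truststore_out):
    """Aliases of PrivateKeyEntry certs whose fingerprint the peer truststore lacks."""
    trusted = {fp for kind, fp in parse_keytool_list(peer_truststore_out).values()
               if kind == "trustedCertEntry"}
    return [alias for alias, (kind, fp) in parse_keytool_list(keystore_out).items()
            if kind == "PrivateKeyEntry" and fp not in trusted]


# Sample input taken from the keytool listings in the post.
PLUGIN_KEYSTORE = """rangerhdfsagent, Jan 17, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): B5:EC:78:D6:05:DC:BD:E0:E4:6F:32:7E:33:C3:AB:64:B9:1E:64:ED"""
ADMIN_TRUSTSTORE = """rangerhdfsagenttrust, Jan 17, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): B5:EC:78:D6:05:DC:BD:E0:E4:6F:32:7E:33:C3:AB:64:B9:1E:64:ED"""
ADMIN_KEYSTORE = """rangeradmin, Jan 17, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): C5:F6:EC:BC:69:1F:60:EB:A4:0E:E1:14:EC:39:FB:0A:95:E9:67:7F"""
PLUGIN_TRUSTSTORE = """rangeradmintrust, Jan 17, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): C5:F6:EC:BC:69:1F:60:EB:A4:0E:E1:14:EC:39:FB:0A:95:E9:67:7F"""

if __name__ == "__main__":
    print("plugin cert missing from admin truststore:",
          untrusted_identities(PLUGIN_KEYSTORE, ADMIN_TRUSTSTORE))
    print("admin cert missing from plugin truststore:",
          untrusted_identities(ADMIN_KEYSTORE, PLUGIN_TRUSTSTORE))
```

An empty list in both directions confirms only that the stores hold matching certificates; it says nothing about whether the client certificate is actually presented during the TLS handshake.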