question Re: Ranger usersync 401 unauthorized in Support Questions

Ranger usersync 401 unauthorized

ben_grant — Wed, 31 Jan 2018 21:59:01 GMT

having trouble with Ranger usersync from Active Directory. Just trying ldap, not ldaps at the moment. I can see in the usersync.log that it connect to my AD server & finds the users and groups I have set in my filters. When it goes to try to push these into Ranger, I'm getting

com.sun.jersey.api.client.UniformInterfaceException: GET http://fit-d-selgsv-21.sentry.com:6080/service/xusers/groups/?pageSize=1000&startIndex=0 returned a response status of 401 Unauthorized

It looks like the usersync can't push to Ranger.

Re: Ranger usersync 401 unauthorized

vperiasamy — Wed, 31 Jan 2018 22:47:58 GMT

Is this kerberos env? If so make sure all the necessary keytabs are there with right permissions.

Re: Ranger usersync 401 unauthorized

ben_grant — Wed, 31 Jan 2018 23:09:26 GMT

yes, kerberos is enabled. I see a rangerusersync.service.keytab, rangeradmin.service.keytab, and rangerlookup.service.keytab in /etc/security/keytabs all owned by ranger

Re: Ranger usersync 401 unauthorized

vperiasamy — Wed, 31 Jan 2018 23:47:43 GMT

Do you see any errors in ranger usersync log or ranger admin log?

Re: Ranger usersync 401 unauthorized

ben_grant — Thu, 01 Feb 2018 01:08:42 GMT

yes. here is the full error I'm seeing

com.sun.jersey.api.client.UniformInterfaceException: GET http://fit-d-selgsv-21.sentry.com:6080/service/xusers/groups/?pageSize=1000&startIndex=0 returned a response status of 401 Unauthorized
at com.sun.jersey.api.client.WebResource.handle(WebResource.java:686)
at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)
at com.sun.jersey.api.client.WebResource$Builder.get(WebResource.java:507)
at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.buildGroupList(PolicyMgrUserGroupBuilder.java:429)
at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.access$000(PolicyMgrUserGroupBuilder.java:72)
at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder$1.run(PolicyMgrUserGroupBuilder.java:180)
at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder$1.run(PolicyMgrUserGroupBuilder.java:176)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:360)
at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.buildUserGroupInfo(PolicyMgrUserGroupBuilder.java:176)
at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.init(PolicyMgrUserGroupBuilder.java:163)
at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:51)
at java.lang.Thread.run(Thread.java:745)

when I look in the ranger database, I see the following users: Admin, rangerusersync, keyadmin, rangertagsync. So the rangerusersync user exists.

Re: Ranger usersync 401 unauthorized

vperiasamy — Thu, 01 Feb 2018 01:13:40 GMT

Do you see any error on ranger admin log? Is there core-site.xml under /etc/ranger/admin/conf ?

What is the HDP version?

Re: Ranger usersync 401 unauthorized

ben_grant — Thu, 01 Feb 2018 01:39:50 GMT

yes, there is a core-site.xml under /etc/ranger/admin/conf. There are errors in my xa_portal.log. I will attach a .zip with the core-site.xml and xa_portal.log. This is HDF not HDP but the Ranger distro is the same between the builds. HDF 3.0.1 cworkhdfissue.zip

Re: Ranger usersync 401 unauthorized

vperiasamy — Thu, 01 Feb 2018 01:56:49 GMT

I don't see any related errors. You can enable DEBUG and kerberos debug to get more info. Also zip does not contain core-site.xml

Re: Ranger usersync 401 unauthorized

ben_grant — Thu, 01 Feb 2018 02:09:17 GMT

I see how to enable DEBUG for Ranger admin, but not certain where you're talking about enabling for Kerberos.

https://community.hortonworks.com/content/supportkb/49445/how-to-enable-debug-logging-for-ranger-admin.html

cworkhdfcore-site.xml

Re: Ranger usersync 401 unauthorized

vperiasamy — Thu, 01 Feb 2018 02:17:56 GMT

You need to make sure rangerusersync is sending kerberos request.

To enable kerberos debug, you can add below arguments to ranger start via JAVA_OPTS in ranger-admin-services.sh

-Dsun.security.krb5.debug=true -Dsun.security.jgss.debug=true -Djava.security.debug="logincontext,policy,scl,gssloginconfig"

Re: Ranger usersync 401 unauthorized

ben_grant — Thu, 01 Feb 2018 03:04:42 GMT

cworkhdfnew-folderusersync-issue2.zip I believe I enabled correctly & restarted. when I check the log files I don't see any extra Kerberos information.

Re: Ranger usersync 401 unauthorized

vperiasamy — Thu, 01 Feb 2018 03:09:08 GMT

Kerberos debug messages will be in catalina.out

Not sure if ranger admin is properly spnego enabled. Please enable DEBUG for ranger admin logs.

One thing you can try is to manually kinit using rangerusersync keytab and perform the same request via Curl. http://fit-d-selgsv-21.sentry.com:6080/service/xusers/groups/?pageSize=1000☆tIndex=0

Re: Ranger usersync 401 unauthorized

ben_grant — Thu, 01 Feb 2018 03:41:04 GMT

is there a way to change the usersync account so that it uses just username/password instead of Kerberos?

Re: Ranger usersync 401 unauthorized

ben_grant — Fri, 09 Feb 2018 02:17:07 GMT

we ended up just dropping the cluster, deploying Ranger & Ranger usersync, then enabling Kerberos. works perfect if you deploy ranger first.