question Re: "Test Connection" for ranger kms repository fails in Archives of Support Questions (Read Only)

"Test Connection" for ranger kms repository fails

sshimpi — Thu, 31 Mar 2016 23:11:13 GMT

I followed the document for setting ranger kms on kerberized cluster.

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.2/bk_Ranger_KMS_Admin_Guide/content/ch03s02.html

While doing test connection to default repository of Ranger KMS it gives error as shown below -

Can you please help how to resolve this ?

2016-03-31 20:02:05,403 [timed-executor-pool-0] INFO  apache.ranger.services.kms.client.KMSClient (KMSClient.java:214) - getKeyList():response.getStatus()= 401 for URL http://node1.example.com:9292/kms/v1/keys/names?user.name=keyadmin, so returning null list
2016-03-31 20:02:05,408 [timed-executor-pool-0] ERROR apache.ranger.services.kms.client.KMSResourceMgr (KMSResourceMgr.java:43) - <== KMSResourceMgr.validateConfig Error: org.apache.ranger.plugin.client.HadoopException: <html><head><title>Apache Tomcat/7.0.55 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 401 - Authentication required</h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>Authentication required</u></p><p><b>description</b> <u>This request requires HTTP authentication.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.55</h3></body></html>

Re: "Test Connection" for ranger kms repository fails

vperiasamy — Fri, 01 Apr 2016 00:51:23 GMT

In Kerberized environments, repository config user should be a valid kerberos principal. Please create a valid principal like keyadmin@DOMAIN.COM with password and configure this in KMS repo - this needs to be done in ranger UI. Steps are listed here. Although this is from latest documentation, these steps should work.

After repository is updated, Ranger and KMS needs to be restarted.

Also make sure you have a link to core-site.xml under /etc/ranger/kms/conf as described here

Re: "Test Connection" for ranger kms repository fails

VR46 — Fri, 01 Apr 2016 02:59:51 GMT

From the log, looks like you are still using the username as 'keyadmin' which won't work if you have setup Kerberos. The KMSClient code looks for keyadmin@REALM if kerberos is enabled. Please set that restart the Ranger and KMS services after the change.

Re: "Test Connection" for ranger kms repository fails

VR46 — Fri, 01 Apr 2016 03:01:03 GMT

Uhh just saw that @vperiasamy had already replied. And that is pretty much correct. Cheers Vel !

Re: "Test Connection" for ranger kms repository fails

sshimpi — Fri, 01 Apr 2016 18:30:12 GMT

@vperiasamy the issue is resolved. I just took solution from @Vipin Rathor before checking you comment 😜

But it helped. Thanks for reply.

Re: "Test Connection" for ranger kms repository fails

trip_ankit87 — Tue, 24 May 2016 03:21:54 GMT

Hi Vipin,

In my case also, user name coming as only 'keyadmin" instead of keyadmin@realm but I am giving username as

keyadmin@realm in UI:-

UNAUTHENTICATED RemoteHost:127.0.0.1 Method:GET URL:http://hostname:9292/kms/v1/keys/names?doAs=keyadmin ErrorMsg:'Authentication required'.

which property should I change for this?

please help.

Thanks in advance

Re: "Test Connection" for ranger kms repository fails

trip_ankit87 — Tue, 24 May 2016 05:58:34 GMT

Hi Vipin,

In my case also, user name coming as only 'keyadmin" instead of keyadmin@realm but I am giving username as

keyadmin@realm in UI:-

UNAUTHENTICATED RemoteHost:127.0.0.1 Method:GET URL:http://hostname:9292/kms/v1/keys/names?doAs=keyadmin ErrorMsg:'Authentication required'.

which property should I change for this?

please help.

Thanks in advance

Re: "Test Connection" for ranger kms repository fails

avijeetd — Fri, 19 Aug 2016 14:32:33 GMT

@Vipin Rathor

Hi Vipin,

I am having the same issue, the ranger logs show "returning null list"

I am able to login into Ranger as keyadmin / password (as created in AD), I can kinit as keyadmin

I am not seeing the user in Ranger user tab, however can see the user in usersync log

2016-08-19 03:38:10,633 [timed-executor-pool-0] DEBUG apache.ranger.services.kms.client.KMSClient (KMSClient.java:312) - Getting KmsClient for datasource: hubhdpdevcluster01_kms 2016-08-19 03:38:10,633 [timed-executor-pool-0] DEBUG apache.ranger.services.kms.client.KMSClient (KMSClient.java:313) - configMap: {password=*****, provider=kms://http@hadooplinux.xxx.com:9292/kms, username=keyadmin@HADOOPDOM.COM} 2016-08-19 03:38:10,633 [timed-executor-pool-0] DEBUG apache.ranger.services.kms.client.KMSClient (KMSClient.java:73) - Kms Client is build with url [kms://http@hadooplinux.xxx.com:9292/kms] user: [keyadmin@HADOOPDOM.COM] 2016-08-19 03:38:10,633 [timed-executor-pool-0] DEBUG apache.ranger.services.kms.client.KMSClient (KMSClient.java:144) - Getting Kms Key list for keyNameMatching : 2016-08-19 03:38:10,994 [timed-executor-pool-0] DEBUG apache.ranger.services.kms.client.KMSClient (KMSClient.java:181) - getKeyList():calling http://hadooplinux.xxx.com:9292/kms/v1/keys/names?doAs=keyadmin 2016-08-19 03:38:10,994 [timed-executor-pool-0] DEBUG apache.ranger.services.kms.client.KMSClient (KMSClient.java:185) - getKeyList():response.getStatus()= 401 2016-08-19 03:38:10,994 [timed-executor-pool-0] INFO apache.ranger.services.kms.client.KMSClient (KMSClient.java:214) - getKeyList():response.getStatus()= 401 for URL http://hadooplinux.xxx.com:9292/kms/v1/keys/names?doAs=keyadmin so returning null list 2016-08-19 03:38:10,995 [timed-executor-pool-0] ERROR apache.ranger.services.kms.client.KMSResourceMgr (KMSResourceMgr.java:43) - <== KMSResourceMgr.validateConfig Error: org.apache.ranger.plugin.client.HadoopException:

Is there some other settings for AD-KDC in Ranger KMS?

Ranger KMS was setup and the cluster was kerbersized later. Does it have to be setup after kerberzing?

Thanks,

Avijeet

Re: "Test Connection" for ranger kms repository fails

arturbrandys — Fri, 20 Sep 2019 12:06:26 GMT

This links are not working now.

Re: "Test Connection" for ranger kms repository fails

cjervis — Fri, 20 Sep 2019 13:28:31 GMT

I found the Ranger KMS Admin Guide for HDP 2.4.0, hopefully this is what you are looking for.