question Re: Ranger SSL Not Working in Archives of Support Questions (Read Only)

Ranger SSL Not Working

bkandalkar — Mon, 27 Aug 2018 19:07:30 GMT

Hello Team,

We have enabled SSL for Ranger Admin Web UI. We can access ranger Admin Web UI on port 6182.

But Hive Server2 daemon is failing to refresh policies after enabling SSL for Ranger Admin Web UI.

We are using internal CA signed certificate. Our Hive Server2 is SSL enabled.

We have done all configuration for enabling two-way SSL between Ranger and Hive. We have imported Ranger Admin's certificate in Hiveserver2 Truststore and Hiveserver2 certificate in Ranger Admin's Truststore. We have setup Keystore for Hiveserver2 and Ranger Admin.

Also, added hmaster.test.org as Common Name for Certificate in Hive and Ranger policy.

In Hive Server2 log, we are getting following error:

2018-08-27 06:40:31,785 ERROR [main]: client.RangerAdminRESTClient (RangerAdminRESTClient.java:getServicePoliciesIfUpdated(124)) - Error getting policies. secureMode=false, user=hive (auth:SIMPLE), response={"httpStatusCode":400,"statusCode":1,"msgDesc":"Unauthorized access - unable to get client certificate","messageList":[{"name":"OPER_NOT_ALLOWED_FOR_ENTITY","rbKey":"xa.error.oper_not_allowed_for_state","message":"Operation not allowed for entity"}]}, serviceName=C03_hive
2018-08-27 06:40:31,786 ERROR [main]: util.PolicyRefresher (PolicyRefresher.java:loadPolicyfromPolicyAdmin(255)) - PolicyRefresher(serviceName=C03_hive): failed to refresh policies. Will continue to use last known version of policies (-1)
java.lang.Exception: Unauthorized access - unable to get client certificate
        at org.apache.ranger.admin.client.RangerAdminRESTClient.getServicePoliciesIfUpdated(RangerAdminRESTClient.java:126)
        at org.apache.ranger.plugin.util.PolicyRefresher.loadPolicyfromPolicyAdmin(PolicyRefresher.java:232)
        at org.apache.ranger.plugin.util.PolicyRefresher.loadPolicy(PolicyRefresher.java:188)
        at org.apache.ranger.plugin.util.PolicyRefresher.startRefresher(PolicyRefresher.java:136)

In Ranger Admin log, we are getting following error:

2018-08-27 11:45:02,556 [http-bio-6182-exec-5] ERROR org.apache.ranger.common.ServiceUtil (ServiceUtil.java:1367) - Unauthorized access. Unable to get client certificate. serviceName=C03_hive
2018-08-27 11:45:02,557 [http-bio-6182-exec-5] INFO  org.apache.ranger.common.RESTErrorUtil (RESTErrorUtil.java:65) - Request failed. SessionId=null, loginId=null, logMessage=Unauthorized access - unable to get client certificate
javax.ws.rs.WebApplicationException
        at org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:56)
        at org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:335)
        at org.apache.ranger.common.ServiceUtil.isValidateHttpsAuthentication(ServiceUtil.java:1368)
        at org.apache.ranger.rest.ServiceREST.getServicePoliciesIfUpdated(ServiceREST.java:1817)

How to solve it?

Please suggest.

Thanks,

Bhushan

Re: Ranger SSL Not Working

apappu — Mon, 27 Aug 2018 23:40:50 GMT

@Bhushan Kandalkar

What version HDP are you using? By default 2-WAY SSL is enabled between Hive and Ranger - so server is expecting client certificate as part of handshake and it is failing.

I have an article at https://community.hortonworks.com/articles/68150/configuring-ranger-ranger-hdfs-plugin-for-ssl-with.html - please follow and let me know.

May be you can try setting below configs

ranger.service.https.attrib.clientAuth=false

ranger.service.https.attrib.client.auth=false

Re: Ranger SSL Not Working

bkandalkar — Tue, 28 Aug 2018 17:38:01 GMT

@amarnath reddy pappu

I am using HDP-2.5.6.

Re: Ranger SSL Not Working

falbani — Tue, 28 Aug 2018 19:16:05 GMT

@Bhushan Kandalkar

The error:

Unauthorized access - unable to get client certificate at

Means the truststore has not been properly configured for ranger admin. I suggest you review the following video where I cover this configuration in detail:

https://community.hortonworks.com/content/supportkb/187924/video-kb-how-to-co-nfigure-ranger-admin-ssl.html

HTH

*** If you found this answer addressed your question, please take a moment to login and click the "accept" link on the answer.

Re: Ranger SSL Not Working

apappu — Tue, 28 Aug 2018 23:28:23 GMT

@Bhushan Kandalkar then you can try above recommendations and see if that helps

Re: Ranger SSL Not Working

bkandalkar — Wed, 29 Aug 2018 12:39:27 GMT

Thanks @Felix Albani

I am able to configure 2-way SSL. But 1-way SSL is not working in HDP-2.5.6.

Also, we have configured HiveServer2 HA. What should be the value of Common Name For Certificate in Ranger Policy Manager UI for Hive repository? Currently for one of the Hiveserver2 CN value is hmaster.test.org and for other Hiveserver2 CN value is hmaster2.test.org.

Please suggest.

Re: Ranger SSL Not Working

falbani — Wed, 29 Aug 2018 22:33:04 GMT

@Bhushan Kandalkar

For Common Name for Certificate use a comma separated list (no spaces before of after comma). For example:

hmaster.test.org,hmaster2.test.org

I haven't got the chance to test 1-way ssl between plugins and ranger admin yet. However, by looking at the following jira

https://issues.apache.org/jira/browse/RANGER-1094

This shows as fixed in ranger 0.6.3 and hdp-2.5.6 comes with ranger 0.6 so perhaps is still not supported in your version.

HTH

*** If you found this answer addressed your question, please take a moment to login and click the "accept" link on the answer.