Problem:

For most REST calls you will not face this issue, but there are cases where a service-to-service call is made. For example, HBase calls Ranger Admin to download its policies using the following REST call:

https://localhost:6182/service/plugins/policies/download/

In this case the Ranger Admin trust store must contain the certificate of the client that is trying to download the policy. So if HBase tries to download the policy, the call works, because we had already set up SSL for Ranger and the plugins, and the Ranger Admin trust store holds the certificate of the HBase plugin.

If you try to make the same call with curl from your own REST client, however, it will fail:

curl -k -u admin:admin 'https://localhost:6182/service/plugins/policies/download/'

It throws the following kind of error:

ERROR org.apache.ranger.common.ServiceUtil (ServiceUtil.java:1376) - Unauthorized access. Unable to get client certificate. serviceName=cl1_hadoop
2016-07-06 05:51:46,264 [http-bio-6182-exec-26] INFO  org.apache.ranger.common.RESTErrorUtil (RESTErrorUtil.java:65) - Request failed. SessionId=null, loginId=hdfs, logMessage=Unauthorized access - unable to get client certificate
javax.ws.rs.WebApplicationException
        at org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:56)
        at org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:335)
        at org.apache.ranger.common.ServiceUtil.isValidateHttpsAuthentication(ServiceUtil.java:1377)
        at org.apache.ranger.rest.ServiceREST.getSecureServicePoliciesIfUpdated(ServiceREST.java:1847)
        at org.apache.ranger.rest.ServiceREST$FastClassByCGLIB$92dab672.invoke(<generated>)
        at net.sf.cglib.proxy.MethodProxy.invoke(MethodProxy.java:191)
        at 

Resolution:

To resolve this problem we need to pass a client key and certificate when making the curl call, so first you need to generate the key using the following steps:

1. Using the keystore of the Ranger Hadoop plugin, generate a PKCS12 type store as follows:

keytool -importkeystore -srckeystore <source keystore path> -destkeystore <PKCS type store path> -srcstorepass <source store password> -srcstoretype jks -deststoretype PKCS12 -srcalias <source keystore alias> -deststorepass <pkcs store password> -destkeypass <key password>

2. A PKCS12 type store is now generated; use this store to extract the key and certificate as a PEM file:

openssl pkcs12 -in <PKCS type store path> -out <pem key file path> -nodes -passin pass:<key password>

Now you can use this key to make the curl call as follows (the -u option takes the credentials as a separate argument, not joined with a colon):

curl -k -u admin:admin --cert <pem key file path>:<key password> 'https://localhost:6182/service/plugins/policies/download/'

Note: the same steps can be followed if you face such an exception while making a curl call to any other service where the server requires a client certificate to allow the call.
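The three steps above, wrapped into shell functions as an added example (this is not code from the original article or from the Ranger project). It assumes the key in the plugin keystore and the PKCS12 store share one password, that keytool, openssl and curl are on the PATH, and it adds a local sanity check, pem_cert_matches_key, that confirms the extracted certificate and private key belong together before the Ranger call is attempted. The function names, the example paths and the alias are placeholders.

```bash
#!/usr/bin/env bash
# Added example: JKS plugin keystore -> PKCS12 -> PEM, then a mutual-TLS curl
# call to Ranger Admin. Paths, alias and passwords are placeholders.
set -euo pipefail

# Steps 1 and 2 of the article: export one alias from a JKS keystore into a
# PKCS12 store, then convert that store into a single PEM file that holds the
# certificate and the (unencrypted, because of -nodes) private key.
jks_to_pem() {
  local src_ks="$1" src_pass="$2" alias="$3" out_pem="$4"
  local p12="${out_pem}.p12"   # temporary PKCS12 store next to the output
  keytool -importkeystore -srckeystore "$src_ks" -destkeystore "$p12" \
    -srcstorepass "$src_pass" -srcstoretype jks -deststoretype PKCS12 \
    -srcalias "$alias" -deststorepass "$src_pass" -destkeypass "$src_pass"
  openssl pkcs12 -in "$p12" -out "$out_pem" -nodes -passin "pass:$src_pass"
  rm -f "$p12"
}

# Sanity check: the first CERTIFICATE block and the first PRIVATE KEY block in
# the PEM must describe the same public key, otherwise the TLS handshake will
# fail with a confusing server-side alert. Returns 0 when they match.
pem_cert_matches_key() {
  local pem="$1"
  local cert_pub key_pub
  cert_pub="$(openssl x509 -in "$pem" -noout -pubkey)"
  key_pub="$(openssl pkey -in "$pem" -pubout)"
  [ "$cert_pub" = "$key_pub" ]
}

# Prints the certificate subject so it can be compared with the plugin
# certificate that was imported into the Ranger Admin trust store.
pem_subject() {
  openssl x509 -in "$1" -noout -subject
}

# Step 3: the policy download call. The article uses -k; when the Ranger Admin
# CA certificate is available, pass it as the third argument so the server
# certificate is verified as well.
download_policies() {
  local pem="$1"
  local url="${2:-https://localhost:6182/service/plugins/policies/download/}"
  local ca="${3:-}"
  if [ -n "$ca" ]; then
    curl -sS --fail -u admin:admin --cert "$pem" --cacert "$ca" "$url"
  else
    curl -sS --fail -k -u admin:admin --cert "$pem" "$url"
  fi
}

# Usage (placeholder paths):
#   jks_to_pem /etc/hbase/conf/ranger-plugin-keystore.jks changeit hbase-plugin /tmp/hbase-client.pem
#   pem_cert_matches_key /tmp/hbase-client.pem && pem_subject /tmp/hbase-client.pem
#   download_policies /tmp/hbase-client.pem
```

Because the PEM is written with -nodes, the private key is not encrypted and no :<key password> suffix is needed on --cert; keep the file's permissions tight for the same reason.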

Comments

Outdated. Finally, after doing these steps I get curl: (35) error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
Not working as of 2019 with HDP 2.6.3