For most REST calls you will not face this issue, but it does show up where a service-to-service call is made; for example, HBase calls Ranger Admin over REST to download its policies.
In this case the Ranger Admin truststore must contain the certificate of the client that is trying to download the policy. When the HBase plugin downloads policies, the call works because SSL was already set up for Ranger and the plugins and the Ranger Admin truststore holds the HBase plugin's certificate.
If you try to make the same call with curl or your own REST client, it fails with the following error in the Ranger Admin log:
ERROR org.apache.ranger.common.ServiceUtil (ServiceUtil.java:1376) - Unauthorized access. Unable to get client certificate. serviceName=cl1_hadoop
2016-07-06 05:51:46,264 [http-bio-6182-exec-26] INFO org.apache.ranger.common.RESTErrorUtil (RESTErrorUtil.java:65) - Request failed. SessionId=null, loginId=hdfs, logMessage=Unauthorized access - unable to get client certificate
javax.ws.rs.WebApplicationException
at org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:56)
at org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:335)
at org.apache.ranger.common.ServiceUtil.isValidateHttpsAuthentication(ServiceUtil.java:1377)
at org.apache.ranger.rest.ServiceREST.getSecureServicePoliciesIfUpdated(ServiceREST.java:1847)
at org.apache.ranger.rest.ServiceREST$FastClassByCGLIB$92dab672.invoke(<generated>)
at net.sf.cglib.proxy.MethodProxy.invoke(MethodProxy.java:191)
at
Resolution:
To resolve this, the curl call has to present the plugin's client key and certificate, and that certificate must be the one already imported into the Ranger Admin truststore (a key pair the truststore does not know is rejected during the TLS handshake with a "certificate unknown" alert). First extract the key and certificate from the Ranger plugin keystore:
1. Using the keystore of the Ranger Hadoop plugin, generate a PKCS12 store as follows (keytool does not support different store and key passwords for PKCS12 stores, so use the same value for both):
keytool -importkeystore -srckeystore <source keystore path> -destkeystore <PKCS12 store path> -srcstorepass <source store password> -srcstoretype jks -deststoretype PKCS12 -srcalias <source keystore alias> -deststorepass <pkcs12 store password> -destkeypass <pkcs12 store password>
2. Now that the PKCS12 store has been generated, use it to produce a PEM file containing the key and certificate. -passin takes the PKCS12 store password; -nodes writes the private key unencrypted, so restrict the file's permissions:
openssl pkcs12 -in <PKCS12 store path> -out <pem key file path> -nodes -passin pass:<pkcs12 store password>
Now pass this PEM file to curl with its --cert option when making the call.
Note: the same steps apply whenever you hit this exception making a curl call to any other service that requires a client certificate before allowing the call.
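The complete procedure as a shell script, added here as an example; it is not code from the original page or from Ranger. The keystore path, alias, passwords, Ranger Admin URL and CA file are placeholders, and the endpoint path /service/plugins/secure/policies/download/<serviceName> is assumed to be the route behind ServiceREST.getSecureServicePoliciesIfUpdated from the stack trace above (the port 6182 in the usage lines is the one from the log).

```shell
#!/bin/sh
# Added example, not code from the original page or from Ranger.
# Assumptions: keystore path/alias/passwords, the Ranger Admin URL, the CA file used to
# verify the server, and the endpoint path
# /service/plugins/secure/policies/download/<serviceName> are placeholders.
set -eu

# Step 1: JKS -> PKCS12. keytool ignores a -destkeypass that differs from
# -deststorepass for PKCS12 stores, so one password is used for both.
jks_to_p12() {
  src_jks=$1 src_pass=$2 alias=$3 dest_p12=$4 dest_pass=$5
  keytool -importkeystore \
    -srckeystore "$src_jks" -srcstoretype jks -srcstorepass "$src_pass" -srcalias "$alias" \
    -destkeystore "$dest_p12" -deststoretype PKCS12 \
    -deststorepass "$dest_pass" -destkeypass "$dest_pass"
}

# Step 2: PKCS12 -> PEM holding the private key and the certificate.
# -passin takes the PKCS12 store password. -nodes writes the key unencrypted,
# so the file is restricted to its owner immediately.
p12_to_pem() {
  p12=$1 p12_pass=$2 pem=$3
  openssl pkcs12 -in "$p12" -passin "pass:$p12_pass" -nodes -out "$pem" || return 1
  chmod 600 "$pem"
}

# Check before calling: the PEM must carry both a private key and a certificate.
pem_has_key_and_cert() {
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1" &&
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Print the subject of the certificate that will be presented, to compare with the
# entry that was imported into the Ranger Admin truststore.
pem_subject() {
  openssl x509 -in "$1" -noout -subject
}

# Step 3: call Ranger Admin presenting the client certificate. --cert sends the key
# and certificate from the PEM; --cacert verifies the server instead of skipping
# verification with -k.
ranger_download_policies() {
  admin_url=$1 service=$2 pem=$3 ca_pem=$4
  curl -sS --cert "$pem" --cacert "$ca_pem" \
    "$admin_url/service/plugins/secure/policies/download/$service"
}

# Usage with placeholder values (assumptions, not values from the page):
# jks_to_p12 /etc/hbase/conf/ranger-plugin-keystore.jks changeit rangerHbaseAgent /tmp/hbase-plugin.p12 changeit
# p12_to_pem /tmp/hbase-plugin.p12 changeit /tmp/hbase-plugin.pem
# pem_has_key_and_cert /tmp/hbase-plugin.pem && pem_subject /tmp/hbase-plugin.pem
# ranger_download_policies https://ranger-admin.example.com:6182 cl1_hadoop /tmp/hbase-plugin.pem /tmp/ranger-admin-ca.pem
```

If OpenSSL 3 refuses to read a PKCS12 file produced by an older keytool (legacy RC2 encryption), add -legacy to the openssl pkcs12 command. A "certificate unknown" alert from the server at step 3 means the certificate in the PEM is not trusted by the Ranger Admin truststore; compare pem_subject's output with the truststore entry before debugging anything else.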
Outdated. Finally, after doing these steps I get curl: (35) error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown. Not working as of 2019 with HDP 2.6.3.