Active Directory integrated with Ranger - Users/user groups not showing up

Expert Contributor

Hello - I've Active Directory integrated with Ranger for authentication; somehow the users/user groups are not showing up. The error is as shown below; the usersync.log file is attached.

usersynclog.txt

Any ideas on this ?

------------------------------------------------------------------------


26 Apr 2017 22:02:01 WARN FSInputChecker [main] - Problem opening checksum file: file:/usr/hdp/current/ranger-usersync/conf/ugsync.jceks. Ignoring exception:
java.io.FileNotFoundException: /usr/hdp/current/ranger-usersync/conf/.ugsync.jceks.crc (Permission denied)
    at java.io.FileInputStream.open0(Native Method)
    at java.io.FileInputStream.open(FileInputStream.java:195)
    at java.io.FileInputStream.<init>(FileInputStream.java:138)
    at org.apache.hadoop.fs.RawLocalFileSystem$LocalFSFileInputStream.<init>(RawLocalFileSystem.java:111)
    at org.apache.hadoop.fs.RawLocalFileSystem.open(RawLocalFileSystem.java:215)
    at org.apache.hadoop.fs.ChecksumFileSystem$ChecksumFSInputChecker.<init>(ChecksumFileSystem.java:152)
    at org.apache.hadoop.fs.ChecksumFileSystem.open(ChecksumFileSystem.java:348)
    at org.apache.hadoop.fs.FileSystem.open(FileSystem.java:782)
    at org.apache.hadoop.security.alias.JavaKeyStoreProvider.getInputStreamForFile(JavaKeyStoreProvider.java:70)
    at org.apache.hadoop.security.alias.AbstractJavaKeyStoreProvider.<init>(AbstractJavaKeyStoreProvider.java:107)
    at org.apache.hadoop.security.alias.JavaKeyStoreProvider.<init>(JavaKeyStoreProvider.java:49)
    at org.apache.hadoop.security.alias.JavaKeyStoreProvider.<init>(JavaKeyStoreProvider.java:41)
    at org.apache.hadoop.security.alias.JavaKeyStoreProvider$Factory.createProvider(JavaKeyStoreProvider.java:100)
    at org.apache.hadoop.security.alias.CredentialProviderFactory.getProviders(CredentialProviderFactory.java:58)
    at org.apache.ranger.credentialapi.CredentialReader.getDecryptedString(CredentialReader.java:59)
    at org.apache.ranger.authentication.UnixAuthenticationService.init(UnixAuthenticationService.java:224)
    at org.apache.ranger.authentication.UnixAuthenticationService.run(UnixAuthenticationService.java:118)
    at org.apache.ranger.authentication.UnixAuthenticationService.main(UnixAuthenticationService.java:105)
26 Apr 2017 22:02:01 INFO UnixAuthenticationService [main] - Enabling Protocol: [SSLv2Hello]
26 Apr 2017 22:02:01 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1]
26 Apr 2017 22:02:01 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.1]
26 Apr 2017 22:02:01 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.2]
26 Apr 2017 22:02:38 INFO AbstractMapper [UnixUserSyncThread] - Initializing for ranger.usersync.mapping.username.regex
26 Apr 2017 22:02:38 INFO AbstractMapper [UnixUserSyncThread] - Initializing for ranger.usersync.mapping.groupname.regex
26 Apr 2017 22:02:38 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder created
26 Apr 2017 22:02:38 INFO UserGroupSync [UnixUserSyncThread] - initializing source: org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
26 Apr 2017 22:02:38 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization started
26 Apr 2017 22:02:38 WARN FSInputChecker [UnixUserSyncThread] - Problem opening checksum file: file:/usr/hdp/current/ranger-usersync/conf/ugsync.jceks. Ignoring exception:
java.io.FileNotFoundException: /usr/hdp/current/ranger-usersync/conf/.ugsync.jceks.crc (Permission denied)
    at java.io.FileInputStream.open0(Native Method)
    at java.io.FileInputStream.open(FileInputStream.java:195)
    at java.io.FileInputStream.<init>(FileInputStream.java:138)
    at org.apache.hadoop.fs.RawLocalFileSystem$LocalFSFileInputStream.<init>(RawLocalFileSystem.java:111)
    at org.apache.hadoop.fs.RawLocalFileSystem.open(RawLocalFileSystem.java:215)
    at org.apache.hadoop.fs.ChecksumFileSystem$ChecksumFSInputChecker.<init>(ChecksumFileSystem.java:152)
    at org.apache.hadoop.fs.ChecksumFileSystem.open(ChecksumFileSystem.java:348)
    at org.apache.hadoop.fs.FileSystem.open(FileSystem.java:782)
    at org.apache.hadoop.security.alias.JavaKeyStoreProvider.getInputStreamForFile(JavaKeyStoreProvider.java:70)
    at org.apache.hadoop.security.alias.AbstractJavaKeyStoreProvider.<init>(AbstractJavaKeyStoreProvider.java:107)
    at org.apache.hadoop.security.alias.JavaKeyStoreProvider.<init>(JavaKeyStoreProvider.java:49)
    at org.apache.hadoop.security.alias.JavaKeyStoreProvider.<init>(JavaKeyStoreProvider.java:41)
    at org.apache.hadoop.security.alias.JavaKeyStoreProvider$Factory.createProvider(JavaKeyStoreProvider.java:100)
    at org.apache.hadoop.security.alias.CredentialProviderFactory.getProviders(CredentialProviderFactory.java:58)
    at org.apache.ranger.credentialapi.CredentialReader.getDecryptedString(CredentialReader.java:59)
    at org.apache.ranger.unixusersync.config.UserGroupSyncConfig.getLdapBindPassword(UserGroupSyncConfig.java:541)
    at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.setConfig(LdapUserGroupBuilder.java:174)
    at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.init(LdapUserGroupBuilder.java:135)
    at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:55)
    at java.lang.Thread.run(Thread.java:745)
26 Apr 2017 22:02:38 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization completed with -- ldapUrl: ldaps://amp.gdcs-qa.apple.com:636, ldapBindDn: bdp-ldap-auth, ldapBindPassword: ***** , ldapAuthenticationMechanism: simple, searchBase: dc=amp,dc=gdcs-test,dc=apple,dc=com, userSearchBase: [dc=amp,dc=gdcs-qa,dc=apple,dc=com], userSearchScope: 2, userObjectClass: person, userSearchFilter: , extendedUserSearchFilter: (objectclass=person), userNameAttribute: sAMAccountName, userSearchAttributes: [sAMAccountName], userGroupNameAttributeSet: null, pagedResultsEnabled: true, pagedResultsSize: 500, groupSearchEnabled: true, groupSearchBase: [dc=amp,dc=gdcs-qa,dc=apple,dc=com], groupSearchScope: 2, groupObjectClass: groupOfNames, groupSearchFilter: ou=core,dc=amp,dc=gdcs-qa,dc=apple,dc=com, extendedGroupSearchFilter: (&(objectclass=groupOfNames)(ou=core,dc=amp,dc=gdcs-qa,dc=apple,dc=com)(|(member={0})(member={1}))), extendedAllGroupsSearchFilter: (&(objectclass=groupOfNames)(ou=core,dc=amp,dc=gdcs-qa,dc=apple,dc=com)), groupMemberAttributeName: member, groupNameAttribute: distinguishedName, groupSearchAttributes: [member, distinguishedName], groupUserMapSyncEnabled: true, groupSearchFirstEnabled: false, userSearchEnabled: false, ldapReferral: ignore
26 Apr 2017 22:02:38 INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink
26 Apr 2017 22:02:38 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder updateSink started
26 Apr 2017 22:02:38 INFO LdapUserGroupBuilder [UnixUserSyncThread] - Performing user search first
26 Apr 2017 22:02:38 ERROR CustomSSLSocketFactory [UnixUserSyncThread] - Unable to obtain keystore from file [/usr/hdp/current/ranger-usersync/conf/mytruststore.jks]
26 Apr 2017 22:02:38 ERROR UserGroupSync [UnixUserSyncThread] - Failed to initialize UserGroup source/sink. Will retry after 3600000 milliseconds. Error details:
javax.naming.CommunicationException: amp.gdcs-qa.apple.com:636 [Root exception is java.lang.NullPointerException]
    at com.sun.jndi.ldap.Connection.<init>(Connection.java:216)
    at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
    at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1614)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2746)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
    at javax.naming.InitialContext.init(InitialContext.java:244)
    at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
    at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.createLdapContext(LdapUserGroupBuilder.java:147)
    at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.getUsers(LdapUserGroupBuilder.java:377)
    at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(LdapUserGroupBuilder.java:302)
    at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.NullPointerException
    at org.apache.ranger.ldapusersync.process.CustomSSLSocketFactory.createSocket(CustomSSLSocketFactory.java:138)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at com.sun.jndi.ldap.Connection.createSocket(Connection.java:328)
    at com.sun.jndi.ldap.Connection.<init>(Connection.java:203)
    ... 17 more


Contributor

The exception is clearly saying:

26 Apr 2017 22:02:38 ERROR CustomSSLSocketFactory [UnixUserSyncThread] - Unable to obtain keystore from file [/usr/hdp/current/ranger-usersync/conf/mytruststore.jks]

You are using 'ldaps' and therefore you need to add the AD's SSL certificate to the above-mentioned trust store file using the command:

# keytool -import -trustcacerts -alias <alias> -file <path_to_cert> -keystore /usr/hdp/current/ranger-usersync/conf/mytruststore.jks
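The following is an added example, not code from the thread or from Ranger itself. It walks through the repair the reply describes and checks each step: first establish why CustomSSLSocketFactory could not open the file (missing, not a file, unreadable by the service account, or empty all produce the same "Unable to obtain keystore" line), then pull the chain the AD server presents on 636, import every certificate of it under its own alias, fix ownership for the usersync account, and confirm with openssl that the chain now verifies. Assumptions, not facts from the thread: the HDP path and LDAPS endpoint copied from the log, a service account named ranger, the alias prefix ad-ldaps, and that the truststore password (the value of ranger.usersync.truststore.password) is exported as STOREPASS.

```shell
#!/bin/sh
# Added example, not code from the thread or from Ranger. Repairs the
# truststore that CustomSSLSocketFactory could not open and verifies it.
# Assumptions (not facts from the thread): HDP path and LDAPS endpoint
# from the log, service account "ranger", alias prefix "ad-ldaps", and
# the truststore password exported as STOREPASS.
set -u

TRUSTSTORE="${TRUSTSTORE:-/usr/hdp/current/ranger-usersync/conf/mytruststore.jks}"
LDAP_HOST="${LDAP_HOST:-amp.gdcs-qa.apple.com}"
LDAP_PORT="${LDAP_PORT:-636}"
SVC_USER="${SVC_USER:-ranger}"
ALIAS="${ALIAS:-ad-ldaps}"

# Verdict on the file the log names. Prints one word and returns 0 only
# when the current user can read a non-empty regular file there.
check_truststore() {
    f="$1"
    if   [ ! -e "$f" ]; then echo "missing";    return 1
    elif [ ! -f "$f" ]; then echo "not-a-file"; return 1
    elif [ ! -r "$f" ]; then echo "unreadable"; return 1
    elif [ ! -s "$f" ]; then echo "empty";      return 1
    fi
    echo "ok"
}

# The same check from the service account's point of view (needs root).
check_as_service_user() {
    su -s /bin/sh "$SVC_USER" -c "test -r '$1' && echo readable || echo unreadable"
}

# Save the chain the AD server presents on 636 as a PEM bundle.
fetch_chain() {
    openssl s_client -connect "$LDAP_HOST:$LDAP_PORT" -showcerts </dev/null 2>/dev/null \
      | awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{p=0}' > "$1"
}

# One PEM file per certificate: a truststore alias holds exactly one
# certificate, so a bundle is split before import. Prints the part count.
split_chain() {
    awk -v base="$1" 'BEGIN { n = -1 }
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s.%d.pem", base, n) }
        n >= 0 { print > out }
        END { print n + 1 }' "$1"
}

# Import each part under its own alias; -storepass:env keeps the password
# out of the process list. Then list what the store holds.
import_chain() {
    bundle="$1"
    count=$(split_chain "$bundle")
    i=0
    while [ "$i" -lt "$count" ]; do
        keytool -importcert -noprompt -trustcacerts \
            -alias "$ALIAS-$i" -file "$bundle.$i.pem" \
            -keystore "$TRUSTSTORE" -storepass:env STOREPASS
        i=$((i + 1))
    done
    keytool -list -keystore "$TRUSTSTORE" -storepass:env STOREPASS | grep -i trustedCertEntry
}

# The usersync JVM runs as $SVC_USER and only needs to read the store.
fix_perms() {
    chown "$SVC_USER": "$TRUSTSTORE"
    chmod 640 "$TRUSTSTORE"
}

# Independent check: does the server's chain verify against what was imported?
verify_ldaps() {
    openssl s_client -connect "$LDAP_HOST:$LDAP_PORT" -CAfile "$1" </dev/null 2>/dev/null \
      | grep -q 'Verify return code: 0 (ok)'
}

if [ "${1:-}" = "repair" ]; then
    : "${STOREPASS:?export STOREPASS first}"
    echo "truststore before: $(check_truststore "$TRUSTSTORE")"
    bundle=$(mktemp)
    fetch_chain "$bundle"
    import_chain "$bundle"
    fix_perms
    verify_ldaps "$bundle" && echo "LDAPS chain verifies" || echo "chain does NOT verify"
    rm -f "$bundle" "$bundle".*.pem
fi
```

Run it as root with `STOREPASS=... ./fix-truststore.sh repair`, then restart usersync and watch for the "initial load of user/group" line without the CustomSSLSocketFactory error. Two caveats from the log itself: the earlier WARN about .ugsync.jceks.crc is explicitly logged as "Ignoring exception", so it is not what stopped the sync; the fatal step is the keystore load failing, after which CustomSSLSocketFactory.createSocket dereferences the missing store and throws the NullPointerException. Importing the issuing CA rather than only the leaf is the durable choice, because the server certificate will be renewed and the leaf alias would then stop matching.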