After Enabling Ranger with SSL, YARN & HDFS are not sync

moreharish987 · ‎12-06-2018

I have configured SSL with Ranger. Now ranger is started perfectly, but my resource manager UI is not reachable..

Belo is the error from /var/log/hadoop-yarn/yarn/yarn-yarn-resourcemanager-master1.log

ERROR util.PolicyRefresher (PolicyRefresher.java:loadPolicyfromPolicyAdmin(288)) - PolicyRefresher(serviceName=Prod_yarn): failed to refresh policies. Will continue to use last known version of policies (24)

pbhagade · ‎12-06-2018

Hi @Harish More ,

I see you have two issues here.

As, you mentioned RM UI is not reachable, is it just RM UI is not accessible? Can u access HDFS UI?
Do you see any exceptions in RM logs?

Regarding policy sync.
Once you enabled Ranger SSL, did you configured Ranger Plugin SSL for each components for which you have enabled plugin.
Like example for HDFS: Configuring the Ranger HDFS Plugin for SSL

moreharish987 · ‎12-07-2018

hi @Pravin Bhagade

Even HDFS UI is not accessible.

When I am trying to configure ranger hdfs and yarn plugin, using the link you have provided.

after hitting below command

keytool -genkey -keyalg RSA -alias rangerHdfsAgent -keystore ranger-plugin-keystore.jks -storepass myKeyFilePassword -validity 360 -keysize 2048

the error is Alias rangerHdfsAgent name is not available.

pbhagade · ‎12-07-2018

Which doc you followed to configure HDFS SSL?

Regarding other error, You should see something like below when you hit the cmd. I java used by the keytool cmd.

[root@alpha ~]# /usr/jdk64/jdk1.8.0_112/bin/keytool -genkey -keyalg RSA -alias rangerHdfsAgent -keystore ranger-plugin-keystore.jks -storepass myKeyFilePassword -validity 360 -keysize 2048
What is your first and last name?
  [Unknown]:  
What is the name of your organizational unit?
  [Unknown]:  
What is the name of your organization?
  [Unknown]:  
What is the name of your City or Locality?
  [Unknown]:  
What is the name of your State or Province?
  [Unknown]:  
What is the two-letter country code for this unit?
  [Unknown]:  
Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
  [no]:

moreharish987 · ‎12-07-2018

Actually I have certificate available so i used below command.

keytool -importkeystore -srckeystore certificate.p12 -destkeystore /etc/ranger/admin/conf/ranger-plugin-keystore.jks -deststoretype pkcs12 -alias rangerHdfsAgent

Then that error comes

pbhagade · ‎12-08-2018

Please share the correct cmd to avoid confusion.

Please use below cmd:

keytool -v -importkeystore -srckeystore eneCert.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS

Earlier you were passing incorrect deststoretype and no need of -alias this cmd.

or try below.

keytool -importkeystore -srckeystore [MY_FILE.p12] -srcstoretype pkcs12 -srcalias [ALIAS_SRC] -destkeystore [MY_KEYSTORE.jks] -deststoretype jks -deststorepass [PASSWORD_JKS] -destalias [ALIAS_DEST]

moreharish987 · ‎12-11-2018

Thank you for the reply. I will try this