
CDP 7.1.6 Ranger KMS test connection failed: "User:ranger not allowed to do 'GET_KEYS'"

Explorer

Hello Gurus,

 

I am having a Ranger KMS test connection failure; it is a POC test.

CDP 7.1.6 with Isilon OneFS v8.2.2.0, AD kerberos enabled.

 

(Screenshots: Ranger KMS is up and running; the default policy, logged in as keyadmin; the test connection failed.)

 

I already added the following lines in kms-site.xml (added in the Ranger KMS configuration):

hadoop.kms.proxyuser.rangeradmin.hosts=*
hadoop.kms.proxyuser.rangeradmin.groups=*
hadoop.kms.proxyuser.rangeradmin.users=*

 

Ranger KMS debug:

2021-06-26 06:51:38,420 DEBUG org.apache.ranger.plugin.classloader.RangerPluginClassLoader: ==> RangerPluginClassLoader.deactivate()
2021-06-26 06:51:38,420 DEBUG org.apache.ranger.plugin.classloader.RangerPluginClassLoader: <== RangerPluginClassLoader.deactivate()
2021-06-26 06:51:38,420 ERROR org.apache.hadoop.crypto.key.kms.server.KMS: Exception in getkeyNames.
org.apache.hadoop.security.authorize.AuthorizationException: User:ranger not allowed to do 'GET_KEYS'
2021-06-26 06:51:38,420 WARN org.apache.hadoop.crypto.key.kms.server.KMS: User ranger (auth:PROXY) via rangeradmin/n02.py.local@PY.LOCAL (auth:KERBEROS) request GET http://n03.py.local:9292/kms/v1/keys/names?doAs=ranger caused exception.
org.apache.hadoop.security.authorize.AuthorizationException: User:ranger not allowed to do 'GET_KEYS'
2021-06-26 06:52:04,559 INFO org.apache.ranger.audit.provider.BaseAuditHandler: Audit Status Log: name=kms.async.summary.multi_dest.batch.solr, interval=01:00.003 minutes, events=1, deferredCount=1, totalEvents=3, totalDeferredCount=3
2021-06-26 06:52:04,560 INFO org.apache.ranger.audit.destination.SolrAuditDestination: Solr zkHosts=null, solrURLs=null, collectionName=ranger_audits
2021-06-26 06:52:04,560 ERROR org.apache.ranger.audit.queue.AuditFileSpool: Error sending logs to consumer. provider=kms.async.summary.multi_dest.batch, consumer=kms.async.summary.multi_dest.batch.solr
2021-06-26 06:52:04,560 INFO org.apache.ranger.audit.queue.AuditFileSpool: Destination is down. sleeping for 30000 milli seconds. indexQueue=0, queueName=kms.async.summary.multi_dest.batch, consumer=kms.async.summary.multi_dest.batch.solr
2021-06-26 06:52:04,691 INFO org.apache.ranger.audit.provider.BaseAuditHandler: Audit Status Log: name=kms.async.summary.multi_dest.batch.hdfs, interval=01:00.012 minutes, events=1, deferredCount=1, totalEvents=3, totalDeferredCount=3

 

Is there anything misconfigured or that needs to be checked? Thank you.

 

Best Regards,

Jake Zhang
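As an added example (not from the post, and not Cloudera or Ranger code), a small Python triage script that parses KMS log lines of the format shown above and aggregates the AuthorizationException denials by effective user, proxying principal and KMS operation, so a defender can see at a glance which doAs identity is being refused. The sample input reuses the lines from the post plus one constructed repeat of the WARN/exception pair.

```python
import re
from collections import Counter

# Sample input: lines copied from the post above, plus one constructed repeat
# (the 06:53:10 pair) so the aggregation has something to count.
SAMPLE_LOG = "\n".join([
    "2021-06-26 06:51:38,420 ERROR org.apache.hadoop.crypto.key.kms.server.KMS: Exception in getkeyNames.",
    "org.apache.hadoop.security.authorize.AuthorizationException: User:ranger not allowed to do 'GET_KEYS'",
    "2021-06-26 06:51:38,420 WARN org.apache.hadoop.crypto.key.kms.server.KMS: User ranger (auth:PROXY) via rangeradmin/n02.py.local@PY.LOCAL (auth:KERBEROS) request GET http://n03.py.local:9292/kms/v1/keys/names?doAs=ranger caused exception.",
    "org.apache.hadoop.security.authorize.AuthorizationException: User:ranger not allowed to do 'GET_KEYS'",
    "2021-06-26 06:52:04,560 INFO org.apache.ranger.audit.destination.SolrAuditDestination: Solr zkHosts=null, solrURLs=null, collectionName=ranger_audits",
    "2021-06-26 06:53:10,001 WARN org.apache.hadoop.crypto.key.kms.server.KMS: User ranger (auth:PROXY) via rangeradmin/n02.py.local@PY.LOCAL (auth:KERBEROS) request GET http://n03.py.local:9292/kms/v1/keys/names?doAs=ranger caused exception.",
    "org.apache.hadoop.security.authorize.AuthorizationException: User:ranger not allowed to do 'GET_KEYS'",
])

# The KMS WARN line names the effective user, the optional proxying principal
# (present when the request carried doAs=...), the HTTP method and the URL.
WARN_RE = re.compile(
    r"WARN org\.apache\.hadoop\.crypto\.key\.kms\.server\.KMS: "
    r"User (?P<user>\S+) \(auth:(?P<user_auth>\w+)\)"
    r"(?: via (?P<proxy>\S+) \(auth:(?P<proxy_auth>\w+)\))? "
    r"request (?P<method>[A-Z]+) (?P<url>\S+) caused exception\."
)
# The exception text follows on the next line and names the denied KMS operation.
DENY_RE = re.compile(
    r"AuthorizationException: User:(?P<user>\S+) not allowed to do '(?P<op>[A-Z_]+)'"
)


def parse_kms_denials(log_text):
    """Return one record per KMS WARN line that is followed by an AuthorizationException."""
    lines = log_text.splitlines()
    records = []
    for i, line in enumerate(lines):
        m = WARN_RE.search(line)
        if not m or i + 1 >= len(lines):
            continue
        d = DENY_RE.search(lines[i + 1])
        if not d:
            continue  # WARN caused by something other than an authorization denial
        records.append({
            "timestamp": line[:23],          # "YYYY-MM-DD HH:MM:SS,mmm" prefix
            "user": m["user"],               # effective (doAs) user being refused
            "proxy": m["proxy"],             # None when the call was not proxied
            "op": d["op"],                   # KMS operation, e.g. GET_KEYS
            "method": m["method"],
            "url": m["url"],
        })
    return records


def summarize(records):
    """Count denials by (effective user, proxying principal, KMS operation)."""
    return Counter((r["user"], r["proxy"], r["op"]) for r in records)
```

A repeated (user, proxy, op) entry with a correct kms-site.xml proxyuser setup points at the Ranger KMS policy (assignment or sync) rather than at the proxy configuration.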



Super Collaborator

@jakezhang Assign the getkeys permission for the ranger user in the Ranger policy.

Explorer

Thanks.

However, the permissions are already assigned in the default policy, cm_kms:

(Screenshot of the cm_kms policy.)

 

 

Super Collaborator

@jakezhang Check whether the cm_kms policy is in sync.

Also, modify the Config Properties values in cm_kms as shown below:

tag.download.auth.users=kms
policy.download.auth.users=keyadmin,rangerkms

 

Explorer

Thank you.

You might see they are already added in the previous screenshot.

The ranger user is added as well, but it did not work.

 

tag.download.auth.users=kms,ranger
policy.download.auth.users=keyadmin,rangerkms,ranger

 

Super Collaborator

@jakezhang Can you check whether the cm_kms policy is in sync after adding the ranger user to the policy?

Share a screenshot of Ranger UI => Audit => Plugins.

Explorer

Thanks @Scharan 

 

I don't think it's in sync since the test connection failed.

 

(Three screenshots: kms-4, kms-5, kms-6.)

Super Collaborator

@jakezhang From the screenshot, I can see the cm_kms policy is not in sync.

The policy needs to be synced after the ranger user is added to the policy; only then will the Ranger user be allowed to get the keys.

(Accepted solution)

Explorer

Thanks, but how can I get the policy synced?

Super Collaborator

@jakezhang Check the Ranger KMS logs and see what the error is while refreshing the policy.