Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Error creating Ranger repository after kerberos integration

Error creating Ranger repository after kerberos integration

Explorer

having an error after enabling kerberos on HDF stack. Enabled kafka ranger plugin and restarted kafka. getting messages below

when I check the path, it looks like the client kerberos cc file is created with kafka:hadoop permissions & I can use klist to check that it appears valid. It looks like this is an issue with the Ranger UI site not accepting the kerberos TGT

2018-04-02 08:55:36,133 - Repository creation failed 2018-04-02 08:56:06,160 - checked_call['/usr/bin/kinit -c /var/lib/ambari-agent/tmp/curl_krb_cache/ranger_admin_calls_kafka_cc_12337536370f7a202550f5ffcbb478eb -kt /etc/security/keytabs/kafka.service.keytab kafka/sho-t-sdapap-01.sentry.com@SENTRY.COM > /dev/null'] {'user': 'kafka'} 2018-04-02 08:56:06,254 - checked_call returned (0, '') 2018-04-02 08:56:06,255 - call['ambari-sudo.sh su kafka -l -s /bin/bash -c 'curl --location-trusted -k --negotiate -u : -b /var/lib/ambari-agent/tmp/cookies/e3590509-62a8-4d79-8e34-e63d4e8dd705 -c /var/lib/ambari-agent/tmp/cookies/e3590509-62a8-4d79-8e34-e63d4e8dd705 '"'"'http://sho-t-sdapap-01.sentry.com:6080/service/public/v2/api/service?serviceName=test_kafka&serviceType=kafka&isEnabled=true'"'"' --connect-timeout 10 --max-time 12 -X GET 1>/tmp/tmpKpySPR 2>/tmp/tmpCu42_h''] {'quiet': False, 'env': {'KRB5CCNAME': '/var/lib/ambari-agent/tmp/curl_krb_cache/ranger_admin_calls_kafka_cc_12337536370f7a202550f5ffcbb478eb'}} 2018-04-02 08:56:06,350 - call returned (0, '') 2018-04-02 08:56:06,351 - call['/usr/bin/klist -s /var/lib/ambari-agent/tmp/curl_krb_cache/ranger_admin_calls_kafka_cc_12337536370f7a202550f5ffcbb478eb'] {'user': 'kafka'} 2018-04-02 08:56:06,427 - call returned (0, '') 2018-04-02 08:56:06,429 - call['ambari-sudo.sh su kafka -l -s /bin/bash -c 'curl --location-trusted -k --negotiate -u : -b /var/lib/ambari-agent/tmp/cookies/03e5f985-e8d9-4137-b64a-35ad4ad2e90b -c /var/lib/ambari-agent/tmp/cookies/03e5f985-e8d9-4137-b64a-35ad4ad2e90b http://sho-t-sdapap-01.sentry.com:6080/service/public/v2/api/service --connect-timeout 10 --max-time 12 -H '"'"'Content-Type: application/json'"'"' -X POST -d '"'"'{"assetType": "1", "name": "test_kafka", "repositoryType": "kafka", "configs": {"username": "admin", "tag.download.auth.users": "kafka", "ambari.service.check.user": "ambari-qa", "policy.download.auth.users": "kafka", "zookeeper.connect": "sho-t-sdapap-01.sentry.com:2181,sho-t-sdapap-02.sentry.com:2181,sho-t-sdapap-03.sentry.com:2181", "password": "x7KsV487fs8aQdN7", "commonNameForCertificate": ""}, "type": "kafka", "isEnabled": "true", "description": "kafka repo"}'"'"' 1>/tmp/tmpSUfkfC 2>/tmp/tmpwMO3Z6''] {'quiet': False, 'env': {'KRB5CCNAME': '/var/lib/ambari-agent/tmp/curl_krb_cache/ranger_admin_calls_kafka_cc_12337536370f7a202550f5ffcbb478eb'}} 2018-04-02 08:56:06,517 - call returned (0, '') 2018-04-02 08:56:06,518 - Repository creation failed

2 REPLIES 2
Highlighted

Re: Error creating Ranger repository after kerberos integration

Can you check if there are any errors in ranger admin logs? That should give clue on why repository creation failed.

Highlighted

Re: Error creating Ranger repository after kerberos integration

Explorer

I don't see any errors in /var/log/ranger/admin/xa_portal.log when I restart kafka & recreate the error. Am I looking in the wrong spot? I've tried setting it from info to debug per https://community.hortonworks.com/content/supportkb/49445/how-to-enable-debug-logging-for-ranger-adm... and still don't see anything logged here when I recreate the problem

Don't have an account?
Coming from Hortonworks? Activate your account here