Error creating Ranger repository after kerberos integration

ben_grant · ‎04-02-2018

having an error after enabling kerberos on HDF stack. Enabled kafka ranger plugin and restarted kafka. getting messages below

when I check the path, it looks like the client kerberos cc file is created with kafka:hadoop permissions & I can use klist to check that it appears valid. It looks like this is an issue with the Ranger UI site not accepting the kerberos TGT

2018-04-02 08:55:36,133 - Repository creation failed 2018-04-02 08:56:06,160 - checked_call['/usr/bin/kinit -c /var/lib/ambari-agent/tmp/curl_krb_cache/ranger_admin_calls_kafka_cc_12337536370f7a202550f5ffcbb478eb -kt /etc/security/keytabs/kafka.service.keytab kafka/sho-t-sdapap-01.sentry.com@SENTRY.COM > /dev/null'] {'user': 'kafka'} 2018-04-02 08:56:06,254 - checked_call returned (0, '') 2018-04-02 08:56:06,255 - call['ambari-sudo.sh su kafka -l -s /bin/bash -c 'curl --location-trusted -k --negotiate -u : -b /var/lib/ambari-agent/tmp/cookies/e3590509-62a8-4d79-8e34-e63d4e8dd705 -c /var/lib/ambari-agent/tmp/cookies/e3590509-62a8-4d79-8e34-e63d4e8dd705 '"'"'http://sho-t-sdapap-01.sentry.com:6080/service/public/v2/api/service?serviceName=test_kafka&serviceType=kafka&isEnabled=true'"'"' --connect-timeout 10 --max-time 12 -X GET 1>/tmp/tmpKpySPR 2>/tmp/tmpCu42_h''] {'quiet': False, 'env': {'KRB5CCNAME': '/var/lib/ambari-agent/tmp/curl_krb_cache/ranger_admin_calls_kafka_cc_12337536370f7a202550f5ffcbb478eb'}} 2018-04-02 08:56:06,350 - call returned (0, '') 2018-04-02 08:56:06,351 - call['/usr/bin/klist -s /var/lib/ambari-agent/tmp/curl_krb_cache/ranger_admin_calls_kafka_cc_12337536370f7a202550f5ffcbb478eb'] {'user': 'kafka'} 2018-04-02 08:56:06,427 - call returned (0, '') 2018-04-02 08:56:06,429 - call['ambari-sudo.sh su kafka -l -s /bin/bash -c 'curl --location-trusted -k --negotiate -u : -b /var/lib/ambari-agent/tmp/cookies/03e5f985-e8d9-4137-b64a-35ad4ad2e90b -c /var/lib/ambari-agent/tmp/cookies/03e5f985-e8d9-4137-b64a-35ad4ad2e90b http://sho-t-sdapap-01.sentry.com:6080/service/public/v2/api/service --connect-timeout 10 --max-time 12 -H '"'"'Content-Type: application/json'"'"' -X POST -d '"'"'{"assetType": "1", "name": "test_kafka", "repositoryType": "kafka", "configs": {"username": "admin", "tag.download.auth.users": "kafka", "ambari.service.check.user": "ambari-qa", "policy.download.auth.users": "kafka", "zookeeper.connect": "sho-t-sdapap-01.sentry.com:2181,sho-t-sdapap-02.sentry.com:2181,sho-t-sdapap-03.sentry.com:2181", "password": "x7KsV487fs8aQdN7", "commonNameForCertificate": ""}, "type": "kafka", "isEnabled": "true", "description": "kafka repo"}'"'"' 1>/tmp/tmpSUfkfC 2>/tmp/tmpwMO3Z6''] {'quiet': False, 'env': {'KRB5CCNAME': '/var/lib/ambari-agent/tmp/curl_krb_cache/ranger_admin_calls_kafka_cc_12337536370f7a202550f5ffcbb478eb'}} 2018-04-02 08:56:06,517 - call returned (0, '') 2018-04-02 08:56:06,518 - Repository creation failed

vperiasamy · ‎04-02-2018

Can you check if there are any errors in ranger admin logs? That should give clue on why repository creation failed.

ben_grant · ‎04-02-2018

I don't see any errors in /var/log/ranger/admin/xa_portal.log when I restart kafka & recreate the error. Am I looking in the wrong spot? I've tried setting it from info to debug per https://community.hortonworks.com/content/supportkb/49445/how-to-enable-debug-logging-for-ranger-adm... and still don't see anything logged here when I recreate the problem