
Knox Unable to Pull Policies in Ranger after SSL Turned On


I'm working with HDP 2.3.4.7

I'm unable to pull the policies in Ranger for Knox with SSL turned on. I've been successful for both HDFS and Hive, though. My Knox is using a certificate that's signed with the organization's CA. I've downloaded both the root and sub CA and placed them under the default Java location for Ranger under /usr/jdk/.../security/cacerts. I've also added the public certificate of the private certificate that the Knox server is using to /usr/hdp/current/knox-server/data/security/keystore/gateway.jks.

In addition, I've also added Ranger's public certificate to Knox's public keystore as defined under the Knox configuration, which is currently under /usr/hdp/current/knox-server/conf/ranger-plugin-truststore.jks.

However, I'm still unable to pull the policies. Surprisingly, there are no ERRORS in the gateway.log file, so I had to turn on DEBUGGING. When I did that, these are the errors that come up, which have all the signs of a misconfigured SSL happening somewhere. I just don't know where, since I've already added all the certificates I could think of.

Here's the error:

2016-10-05 14:46:30,786 DEBUG io.nio (SelectorManager.java:createEndPoint(842)) - created SCEP@49ebe0fd{l(/xxx.xxx.111.243:23766)<->r(/xxx.xxx.111.243:8443),s=0,open=true,ishut=false,oshut=false,rb=false,wb=false,w=true,i=0}-{SslConnection@1d0027f5 SSL NOT_HANDSHAKING i/o/u=-1/-1/-1 ishut=false oshut=false {AsyncHttpConnection@c3d6fb9,g=HttpGenerator{s=0,h=-1,b=-1,c=-1},p=HttpParser{s=-14,l=0,c=0},r=0}}
2016-10-05 14:46:30,791 DEBUG nio.ChannelEndPoint (ChannelEndPoint.java:shutdownChannelInput(118)) - ishut SCEP@49ebe0fd{l(/xxx.xxx.111.243:23766)<->r(/xxx.xxx.111.243:8443),s=1,open=true,ishut=false,oshut=false,rb=false,wb=false,w=true,i=0r}-{SslConnection@1d0027f5 SSL NOT_HANDSHAKING i/o/u=0/0/0 ishut=false oshut=false {AsyncHttpConnection@c3d6fb9,g=HttpGenerator{s=0,h=-1,b=-1,c=-1},p=HttpParser{s=-14,l=0,c=0},r=0}}
2016-10-05 14:46:30,792 DEBUG nio.ssl (SslConnection.java:process(347)) - [Session-1, SSL_NULL_WITH_NULL_NULL] SslConnection@1d0027f5 SSL NOT_HANDSHAKING i/o/u=0/0/0 ishut=false oshut=false {AsyncHttpConnection@c3d6fb9,g=HttpGenerator{s=0,h=-1,b=-1,c=-1},p=HttpParser{s=-14,l=0,c=0},r=0} NOT_HANDSHAKING filled=-1/0 flushed=0/0
2016-10-05 14:46:30,794 DEBUG nio.ChannelEndPoint (ChannelEndPoint.java:shutdownChannelOutput(157)) - oshut SCEP@49ebe0fd{l(/xxx.xxx.111.243:23766)<->r(/xxx.xxx.111.243:8443),s=1,open=true,ishut=true,oshut=false,rb=false,wb=false,w=true,i=0r}-{SslConnection@1d0027f5 SSL NOT_HANDSHAKING i/o/u=0/0/0 ishut=false oshut=false {AsyncHttpConnection@c3d6fb9,g=HttpGenerator{s=0,h=-1,b=-1,c=-1},p=HttpParser{s=-14,l=0,c=0},r=0}}
2016-10-05 14:46:30,794 DEBUG nio.ChannelEndPoint (ChannelEndPoint.java:close(209)) - close SCEP@49ebe0fd{l(/xxx.xxx.111.243:23766)<->r(/xxx.xxx.111.243:8443),s=1,open=true,ishut=true,oshut=true,rb=false,wb=false,w=true,i=0r}-{SslConnection@1d0027f5 SSL NOT_HANDSHAKING i/o/u=0/0/0 ishut=false oshut=false {AsyncHttpConnection@c3d6fb9,g=HttpGenerator{s=0,h=-1,b=-1,c=-1},p=HttpParser{s=-14,l=0,c=0},r=0}}
2016-10-05 14:46:30,795 DEBUG http.HttpParser (HttpParser.java:parseNext(281)) - filled -1/0
2016-10-05 14:46:30,795 DEBUG io.nio (SelectorManager.java:destroyEndPoint(851)) - destroyEndPoint SCEP@49ebe0fd{l(null)<->r(0.0.0.0/0.0.0.0:8443),s=1,open=false,ishut=true,oshut=true,rb=false,wb=false,w=true,i=0!}-{SslConnection@1d0027f5 SSL NOT_HANDSHAKING i/o/u=0/0/0 ishut=false oshut=false {AsyncHttpConnection@c3d6fb9,g=HttpGenerator{s=0,h=-1,b=-1,c=-1},p=HttpParser{s=0,l=0,c=0},r=0}}
2016-10-05 14:46:30,796 DEBUG nio.ssl (SslConnection.java:process(347)) - [Session-1, SSL_NULL_WITH_NULL_NULL] SslConnection@1d0027f5 SSL NOT_HANDSHAKING i/o/u=0/0/0 ishut=false oshut=false {AsyncHttpConnection@c3d6fb9,g=HttpGenerator{s=0,h=-1,b=-1,c=-1},p=HttpParser{s=0,l=0,c=0},r=0} NOT_HANDSHAKING filled=-1/0 flushed=0/0
2016-10-05 14:46:30,796 DEBUG server.AbstractHttpConnection (AbstractHttpConnection.java:onClose(738)) - closed AsyncHttpConnection@c3d6fb9,g=HttpGenerator{s=0,h=-1,b=-1,c=-1},p=HttpParser{s=0,l=0,c=0},r=0
2016-10-05 14:46:30,796 DEBUG server.AsyncHttpConnection (AsyncHttpConnection.java:handle(145)) - Disabled read interest while writing response SSL NOT_HANDSHAKING i/o/u=0/0/0 ishut=false oshut=false {AsyncHttpConnection@c3d6fb9,g=HttpGenerator{s=0,h=-1,b=-1,c=-1},p=HttpParser{s=0,l=0,c=0},r=0}
2016-10-05 14:46:30,797 DEBUG nio.ssl (SslConnection.java:handle(203)) - [Session-1, SSL_NULL_WITH_NULL_NULL] handle SslConnection@1d0027f5 SSL NOT_HANDSHAKING i/o/u=0/0/0 ishut=false oshut=false {AsyncHttpConnection@c3d6fb9,g=HttpGenerator{s=0,h=-1,b=-1,c=-1},p=HttpParser{s=0,l=0,c=0},r=0} progress=false

Interestingly enough, the IP addresses that are displayed in the DEBUG are the same. I would have thought I would see the other IP address reference both the Knox server and the Ranger server. I must be missing something here.
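
An added example, not part of the original post and not Knox or Ranger code: a small triage of Jetty DEBUG lines like those quoted above. It groups lines by `SslConnection` id and flags connections that hit end-of-stream (`filled=-1`) while still on the pre-handshake `SSL_NULL_WITH_NULL_NULL` session, which is a different signature from a certificate-trust failure raised during a handshake. The function name `triage`, the verdict labels and the fourth sample line are assumptions made for illustration.

```python
import re

# Constructed sample: the first three lines are shortened from the DEBUG output
# quoted in the post; the last line is invented to show the contrasting case.
SAMPLE = """\
2016-10-05 14:46:30,786 DEBUG io.nio - created SCEP@49ebe0fd{l(/xxx.xxx.111.243:23766)<->r(/xxx.xxx.111.243:8443),s=0}-{SslConnection@1d0027f5 SSL NOT_HANDSHAKING i/o/u=-1/-1/-1}
2016-10-05 14:46:30,792 DEBUG nio.ssl - [Session-1, SSL_NULL_WITH_NULL_NULL] SslConnection@1d0027f5 SSL NOT_HANDSHAKING i/o/u=0/0/0 NOT_HANDSHAKING filled=-1/0 flushed=0/0
2016-10-05 14:46:30,795 DEBUG io.nio - destroyEndPoint SCEP@49ebe0fd{l(null)<->r(0.0.0.0/0.0.0.0:8443),s=1}-{SslConnection@1d0027f5 SSL NOT_HANDSHAKING i/o/u=0/0/0}
2016-10-05 14:46:31,100 DEBUG nio.ssl - [Session-2, SSL_NULL_WITH_NULL_NULL] SslConnection@0badc0de SSL NEED_UNWRAP i/o/u=0/0/0 NEED_UNWRAP filled=120/0 flushed=0/0
"""

ENDPOINT = re.compile(r"created SCEP@\w+\{l\(/?([^():]+):(\d+)\)<->r\(/?([^():]+):(\d+)\)")
CONN = re.compile(r"SslConnection@(\w+)")
SUITE = re.compile(r"\[Session-\d+, (\w+)\]")
FILLED = re.compile(r"filled=(-?\d+)/")
HANDSHAKING = re.compile(r"\b(NEED_WRAP|NEED_UNWRAP|NEED_TASK|FINISHED)\b")
NULL_SUITE = "SSL_NULL_WITH_NULL_NULL"  # JSSE placeholder before a suite is negotiated


def triage(log_text):
    """Group Jetty SslConnection DEBUG lines by connection id and classify each."""
    conns = {}
    for line in log_text.splitlines():
        conn = CONN.search(line)
        if not conn:
            continue
        c = conns.setdefault(conn.group(1), {"same_host": None, "eof": False, "handshake": False})
        ep = ENDPOINT.search(line)
        if ep:
            c["same_host"] = ep.group(1) == ep.group(3)  # both ends on one address
        suite = SUITE.search(line)
        if HANDSHAKING.search(line) or (suite and suite.group(1) != NULL_SUITE):
            c["handshake"] = True
        filled = FILLED.search(line)
        if filled and int(filled.group(1)) < 0:
            c["eof"] = True  # the read returned end-of-stream
    for c in conns.values():
        if c["handshake"]:
            c["verdict"] = "handshake-started"
        elif c["eof"]:
            c["verdict"] = "closed-before-handshake"
        else:
            c["verdict"] = "inconclusive"
    return conns


if __name__ == "__main__":
    for cid, info in triage(SAMPLE).items():
        print(cid, info)
```
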

2 REPLIES

Re: Knox Unable to Pull Policies in Ranger after SSL Turned On

Do you see any errors in the Ranger logs?


Re: Knox Unable to Pull Policies in Ranger after SSL Turned On

I'm having the same issue.

Did you figure it out?
