Created 11-06-2017 03:19 PM
Greetings,
I'm having some trouble with the ranger-knox plugin policy synchronization. I have the following versions in my test setup: Ambari 2.5.1.0, HDP 2.6.1.0-129, Ranger 0.7.0, Knox 0.12.0.
If I go to Access Manager > Service manager > knox and hit "Test connection", everything works fine. The fields are autocompleted with the service definitions and the topologies defined in the knox config. But for some reason plugin status does not show anything related to knox and the policies are not updated in the knox node; /etc/ranger/<cluster_name>_knox/policycache/knox_<cluster_name>_knox.json is empty.
I added a debug log for the ranger.knoxagent in Advanced gateway-log4j
#Ranger Knox Plugin debug
ranger.knoxagent.logger=DEBUG,console,KNOXAGENT
ranger.knoxagent.log.file=ranger.knoxagent.log
log4j.logger.org.apache.ranger=${ranger.knoxagent.logger}
log4j.additivity.org.apache.ranger=false
log4j.appender.KNOXAGENT=org.apache.log4j.DailyRollingFileAppender
log4j.appender.KNOXAGENT.File=${app.log.dir}/${ranger.knoxagent.log.file}
log4j.appender.KNOXAGENT.layout=org.apache.log4j.PatternLayout
log4j.appender.KNOXAGENT.layout.ConversionPattern=%d{ISO8601} %p %c{2}: %m%n %L
log4j.appender.KNOXAGENT.DatePattern=.yyyy-MM-dd
But nothing gets written in ranger.knoxagent.log.
I changed the log levels of Ranger to DEBUG in all the xa_log_appender, but I see no strange errors in the xa_portal.log file.
I'm using self-signed certificates signed with our enterprise CA for both Ranger and all the ranger-plugins. This CA was added to the cacerts file of each node of the cluster and I'm successfully using other ranger-plugins (such as HBase, Hive, HDFS) via SSL.
In the case of knox, I followed this guide https://community.hortonworks.com/articles/14900/demystify-knox-ldap-ssl-ca-cert-integration-1.html to generate a gateway.jks key-pair that's signed with our CA. I use this same gateway.jks file in the Advanced ranger-policymgr-ssl configuration and the truststore points to the cacerts file that contains our enterprise CA's certificate.
I don't know what else to do. Can anyone give me any pointers as to how to debug this issue?
Thanks in advance.
Created 11-06-2017 03:41 PM
Knox plugin downloads policies upon first Knox request, not during the startup of Knox gateway. Send a Knox request to see if plugin downloads the policies. Information about this should be available in Knox gateway log, so you can check there.
Created 11-07-2017 01:10 PM
@vperiasamy that solved the issue. I thought the policies were downloaded immediately upon creation/modification.
Thank you so much.
Created 11-07-2017 02:16 PM
Glad it worked for you. For the Knox plugin, the first policy download happens upon the first Knox request. After that, any policy modifications should be synced by the Knox plugin within 30 seconds, i.e. every 30 seconds the Knox plugin checks for policy updates from the Ranger Admin server. If your issue is resolved, please accept the answer.
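A check for the behaviour described in this thread, added here as an example and not posted by any participant: after one request has gone through the gateway, poll the plugin's policy cache file until it is populated. The function names, the 40-second default (one 30-second poll cycle plus margin) and the assumption that a populated cache is JSON containing a "policies" key are choices of this example; the curl URL in the comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): classify the Ranger Knox plugin
# policy cache file and wait for it to fill after the first Knox request.
#
# Trigger the first download by sending any request through Knox, e.g.
# (placeholder host, topology and CA file):
#   curl -s --cacert /path/to/enterprise-ca.pem -u "$KNOX_USER" \
#        "https://KNOX_HOST:8443/gateway/TOPOLOGY/webhdfs/v1/?op=LISTSTATUS"

# Prints one of: missing | empty | populated | unrecognized
policy_cache_state() {
    cache_file=$1
    if [ ! -e "$cache_file" ]; then
        echo missing
    elif [ ! -s "$cache_file" ]; then
        echo empty            # the symptom reported in the question
    elif grep -q '"policies"' "$cache_file"; then
        echo populated        # assumption: cache JSON carries a "policies" key
    else
        echo unrecognized
    fi
}

# wait_for_policy_cache FILE [TIMEOUT_SECONDS] [INTERVAL_SECONDS]
# Returns 0 once the cache is populated, 1 if the timeout passes first.
wait_for_policy_cache() {
    cache_file=$1
    timeout=${2:-40}
    interval=${3:-5}
    waited=0
    while :; do
        state=$(policy_cache_state "$cache_file")
        if [ "$state" = populated ]; then
            return 0
        fi
        if [ "$waited" -ge "$timeout" ]; then
            break
        fi
        sleep "$interval"
        waited=$((waited + interval))
    done
    echo "policy cache still $state after ${waited}s: $cache_file" >&2
    return 1
}
```

Run it on the Knox node as `wait_for_policy_cache /etc/ranger/<cluster_name>_knox/policycache/knox_<cluster_name>_knox.json`; if it still fails after a request has been sent, the Knox gateway log is the next place to look.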