Knox policy synchronization

Greetings,

I'm having some trouble with the ranger-knox plugin policy synchronization. I have the following versions in my test setup: Ambari 2.5.1.0, HDP 2.6.1.0-129, Ranger 0.7.0, Knox 0.12.0.

If I go to Access Manager > Service manager > knox and hit "Test connection", everything works fine. The fields are autocompleted with the service definitions and the topologies defined in the knox config. But for some reason the plugin status does not show anything related to knox, and the policies are not updated on the knox node: /etc/ranger/<cluster_name>_knox/policycache/knox_<cluster_name>_knox.json is empty.

I added a debug log for the ranger.knoxagent in Advanced gateway-log4j:

#Ranger Knox Plugin debug
ranger.knoxagent.logger=DEBUG,console,KNOXAGENT
ranger.knoxagent.log.file=ranger.knoxagent.log
log4j.logger.org.apache.ranger=${ranger.knoxagent.logger}
log4j.additivity.org.apache.ranger=false
log4j.appender.KNOXAGENT =org.apache.log4j.DailyRollingFileAppender
log4j.appender.KNOXAGENT.File=${app.log.dir}/${ranger.knoxagent.log.file}
log4j.appender.KNOXAGENT.layout=org.apache.log4j.PatternLayout
log4j.appender.KNOXAGENT.layout.ConversionPattern=%d{ISO8601} %p %c{2}: %m%n %L
log4j.appender.KNOXAGENT.DatePattern=.yyyy-MM-dd

But nothing gets written in ranger.knoxagent.log.

I changed the log levels of Ranger to DEBUG in all the xa_log_appender, but I see no strange errors in the xa_portal.log file.

I'm using self-signed certificates signed with our enterprise CA for both Ranger and all the ranger-plugins. This CA was added to the cacerts file of each node of the cluster and I'm successfully using other ranger-plugins (such as HBase, Hive, HDFS) via SSL.

In the case of knox, I followed this guide https://community.hortonworks.com/articles/14900/demystify-knox-ldap-ssl-ca-cert-integration-1.html to generate a gateway.jks key-pair that's signed with our CA. I use this same gateway.jks file in the Advanced ranger-policymgr-ssl configuration, and the truststore points to the cacerts file that contains our enterprise CA's certificate.

I don't know what else to do. Can anyone give me any pointers as to how to debug this issue?

Thanks in advance.

1 ACCEPTED SOLUTION

Knox plugin downloads policies upon first Knox request, not during the startup of Knox gateway. Send a Knox request to see if plugin downloads the policies. Information about this should be available in Knox gateway log, so you can check there.

3 REPLIES

@vperiasamy that solved the issue. I thought the policies were downloaded immediately upon creation/modification.

Thank you so much.

Glad it worked for you. For the Knox plugin, the first policy download happens upon the first Knox request. After that, any policy modifications should be synced by the Knox plugin within 30 seconds, i.e., every 30 seconds the Knox plugin checks for policy updates from the Ranger Admin server. If your issue is resolved, please accept the answer.
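
A check for the symptom discussed in this thread (a policy cache file that stays empty until the first Knox request), as an added example that is not part of the original posts. It assumes the cache is JSON with the fields `serviceName`, `policyVersion`, `policies` and `isEnabled`; the sample data and the path in the usage line are constructed.

```python
import json
import os
import sys
import time

# Constructed sample of a populated policy cache (field names are assumptions).
SAMPLE_CACHE = {
    "serviceName": "example_knox",
    "policyVersion": 7,
    "policies": [
        {"name": "all - topology, service", "isEnabled": True},
        {"name": "deny-admin-topology", "isEnabled": False},
    ],
}


def policy_cache_status(path, now=None):
    """Classify a Ranger plugin policy cache file.

    States: missing, empty (plugin has not downloaded anything yet),
    corrupt (not a JSON object), no-policies, synced.
    """
    now = time.time() if now is None else now
    if not os.path.exists(path):
        return {"state": "missing"}
    if os.path.getsize(path) == 0:
        return {"state": "empty"}
    try:
        with open(path, encoding="utf-8") as fh:
            doc = json.load(fh)
    except ValueError:  # covers JSON and encoding errors
        return {"state": "corrupt"}
    if not isinstance(doc, dict):
        return {"state": "corrupt"}
    policies = doc.get("policies") or []
    return {
        "state": "synced" if policies else "no-policies",
        "service": doc.get("serviceName"),
        "policy_version": doc.get("policyVersion"),
        "policy_count": len(policies),
        "enabled": sum(1 for p in policies if p.get("isEnabled", True)),
        # Seconds since the file was last written, for information only.
        "age_seconds": round(now - os.path.getmtime(path)),
    }


if __name__ == "__main__":
    # Usage: python check_cache.py /etc/ranger/<cluster_name>_knox/policycache/<file>.json
    print(policy_cache_status(sys.argv[1]))
```

Run it once before and once after sending a request through the gateway: the state should move from `empty` or `missing` to `synced`.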