Ranger 0.4 usersync, missing local linux group in Ranger


Hi, I am running Ranger 0.4 with local linux usersync.

On the linux boxes I have defined two additional groups called "hadoop-users" and "hadoop-admins".

After restarting ranger-usersync, there is just the group "hadoop-users" visible in Ranger-Admin-Webui, but "hadoop-admins" is missing?!?!

What is going on there ?!?!

Thanks and regards, Gerd

1 ACCEPTED SOLUTION


Hello,

just to update you on the real solution of the problem:

it was caused by an underlying SSL cert. issue after enabling Ranger-HTTPS. The issue got solved by importing the ranger-admin trust into the java keystore "/usr/java/jdk1.7.0_79/jre/lib/security/cacerts"

Assuming you have a Ranger cert in /etc/ranger/admin/conf/ranger-admin-keystore.jks, then:

sudo /usr/java/jdk1.7.0_79/bin/keytool -export -keystore /etc/ranger/admin/conf/ranger-admin-keystore.jks -alias ranger-admin -file /etc/hadoop/conf/ranger-admin-trust.cer

sudo /usr/java/jdk1.7.0_79/bin/keytool -import -file /etc/hadoop/conf/ranger-admin-trust.cer -alias ranger-admin -keystore /usr/java/jdk1.7.0_79/jre/lib/security/cacerts

#followed by a Ranger- and usersync-restart

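To confirm that the fix in the accepted answer took effect, and to catch the same failure after a certificate renewal, this added example (not part of the original thread) compares the SHA256 fingerprint of the `ranger-admin` entry in the Ranger Admin keystore with the one in the JVM `cacerts`. The paths and the alias are those quoted in the answer; the `KS_PASS` / `TS_PASS` environment variable names, the function names and the status words are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Paths and alias are the ones quoted in the
# accepted answer; KS_PASS / TS_PASS and all function names are assumptions.

KEYTOOL=${KEYTOOL:-/usr/java/jdk1.7.0_79/bin/keytool}
ADMIN_KS=${ADMIN_KS:-/etc/ranger/admin/conf/ranger-admin-keystore.jks}
JVM_TS=${JVM_TS:-/usr/java/jdk1.7.0_79/jre/lib/security/cacerts}
CERT_ALIAS=${CERT_ALIAS:-ranger-admin}

# Read `keytool -list -v` output on stdin and print the first SHA256
# fingerprint (the entry's leaf certificate), upper-cased. Prints nothing
# when the listing contains no fingerprint, e.g. when the alias is absent.
extract_sha256() {
  sed -n -E 's/^.*SHA-?256: *([0-9A-Fa-f:]{95}).*$/\1/p' | head -n 1 | tr 'a-f' 'A-F'
}

# $1 = listing of the alias in the Ranger Admin keystore
# $2 = listing of the alias in the JVM truststore
# Prints: match | stale | missing | no-server-cert
trust_status() {
  ts_served=$(printf '%s\n' "$1" | extract_sha256)
  ts_trusted=$(printf '%s\n' "$2" | extract_sha256)
  if [ -z "$ts_served" ]; then echo "no-server-cert"
  elif [ -z "$ts_trusted" ]; then echo "missing"      # alias never imported
  elif [ "$ts_served" = "$ts_trusted" ]; then echo "match"
  else echo "stale"                                   # cert replaced since import
  fi
}

# Live check. Passwords are read from exported environment variables through
# keytool's -storepass:env modifier, so they do not appear in the process list.
check_ranger_trust() {
  crt_ks=$("$KEYTOOL" -list -v -alias "$CERT_ALIAS" -keystore "$ADMIN_KS" \
             -storepass:env KS_PASS 2>&1 || true)
  crt_ts=$("$KEYTOOL" -list -v -alias "$CERT_ALIAS" -keystore "$JVM_TS" \
             -storepass:env TS_PASS 2>&1 || true)
  trust_status "$crt_ks" "$crt_ts"
}
```

Export `KS_PASS` and `TS_PASS`, then call `check_ranger_trust`; `missing` or `stale` means that truststore does not hold the certificate currently in the Ranger Admin keystore.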


Hello @sneethiraj ,

thanks for your answer.

On all nodes the group hadoop-admins contains:

hadoop-admins:x:23231:w999711,w1004360,hdfs

and at least the user 'hdfs' is a local user and already sync'ed into Ranger, and I also restarted the ranger-usersync service with the following log entries:

18 Dec 2015 08:42:00  INFO UnixAuthenticationService [main] - Starting User Sync Service!
18 Dec 2015 08:42:00  INFO UnixAuthenticationService [main] - Enabling Unix Auth Service!
18 Dec 2015 08:42:00  INFO UserGroupSync [UnixUserSyncThread] - initializing sink: com.xasecure.unixusersync.process.PolicyMgrUserGroupBuilder
18 Dec 2015 08:42:00  INFO UnixAuthenticationService [main] - Enabling Protocol: [SSLv2Hello]
18 Dec 2015 08:42:00  INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1]
18 Dec 2015 08:42:00  INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.1]
18 Dec 2015 08:42:00  INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.2]
18 Dec 2015 08:42:01  INFO UserGroupSync [UnixUserSyncThread] - initializing source: com.xasecure.unixusersync.process.UnixUserGroupBuilder
18 Dec 2015 08:42:01  INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink
18 Dec 2015 08:42:01  INFO UserGroupSync [UnixUserSyncThread] - End: initial load of user/group from source==>sink
18 Dec 2015 08:42:01  INFO UserGroupSync [UnixUserSyncThread] - Done initializing user/group source and sink

But I still cannot see the group hadoop-admins in Ranger:

[Screenshot: 917-hadoop-groups.png]

What else to check ? Is there some Debug output possible for usersync process ?!?


Hi @Gerd Koenig

Are any of the sync'ed users part of the hadoop-admins group?

Thanks,


Hi @vperiasamy ,

yes, the user 'hdfs' has been sync'ed to Ranger and he is part of that group on OS level (the hadoop-admins group exists on all nodes in the cluster and 'hdfs' is member on all nodes as well).

[Screenshot: 995-user-hdfs.png]

=> user is there, but the group not....

Any hint highly appreciated 😉


@Gerd Koenig

You should be able to accept your own answer now