Ranger 0.4 usersync, missing local linux group in Ranger

Hi, I am running Ranger 0.4 with local linux usersync.

On the linux boxes I have defined two additional groups called "hadoop-users" and "hadoop-admins".

After restarting ranger-usersync, there is just the group "hadoop-users" visible in Ranger-Admin-Webui, but "hadoop-admins" is missing?!?!

What is going on there ?!?!

Thanks and regards, Gerd

1 ACCEPTED SOLUTION

Hello,

just to update you on the real solution of the problem:

It was caused by an underlying SSL cert. issue after enabling Ranger-HTTPS. The issue got solved by importing the ranger-admin trust into the java keystore "/usr/java/jdk1.7.0_79/jre/lib/security/cacerts"

Assuming you have a Ranger cert in /etc/ranger/admin/conf/ranger-admin-keystore.jks, then:

sudo /usr/java/jdk1.7.0_79/bin/keytool -export -keystore /etc/ranger/admin/conf/ranger-admin-keystore.jks -alias ranger-admin -file /etc/hadoop/conf/ranger-admin-trust.cer

sudo /usr/java/jdk1.7.0_79/bin/keytool -import -file /etc/hadoop/conf/ranger-admin-trust.cer -alias ranger-admin -keystore /usr/java/jdk1.7.0_79/jre/lib/security/cacerts

#followed by a Ranger- and usersync-restart

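The export/import from the accepted answer, as an added example that is not part of the original post: it goes one step further and makes the import idempotent, refusing to touch an existing `ranger-admin` entry in `cacerts` whose fingerprint no longer matches the Ranger Admin keystore. Paths and alias are the ones quoted in the answer; the function names are hypothetical, and the parser assumes the non-verbose `keytool -list` line `Certificate fingerprint (SHA1): ...`.

```shell
#!/bin/sh
# Added example, not from the original post. Paths and alias are the ones quoted
# in the accepted answer; function names are hypothetical.
KEYTOOL=${KEYTOOL:-/usr/java/jdk1.7.0_79/bin/keytool}
SRC_KS=${SRC_KS:-/etc/ranger/admin/conf/ranger-admin-keystore.jks}
CACERTS=${CACERTS:-/usr/java/jdk1.7.0_79/jre/lib/security/cacerts}
ALIAS=${ALIAS:-ranger-admin}

# Read non-verbose `keytool -list` output on stdin and print the fingerprint as
# upper-case hex without colons. Accepts "(SHA1):" and "(SHA-256):" labels.
fingerprint_from_list() {
  sed -n 's/^[[:space:]]*Certificate fingerprint ([^)]*):[[:space:]]*//p' |
    head -n 1 | tr -d ': \r' | tr 'abcdef' 'ABCDEF'
}

# Compare source and trust-store fingerprints: no-source | import | ok | mismatch
trust_state() {
  if [ -z "$1" ]; then echo no-source
  elif [ -z "$2" ]; then echo import
  elif [ "$1" = "$2" ]; then echo ok
  else echo mismatch; fi
}

# Import only when the alias is absent; report a stale entry instead of replacing it.
sync_trust() (
  src=$("$KEYTOOL" -list -keystore "$SRC_KS" -alias "$ALIAS" | fingerprint_from_list)
  dst=$("$KEYTOOL" -list -keystore "$CACERTS" -alias "$ALIAS" | fingerprint_from_list)
  case $(trust_state "$src" "$dst") in
    ok) echo "$ALIAS already trusted, fingerprint $dst" ;;
    import)
      cer=$(mktemp) || exit 1
      "$KEYTOOL" -export -keystore "$SRC_KS" -alias "$ALIAS" -file "$cer" &&
        "$KEYTOOL" -import -file "$cer" -alias "$ALIAS" -keystore "$CACERTS"
      rc=$?; rm -f "$cer"; exit "$rc" ;;
    mismatch)
      echo "stale $ALIAS in $CACERTS: have $dst, keystore has $src" >&2; exit 2 ;;
    *) echo "alias $ALIAS not found in $SRC_KS" >&2; exit 3 ;;
  esac
)

# Run with --apply on the usersync host; keytool prompts for the store passwords.
if [ "${1:-}" = "--apply" ]; then sync_trust; fi
```

As in the answer, a restart of Ranger and usersync is still needed after a successful import.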

Hello @sneethiraj ,

thanks for your answer.

On all nodes the group hadoop-admins contains:

hadoop-admins:x:23231:w999711,w1004360,hdfs

and at least the user 'hdfs' is a local user and already sync'ed into Ranger, and I also restarted the ranger-usersync service with the following log entries:

18 Dec 2015 08:42:00  INFO UnixAuthenticationService [main] - Starting User Sync Service!
18 Dec 2015 08:42:00  INFO UnixAuthenticationService [main] - Enabling Unix Auth Service!
18 Dec 2015 08:42:00  INFO UserGroupSync [UnixUserSyncThread] - initializing sink: com.xasecure.unixusersync.process.PolicyMgrUserGroupBuilder
18 Dec 2015 08:42:00  INFO UnixAuthenticationService [main] - Enabling Protocol: [SSLv2Hello]
18 Dec 2015 08:42:00  INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1]
18 Dec 2015 08:42:00  INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.1]
18 Dec 2015 08:42:00  INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.2]
18 Dec 2015 08:42:01  INFO UserGroupSync [UnixUserSyncThread] - initializing source: com.xasecure.unixusersync.process.UnixUserGroupBuilder
18 Dec 2015 08:42:01  INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink
18 Dec 2015 08:42:01  INFO UserGroupSync [UnixUserSyncThread] - End: initial load of user/group from source==>sink
18 Dec 2015 08:42:01  INFO UserGroupSync [UnixUserSyncThread] - Done initializing user/group source and sink

But I still cannot see the group hadoop-admins in Ranger:

917-hadoop-groups.png

What else to check ? Is there some Debug output possible for usersync process ?!?

Hi @Gerd Koenig

Are any of the synced users part of the hadoop-admins group?

Thanks,

Hi @vperiasamy ,

yes, the user 'hdfs' has been sync'ed to Ranger and he is part of that group on OS level (the hadoop-admins group exists on all nodes in the cluster and 'hdfs' is member on all nodes as well).

995-user-hdfs.png

=> user is there, but the group not....

Any hint highly appreciated 😉

@Gerd Koenig

You should be able to accept your own answer now