Ranger 0.4 usersync, missing local linux group in Ranger

Hi, I am running Ranger 0.4 with local linux usersync.

On the linux boxes I have defined two additional groups called "hadoop-users" and "hadoop-admins".

After restarting ranger-usersync, there is just the group "hadoop-users" visible in Ranger-Admin-Webui, but "hadoop-admins" is missing?!?!

What is going on there ?!?!

Thanks and regards, Gerd

Re: Ranger 0.4 usersync, missing local linux group in Ranger

Hello,

just to update you on the real solution of the problem:

It was caused by an underlying SSL cert issue after enabling Ranger-HTTPS. The issue got solved by importing the ranger-admin trust into the Java keystore "/usr/java/jdk1.7.0_79/jre/lib/security/cacerts".

Assuming you have a Ranger cert in /etc/ranger/admin/conf/ranger-admin-keystore.jks, then:

sudo /usr/java/jdk1.7.0_79/bin/keytool -export -keystore /etc/ranger/admin/conf/ranger-admin-keystore.jks -alias ranger-admin -file /etc/hadoop/conf/ranger-admin-trust.cer

sudo /usr/java/jdk1.7.0_79/bin/keytool -import -file /etc/hadoop/conf/ranger-admin-trust.cer -alias ranger-admin -keystore /usr/java/jdk1.7.0_79/jre/lib/security/cacerts

#followed by a Ranger- and usersync-restart
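
Added example, not part of the original post: a shell check that the certificate imported into the JVM cacerts under the alias ranger-admin is the same one held in the Ranger Admin keystore, by comparing the SHA-256 fingerprints printed by keytool -list -v. The function names are hypothetical; the paths and alias are the ones from the post, and keytool asks for each keystore password.

```shell
#!/usr/bin/env bash
# Added example: verify the truststore import by fingerprint.
# Paths and alias come from the post; function names are hypothetical.

# Read `keytool -list -v` output on stdin and print its first SHA-256
# fingerprint as lowercase hex without colons (empty if none is present).
fingerprint_of() {
    awk '$1 == "SHA256:" { print $2; exit }' | tr -d ':' | tr 'A-F' 'a-f'
}

# Succeed only if both listings carry the same, non-empty fingerprint.
same_certificate() {
    local a b
    a=$(printf '%s\n' "$1" | fingerprint_of)
    b=$(printf '%s\n' "$2" | fingerprint_of)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# check_trust KEYTOOL ADMIN_KEYSTORE JVM_CACERTS ALIAS
# Returns 0 on match, 1 on mismatch, 2 if an alias cannot be listed.
check_trust() {
    local src dst
    src=$("$1" -list -v -keystore "$2" -alias "$4") ||
        { echo "alias $4 not readable in $2" >&2; return 2; }
    dst=$("$1" -list -v -keystore "$3" -alias "$4") ||
        { echo "alias $4 missing from $3" >&2; return 2; }
    if same_certificate "$src" "$dst"; then
        echo "OK: $3 trusts the certificate stored under $4"
    else
        echo "MISMATCH: $3 holds a different certificate under $4" >&2
        return 1
    fi
}

# Example call with the values from the post:
#   ./check_trust.sh /usr/java/jdk1.7.0_79/bin/keytool \
#       /etc/ranger/admin/conf/ranger-admin-keystore.jks \
#       /usr/java/jdk1.7.0_79/jre/lib/security/cacerts ranger-admin
if [ "$#" -eq 4 ]; then
    check_trust "$@"
fi
```

A mismatch or a missing alias means usersync's JVM still does not trust the Ranger Admin HTTPS endpoint, so repeat the import before restarting the services.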

Re: Ranger 0.4 usersync, missing local linux group in Ranger

Hello @sneethiraj ,

thanks for your answer.

On all nodes the group hadoop-admins contains:

hadoop-admins:x:23231:w999711,w1004360,hdfs

and at least the user 'hdfs' is a local user and already sync'ed into Ranger, and I also restarted the ranger-usersync service with the following log entries:

18 Dec 2015 08:42:00  INFO UnixAuthenticationService [main] - Starting User Sync Service!
18 Dec 2015 08:42:00  INFO UnixAuthenticationService [main] - Enabling Unix Auth Service!
18 Dec 2015 08:42:00  INFO UserGroupSync [UnixUserSyncThread] - initializing sink: com.xasecure.unixusersync.process.PolicyMgrUserGroupBuilder
18 Dec 2015 08:42:00  INFO UnixAuthenticationService [main] - Enabling Protocol: [SSLv2Hello]
18 Dec 2015 08:42:00  INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1]
18 Dec 2015 08:42:00  INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.1]
18 Dec 2015 08:42:00  INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.2]
18 Dec 2015 08:42:01  INFO UserGroupSync [UnixUserSyncThread] - initializing source: com.xasecure.unixusersync.process.UnixUserGroupBuilder
18 Dec 2015 08:42:01  INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink
18 Dec 2015 08:42:01  INFO UserGroupSync [UnixUserSyncThread] - End: initial load of user/group from source==>sink
18 Dec 2015 08:42:01  INFO UserGroupSync [UnixUserSyncThread] - Done initializing user/group source and sink

But I still cannot see the group hadoop-admins in Ranger:

[Screenshot: 917-hadoop-groups.png]

What else to check ? Is there some Debug output possible for usersync process ?!?

Re: Ranger 0.4 usersync, missing local linux group in Ranger

Hi @Gerd Koenig

Are any of the users sync'ed part of the hadoop-admins group?

Thanks,

Re: Ranger 0.4 usersync, missing local linux group in Ranger

Hi @vperiasamy ,

yes, the user 'hdfs' has been sync'ed to Ranger and he is part of that group on OS level (the hadoop-admins group exists on all nodes in the cluster and 'hdfs' is member on all nodes as well).

[Screenshot: 995-user-hdfs.png]

=> user is there, but the group not....

Any hint highly appreciated

Re: Ranger 0.4 usersync, missing local linux group in Ranger

@Gerd Koenig

You should be able to accept your own answer now