I'm seeing a problem that Knox plugin doesn't sync when I enable it through Ambari.
Usually just enabling the plugin I will see the 200 sync. Any suggestions?
I see a few errors in xa_portal.log:
2017-04-04 18:44:35,625 [timed-executor-pool-0] INFO apache.ranger.services.knox.client.KnoxClient (KnoxClient.java:81) - Password decryption failed; trying knox connection with received password string
2017-04-04 18:44:35,767 [timed-executor-pool-0] ERROR apache.ranger.services.knox.client.KnoxClient (KnoxClient.java:158) - Exception on REST call to KnoxUrl : https://santa1.fyre.ibm.com:8443/gateway/admin/api/v1/topologies. com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non
Do you see any error in knox gateway log?
When you say it does not sync - what do you mean?
The error you see in xa_portal.log is related to Ranger not being able to connect to knox for resource lookup or test connection. Make sure you save the config of the knox service (aka repository) before trying test connection. Also, you need to import the certificate of the knox gateway into the trust store used by ranger admin.
By "it" I mean, when I enable the plugin "Knox Ranger Plugin" on/off switch on Ambari -> Ranger -> Ranger Plugin.
I don't see any errors in the knox gateway log, but I do see warnings:
log4j:WARN No such property [maxBackupIndex] in org.apache.log4j.DailyRollingFileAppender.
log4j:WARN No such property [maxFileSize] in org.apache.log4j.DailyRollingFileAppender.
How do I import the certificate of the knox gateway into the trust store used by ranger admin?
Voting up vperiasamy's answer.
Hi @Anna Shaverdian: When you turn on Knox plugin from Ambari, did you restart Knox after that? If you did, on logging into Ranger UI, do you see the Knox repository/ service?
Under Audits in the Ranger UI, go to the Plugins tab. Do you see an entry for the Knox service? You could search for it using the SERVICE NAME parameter for your search string.
Yes I restarted Knox and see the repo in ranger admin ui. But the plugin is not syncing. I don't see a 200 status for Knox plugin.
Do you know if auditing to solr is supported for Knox?
Hi @Anna Shaverdian, Audit to Solr is supported for all plugins if you have chosen that in Ranger properties. From Ranger 0.6 onwards, Audit to DB is not supported. The remaining two options, Audit to Solr and Audit to HDFS, are supported. Do you have Audit enabled through appropriate settings? Also, the issue that you are facing is only with the Knox plugin, correct? Do you have some other plugins enabled as well, and are they working fine?
Is your cluster wire encrypted?
Policy refresh failures are logged in the service logs on the host where it is running. In your case, you can check whether there is any exception related to PolicyRefresher in gateway.err/gateway.out on the knox hosts.
What code do you see while the knox plugin is trying to connect/download policies from ranger?
#grep "pluginId=knox" <latestAccessLog> (Access log on ranger admin host like access_log.*)
It looks like the plugin is not invoked. Usually, if the sync happens, you should see a log entry for that particular service in the access_log file in the ranger admin logs. The Knox plugin will be invoked when you try to connect on the knox port. Try connecting to webhdfs over knox; this should invoke the policy sync. Check in the ranger admin UI under the Audit>Policy tab to see if the knox plugin has attempted a sync. You can also check access_log* to see if the knox plugin has attempted to connect to ranger admin to download the policies.
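The access_log check suggested above, as an added example that is not part of the original thread: it counts HTTP status codes for requests carrying pluginId=knox and reports when no sync attempt was logged at all. The function names and the sample log lines (hosts, service names, request path, sizes) are constructed for illustration and assume the access log uses the common quoted-request format.

```shell
#!/bin/sh
# Added example: summarise Ranger admin access-log entries for one plugin
# by HTTP status code. Reads the named files, or stdin when none are given.
# Usage: plugin_sync_summary <plugin-id-prefix> [access_log file ...]
plugin_sync_summary() {
    plugin="$1"; shift
    awk -v pat="pluginId=${plugin}" '
        index($0, pat) {
            # Split on double quotes: parts[2] is the request line and
            # parts[3] begins with the status code.
            n = split($0, parts, "\"")
            if (n < 3) next
            split(parts[3], tail, " ")
            status = tail[1]
            if (status !~ /^[0-9][0-9][0-9]$/) next
            count[status]++
            total++
        }
        END {
            # No matching request means the plugin never contacted Ranger admin.
            if (total == 0) { print "no-attempts"; exit }
            for (s in count) printf "%s=%d\n", s, count[s]
        }
    ' "$@" | sort
}

# Constructed sample input (assumed log layout; all values are made up).
sample_access_log() {
cat <<'EOF'
10.0.0.5 - - [04/Apr/2017:18:40:01 +0000] "GET /service/plugins/policies/download/cl1_hdfs?lastKnownVersion=3&pluginId=hdfs@nn1-cl1_hdfs HTTP/1.1" 200 2048 "-" "Java/1.8.0"
10.0.0.7 - - [04/Apr/2017:18:44:30 +0000] "GET /service/plugins/policies/download/cl1_knox?lastKnownVersion=-1&pluginId=knox@gw1-cl1_knox HTTP/1.1" 401 - "-" "Java/1.8.0"
10.0.0.7 - - [04/Apr/2017:18:45:00 +0000] "GET /service/plugins/policies/download/cl1_knox?lastKnownVersion=-1&pluginId=knox@gw1-cl1_knox HTTP/1.1" 401 - "-" "Java/1.8.0"
10.0.0.7 - - [04/Apr/2017:18:50:00 +0000] "GET /service/plugins/policies/download/cl1_knox?lastKnownVersion=-1&pluginId=knox@gw1-cl1_knox HTTP/1.1" 200 1536 "-" "Java/1.8.0"
EOF
}

# Stand-alone run against the constructed sample.
sample_access_log | plugin_sync_summary knox
```

An output of `no-attempts` matches the "plugin is not invoked" case described in the last reply; any status other than 200 shows the plugin reached Ranger admin but the policy download did not succeed.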