Ranger 0.7.0 and Knox Plugin doesn't Sync

New Contributor

I'm seeing a problem that Knox plugin doesn't sync when I enable it through Ambari.

Usually just enabling the plugin I will see the 200 sync. Any suggestions?

I see a few errors in xa_portal.log:

2017-04-04 18:44:35,625 [timed-executor-pool-0] INFO  apache.ranger.services.knox.client.KnoxClient (KnoxClient.java:81) - Password decryption failed; trying knox connection with received password string
2017-04-04 18:44:35,767 [timed-executor-pool-0] ERROR apache.ranger.services.knox.client.KnoxClient (KnoxClient.java:158) - Exception on REST call to KnoxUrl : https://santa1.fyre.ibm.com:8443/gateway/admin/api/v1/topologies.
com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non

Re: Ranger 0.7.0 and Knox Plugin doesn't Sync

Do you see any error in knox gateway log?

When you say it does not sync, what do you mean?

The error you see in xa_portal.log is related to Ranger not being able to connect to Knox for resource lookup or test connection. Make sure you save the config of the Knox service (aka repository) before trying test connection. Also, you need to import the certificate of the Knox gateway into the trust store used by Ranger admin.

Re: Ranger 0.7.0 and Knox Plugin doesn't Sync

New Contributor

By "it" I mean, when I enable the plugin "Knox Ranger Plugin" on/off switch on Ambari -> Ranger -> Ranger Plugin.

I don't see any errors in the knox gateway log, but I do see warnings:

log4j:WARN No such property [maxBackupIndex] in org.apache.log4j.DailyRollingFileAppender.
log4j:WARN No such property [maxFileSize] in org.apache.log4j.DailyRollingFileAppender.

How do I import the certificate of the knox gateway into the trust store used by ranger admin?

Re: Ranger 0.7.0 and Knox Plugin doesn't Sync

Contributor

Voting up vperiasamy's answer.

Hi @Anna Shaverdian: When you turn on the Knox plugin from Ambari, did you restart Knox after that? If you did, on logging into the Ranger UI, do you see the Knox repository/service?

Under Audits in the Ranger UI, go to the Plugins tab. Do you see an entry for the Knox service? You could search for it using the SERVICE NAME parameter for your search string.

Re: Ranger 0.7.0 and Knox Plugin doesn't Sync

New Contributor

Yes I restarted Knox and see the repo in ranger admin ui. But the plugin is not syncing. I don't see a 200 status for Knox plugin.

Do you know if auditing to solr is supported for Knox?

Re: Ranger 0.7.0 and Knox Plugin doesn't Sync

Contributor

Hi @Anna Shaverdian, Audit to Solr is supported for all plugins if you have chosen that in Ranger properties. From Ranger 0.6 onwards, Audit to DB is not supported. The remaining two options, Audit to Solr and Audit to HDFS, are supported. Do you have Audit enabled through appropriate settings? Also, the issue that you are facing is only with the Knox plugin, correct? Do you have some other plugins enabled as well, and are they working fine?

Is your cluster wire encrypted?

Re: Ranger 0.7.0 and Knox Plugin doesn't Sync

New Contributor

HDFS Ranger plugin is working. But my problem is only with Knox plugin.

No, the cluster is not wire encrypted.

Re: Ranger 0.7.0 and Knox Plugin doesn't Sync

Super Collaborator

@Anna Shaverdian

Policy refresh failures are logged in the service logs on the host where the service is running. In your case, you can check whether there is any exception related to PolicyRefresher in gateway.err/gateway.out on the Knox hosts.

What code do you see while the Knox plugin is trying to connect to Ranger and download policies?

#grep "pluginId=knox" <latestAccessLog> (Access log on ranger admin host like access_log.*)

Re: Ranger 0.7.0 and Knox Plugin doesn't Sync

New Contributor

I don't see any PolicyRefresher in knox gateway logs. And in Ranger logs the grep for "pluginId=knox" is also empty.

Re: Ranger 0.7.0 and Knox Plugin doesn't Sync

Super Collaborator

It looks like the plugin is not invoked. Usually, if the sync happens, you should see a log entry for that particular service in the access_log file in the Ranger admin logs. The Knox plugin will be invoked when you try to connect on the Knox port. Try connecting to webhdfs over Knox; this should invoke the policy sync. Check in the Ranger admin UI under the Audit > Policy tab to see if the Knox plugin has attempted to sync. You can also check in access_log* to see if the Knox plugin has attempted to connect to Ranger admin to download the policies.
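
The access-log check suggested in the last two Super Collaborator replies, as an added example that is not part of the original thread: it groups policy-download requests by plugin and HTTP status instead of a bare grep. The log layout (Tomcat common-log style), the `appId@host-service` form of `pluginId`, the host names and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise Ranger plugin policy-download requests found in a
# Ranger Admin access log (access_log.*).
# Assumed line layout (Tomcat common-log style):
#   host - user [time] "GET /path?...&pluginId=<id> HTTP/1.1" status bytes
# Assumed pluginId form: <appId>@<plugin-host>-<serviceName>

# Constructed sample lines, not taken from a real cluster. There is no knox
# entry, which mirrors the empty grep reported in the thread.
sample_access_log() {
cat <<'EOF'
10.0.0.11 - - [04/Apr/2017:18:40:02 +0000] "GET /service/plugins/policies/download/cl1_hadoop?lastKnownVersion=3&pluginId=hdfs@nn1.example.com-cl1_hadoop HTTP/1.1" 200 4312
10.0.0.11 - - [04/Apr/2017:18:40:32 +0000] "GET /service/plugins/policies/download/cl1_hadoop?lastKnownVersion=4&pluginId=hdfs@nn1.example.com-cl1_hadoop HTTP/1.1" 304 -
10.0.0.11 - - [04/Apr/2017:18:41:02 +0000] "GET /service/plugins/policies/download/cl1_hadoop?lastKnownVersion=4&pluginId=hdfs@nn1.example.com-cl1_hadoop HTTP/1.1" 304 -
10.0.0.20 - - [04/Apr/2017:18:41:10 +0000] "GET /login.jsp HTTP/1.1" 200 3325
EOF
}

# plugin_sync_summary <appId>    (access-log lines on stdin)
# Prints "<pluginId> <status> <count>" sorted, one line per combination.
# Returns 1 when no request from that plugin type is logged, i.e. the plugin
# has never contacted Ranger Admin (as opposed to contacting it and failing).
plugin_sync_summary() {
    out=$(awk -F'"' -v want="pluginId=$1" '
        # $2 is the quoted request line, $3 starts with the status code
        index($2, want) && match($2, /pluginId=[^& ]+/) {
            id = substr($2, RSTART + 9, RLENGTH - 9)   # drop "pluginId="
            split($3, rest, " ")
            seen[id " " rest[1]]++
        }
        END { for (k in seen) print k, seen[k] }')
    [ -n "$out" ] || return 1
    printf '%s\n' "$out" | sort
}

# 200 = policies downloaded, 304 = plugin already has the current version;
# 401/403/5xx would mean the plugin reached Ranger Admin but was refused.
sample_access_log | plugin_sync_summary hdfs
sample_access_log | plugin_sync_summary knox ||
    echo "knox: no policy-download requests logged"
```

On a real host, replace `sample_access_log` with `cat` of the current access log file.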