
Ranger KMS API commands not working in non-kerberised environment


Hi ,

We don't have Kerberos in our cluster, but Ranger and Ranger KMS are installed. While trying the REST API command, it is throwing the following exception:

command used: curl -u keyadmin:keyadmin1 -X GET http://<ranger-KMS-server>:9292/kms/v1/keys/names

exception: HTTP Status 401 - Authentication required

Please advise a solution.

Also, we would like to know whether it is mandatory to enable Kerberos in order to configure Ranger KMS?


Re: Ranger KMS API commands not working in non-kerberised environment

@Vandana K R - Ranger KMS is encrypting data at rest (allowing you to protect from a rogue sysadmin). If you don't use Kerberos, any user who has access to a Linux prompt can pretend to be anyone else by using the variable HADOOP_USER_NAME.

As such it doesn't make sense to use KMS without using Kerberos.


Re: Ranger KMS API commands not working in non-kerberised environment

I believe you indicated you had kerberized this cluster and reverted. To confirm this was completed cleanly, what is the value of hadoop.kms.authentication.type? Also, when using verbose output with curl (-vvv), what is the content of the WWW-Authenticate header in the response?


Re: Ranger KMS API commands not working in non-kerberised environment

@slachterman: Please find the response to your queries:

hadoop.kms.authentication.type = simple

output after giving verbose option -vvv with curl:

[root@hdp-dn02 ~]# curl -vvv -u keyadmin:keyadmin1 -X GET http://<KMSip>:9292/kms/v1/keys/names

* About to connect() to <KMSip> port 9292 (#0)

* Trying <KMSip>... connected

* Connected to <KMSip> port 9292 (#0)

* Server auth using Basic with user 'keyadmin'

> GET /kms/v1/keys/names HTTP/1.1

> Authorization: Basic a2V5YWRtaW46a2V5YWRtaW4x

> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2

> Host: <KMSip>:9292

> Accept: */*

>

< HTTP/1.1 401 Unauthorized

< Server: Apache-Coyote/1.1

< WWW-Authenticate: PseudoAuth

< Set-Cookie: hadoop.auth=; HttpOnly

< Content-Type: text/html;charset=utf-8

< Content-Language: en

< Content-Length: 997

< Date: Thu, 09 Feb 2017 06:11:26 GMT

<

* Connection #0 to host <KMSip> left intact

* Closing connection #0

<html><head><title>Apache Tomcat/7.0.68 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 401 - Authentication required</h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>Authentication required</u></p><p><b>description</b> <u>This request requires HTTP authentication.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.68</h3></body></html>
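
The exchange in this thread can be checked mechanically. The following is an added example, not part of the original posts or of Ranger's code: it reads a `curl -v` transcript, reports which scheme the KMS challenged with, and flags Basic credentials that were sent to a server that did not ask for them. The sample transcript, its host name, and the function names are constructed for illustration.

```python
import re

# Constructed sample: trimmed curl -v transcript modelled on the one in this thread.
SAMPLE = """\
* Server auth using Basic with user 'keyadmin'
> GET /kms/v1/keys/names HTTP/1.1
> Authorization: Basic <redacted>
> Host: kms.example.internal:9292
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: PseudoAuth
< Set-Cookie: hadoop.auth=; HttpOnly
"""

# Challenge scheme -> how the server establishes the caller's identity.
SCHEMES = {
    "pseudoauth": "simple",   # identity is asserted by the caller, not verified
    "negotiate": "kerberos",  # SPNEGO: identity is proven with a Kerberos ticket
}

def headers(transcript, marker):
    """Collect headers from curl -v lines starting with '>' (request) or '<' (response)."""
    out = {}
    for line in transcript.splitlines():
        m = re.match(r"^%s\s*([A-Za-z0-9-]+):\s*(.*)$" % re.escape(marker), line)
        if m:
            out.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return out

def audit(transcript, url_scheme="http"):
    """Classify the KMS authentication mode and list credential-handling findings."""
    req, resp = headers(transcript, ">"), headers(transcript, "<")
    status = re.search(r"^<\s*HTTP/[\d.]+\s+(\d{3})", transcript, re.M)
    challenges = [v.split()[0].lower() for v in resp.get("www-authenticate", []) if v]
    mode = next((SCHEMES[c] for c in challenges if c in SCHEMES), "unknown")
    sent = [v.split()[0].lower() for v in req.get("authorization", []) if v]
    findings = []
    if mode == "simple":
        findings.append("KMS uses pseudo authentication: caller identity is not verified")
    if "basic" in sent and "basic" not in challenges:
        findings.append("Basic credentials were sent but the server did not offer Basic")
    if "basic" in sent and url_scheme == "http":
        findings.append("Basic credentials crossed the network in cleartext")
    return {"status": int(status.group(1)) if status else None,
            "mode": mode, "findings": findings}
```
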
