
Ranger KMS Web UI - Unauthenticated : Please check the premission in the policy for the user


Expert Contributor

I have installed HDP 2.4 Ranger and Ranger KMS, and am unable to properly authenticate using the Web UI. I am, however, able to manipulate keys using curl and the REST API. This happens when I select "Encryption", and then select the KMS service from the dropdown. I think I have followed appropriate setup steps. Any suggestions? Thanks!


# This works from the command line.
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: keyadmin@HWX.COM
Valid starting     Expires            Service principal
08/25/16 11:43:33  08/26/16 11:43:33  krbtgt/HWX.COM@HWX.COM
renew until 08/25/16 11:43:33
08/25/16 12:32:11  08/26/16 11:43:33  HTTP/ranger.screamingweasel.com@
renew until 08/25/16 11:43:33
08/25/16 12:32:11  08/26/16 11:43:33  HTTP/ranger.screamingweasel.com@HWX.COM
renew until 08/25/16 11:43:33

curl --negotiate -u : -b ~/cookies.txt -c ~/cookies.txt -H "Content-Type: application/json" -X POST -d  '{"name":"KEY2"}' http://localhost:9292/kms/v1/keys?user.name=keyadmin
{
  "name" : "KEY2",
  "versionName" : "KEY2@0",
  "material" : "3GVEfiBSDbQh6oxxTf-lWA"
}

Re: Ranger KMS Web UI - Unauthenticated : Please check the premission in the policy for the user

Guru

Hello @jbarnett, can you please check the Ranger UI access permission for the keyadmin user? To check this, you'll need to log in to the Ranger admin UI as the 'admin' user. Go to Settings > Permissions and check whether the keyadmin user is listed in the Key Manager row.


Re: Ranger KMS Web UI - Unauthenticated : Please check the premission in the policy for the user

@jbarnett

Please try restarting "Ranger" service once and then give a try.

Somehow I found that after installing and configuring Ranger KMS, the Ranger service needs to be started, whereas it's not prompting us for the affected services.


Re: Ranger KMS Web UI - Unauthenticated : Please check the premission in the policy for the user

Expert Contributor

No luck! I did restart everything as suggested by @Sagar Shimpi, and verified that the keyadmin user is listed under "Key Manager" permissions. Interesting, though, that keyadmin DOES NOT show up under users and groups. Is that a possible issue? I did try to add it, and it "already exists".

Any other thoughts?

Re: Ranger KMS Web UI - Unauthenticated : Please check the premission in the policy for the user

Contributor

@jbarnett

I ran into the same issue. Have you figured out how to resolve this?


Re: Ranger KMS Web UI - Unauthenticated : Please check the premission in the policy for the user

A few things to check:

— Link to core-site.xml exists in /etc/ranger/kms/conf

— Proxy settings are added for keyadmin user (and others as needed)

— Ranger KMS repo is updated to have a valid kerberos principal/password (like keyadmin@EXAMPLE.COM)

— User specified in Ranger KMS repo has appropriate permissions for key operations.

These steps are documented below. After applying these steps, Ranger and Ranger KMS need to be restarted.

http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.2/bk_Security_Guide/content/ch06s01s01s01.html

http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.2/bk_Security_Guide/content/ch06s01s01s01s02.h...

http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.2/bk_Security_Guide/content/ch06s01s01s01s03.h...
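
The first two checks in the reply above (the core-site.xml link in /etc/ranger/kms/conf and the proxy settings for keyadmin), as an added example that is not part of the thread or of Ranger itself. It assumes the proxy settings live in kms-site.xml in the same directory under the Hadoop KMS keys hadoop.kms.proxyuser.<user>.users/groups/hosts; `demo_findings` builds a constructed sample directory.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

def load_props(path):
    """Return {name: value} from a Hadoop-style <configuration> XML file."""
    props = {}
    for prop in ET.parse(path).getroot().iter("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props

def check_kms_conf(conf_dir, user="keyadmin"):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    core = os.path.join(conf_dir, "core-site.xml")
    # os.path.exists() follows symlinks, so a dangling link is reported too.
    if not os.path.exists(core):
        state = "dangling symlink" if os.path.islink(core) else "missing"
        findings.append(f"core-site.xml: {state}")
    # Assumption: proxy-user settings are kept in kms-site.xml in conf_dir.
    kms = os.path.join(conf_dir, "kms-site.xml")
    props = load_props(kms) if os.path.exists(kms) else {}
    for suffix in ("users", "groups", "hosts"):
        key = f"hadoop.kms.proxyuser.{user}.{suffix}"
        if not props.get(key):
            findings.append(f"{key}: not set")
    return findings

def demo_findings():
    """Constructed sample: a conf dir with a dangling link and one proxy key."""
    d = tempfile.mkdtemp()
    os.symlink(os.path.join(d, "gone.xml"), os.path.join(d, "core-site.xml"))
    with open(os.path.join(d, "kms-site.xml"), "w") as f:
        f.write("<configuration><property>"
                "<name>hadoop.kms.proxyuser.keyadmin.users</name>"
                "<value>*</value></property></configuration>")
    return check_kms_conf(d)

if __name__ == "__main__":
    for line in check_kms_conf("/etc/ranger/kms/conf") or ["ok"]:
        print(line)
```

The script only reports whether each proxy key is set; a value of `*` lets that user impersonate any user from any host, so narrow it where the deployment allows.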
