Created 02-26-2018 12:47 AM
This is the knoxurl I am giving while creating the service in the Knox plugin: https://localhost:8443/gateway/admin/api/v1/topologies
I have also added group info in topologies/admin.xml as per the suggestion here (https://community.hortonworks.com/articles/38348/ranger-is-not-allowing-access-to-knox-resources-wh.html)
<param>
<name>main.ldapRealm.authorizationEnabled</name>
<value>true</value>
</param>
<param>
<name>main.ldapRealm.groupSearchBase</name>
<value>ou=groups,dc=hadoop,dc=apache,dc=org</value>
</param>
<param>
<name>main.ldapRealm.groupObjectClass</name>
<value>group</value>
</param>
<param>
<name>main.ldapRealm.groupIdAttribute</name>
<value>cn</value>
</param>
Below are the log details:
ranger-admin.log
2018-02-26 00:34:47,535 [timed-executor-pool-0] INFO apache.ranger.services.knox.client.KnoxClient (KnoxClient.java:81) - Password decryption failed; trying knox connection with received password string
2018-02-26 00:34:47,632 [timed-executor-pool-0] ERROR apache.ranger.services.knox.client.KnoxClient (KnoxClient.java:131) - Got invalid REST response from: https://localhost:8443/gateway/admin/api/v1/topologies, responseStatus: 403
gateway.log
2018-02-26 00:34:47,614 INFO hadoop.gateway (KnoxLdapRealm.java:getUserDn(691)) - Computed userDn: uid=admin,ou=people,dc=hadoop,dc=apache,dc=org using dnTemplate for principal: admin
2018-02-26 00:34:47,630 ERROR hadoop.gateway (KnoxLdapRealm.java:getRoles(246)) - Failed to get system ldap connection: javax.naming.AuthenticationException: [LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: ERR_229 Cannot authenticate user ]
gateway-audit.log
18/02/26 00:24:44 ||65cc6da4-9fa6-4e6d-8b69-b99f5d9acacb|audit|127.0.0.1|KNOX|admin|||authentication|uri|/gateway/admin/api/v1/topologies|success|Groups: []
18/02/26 00:24:44 ||65cc6da4-9fa6-4e6d-8b69-b99f5d9acacb|audit|127.0.0.1|KNOX|admin|||access|uri|/gateway/admin/api/v1/topologies|success|Response status: 403
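The three logs above tell one story: the system LDAP bind for the group lookup fails (error code 49), so authentication succeeds with `Groups: []`, and the admin API then answers 403. The following is an added example (not code from the thread, from Knox or from Ranger) that correlates gateway-audit.log lines per request id and flags exactly that pattern, so the empty-group symptom can be caught in the audit trail before chasing the Ranger side. The field positions are inferred from the two sample lines above, not taken from Knox documentation, and the two extra "healthy" lines are constructed so the detector has something to ignore.

```python
import re
from collections import defaultdict

# Constructed sample: the two gateway-audit.log lines from the post, plus one
# constructed healthy request (groups resolved, HTTP 200) for contrast.
SAMPLE_AUDIT = """\
18/02/26 00:24:44 ||65cc6da4-9fa6-4e6d-8b69-b99f5d9acacb|audit|127.0.0.1|KNOX|admin|||authentication|uri|/gateway/admin/api/v1/topologies|success|Groups: []
18/02/26 00:24:44 ||65cc6da4-9fa6-4e6d-8b69-b99f5d9acacb|audit|127.0.0.1|KNOX|admin|||access|uri|/gateway/admin/api/v1/topologies|success|Response status: 403
18/02/26 00:30:01 ||0f0f0f0f-0000-4000-8000-000000000001|audit|127.0.0.1|KNOX|admin|||authentication|uri|/gateway/admin/api/v1/topologies|success|Groups: [admin]
18/02/26 00:30:01 ||0f0f0f0f-0000-4000-8000-000000000001|audit|127.0.0.1|KNOX|admin|||access|uri|/gateway/admin/api/v1/topologies|success|Response status: 200
"""

GROUPS_RE = re.compile(r"Groups:\s*\[(.*?)\]")
STATUS_RE = re.compile(r"Response status:\s*(\d{3})")


def parse_audit_line(line):
    """Positional split of one audit line. Field meanings are an assumption
    inferred from the sample lines (timestamp, request id, remote ip, user,
    action, resource, outcome, message); anything shorter is skipped."""
    parts = line.rstrip("\n").split("|")
    if len(parts) < 14:
        return None
    return {
        "timestamp": parts[0].strip(),
        "request_id": parts[2],
        "remote_ip": parts[4],
        "user": parts[6],
        "action": parts[9],
        "resource": parts[11],
        "outcome": parts[12],
        "message": parts[13],
    }


def find_empty_group_denials(lines):
    """Return one finding per request whose authentication step resolved no
    groups and whose access step was then answered with HTTP 403. That pairing
    points at the group lookup (here the failed system LDAP bind), not at the
    user's own credentials, which were accepted."""
    by_request = defaultdict(dict)
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None:
            continue
        req = by_request[rec["request_id"]]
        if rec["action"] == "authentication":
            m = GROUPS_RE.search(rec["message"])
            groups = None
            if m:
                groups = [g.strip() for g in m.group(1).split(",") if g.strip()]
            req.update(user=rec["user"], resource=rec["resource"],
                       remote_ip=rec["remote_ip"], groups=groups)
        elif rec["action"] == "access":
            m = STATUS_RE.search(rec["message"])
            if m:
                req["status"] = int(m.group(1))

    findings = []
    for request_id, req in by_request.items():
        if req.get("groups") == [] and req.get("status") == 403:
            findings.append({
                "request_id": request_id,
                "user": req.get("user"),
                "resource": req.get("resource"),
                "remote_ip": req.get("remote_ip"),
                "reason": "authenticated with no groups, then denied with 403",
            })
    return findings


if __name__ == "__main__":
    for f in find_empty_group_denials(SAMPLE_AUDIT.splitlines()):
        print(f"{f['request_id']} user={f['user']} {f['resource']}: {f['reason']}")
```

Run against a real gateway-audit.log, a non-empty result with the user's own authentication marked `success` is the cue to check the system-user bind settings of the LDAP realm (the `ERR_229 Cannot authenticate user` in gateway.log above) rather than the user's password.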
Created 03-12-2018 06:11 AM
@GN_Exp, it looks like the URL for Knox present with Ranger is pointing to localhost. Can you try using the actual FQDN of the Knox host, even if both Ranger and Knox services are on the same host?
Also, as @Deepak Sharma suggested, can you check if the LDAP server being used by the Knox service is started and working?
Created 03-13-2018 07:12 PM
If you look at the gateway.log I attached in my previous post, the main error is -> ERROR knox.RangerPDPKnoxFilter (RangerPDPKnoxFilter.java:init(73)) - Error while setting UGI for Knox Plugin...
I tried to look for this error and I found this post ->
https://community.hortonworks.com/questions/97518/help-ad-integration-with-knox.html
In this post, the resolution is to change Authorization provider in admin topology from XAsecurePDPKnox to AclsAuthz.
I tried that too and I am getting a successful connection by changing this, but I read somewhere that to enable the Ranger plugin, the authorization provider has to be XAsecurePDPKnox.
Please suggest.
Created 03-15-2018 02:28 AM
Hello @GN_Exp,
There are a couple of things here:
1. From your gateway.log (dt:03/12), it looks like the Knox Gateway is trying to initialize RangerPDPKnoxFilter in the Gateway request filter and failing while doing so. This RangerPDPKnoxFilter is used when Kerberos is configured. Since you don't have Kerberos configured, you should not be using this.
2. To enable the Ranger plugin in Knox gateway service, you do not always need XAsecurePDPKnox as authorization provider. "AclsAuthz" would do just fine. This is usually used for Service Level Authorization in Knox topology, which you don't need for Ranger plugin test connection.
Therefore, please stick to "AclsAuthz" unless you have any other use-case. If you still have a problem with the Knox service repo in Ranger, please attach a screenshot of the Knox repo configuration from the Ranger UI and a screenshot of the error (if any).
Hope this helps!
Created 03-15-2018 03:08 PM
@Vipin Rathor Thank you so much for the explanation!
I have a follow-up question too.
If I use the 'AclsAuthz' provider then I won't be able to do service level authorization in Ranger by creating policies. Is this correct?
I think in that case service level authorization will be enforced based on what I define in the Knox topology, like below, under the 'AclsAuthz' provider.
<param>
<name>{serviceName}.acl</name>
<value>username[,*|username...];group[,*|group...];ipaddr[,*|ipaddr...]</value>
</param>
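To make the acl syntax above concrete, here is an added toy evaluator of the `username;group;ipaddr` string (example code, not Knox's AclsAuthz implementation and not from this thread). The `mode` argument stands for Knox's `{serviceName}.acl.mode` parameter, which the thread does not mention; its AND (all three sections must match) versus OR (any one section matches) reading is my understanding of the documented semantics, and IP matching is simplified to exact match or `*`. The point it makes for this thread: a group-based acl denies a user whose groups resolved as `[]`, which is exactly what the first post's audit log showed.

```python
def parse_acl(acl):
    """Split 'users;groups;ips' into three lists of allowed values.
    A bare '*' in a section means 'any'. Exactly three sections are required."""
    sections = acl.split(";")
    if len(sections) != 3:
        raise ValueError("acl must have exactly three ';'-separated sections: users;groups;ips")
    return [[item.strip() for item in sec.split(",") if item.strip()] for sec in sections]


def _section_matches(allowed, candidates):
    """True if the section is a wildcard or any candidate is listed in it.
    An empty candidate list (no groups resolved) can only match a wildcard."""
    return "*" in allowed or any(c in allowed for c in candidates)


def is_authorized(acl, user, groups, ip, mode="AND"):
    """Evaluate one request against an acl string.
    mode is assumed to mirror Knox's acl.mode: AND requires all three
    sections to match, OR requires at least one (assumption, see lead-in)."""
    users, grps, ips = parse_acl(acl)
    checks = [
        _section_matches(users, [user]),
        _section_matches(grps, groups),
        _section_matches(ips, [ip]),   # simplified: exact IP or '*'
    ]
    mode = mode.upper()
    if mode == "AND":
        return all(checks)
    if mode == "OR":
        return any(checks)
    raise ValueError(f"unknown acl mode: {mode}")


if __name__ == "__main__":
    # Constructed requests; the empty group list mirrors 'Groups: []' from the audit log.
    print(is_authorized("admin;*;*", "admin", [], "127.0.0.1"))            # user-based acl: allowed
    print(is_authorized("*;admin;*", "admin", [], "127.0.0.1"))            # group-based acl, no groups: denied
    print(is_authorized("*;admin;*", "admin", ["admin"], "127.0.0.1"))     # groups resolved: allowed
```

Whatever the topology says, this is the entire decision when the provider is AclsAuthz: nothing here consults Ranger policies, which is the trade-off the reply below confirms.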
Created 03-15-2018 09:45 PM
That's correct @GN_Exp. If you want to do SLA in Knox via the Ranger plugin then you'd need Kerberos too.