Ranger SSL Not Working

Hello Team,

We have enabled SSL for Ranger Admin Web UI. We can access Ranger Admin Web UI on port 6182.

But the Hive Server2 daemon is failing to refresh policies after enabling SSL for Ranger Admin Web UI.

We are using an internal CA-signed certificate. Our Hive Server2 is SSL enabled.

We have done all configuration for enabling two-way SSL between Ranger and Hive. We have imported Ranger Admin's certificate in the Hiveserver2 Truststore and the Hiveserver2 certificate in Ranger Admin's Truststore. We have set up a Keystore for Hiveserver2 and Ranger Admin.

Also, added hmaster.test.org as Common Name for Certificate in Hive and Ranger policy.

In the Hive Server2 log, we are getting the following error:

2018-08-27 06:40:31,785 ERROR [main]: client.RangerAdminRESTClient (RangerAdminRESTClient.java:getServicePoliciesIfUpdated(124)) - Error getting policies. secureMode=false, user=hive (auth:SIMPLE), response={"httpStatusCode":400,"statusCode":1,"msgDesc":"Unauthorized access - unable to get client certificate","messageList":[{"name":"OPER_NOT_ALLOWED_FOR_ENTITY","rbKey":"xa.error.oper_not_allowed_for_state","message":"Operation not allowed for entity"}]}, serviceName=C03_hive
2018-08-27 06:40:31,786 ERROR [main]: util.PolicyRefresher (PolicyRefresher.java:loadPolicyfromPolicyAdmin(255)) - PolicyRefresher(serviceName=C03_hive): failed to refresh policies. Will continue to use last known version of policies (-1)
java.lang.Exception: Unauthorized access - unable to get client certificate
        at org.apache.ranger.admin.client.RangerAdminRESTClient.getServicePoliciesIfUpdated(RangerAdminRESTClient.java:126)
        at org.apache.ranger.plugin.util.PolicyRefresher.loadPolicyfromPolicyAdmin(PolicyRefresher.java:232)
        at org.apache.ranger.plugin.util.PolicyRefresher.loadPolicy(PolicyRefresher.java:188)
        at org.apache.ranger.plugin.util.PolicyRefresher.startRefresher(PolicyRefresher.java:136)


In the Ranger Admin log, we are getting the following error:

2018-08-27 11:45:02,556 [http-bio-6182-exec-5] ERROR org.apache.ranger.common.ServiceUtil (ServiceUtil.java:1367) - Unauthorized access. Unable to get client certificate. serviceName=C03_hive
2018-08-27 11:45:02,557 [http-bio-6182-exec-5] INFO  org.apache.ranger.common.RESTErrorUtil (RESTErrorUtil.java:65) - Request failed. SessionId=null, loginId=null, logMessage=Unauthorized access - unable to get client certificate
javax.ws.rs.WebApplicationException
        at org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:56)
        at org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:335)
        at org.apache.ranger.common.ServiceUtil.isValidateHttpsAuthentication(ServiceUtil.java:1368)
        at org.apache.ranger.rest.ServiceREST.getServicePoliciesIfUpdated(ServiceREST.java:1817)


How to solve it?

Please suggest.

Thanks,

Bhushan

1 ACCEPTED SOLUTION

@Bhushan Kandalkar

The error:

Unauthorized access - unable to get client certificate at

Means the truststore has not been properly configured for ranger admin. I suggest you review the following video where I cover this configuration in detail:

https://community.hortonworks.com/content/supportkb/187924/video-kb-how-to-co-nfigure-ranger-admin-s...

HTH

*** If you found this answer addressed your question, please take a moment to login and click the "accept" link on the answer.

6 REPLIES 6

@Bhushan Kandalkar

What version of HDP are you using? By default, 2-way SSL is enabled between Hive and Ranger, so the server is expecting a client certificate as part of the handshake and it is failing.

I have an article at https://community.hortonworks.com/articles/68150/configuring-ranger-ranger-hdfs-plugin-for-ssl-with.... - please follow and let me know.

Maybe you can try setting the configs below:

ranger.service.https.attrib.clientAuth=false

ranger.service.https.attrib.client.auth=false

@amarnath reddy pappu

I am using HDP-2.5.6.

@Bhushan Kandalkar then you can try the above recommendations and see if that helps.

Thanks @Felix Albani

I am able to configure 2-way SSL. But 1-way SSL is not working in HDP-2.5.6.

Also, we have configured HiveServer2 HA. What should be the value of Common Name For Certificate in Ranger Policy Manager UI for the Hive repository? Currently, for one HiveServer2 the CN value is hmaster.test.org and for the other HiveServer2 the CN value is hmaster2.test.org.

Please suggest.

@Bhushan Kandalkar

For Common Name for Certificate, use a comma-separated list (no spaces before or after the comma). For example:

hmaster.test.org,hmaster2.test.org

I haven't had the chance to test 1-way SSL between plugins and Ranger Admin yet. However, looking at the following JIRA:

https://issues.apache.org/jira/browse/RANGER-1094

This shows as fixed in Ranger 0.6.3, and HDP-2.5.6 comes with Ranger 0.6, so perhaps it is still not supported in your version.

HTH

*** If you found this answer addressed your question, please take a moment to login and click the "accept" link on the answer.
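
A pre-flight check for the Common Name for Certificate advice above, as an added example that is not part of the original thread and is not Ranger's own code. It reads `keytool -list -v` style output for the HiveServer2 keystores and reports which certificates the configured value would not cover. The keytool text is constructed, the alias names are hypothetical, and the exact, untrimmed comparison is an assumption drawn from the "no spaces" advice.

```python
import re

# Constructed sample: trimmed `keytool -list -v` output for the two
# HiveServer2 keystores in the HA setup (alias names are hypothetical).
KEYTOOL_OUTPUT = """\
Alias name: hiveserver2-a
Entry type: PrivateKeyEntry
Owner: CN=hmaster.test.org, OU=Hadoop, O=Test
Issuer: CN=Internal CA, O=Test

Alias name: hiveserver2-b
Entry type: PrivateKeyEntry
Owner: CN=hmaster2.test.org, OU=Hadoop, O=Test
Issuer: CN=Internal CA, O=Test
"""


def owner_cns(keytool_text):
    """Map each keystore alias to the CN of its leaf certificate's Owner DN."""
    cns, alias = {}, None
    for line in keytool_text.splitlines():
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip()
        elif line.startswith("Owner:") and alias is not None:
            dn = line.split(":", 1)[1].strip()
            match = re.search(r"(?:^|,\s*)CN=([^,]+)", dn)
            if match:
                # setdefault keeps the first Owner per alias (the leaf, not a CA).
                cns.setdefault(alias, match.group(1).strip())
    return cns


def check_common_names(configured, keytool_text):
    """Return (aliases whose CN is not covered, config entries with stray spaces).

    Assumption: the configured value is split on commas and each entry is
    compared to the certificate CN as-is, without trimming.
    """
    entries = configured.split(",")
    padded = [entry for entry in entries if entry != entry.strip()]
    allowed = set(entries)
    unmatched = sorted(alias for alias, cn in owner_cns(keytool_text).items()
                       if cn not in allowed)
    return unmatched, padded


if __name__ == "__main__":
    for value in ("hmaster.test.org,hmaster2.test.org",
                  "hmaster.test.org, hmaster2.test.org",
                  "hmaster.test.org"):
        print(repr(value), check_common_names(value, KEYTOOL_OUTPUT))
```
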