Support Questions

Find answers, ask questions, and share your expertise

Ranger UI is opening with HTTPS instead of HTTP though SSL is not enabled for Ranger. SSL is enabled for only Ambari UI

avatar
Contributor
 
1 ACCEPTED SOLUTION

avatar
Master Mentor

@Aishwarya Dixit

By Any chance do you have the Ranger and Ambari Server installed on the same host?

Because by chance iif the Ranger and Ambari are installed on the same host then Ambari might be redirecting the URLs of components like Ranger here from HTTP to HTTPS.


What strict-transport-security does?

When using SSL, this will be used to set the Strict-Transport-Securityresponse header.

HTTP Strict Transport Security (HSTS) is a security policy which is necessary to protect secure HTTPS websites against downgrade attacks. It also aids protection against cookie hijacking. It allows web servers to declare that web browsers should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol.


Browser knows the hostname (but it does not know in that host Ambari is running or Ranger) Ambari might be setting (it because ambari is set for SSL) that property to some age. But ranger does not want it as it is not set for ssl.


So when from the same browser you are hitting the Ranger ... because of same hostname it might be sending that header back.


Ambari 2.7 had some issue regarding setting those params to 0. But if you are using Older version of amabri then it should work fine.

https://issues.apache.org/jira/browse/AMBARI-25159


Hence i suggested you to try setting them to 0 in ambari.properties foillowed by AmbariServer restart (hit browser in incognito mode) , it works fine in 2.6.x versions. (by the way what is your ambari version)

http.strict-transport-security=max-age=0
views.http.strict-transport-security=max-age=0

View solution in original post

7 REPLIES 7

avatar
Master Mentor

@Aishwarya Dixit

To disable HTTPS for Ranger UI from Ambari go to:

Ambari UI--> Ranger-->config filter with HTTPS Settings:

Older HDP versions

External URL https://<hostname>:6182

HTTPS enabled - Un-check


HDP 2.6.x

Advanced ranger-admin-site:

ranger.service.https.attrib.ssl.enabled = false

Hope that helps

avatar
Contributor

@Geoffrey Shelton Okot Can you please help us with the issue?


avatar
Contributor

Hi,

We have HDP 2.6.5 in our cluster. The property mentioned by you is already disabled.


The link to which it is getting redirected to is "https:/<hostname>:6080"

avatar
Master Mentor

@Aishwarya Dixit

Can you please try this If you are trying to access the Ranger UI link Via Ambari Quicklinks and if it is getting redirected to Https Ranger url.


1. Stop Ambari Server.

# ambari-server stop

2. Edit the "/etc/ambari-server/conf/ambari.properties" file and update the values of these two properties as 0

http.strict-transport-security=max-age=0
views.http.strict-transport-security=max-age=0

3. Restart Ambari Server.

# ambari-server start

.

4. Open Fresh Incognito Mode Browser (to avoid any browser caching issue)

Then try to access the links for ranger.

avatar
Contributor

Hi @Jay Kumar SenSharma, can you please explain more about these properties?

avatar
Master Mentor

@Aishwarya Dixit

By Any chance do you have the Ranger and Ambari Server installed on the same host?

Because by chance iif the Ranger and Ambari are installed on the same host then Ambari might be redirecting the URLs of components like Ranger here from HTTP to HTTPS.


What strict-transport-security does?

When using SSL, this will be used to set the Strict-Transport-Securityresponse header.

HTTP Strict Transport Security (HSTS) is a security policy which is necessary to protect secure HTTPS websites against downgrade attacks. It also aids protection against cookie hijacking. It allows web servers to declare that web browsers should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol.


Browser knows the hostname (but it does not know in that host Ambari is running or Ranger) Ambari might be setting (it because ambari is set for SSL) that property to some age. But ranger does not want it as it is not set for ssl.


So when from the same browser you are hitting the Ranger ... because of same hostname it might be sending that header back.


Ambari 2.7 had some issue regarding setting those params to 0. But if you are using Older version of amabri then it should work fine.

https://issues.apache.org/jira/browse/AMBARI-25159


Hence i suggested you to try setting them to 0 in ambari.properties foillowed by AmbariServer restart (hit browser in incognito mode) , it works fine in 2.6.x versions. (by the way what is your ambari version)

http.strict-transport-security=max-age=0
views.http.strict-transport-security=max-age=0

avatar
Contributor

Hi @Jay Kumar SenSharma, Yes, we have installed Ambari and Ranger on the same node. And we are using HDP 2.6.5 in our cluster.


Now I have a clear picture on why we are getting this error. Thank you so much for answering and your detailed explanation.