Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Ranger UI is opening with HTTPS instead of HTTP though SSL is not enabled for Ranger. SSL is enabled for only Ambari UI

Labels:
avatar
author-rank aishwaryamdixit
Contributor

Created ‎06-06-2019 11:41 AM

 
3,907 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank jsensharma author-rank
Master Mentor

Created ‎06-07-2019 05:54 AM

@Aishwarya Dixit

By Any chance do you have the Ranger and Ambari Server installed on the same host?

Because by chance iif the Ranger and Ambari are installed on the same host then Ambari might be redirecting the URLs of components like Ranger here from HTTP to HTTPS.


What strict-transport-security does?

When using SSL, this will be used to set the Strict-Transport-Securityresponse header.

HTTP Strict Transport Security (HSTS) is a security policy which is necessary to protect secure HTTPS websites against downgrade attacks. It also aids protection against cookie hijacking. It allows web servers to declare that web browsers should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol.


Browser knows the hostname (but it does not know in that host Ambari is running or Ranger) Ambari might be setting (it because ambari is set for SSL) that property to some age. But ranger does not want it as it is not set for ssl.


So when from the same browser you are hitting the Ranger ... because of same hostname it might be sending that header back.


Ambari 2.7 had some issue regarding setting those params to 0. But if you are using Older version of amabri then it should work fine.

https://issues.apache.org/jira/browse/AMBARI-25159


Hence i suggested you to try setting them to 0 in ambari.properties foillowed by AmbariServer restart (hit browser in incognito mode) , it works fine in 2.6.x versions. (by the way what is your ambari version)

http.strict-transport-security=max-age=0
views.http.strict-transport-security=max-age=0

View solution in original post

3,829 Views
0 Kudos
7 REPLIES 7

avatar
author-rank Shelton
Master Mentor

Created ‎06-06-2019 12:37 PM

@Aishwarya Dixit

To disable HTTPS for Ranger UI from Ambari go to:

Ambari UI--> Ranger-->config filter with HTTPS Settings:

Older HDP versions

External URL https://<hostname>:6182 

HTTPS enabled - Un-check


HDP 2.6.x

Advanced ranger-admin-site: 

ranger.service.https.attrib.ssl.enabled = false

Hope that helps

3,829 Views
0 Kudos

avatar
author-rank aishwaryamdixit
Contributor

Created ‎06-06-2019 12:57 PM

@Geoffrey Shelton Okot Can you please help us with the issue?


3,829 Views
0 Kudos

avatar
author-rank aishwaryamdixit
Contributor

Created ‎06-06-2019 12:45 PM

Hi,

We have HDP 2.6.5 in our cluster. The property mentioned by you is already disabled.


The link to which it is getting redirected to is "https:/<hostname>:6080"

3,829 Views
0 Kudos

avatar
author-rank jsensharma author-rank
Master Mentor

Created ‎06-06-2019 12:59 PM

@Aishwarya Dixit

Can you please try this If you are trying to access the Ranger UI link Via Ambari Quicklinks and if it is getting redirected to Https Ranger url.


1. Stop Ambari Server.

# ambari-server stop

2. Edit the "/etc/ambari-server/conf/ambari.properties" file and update the values of these two properties as 0

http.strict-transport-security=max-age=0
views.http.strict-transport-security=max-age=0

3. Restart Ambari Server.

# ambari-server start

.

4. Open Fresh Incognito Mode Browser (to avoid any browser caching issue)

Then try to access the links for ranger.

3,829 Views
0 Kudos

avatar
author-rank aishwaryamdixit
Contributor

Created ‎06-07-2019 05:06 AM

Hi @Jay Kumar SenSharma, can you please explain more about these properties?

3,829 Views
0 Kudos

avatar
author-rank jsensharma author-rank
Master Mentor

Created ‎06-07-2019 05:54 AM

@Aishwarya Dixit

By Any chance do you have the Ranger and Ambari Server installed on the same host?

Because by chance iif the Ranger and Ambari are installed on the same host then Ambari might be redirecting the URLs of components like Ranger here from HTTP to HTTPS.


What strict-transport-security does?

When using SSL, this will be used to set the Strict-Transport-Securityresponse header.

HTTP Strict Transport Security (HSTS) is a security policy which is necessary to protect secure HTTPS websites against downgrade attacks. It also aids protection against cookie hijacking. It allows web servers to declare that web browsers should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol.


Browser knows the hostname (but it does not know in that host Ambari is running or Ranger) Ambari might be setting (it because ambari is set for SSL) that property to some age. But ranger does not want it as it is not set for ssl.


So when from the same browser you are hitting the Ranger ... because of same hostname it might be sending that header back.


Ambari 2.7 had some issue regarding setting those params to 0. But if you are using Older version of amabri then it should work fine.

https://issues.apache.org/jira/browse/AMBARI-25159


Hence i suggested you to try setting them to 0 in ambari.properties foillowed by AmbariServer restart (hit browser in incognito mode) , it works fine in 2.6.x versions. (by the way what is your ambari version)

http.strict-transport-security=max-age=0
views.http.strict-transport-security=max-age=0
3,830 Views
0 Kudos

avatar
author-rank aishwaryamdixit
Contributor

Created ‎06-07-2019 06:11 AM

Hi @Jay Kumar SenSharma, Yes, we have installed Ambari and Ranger on the same node. And we are using HDP 2.6.5 in our cluster.


Now I have a clear picture on why we are getting this error. Thank you so much for answering and your detailed explanation.

3,829 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements