Support Questions

aishwaryamdixit · ‎06-06-2019

jsensharma · ‎06-07-2019

By Any chance do you have the Ranger and Ambari Server installed on the same host?

Because by chance iif the Ranger and Ambari are installed on the same host then Ambari might be redirecting the URLs of components like Ranger here from HTTP to HTTPS.

What strict-transport-security does?

When using SSL, this will be used to set the Strict-Transport-Securityresponse header.

HTTP Strict Transport Security (HSTS) is a security policy which is necessary to protect secure HTTPS websites against downgrade attacks. It also aids protection against cookie hijacking. It allows web servers to declare that web browsers should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol.

Browser knows the hostname (but it does not know in that host Ambari is running or Ranger) Ambari might be setting (it because ambari is set for SSL) that property to some age. But ranger does not want it as it is not set for ssl.

So when from the same browser you are hitting the Ranger ... because of same hostname it might be sending that header back.

Ambari 2.7 had some issue regarding setting those params to 0. But if you are using Older version of amabri then it should work fine.

https://issues.apache.org/jira/browse/AMBARI-25159

Hence i suggested you to try setting them to 0 in ambari.properties foillowed by AmbariServer restart (hit browser in incognito mode) , it works fine in 2.6.x versions. (by the way what is your ambari version)

http.strict-transport-security=max-age=0
views.http.strict-transport-security=max-age=0

View solution in original post

Shelton · ‎06-06-2019

@Aishwarya Dixit

To disable HTTPS for Ranger UI from Ambari go to:

Ambari UI--> Ranger-->config filter with HTTPS Settings:

Older HDP versions

External URL https://<hostname>:6182

HTTPS enabled - Un-check

HDP 2.6.x

Advanced ranger-admin-site:

ranger.service.https.attrib.ssl.enabled = false

Hope that helps

aishwaryamdixit · ‎06-06-2019

@Geoffrey Shelton Okot Can you please help us with the issue?

aishwaryamdixit · ‎06-06-2019

Hi,

We have HDP 2.6.5 in our cluster. The property mentioned by you is already disabled.

The link to which it is getting redirected to is "https:/<hostname>:6080"

jsensharma · ‎06-06-2019

@Aishwarya Dixit

Can you please try this If you are trying to access the Ranger UI link Via Ambari Quicklinks and if it is getting redirected to Https Ranger url.

1. Stop Ambari Server.

# ambari-server stop

2. Edit the "/etc/ambari-server/conf/ambari.properties" file and update the values of these two properties as 0

http.strict-transport-security=max-age=0
views.http.strict-transport-security=max-age=0

3. Restart Ambari Server.

# ambari-server start

.

4. Open Fresh Incognito Mode Browser (to avoid any browser caching issue)

Then try to access the links for ranger.

aishwaryamdixit · ‎06-07-2019

Hi @Jay Kumar SenSharma, can you please explain more about these properties?

jsensharma · ‎06-07-2019

@Aishwarya Dixit

By Any chance do you have the Ranger and Ambari Server installed on the same host?

Because by chance iif the Ranger and Ambari are installed on the same host then Ambari might be redirecting the URLs of components like Ranger here from HTTP to HTTPS.

What strict-transport-security does?

When using SSL, this will be used to set the Strict-Transport-Securityresponse header.

HTTP Strict Transport Security (HSTS) is a security policy which is necessary to protect secure HTTPS websites against downgrade attacks. It also aids protection against cookie hijacking. It allows web servers to declare that web browsers should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol.

Browser knows the hostname (but it does not know in that host Ambari is running or Ranger) Ambari might be setting (it because ambari is set for SSL) that property to some age. But ranger does not want it as it is not set for ssl.

So when from the same browser you are hitting the Ranger ... because of same hostname it might be sending that header back.

Ambari 2.7 had some issue regarding setting those params to 0. But if you are using Older version of amabri then it should work fine.

https://issues.apache.org/jira/browse/AMBARI-25159

Hence i suggested you to try setting them to 0 in ambari.properties foillowed by AmbariServer restart (hit browser in incognito mode) , it works fine in 2.6.x versions. (by the way what is your ambari version)

http.strict-transport-security=max-age=0
views.http.strict-transport-security=max-age=0

aishwaryamdixit · ‎06-07-2019

Hi @Jay Kumar SenSharma, Yes, we have installed Ambari and Ranger on the same node. And we are using HDP 2.6.5 in our cluster.

Now I have a clear picture on why we are getting this error. Thank you so much for answering and your detailed explanation.

Cloudera Community

Support Questions

Ranger UI is opening with HTTPS instead of HTTP though SSL is not enabled for Ranger. SSL is enabled for only Ambari UI

Setup Ranger to use Ambari Infra Solr enabled in S...

Ranger SSL - pitfalls

How to enable SSL for Storm UI

Enable SSL for Livy Server

Enable HTTPS for Ambari using JKS

Apache Ranger Admin UI Login Question

Enabling Https for AmbariServer and troubleshootin...

HDP 2.5 Ranger service plugins fail to upload audi...

Kafka Broker not starting after enabling ranger

Enable 2 way SSL between Ambari-Server and Ambari-...