
Ranger Usersync is not working. Unable to sync 'linux' users


New Contributor

Hi.

We are running HDP 3.0.1 which is Kerberized.

We are not able to sync the 'linux' users to Ranger.

Below is the error observed in the usersync log file.

03 Dec 2018 18:03:40INFO UserGroupSync [UnixUserSyncThread] - Begin: update user/group from source==>sink
03 Dec 2018 18:03:40 ERROR PolicyMgrUserGroupBuilder [UnixUserSyncThread] - Failed to communicate Ranger Admin :
com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:155)
at com.sun.jersey.api.client.Client.handle(Client.java:652)
at com.sun.jersey.api.client.WebResource.handle(WebResource.java:682)
at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)
at com.sun.jersey.api.client.WebResource$Builder.post(WebResource.java:570)
at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.tryUploadEntityWithCred(PolicyMgrUserGroupBuilder.java:895)
at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.cookieBasedUploadEntity(PolicyMgrUserGroupBuilder.java:1248)
at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.getUserGroupAuditInfo(PolicyMgrUserGroupBuilder.java:1688)
at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.access$1000(PolicyMgrUserGroupBuilder.java:79)
at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder$8.run(PolicyMgrUserGroupBuilder.java:1660)
at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder$8.run(PolicyMgrUserGroupBuilder.java:1656)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:360)
at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.addUserGroupAuditInfo(PolicyMgrUserGroupBuilder.java:1656)
at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.postUserGroupAuditInfo(PolicyMgrUserGroupBuilder.java:1615)
at org.apache.ranger.unixusersync.process.UnixUserGroupBuilder.updateSink(UnixUserGroupBuilder.java:186)
at org.apache.ranger.usergroupsync.UserGroupSync.syncUserGroup(UserGroupSync.java:107)
at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:85)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1316)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1291)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
at com.sun.jersey.client.urlconnection.URLConnectionClientHandler$1$1.getOutputStream(URLConnectionClientHandler.java:238)
at com.sun.jersey.api.client.CommittingOutputStream.commitStream(CommittingOutputStream.java:117)
at com.sun.jersey.api.client.CommittingOutputStream.write(CommittingOutputStream.java:89)
at sun.nio.cs.StreamEncoder.writeBytes(StreamEncoder.java:221)
at sun.nio.cs.StreamEncoder.implFlushBuffer(StreamEncoder.java:291)
at sun.nio.cs.StreamEncoder.implFlush(StreamEncoder.java:295)
at sun.nio.cs.StreamEncoder.flush(StreamEncoder.java:141)
at java.io.OutputStreamWriter.flush(OutputStreamWriter.java:229)
at java.io.BufferedWriter.flush(BufferedWriter.java:254)
at com.sun.jersey.core.util.ReaderWriter.writeToAsString(ReaderWriter.java:191)
at com.sun.jersey.core.provider.AbstractMessageReaderWriterProvider.writeToAsString(AbstractMessageReaderWriterProvider.java:128)
at com.sun.jersey.core.impl.provider.entity.StringProvider.writeTo(StringProvider.java:88)
at com.sun.jersey.core.impl.provider.entity.StringProvider.writeTo(StringProvider.java:58)
at com.sun.jersey.api.client.RequestWriter.writeRequestEntity(RequestWriter.java:300)
at com.sun.jersey.client.urlconnection.URLConnectionClientHandler._invoke(URLConnectionClientHandler.java:217)
at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:153)
... 18 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
... 46 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
... 52 more
03 Dec 2018 18:03:40INFO UserGroupSync [UnixUserSyncThread] - End: update user/group from source==>sink
03 Dec 2018 18:04:40INFO UserGroupSync [UnixUserSyncThread] - Begin: update user/group from source==>sink
03 Dec 2018 18:04:40 ERROR PolicyMgrUserGroupBuilder [UnixUserSyncThread] - Failed to communicate Ranger Admin :
com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:155)
at com.sun.jersey.api.client.Client.handle(Client.java:652)

I've also followed the HW Support KB below, but still no luck.

https://community.hortonworks.com/content/supportkb/49025/ranger-usersync-fails-with-unable-to-find-...

Any technical help will be highly appreciated.

Thanks,

4 REPLIES 4

Re: Ranger Usersync is not working. Unable to sync 'linux' users

Cloudera Employee

Hi @Shesh Kumar,

Were you able to follow the doc?

https://docs.hortonworks.com/HDPDocuments/HDP3/HDP-3.0.1/configuring-wire-encryption/content/configu...

I could enable ssl and kerberos following this doc.

Hope this helps.

Regards,

AQ

Re: Ranger Usersync is not working. Unable to sync 'linux' users

New Contributor

Hi @aquilodran,

Thanks for the suggestion. I've removed the SSL for Ranger now and it's still not working.

Even in our stage cluster (Kerberized), which has not had SSL enabled since the beginning, we are not able to sync the unix users.

Following are the attached logs from the stage cluster. Please check and provide your thoughts.

Here's a small excerpt from the usersync log:

12 Dec 2018 09:32:55  INFO UnixAuthenticationService [main] - Starting User Sync Service!
12 Dec 2018 09:32:55  WARN UnixUserGroupBuilder [UnixUserSyncThread] - DEPRECATED: Unix backend is configured to use /etc/passwd and /etc/group files directly instead of standard system mechanisms.
12 Dec 2018 09:32:55  INFO UserGroupSync [UnixUserSyncThread] - initializing sink: org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder
12 Dec 2018 09:32:56  INFO PolicyMgrUserGroupBuilder [UnixUserSyncThread] - Using principal = rangerusersync/stg-agent001-stg-cloud009.XXXXXX.nm2@XXXXXX.COM and keytab = /etc/security/keytabs/rangerusersync.service.keytab
12 Dec 2018 09:32:57  INFO PolicyMgrUserGroupBuilder [UnixUserSyncThread] - valid cookie saved 
12 Dec 2018 09:32:58  WARN UnixUserGroupBuilder [UnixUserSyncThread] - DEPRECATED: Unix backend is configured to use /etc/passwd and /etc/group files directly instead of standard system mechanisms.
12 Dec 2018 09:32:58  INFO UserGroupSync [UnixUserSyncThread] - initializing source: org.apache.ranger.unixusersync.process.UnixUserGroupBuilder
12 Dec 2018 09:32:58  INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink
12 Dec 2018 09:32:58 ERROR PolicyMgrUserGroupBuilder [UnixUserSyncThread] - Failed to add portal user
12 Dec 2018 09:32:58 ERROR UnixUserGroupBuilder [UnixUserSyncThread] - sink.addOrUpdateUser failed with exception: Failed to add portal user, for user: mahendra.aricent, groups: [mahendra.aricent, dev]
12 Dec 2018 09:32:58 ERROR PolicyMgrUserGroupBuilder [UnixUserSyncThread] - Failed to add portal user
12 Dec 2018 09:32:58 ERROR UnixUserGroupBuilder [UnixUserSyncThread] - sink.addOrUpdateUser failed with exception: Failed to add portal user, for user: jatin, groups: [jatin, dev]
12 Dec 2018 09:32:58 ERROR PolicyMgrUserGroupBuilder [UnixUserSyncThread] - Failed to add portal user
12 Dec 2018 09:32:58 ERROR UnixUserGroupBuilder [UnixUserSyncThread] - sink.addOrUpdateUser failed with exception: Failed to add portal user, for user: ankit, groups: [ankit, dev]
12 Dec 2018 09:32:58 ERROR PolicyMgrUserGroupBuilder [UnixUserSyncThread] - Failed to add portal user
12 Dec 2018 09:32:58 ERROR UnixUserGroupBuilder [UnixUserSyncThread] - sink.addOrUpdateUser failed with exception: Failed to add portal user, for user: jithin.jose, groups: [jithin.jose, dev]
12 Dec 2018 09:32:58 ERROR PolicyMgrUserGroupBuilder [UnixUserSyncThread] - Failed to add portal user

Full Log: usersync.txt

Thanks,

Shesh Kumar
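
An added example, not part of the original posts and not Ranger project code: a small triage script for the usersync log layout quoted in this thread, separating records where the TLS handshake to Ranger Admin failed certificate path validation from records where individual users were rejected with "Failed to add portal user". The sample log is constructed, the names `parse` and `triage` are hypothetical, and reading `valid cookie saved` as evidence of an established session is an assumption.

```python
import re

# Constructed sample in the usersync log layout quoted in this thread;
# the user names alice and bob are placeholders, not values from the thread.
SAMPLE_LOG = """\
03 Dec 2018 18:03:40 ERROR PolicyMgrUserGroupBuilder [UnixUserSyncThread] - Failed to communicate Ranger Admin :
com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.jersey.api.client.Client.handle(Client.java:652)
12 Dec 2018 09:32:57  INFO PolicyMgrUserGroupBuilder [UnixUserSyncThread] - valid cookie saved
12 Dec 2018 09:32:58 ERROR PolicyMgrUserGroupBuilder [UnixUserSyncThread] - Failed to add portal user
12 Dec 2018 09:32:58 ERROR UnixUserGroupBuilder [UnixUserSyncThread] - sink.addOrUpdateUser failed with exception: Failed to add portal user, for user: alice, groups: [alice, dev]
12 Dec 2018 09:32:58 ERROR UnixUserGroupBuilder [UnixUserSyncThread] - sink.addOrUpdateUser failed with exception: Failed to add portal user, for user: bob, groups: [bob, dev]
"""

# Record header: timestamp, level, logger, [thread], message. \s* tolerates
# the missing space before the level seen in some of the pasted lines.
RECORD = re.compile(r"^(\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2})\s*(INFO|WARN|ERROR)\s+(\S+) \[[^\]]+\] - (.*)$")
USER = re.compile(r"for user: (\S+), groups: \[([^\]]*)\]")

def parse(text):
    """Split the log into records; stack-trace lines attach to the record above."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            records.append({"ts": m[1], "level": m[2], "logger": m[3], "msg": m[4].strip(), "trace": []})
        elif records and line.strip():
            records[-1]["trace"].append(line.strip())
    return records

def triage(text):
    """Classify ERROR records: TLS trust failure vs. per-user rejection by Ranger Admin."""
    out = {"tls_trust_failures": 0, "session_established": False, "rejected_users": {}, "unclassified": 0}
    for r in parse(text):
        body = " ".join([r["msg"], *r["trace"]])
        if r["level"] != "ERROR":
            # Assumption: this message means a session cookie was obtained from Ranger Admin.
            out["session_established"] |= "valid cookie saved" in r["msg"]
        elif "PKIX path building failed" in body:
            out["tls_trust_failures"] += 1
        elif (u := USER.search(r["msg"])):
            out["rejected_users"][u[1]] = [g.strip() for g in u[2].split(",")]
        elif r["msg"] != "Failed to add portal user":  # summary line paired with the per-user line
            out["unclassified"] += 1
    return out

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A non-zero `tls_trust_failures` count points at the truststore used by the usersync JVM, while entries in `rejected_users` alongside `session_established` point at how Ranger Admin handled the individual user requests.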

Re: Ranger Usersync is not working. Unable to sync 'linux' users

New Contributor

Hi @Shahbaj Sayyad,

We disabled the SSL for Ranger (I edited the original description). Still we see the error.

Even in our stage cluster (Kerberized), which has not had SSL enabled since the beginning, we are not able to sync the unix users. I have attached the logs from the stage cluster. Please check and kindly guide me.

usersync.txt

Thanks,

Shesh
