Ranger admin error when creating service repo in Knox plugin

nhgodwal · ‎03-08-2018

I am trying to enable Ranger Knox plugin. I created a service called 'knoxdev' and test connection is successful. But still I am not able to see service 'knoxdev' in audit->Plugins tab.

- The knox url tested in connection is:- https://localhost:8443/gateway/admin/api/v1/topologies

- The authorization provider I am using in admin topology is AclsAuthz. If I change it to XAsecurePDPknox then I do not get get successful connection. Need to know what provider should be used.

I have hdfs plugin enabled too and service created for same as 'hadoopdev'. I am able to see 'hadoodev' in audit->Plugins tab but not 'knoxdev'.

Then I checked gateway.log and gateway-audit.log. I can see response code as 200.

Then I checked ranger_admin.log, and there I find this error:

ERROR org.apache.ranger.plugin.util.PasswordUtils (PasswordUtils.java:130) - Unable to decrypt password due to error
javax.crypto.IllegalBlockSizeException: Input length must be multiple of 8 when decrypting with padded cipher
        at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:936)
        at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:847)
        at com.sun.crypto.provider.PBES1Core.doFinal(PBES1Core.java:416)
        at com.sun.crypto.provider.PBEWithMD5AndDESCipher.engineDoFinal(PBEWithMD5AndDESCipher.java:316)
        at javax.crypto.Cipher.doFinal(Cipher.java:2165)
        at org.apache.ranger.plugin.util.PasswordUtils.decryptPassword(PasswordUtils.java:115)
        at org.apache.ranger.services.knox.client.KnoxClient.getTopologyList(KnoxClient.java:79)
        at org.apache.ranger.services.knox.client.KnoxClient$2.call(KnoxClient.java:406)
        at org.apache.ranger.services.knox.client.KnoxClient$2.call(KnoxClient.java:402)
        at org.apache.ranger.services.knox.client.KnoxClient.timedTask(KnoxClient.java:431)
        at org.apache.ranger.services.knox.client.KnoxClient.getKnoxResources(KnoxClient.java:410)
        at org.apache.ranger.services.knox.client.KnoxClient.connectionTest(KnoxClient.java:315)
        at org.apache.ranger.services.knox.client.KnoxResourceMgr.validateConfig(KnoxResourceMgr.java:43)
        at org.apache.ranger.services.knox.RangerServiceKnox.validateConfig(RangerServiceKnox.java:56)
        at org.apache.ranger.biz.ServiceMgr$ValidateCallable.actualCall(ServiceMgr.java:560)
        at org.apache.ranger.biz.ServiceMgr$ValidateCallable.actualCall(ServiceMgr.java:547)
        at org.apache.ranger.biz.ServiceMgr$TimedCallable.call(ServiceMgr.java:508)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
2018-03-08 18:23:16,315 [timed-executor-pool-0] INFO  apache.ranger.services.knox.client.KnoxClient (KnoxClient.java:81) - Password decryption failed; trying knox connection with received password string

Can anyone help?

gcunha · ‎03-13-2018

Hi @GN_Exp,

If you are using Oracle JDK, check if you have JCE installed for your Java version.

You can follow this Support KB regarding on how to check if JCE is installed and how to install:

https://community.hortonworks.com/content/supportkb/48974/how-to-check-if-jce-is-unlimited.html

Hope it helps.

Gonçalo

vperiasamy · ‎03-13-2018

Auth provider should be XAsecurePDPknox for Ranger to be enabled.

Knox plugin does not download policies upon initialization, hence you are not seeing that in Audit plugins. Upon first request to Knox (you can use curl to trigger any knox url), knox plugin will download the policies from ranger admin.

massoudm · ‎05-16-2019

Did this issue get resolved?

I'm using HDP 3.1 with Ranger 1.2.0, and I have the correct Unlimited JCE, but still get this error when using the test connection button.