Created 03-08-2018 08:08 PM
I am trying to enable Ranger Knox plugin. I created a service called 'knoxdev' and test connection is successful. But still I am not able to see service 'knoxdev' in audit->Plugins tab.
- The Knox URL tested in connection is: https://localhost:8443/gateway/admin/api/v1/topologies
- The authorization provider I am using in admin topology is AclsAuthz. If I change it to XAsecurePDPknox then I do not get a successful connection. Need to know what provider should be used.
I have the hdfs plugin enabled too and a service created for the same as 'hadoopdev'. I am able to see 'hadoopdev' in audit->Plugins tab but not 'knoxdev'.
Then I checked gateway.log and gateway-audit.log. I can see response code as 200.
Then I checked ranger_admin.log, and there I find this error:
ERROR org.apache.ranger.plugin.util.PasswordUtils (PasswordUtils.java:130) - Unable to decrypt password due to error
javax.crypto.IllegalBlockSizeException: Input length must be multiple of 8 when decrypting with padded cipher
    at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:936)
    at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:847)
    at com.sun.crypto.provider.PBES1Core.doFinal(PBES1Core.java:416)
    at com.sun.crypto.provider.PBEWithMD5AndDESCipher.engineDoFinal(PBEWithMD5AndDESCipher.java:316)
    at javax.crypto.Cipher.doFinal(Cipher.java:2165)
    at org.apache.ranger.plugin.util.PasswordUtils.decryptPassword(PasswordUtils.java:115)
    at org.apache.ranger.services.knox.client.KnoxClient.getTopologyList(KnoxClient.java:79)
    at org.apache.ranger.services.knox.client.KnoxClient$2.call(KnoxClient.java:406)
    at org.apache.ranger.services.knox.client.KnoxClient$2.call(KnoxClient.java:402)
    at org.apache.ranger.services.knox.client.KnoxClient.timedTask(KnoxClient.java:431)
    at org.apache.ranger.services.knox.client.KnoxClient.getKnoxResources(KnoxClient.java:410)
    at org.apache.ranger.services.knox.client.KnoxClient.connectionTest(KnoxClient.java:315)
    at org.apache.ranger.services.knox.client.KnoxResourceMgr.validateConfig(KnoxResourceMgr.java:43)
    at org.apache.ranger.services.knox.RangerServiceKnox.validateConfig(RangerServiceKnox.java:56)
    at org.apache.ranger.biz.ServiceMgr$ValidateCallable.actualCall(ServiceMgr.java:560)
    at org.apache.ranger.biz.ServiceMgr$ValidateCallable.actualCall(ServiceMgr.java:547)
    at org.apache.ranger.biz.ServiceMgr$TimedCallable.call(ServiceMgr.java:508)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
2018-03-08 18:23:16,315 [timed-executor-pool-0] INFO apache.ranger.services.knox.client.KnoxClient (KnoxClient.java:81) - Password decryption failed; trying knox connection with received password string
Can anyone help?
Created 03-13-2018 09:29 AM
Hi @GN_Exp,
If you are using Oracle JDK, check if you have JCE installed for your Java version.
You can follow this Support KB on how to check if JCE is installed and how to install it:
https://community.hortonworks.com/content/supportkb/48974/how-to-check-if-jce-is-unlimited.html
Hope it helps.
Gonçalo
Created 03-13-2018 06:07 PM
Auth provider should be XAsecurePDPknox for Ranger to be enabled.
Knox plugin does not download policies upon initialization, hence you are not seeing that in Audit plugins. Upon first request to Knox (you can use curl to trigger any knox url), knox plugin will download the policies from ranger admin.
Created 05-16-2019 12:01 AM
Did this issue get resolved?
I'm using HDP 3.1 with Ranger 1.2.0, and I have the correct Unlimited JCE, but still get this error when using the test connection button.