Ranger can't get client certificate - Error when starting KMS

Whenever I start up the KMS server, I get the following errors:

2016-08-11 16:39:23,561 DEBUG PolicyRefresher - ==> PolicyRefresher(serviceName=clusterprod_kms).PolicyRefresher()
2016-08-11 16:39:23,561 DEBUG PolicyRefresher - <== PolicyRefresher(serviceName=clusterprod_kms).PolicyRefresher()
2016-08-11 16:39:23,561 DEBUG PolicyRefresher - ==> PolicyRefresher(serviceName=clusterprod_kms).loadPolicy()
2016-08-11 16:39:23,561 DEBUG PolicyRefresher - ==> PolicyRefresher(serviceName=clusterprod_kms).loadPolicyfromPolicyAdmin()
2016-08-11 16:39:23,561 DEBUG RangerAdminRESTClient - ==> RangerAdminRESTClient.getServicePoliciesIfUpdated(-1)
2016-08-11 16:39:24,240 ERROR RangerAdminRESTClient - Error getting policies. request=https://cluster004.localhost.local:6182/service/plugins/policies/download/clusterprod_kms?lastKnownVersion=-1&pluginId=kms@cluster004-clusterprod_kms, response={"httpStatusCode":400,"statusCode":1,"msgDesc":"Unauthorized access - unable to get client certificate","messageList":[{"name":"OPER_NOT_ALLOWED_FOR_ENTITY","rbKey":"xa.error.oper_not_allowed_for_state","message":"Operation not allowed for entity"}]}, serviceName=clusterprod_kms
2016-08-11 16:39:24,240 ERROR PolicyRefresher - PolicyRefresher(serviceName=clusterprod_kms): failed to refresh policies. Will continue to use last known version of policies (-1)
java.lang.Exception: Unauthorized access - unable to get client certificate
	at org.apache.ranger.admin.client.RangerAdminRESTClient.getServicePoliciesIfUpdated(RangerAdminRESTClient.java:83)
	at org.apache.ranger.plugin.util.PolicyRefresher.loadPolicyfromPolicyAdmin(PolicyRefresher.java:205)
	at org.apache.ranger.plugin.util.PolicyRefresher.loadPolicy(PolicyRefresher.java:175)
	at org.apache.ranger.plugin.util.PolicyRefresher.startRefresher(PolicyRefresher.java:132)
	at org.apache.ranger.plugin.service.RangerBasePlugin.init(RangerBasePlugin.java:106)
	at org.apache.ranger.authorization.kms.authorizer.RangerKMSPlugin.init(RangerKmsAuthorizer.java:358)
	at org.apache.ranger.authorization.kms.authorizer.RangerKmsAuthorizer.init(RangerKmsAuthorizer.java:280)
	at org.apache.ranger.authorization.kms.authorizer.RangerKmsAuthorizer.<init>(RangerKmsAuthorizer.java:114)
	at org.apache.ranger.authorization.kms.authorizer.RangerKmsAuthorizer.<init>(RangerKmsAuthorizer.java:132)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
	at org.apache.hadoop.util.ReflectionUtils.newInstance(ReflectionUtils.java:132)
	at org.apache.hadoop.crypto.key.kms.server.KMSWebApp.getAcls(KMSWebApp.java:241)
	at org.apache.hadoop.crypto.key.kms.server.KMSWebApp.contextInitialized(KMSWebApp.java:134)
	at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4992)
	at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5490)
	at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
	at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1575)
	at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1565)
	at java.util.concurrent.FutureTask.run(FutureTask.java:262)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
	at java.lang.Thread.run(Thread.java:745)
2016-08-11 16:39:24,241 DEBUG PolicyRefresher - <== PolicyRefresher(serviceName=clusterprod_kms).loadPolicyfromPolicyAdmin()
2016-08-11 16:39:24,241 DEBUG PolicyRefresher - ==> PolicyRefresher(serviceName=clusterprod_kms).loadFromCache()
2016-08-11 16:39:24,243 DEBUG PolicyRefresher - <== PolicyRefresher(serviceName=clusterprod_kms).loadFromCache()
2016-08-11 16:39:24,243 DEBUG PolicyRefresher - <== PolicyRefresher(serviceName=clusterprod_kms).loadPolicy()
2016-08-11 16:39:24,244 DEBUG PolicyRefresher - ==> PolicyRefresher(serviceName=clusterprod_kms).run()
2016-08-11 16:39:24,244 DEBUG PolicyRefresher - ==> PolicyRefresher(serviceName=clusterprod_kms).loadPolicy()
2016-08-11 16:39:24,244 DEBUG PolicyRefresher - ==> PolicyRefresher(serviceName=clusterprod_kms).loadPolicyfromPolicyAdmin()
2016-08-11 16:39:24,244 DEBUG RangerAdminRESTClient - ==> RangerAdminRESTClient.getServicePoliciesIfUpdated(-1)
2016-08-11 16:39:24,245 DEBUG RangerKmsAuthorizer - <== RangerkmsAuthorizer.init()
2016-08-11 16:39:24,275 INFO  log - Logging to org.slf4j.impl.Log4jLoggerAdapter(org.mortbay.log) via org.mortbay.log.Slf4jLog
2016-08-11 16:39:24,275 INFO  log - ------------------ Ranger KMSWEbApp---------------------
2016-08-11 16:39:24,275 INFO  log - provider string = dbks://http@localhost:9292/kms
2016-08-11 16:39:24,275 INFO  log - URI = dbks://http@localhost:9292/kms scheme = dbks
2016-08-11 16:39:24,275 INFO  log - kmsconf size= 427 kms classname=org.apache.hadoop.conf.Configuration
2016-08-11 16:39:24,275 INFO  log - ----------------INstantiating key provider ---------------
2016-08-11 16:39:24,292 ERROR RangerAdminRESTClient - Error getting policies. request=https://cluster004.localhost.local:6182/service/plugins/policies/download/clusterprod_kms?lastKnownVersion=-1&pluginId=kms@cluster004-clusterprod_kms, response={"httpStatusCode":400,"statusCode":1,"msgDesc":"Unauthorized access - unable to get client certificate","messageList":[{"name":"OPER_NOT_ALLOWED_FOR_ENTITY","rbKey":"xa.error.oper_not_allowed_for_state","message":"Operation not allowed for entity"}]}, serviceName=clusterprod_kms
2016-08-11 16:39:24,292 ERROR PolicyRefresher - PolicyRefresher(serviceName=clusterprod_kms): failed to refresh policies. Will continue to use last known version of policies (-1)
java.lang.Exception: Unauthorized access - unable to get client certificate
	at org.apache.ranger.admin.client.RangerAdminRESTClient.getServicePoliciesIfUpdated(RangerAdminRESTClient.java:83)
	at org.apache.ranger.plugin.util.PolicyRefresher.loadPolicyfromPolicyAdmin(PolicyRefresher.java:205)
	at org.apache.ranger.plugin.util.PolicyRefresher.loadPolicy(PolicyRefresher.java:175)
	at org.apache.ranger.plugin.util.PolicyRefresher.run(PolicyRefresher.java:154)
2016-08-11 16:39:24,293 DEBUG PolicyRefresher - <== PolicyRefresher(serviceName=clusterprod_kms).loadPolicyfromPolicyAdmin()

I've already installed the certificates using keytool, all configs are pointed to the correct keystores. Ranger is SSL enabled.

Also seems like the KMS plugin isn't being installed correctly.

HDP: 2.3.4.7 Ambari: 2.2.2.0

Any thoughts?

Re: Ranger can't get client certificate - Error when starting KMS

@Ed Gleeck, can you please follow the following docs to configure SSL?

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.0/bk_Ranger_KMS_Admin_Guide/content/ch_ranger...

Please check whether you created the Ranger Admin keystore certificate and then imported it into the Ranger KMS truststore, and vice versa.
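
One way to run the two-way check the reply describes, as an added example that is not part of the original thread or of Ranger itself. It compares fingerprints in text captured with `keytool -list -keystore <store>` and assumes each side's certificate was imported directly into the other side's truststore (not trusted through a CA); the aliases, fingerprints and variable names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Each variable holds text captured with: keytool -list -keystore <store>
# Constructed sample listings; aliases and (shortened) fingerprints are made up.

ADMIN_KEYSTORE='rangeradmin, Aug 11, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): AA:11:22:33'

KMS_PLUGIN_KEYSTORE='rangerkmsplugin, Aug 11, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): BB:44:55:66'

# KMS plugin truststore: contains the admin certificate.
KMS_PLUGIN_TRUSTSTORE='rangeradmintrust, Aug 11, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): AA:11:22:33'

# Admin truststore: constructed failing case, plugin certificate never imported.
ADMIN_TRUSTSTORE='someothercert, Aug 11, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): CC:77:88:99'

# Print the fingerprint of every entry of the given type in a listing on stdin.
fingerprints_of() {
  awk -v type="$1" '
    index($0, type ",")        { want = 1; next }
    /^Certificate fingerprint/ { if (want) print $NF; want = 0 }
  '
}

# Succeed only if every PrivateKeyEntry certificate in listing $1 appears
# as a trustedCertEntry in listing $2.
is_trusted_by() {
  keys=$(printf '%s\n' "$1" | fingerprints_of PrivateKeyEntry)
  trusted=$(printf '%s\n' "$2" | fingerprints_of trustedCertEntry)
  [ -n "$keys" ] || return 1        # a keystore with no key pair also fails
  for fp in $keys; do
    printf '%s\n' "$trusted" | grep -qxF "$fp" || return 1
  done
}

report() {
  if is_trusted_by "$2" "$3"; then echo "$1: OK"; else echo "$1: MISSING"; fi
}

report "admin cert in KMS plugin truststore" "$ADMIN_KEYSTORE" "$KMS_PLUGIN_TRUSTSTORE"
report "KMS plugin cert in admin truststore" "$KMS_PLUGIN_KEYSTORE" "$ADMIN_TRUSTSTORE"
```

If the certificates are CA-signed, compare against the CA certificate's fingerprint in the truststore instead of the leaf's.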