Created 07-19-2017 08:55 AM
Hi,
In our clusters we have a strange behavior, certainly due to a misconfiguration. In all Ranger actions (like downloading policies, asking Ranger KMS, getting audits, etc.) we have a failed authentication before a successful one.
Everything works as expected, but it does not appear optimal.
Below are some examples extracted from the access logs in Ranger Admin and KMS:
192.168.0.1 - - [19/Jul/2017:10:29:52 +0200] "GET /service/plugins/secure/policies/download/clusterName_kafka?lastKnownVersion=42&pluginId=kafka@host.domain-clusterName_kafka HTTP/1.1" 401 -
192.168.0.1 - - [19/Jul/2017:10:29:52 +0200] "GET /service/plugins/secure/policies/download/clusterName_kafka?lastKnownVersion=42&pluginId=kafka@host.domain-clusterName_kafka HTTP/1.1" 304 -
192.168.0.1 - - [17/Jul/2017:14:11:42 +0000] "GET /service/assets/accessAudit?page=0&pageSize=25&total_pages=66&totalCount=1626&startIndex=0&sortBy=eventTime&startDate=07%2F17%2F2017 HTTP/1.1" 401 1113
192.168.0.1 - - [17/Jul/2017:14:11:43 +0000] "GET /service/assets/accessAudit?page=0&pageSize=25&total_pages=66&totalCount=1626&startIndex=0&sortBy=eventTime&startDate=07%2F17%2F2017 HTTP/1.1" 200 11187
192.168.0.1 - - [17/Jul/2017:14:06:03 +0000] "GET /service/plugins/policy/52/versionList HTTP/1.1" 401 1113
192.168.0.1 - - [17/Jul/2017:14:06:03 +0000] "GET /service/plugins/policy/52/versionList HTTP/1.1" 200 23
192.168.0.1 - - [17/Jul/2017:14:06:03 +0000] "GET /service/plugins/policies/eventTime?eventTime=2017-07-17T14%3A05%3A47Z&policyId=52&_=1500297123319 HTTP/1.1" 401 1113
192.168.0.1 - - [17/Jul/2017:14:06:03 +0000] "GET /service/plugins/policies/eventTime?eventTime=2017-07-17T14%3A05%3A47Z&policyId=52&_=1500297123319 HTTP/1.1" 200 708
192.168.0.1 - - [19/Jul/2017:10:20:19 +0200] "OPTIONS /kms/v1/?op=GETDELEGATIONTOKEN&renewer=rm%2Fhost.domain%40CIB.NET HTTP/1.1" 401 997
192.168.0.1 - - [19/Jul/2017:10:20:19 +0200] "OPTIONS /kms/v1/?op=GETDELEGATIONTOKEN&renewer=rm%2Fhost.domain%40CIB.NET HTTP/1.1" 200 3484
192.168.0.1 - - [19/Jul/2017:10:20:19 +0200] "GET /kms/v1/?op=GETDELEGATIONTOKEN&renewer=rm%2Fhost.domain%40CIB.NET HTTP/1.1" 200 132
Does anyone have an idea of what could be wrong? We have secured clusters and two Ranger Admin/KMS hosts on each.
Thanks
Created 07-19-2017 08:45 PM
Hello @Micaël Dias,
HTTP authentication (to be specific, SPNEGO authentication) works as a two-pass handshake mechanism.
First, when the client approaches the HTTP server, the server checks the request header and responds by sending a 401 'Authentication required' message. We see this response as the first entry in the access log.
192.168.0.1 - - [17/Jul/2017:14:11:42 +0000] "GET /service/assets/accessAudit?page=0&pageSize=25&total_pages=66&totalCount=1626&startIndex=0&sortBy=eventTime&startDate=07%2F17%2F2017 HTTP/1.1" 401 1113
To this, the client again sends a Negotiate header (indicating the Kerberos authentication token) to the server. If everything works out, the server responds with a 200 OK message.
192.168.0.1 - - [17/Jul/2017:14:11:43 +0000] "GET /service/assets/accessAudit?page=0&pageSize=25&total_pages=66&totalCount=1626&startIndex=0&sortBy=eventTime&startDate=07%2F17%2F2017 HTTP/1.1" 200 11187
This is totally normal and expected when authentication is enabled for the HTTP server.
Hope this helps !
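The 401-then-success pattern described in the answer above can be separated from 401s that never complete when reviewing these access logs. The following is an added example, not part of the original thread or of Ranger itself: it pairs each 401 with the next response to the same client, method and URI. The function names, the 2-second pairing window and the sample lines are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the same access-log format as the thread's excerpts.
SAMPLE_LOG = """\
192.168.0.1 - - [17/Jul/2017:14:06:03 +0000] "GET /service/plugins/policy/52/versionList HTTP/1.1" 401 1113
192.168.0.1 - - [17/Jul/2017:14:06:03 +0000] "GET /service/plugins/policy/52/versionList HTTP/1.1" 200 23
192.168.0.1 - - [19/Jul/2017:10:29:52 +0200] "GET /service/plugins/secure/policies/download/clusterName_kafka?lastKnownVersion=42 HTTP/1.1" 401 -
192.168.0.1 - - [19/Jul/2017:10:29:52 +0200] "GET /service/plugins/secure/policies/download/clusterName_kafka?lastKnownVersion=42 HTTP/1.1" 304 -
192.168.0.9 - - [19/Jul/2017:10:31:00 +0200] "GET /service/plugins/policy/52/versionList HTTP/1.1" 401 1113
192.168.0.9 - - [19/Jul/2017:10:31:05 +0200] "GET /service/plugins/policy/52/versionList HTTP/1.1" 401 1113
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+$')

def parse(line):
    """Parse one access-log line; return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], m["method"], m["uri"], int(m["status"]), ts

def classify_401s(log_text, window=timedelta(seconds=2)):
    """Split 401s into completed handshakes and unresolved ones.

    completed:  401 followed within `window` by a status < 400 for the same key.
    unresolved: 401 followed by another 401, an error, a late reply, or nothing.
    """
    pending = {}  # (ip, method, uri) -> timestamp of the open 401 challenge
    completed, unresolved = [], []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, method, uri, status, ts = rec
        key = (ip, method, uri)
        if status == 401:
            if key in pending:  # earlier challenge was never answered
                unresolved.append((key, pending[key]))
            pending[key] = ts
        elif key in pending:
            opened = pending.pop(key)
            if ts - opened <= window and status < 400:
                completed.append((key, status))
            else:
                unresolved.append((key, opened))
    unresolved.extend(pending.items())  # 401s with no follow-up at all
    return completed, unresolved
```

Only the unresolved list needs attention; the completed pairs are the expected challenge and response.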
Created 07-20-2017 07:11 AM