Ranger errors HTTP/1.1 401 just before successful authentications

Explorer

Hi,

In our clusters we have a strange behavior, certainly due to a misconfiguration. In all Ranger actions (like downloading policies, asking Ranger KMS, getting audits, etc.) we have a failed authentication before a successful one.

Everything works as expected, but it does not appear optimal.

Below are some examples extracted from the access logs in Ranger Admin and KMS:

192.168.0.1 - - [19/Jul/2017:10:29:52 +0200] "GET /service/plugins/secure/policies/download/clusterName_kafka?lastKnownVersion=42&pluginId=kafka@host.domain-clusterName_kafka HTTP/1.1" 401 -
192.168.0.1 - - [19/Jul/2017:10:29:52 +0200] "GET /service/plugins/secure/policies/download/clusterName_kafka?lastKnownVersion=42&pluginId=kafka@host.domain-clusterName_kafka HTTP/1.1" 304 -


192.168.0.1 - - [17/Jul/2017:14:11:42 +0000] "GET /service/assets/accessAudit?page=0&pageSize=25&total_pages=66&totalCount=1626&startIndex=0&sortBy=eventTime&startDate=07%2F17%2F2017 HTTP/1.1" 401 1113
192.168.0.1 - - [17/Jul/2017:14:11:43 +0000] "GET /service/assets/accessAudit?page=0&pageSize=25&total_pages=66&totalCount=1626&startIndex=0&sortBy=eventTime&startDate=07%2F17%2F2017 HTTP/1.1" 200 11187




192.168.0.1 - - [17/Jul/2017:14:06:03 +0000] "GET /service/plugins/policy/52/versionList HTTP/1.1" 401 1113
192.168.0.1 - - [17/Jul/2017:14:06:03 +0000] "GET /service/plugins/policy/52/versionList HTTP/1.1" 200 23


192.168.0.1 - - [17/Jul/2017:14:06:03 +0000] "GET /service/plugins/policies/eventTime?eventTime=2017-07-17T14%3A05%3A47Z&policyId=52&_=1500297123319 HTTP/1.1" 401 1113
192.168.0.1 - - [17/Jul/2017:14:06:03 +0000] "GET /service/plugins/policies/eventTime?eventTime=2017-07-17T14%3A05%3A47Z&policyId=52&_=1500297123319 HTTP/1.1" 200 708


192.168.0.1 - - [19/Jul/2017:10:20:19 +0200] "OPTIONS /kms/v1/?op=GETDELEGATIONTOKEN&renewer=rm%2Fhost.domain%40CIB.NET HTTP/1.1" 401 997
192.168.0.1 - - [19/Jul/2017:10:20:19 +0200] "OPTIONS /kms/v1/?op=GETDELEGATIONTOKEN&renewer=rm%2Fhost.domain%40CIB.NET HTTP/1.1" 200 3484
192.168.0.1 - - [19/Jul/2017:10:20:19 +0200] "GET /kms/v1/?op=GETDELEGATIONTOKEN&renewer=rm%2Fhost.domain%40CIB.NET HTTP/1.1" 200 132

Does anyone have an idea of what can be wrong? We have secured clusters and two Ranger Admin/KMS hosts on each.

Thanks

1 ACCEPTED SOLUTION

Guru

Hello @Micaël Dias,

HTTP authentication (to be specific, SPNEGO authentication) works as a two-pass handshake mechanism.

First, when a client approaches the HTTP server, the server would check the request header and respond by sending a 401 'Authentication required' message. We see this response as the first log in the access log.

192.168.0.1 - - [17/Jul/2017:14:11:42 +0000] "GET /service/assets/accessAudit?page=0&pageSize=25&total_pages=66&totalCount=1626&startIndex=0&sortBy=eventTime&startDate=07%2F17%2F2017 HTTP/1.1" 401 1113

To this, the client would again send a Negotiate header (indicating the Kerberos authentication token) to the server. If everything works out, then the server would respond with a 200 OK message.

192.168.0.1 - - [17/Jul/2017:14:11:43 +0000] "GET /service/assets/accessAudit?page=0&pageSize=25&total_pages=66&totalCount=1626&startIndex=0&sortBy=eventTime&startDate=07%2F17%2F2017 HTTP/1.1" 200 11187

This is totally normal and expected when authentication is enabled for the HTTP server.

Hope this helps !
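
A log-triage sketch for the pattern explained in the answer above, added here as an example and not part of the original thread: it pairs each 401 challenge with the authenticated retry that follows it, and reports only the 401s that were never completed. The function name, the 2-second pairing window and the last sample line are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Access-log layout of the lines quoted in this thread.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+')

def unpaired_401s(lines, window=timedelta(seconds=2)):
    """Return (time, ip, method, url) for each 401 that is not followed,
    within `window`, by a reply below 400 to the same client/method/URL."""
    pending, unpaired = {}, []   # pending: key -> time of the open 401
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        key = (m["ip"], m["method"], m["url"])
        status = int(m["status"])
        if status == 401:
            if key in pending:               # earlier challenge never answered
                unpaired.append((pending[key], *key))
            pending[key] = ts
        elif status < 400 and key in pending:
            first = pending.pop(key)
            if ts - first > window:          # too late to be the same handshake
                unpaired.append((first, *key))
    unpaired.extend((ts, *key) for key, ts in pending.items())
    return sorted(unpaired)

SAMPLE = [
    # Lines quoted in the question (challenge, then the authenticated retry).
    '192.168.0.1 - - [19/Jul/2017:10:29:52 +0200] "GET /service/plugins/secure/policies/download/clusterName_kafka?lastKnownVersion=42&pluginId=kafka@host.domain-clusterName_kafka HTTP/1.1" 401 -',
    '192.168.0.1 - - [19/Jul/2017:10:29:52 +0200] "GET /service/plugins/secure/policies/download/clusterName_kafka?lastKnownVersion=42&pluginId=kafka@host.domain-clusterName_kafka HTTP/1.1" 304 -',
    '192.168.0.1 - - [19/Jul/2017:10:20:19 +0200] "OPTIONS /kms/v1/?op=GETDELEGATIONTOKEN&renewer=rm%2Fhost.domain%40CIB.NET HTTP/1.1" 401 997',
    '192.168.0.1 - - [19/Jul/2017:10:20:19 +0200] "OPTIONS /kms/v1/?op=GETDELEGATIONTOKEN&renewer=rm%2Fhost.domain%40CIB.NET HTTP/1.1" 200 3484',
    '192.168.0.1 - - [19/Jul/2017:10:20:19 +0200] "GET /kms/v1/?op=GETDELEGATIONTOKEN&renewer=rm%2Fhost.domain%40CIB.NET HTTP/1.1" 200 132',
    # Constructed line: a challenge that is never followed by a retry.
    '192.168.0.9 - - [19/Jul/2017:10:21:00 +0200] "GET /service/plugins/policy/52/versionList HTTP/1.1" 401 1113',
]

if __name__ == "__main__":
    for ts, ip, method, url in unpaired_401s(SAMPLE):
        print(f"unanswered 401: {ts.isoformat()} {ip} {method} {url}")
```

Only the unpaired entries are worth alerting on; the 401 that opens every SPNEGO exchange is filtered out as handshake noise.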

Explorer

Hello @Vipin Rathor,

Thanks for your clear explanations.

Regards