Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Ranger errors HTTP/1.1 401 just before succes authentications

Solved Go to solution

Ranger errors HTTP/1.1 401 just before succes authentications

New Contributor

Hi,

In our clusters we have a strange behavior certainly due to a misconfiguration. In all ranger actions (like downloading policies, asking ranger KMS, get audits , etc....) we have a failed authentication before a success one.

Everything works as expected, but do not appear optimal.

Below is some examples extracted from access logs in ranger admin and kms

192.168.0.1 - - [19/Jul/2017:10:29:52 +0200] "GET /service/plugins/secure/policies/download/clusterName_kafka?lastKnownVersion=42&pluginId=kafka@host.domain-clusterName_kafka HTTP/1.1" 401 -
192.168.0.1 - - [19/Jul/2017:10:29:52 +0200] "GET /service/plugins/secure/policies/download/clusterName_kafka?lastKnownVersion=42&pluginId=kafka@host.domain-clusterName_kafka HTTP/1.1" 304 -


192.168.0.1 - - [17/Jul/2017:14:11:42 +0000] "GET /service/assets/accessAudit?page=0&pageSize=25&total_pages=66&totalCount=1626&startIndex=0&sortBy=eventTime&startDate=07%2F17%2F2017 HTTP/1.1" 401 1113
192.168.0.1 - - [17/Jul/2017:14:11:43 +0000] "GET /service/assets/accessAudit?page=0&pageSize=25&total_pages=66&totalCount=1626&startIndex=0&sortBy=eventTime&startDate=07%2F17%2F2017 HTTP/1.1" 200 11187




192.168.0.1 - - [17/Jul/2017:14:06:03 +0000] "GET /service/plugins/policy/52/versionList HTTP/1.1" 401 1113
192.168.0.1 - - [17/Jul/2017:14:06:03 +0000] "GET /service/plugins/policy/52/versionList HTTP/1.1" 200 23


192.168.0.1 - - [17/Jul/2017:14:06:03 +0000] "GET /service/plugins/policies/eventTime?eventTime=2017-07-17T14%3A05%3A47Z&policyId=52&_=1500297123319 HTTP/1.1" 401 1113
192.168.0.1 - - [17/Jul/2017:14:06:03 +0000] "GET /service/plugins/policies/eventTime?eventTime=2017-07-17T14%3A05%3A47Z&policyId=52&_=1500297123319 HTTP/1.1" 200 708


192.168.0.1 - - [19/Jul/2017:10:20:19 +0200] "OPTIONS /kms/v1/?op=GETDELEGATIONTOKEN&renewer=rm%2Fhost.domain%40CIB.NET HTTP/1.1" 401 997
192.168.0.1 - - [19/Jul/2017:10:20:19 +0200] "OPTIONS /kms/v1/?op=GETDELEGATIONTOKEN&renewer=rm%2Fhost.domain%40CIB.NET HTTP/1.1" 200 3484
192.168.0.1 - - [19/Jul/2017:10:20:19 +0200] "GET /kms/v1/?op=GETDELEGATIONTOKEN&renewer=rm%2Fhost.domain%40CIB.NET HTTP/1.1" 200 132

Is anyone get some idea of what can be wrong? We have secured clusters and two ranger admin/kms hosts on each.

Thanks

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Ranger errors HTTP/1.1 401 just before succes authentications

Guru

Hello @Micaël Dias,

HTTP authentication (to be specific SPNEGO authentication) works in two-pass handshake mechanism.

First, when client approaches HTTP server, the server would check the request header and respond by sending 401 'Authentication required' message. We see this response as first log in access log.

192.168.0.1 - - [17/Jul/2017:14:11:42 +0000] "GET /service/assets/accessAudit?page=0&pageSize=25&total_pages=66&totalCount=1626☆tIndex=0&sortBy=eventTime☆tDate=07%2F17%2F2017 HTTP/1.1" 401 1113

To this, the client would again send Negotiate header (indicating the Kerberos authentication token) to server. If everything works out, then server would respond with 200 OK message.

192.168.0.1 - - [17/Jul/2017:14:11:43 +0000] "GET /service/assets/accessAudit?page=0&pageSize=25&total_pages=66&totalCount=1626☆tIndex=0&sortBy=eventTime☆tDate=07%2F17%2F2017 HTTP/1.1" 200 11187

This is totally normal and expected when authentication is enabled for HTTP server.

Hope this helps !

2 REPLIES 2

Re: Ranger errors HTTP/1.1 401 just before succes authentications

Guru

Hello @Micaël Dias,

HTTP authentication (to be specific SPNEGO authentication) works in two-pass handshake mechanism.

First, when client approaches HTTP server, the server would check the request header and respond by sending 401 'Authentication required' message. We see this response as first log in access log.

192.168.0.1 - - [17/Jul/2017:14:11:42 +0000] "GET /service/assets/accessAudit?page=0&pageSize=25&total_pages=66&totalCount=1626☆tIndex=0&sortBy=eventTime☆tDate=07%2F17%2F2017 HTTP/1.1" 401 1113

To this, the client would again send Negotiate header (indicating the Kerberos authentication token) to server. If everything works out, then server would respond with 200 OK message.

192.168.0.1 - - [17/Jul/2017:14:11:43 +0000] "GET /service/assets/accessAudit?page=0&pageSize=25&total_pages=66&totalCount=1626☆tIndex=0&sortBy=eventTime☆tDate=07%2F17%2F2017 HTTP/1.1" 200 11187

This is totally normal and expected when authentication is enabled for HTTP server.

Hope this helps !

Re: Ranger errors HTTP/1.1 401 just before succes authentications

New Contributor

Hello @Vipin Rathor,

Thanks for your clear explanations.

Regards

Don't have an account?
Coming from Hortonworks? Activate your account here