Support Questions

Find answers, ask questions, and share your expertise

Ranger user group sync not working in UnixUserSync method

avatar
Rising Star

I am using HDP Sandbox 2.5 vmware image and have kerberized the cluster using the web UI.
I have created a user as user1 and this user1 belongs to group1(which also created by me). But the problem is this user and group is not reflecting in Ranger because of which I am not able assign any policy to this user or group. Attaching the logs of usersync process :

Any help/clues to resolve this problem is appreciated

com.sun.jersey.api.client.UniformInterfaceException: POST http://sandbox.hortonworks.com:6080/service/xusers/users/userinfo returned a response status of 401 Unauthorized
        at com.sun.jersey.api.client.WebResource.handle(WebResource.java:686)
        at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)
        at com.sun.jersey.api.client.WebResource$Builder.post(WebResource.java:568)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.getUsergroupInfo(PolicyMgrUserGroupBuilder.java:567)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.access$500(PolicyMgrUserGroupBuilder.java:72)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder$2.run(PolicyMgrUserGroupBuilder.java:539)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder$2.run(PolicyMgrUserGroupBuilder.java:535)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:360)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.addUserGroupInfo(PolicyMgrUserGroupBuilder.java:535)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.addOrUpdateUser(PolicyMgrUserGroupBuilder.java:340)
        at org.apache.ranger.unixusersync.process.UnixUserGroupBuilder.updateSink(UnixUserGroupBuilder.java:140)
        at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
        at java.lang.Thread.run(Thread.java:745)
22 Aug 2017 16:45:55 ERROR PolicyMgrUserGroupBuilder [UnixUserSyncThread] - Failed to add User :
com.sun.jersey.api.client.UniformInterfaceException: POST http://sandbox.hortonworks.com:6080/service/users/default returned a response status of 401 Unauthorized
        at com.sun.jersey.api.client.WebResource.handle(WebResource.java:686)
        at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)
        at com.sun.jersey.api.client.WebResource$Builder.post(WebResource.java:568)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.getMUser(PolicyMgrUserGroupBuilder.java:838)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.access$800(PolicyMgrUserGroupBuilder.java:72)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder$5.run(PolicyMgrUserGroupBuilder.java:811)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder$5.run(PolicyMgrUserGroupBuilder.java:807)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:360)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.addMUser(PolicyMgrUserGroupBuilder.java:807)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.addOrUpdateUser(PolicyMgrUserGroupBuilder.java:335)
        at org.apache.ranger.unixusersync.process.UnixUserGroupBuilder.updateSink(UnixUserGroupBuilder.java:140)
        at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
        at java.lang.Thread.run(Thread.java:745)
22 Aug 2017 16:45:55 ERROR PolicyMgrUserGroupBuilder [UnixUserSyncThread] - Failed to add User Group Info :
com.sun.jersey.api.client.UniformInterfaceException: POST http://sandbox.hortonworks.com:6080/service/xusers/users/userinfo returned a response status of 401 Unauthorized
        at com.sun.jersey.api.client.WebResource.handle(WebResource.java:686)
        at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)
        at com.sun.jersey.api.client.WebResource$Builder.post(WebResource.java:568)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.getUsergroupInfo(PolicyMgrUserGroupBuilder.java:567)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.access$500(PolicyMgrUserGroupBuilder.java:72)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder$2.run(PolicyMgrUserGroupBuilder.java:539)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder$2.run(PolicyMgrUserGroupBuilder.java:535)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:360)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.addUserGroupInfo(PolicyMgrUserGroupBuilder.java:535)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.addOrUpdateUser(PolicyMgrUserGroupBuilder.java:340)
        at org.apache.ranger.unixusersync.process.UnixUserGroupBuilder.updateSink(UnixUserGroupBuilder.java:140)
        at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
        at java.lang.Thread.run(Thread.java:745)
22 Aug 2017 16:45:55  INFO UserGroupSync [UnixUserSyncThread] - End: initial load of user/group from source==>sink
22 Aug 2017 16:45:55  INFO UserGroupSync [UnixUserSyncThread] - Done initializing user/group source and sink

6 REPLIES 6

avatar
Master Mentor

@sachin gupta

For users and groups to appear in Ranger you need to Synchronize LDAP Users and Groups did you do that if so can you upload the logs?

avatar
Rising Star

I am not using LDAP as of now and want only os level users and groups to be synced in Ranger. Do I have to use LDAP ?

avatar
Explorer

Have you check your properties in Ambari -> ranger -> Advanced ranger-ugsync-site

If not please refer to this page

avatar
Rising Star

yes the keytabs are there and working, I have already gone through all these pages.

avatar
Master Mentor

@sachin gupta

I have just span a HDP 2.6 single node cluster with Ranger 0.70 and KMS 0.70. I will proceed to create user1 and group_1. Can you tell me the unix ID's if you

# cat /etc/passwd
# cat /etc/group

Revert

avatar
Rising Star

group1:x:1026:user1

user1:x:1026:1026::/home/user1:/bin/bash