Support Questions
Find answers, ask questions, and share your expertise

Ranger user group sync not working in UnixUserSync method

I am using HDP Sandbox 2.5 vmware image and have kerberized the cluster using the web UI.
I have created a user as user1 and this user1 belongs to group1(which also created by me). But the problem is this user and group is not reflecting in Ranger because of which I am not able assign any policy to this user or group. Attaching the logs of usersync process :

Any help/clues to resolve this problem is appreciated

com.sun.jersey.api.client.UniformInterfaceException: POST http://sandbox.hortonworks.com:6080/service/xusers/users/userinfo returned a response status of 401 Unauthorized
        at com.sun.jersey.api.client.WebResource.handle(WebResource.java:686)
        at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)
        at com.sun.jersey.api.client.WebResource$Builder.post(WebResource.java:568)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.getUsergroupInfo(PolicyMgrUserGroupBuilder.java:567)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.access$500(PolicyMgrUserGroupBuilder.java:72)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder$2.run(PolicyMgrUserGroupBuilder.java:539)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder$2.run(PolicyMgrUserGroupBuilder.java:535)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:360)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.addUserGroupInfo(PolicyMgrUserGroupBuilder.java:535)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.addOrUpdateUser(PolicyMgrUserGroupBuilder.java:340)
        at org.apache.ranger.unixusersync.process.UnixUserGroupBuilder.updateSink(UnixUserGroupBuilder.java:140)
        at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
        at java.lang.Thread.run(Thread.java:745)
22 Aug 2017 16:45:55 ERROR PolicyMgrUserGroupBuilder [UnixUserSyncThread] - Failed to add User :
com.sun.jersey.api.client.UniformInterfaceException: POST http://sandbox.hortonworks.com:6080/service/users/default returned a response status of 401 Unauthorized
        at com.sun.jersey.api.client.WebResource.handle(WebResource.java:686)
        at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)
        at com.sun.jersey.api.client.WebResource$Builder.post(WebResource.java:568)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.getMUser(PolicyMgrUserGroupBuilder.java:838)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.access$800(PolicyMgrUserGroupBuilder.java:72)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder$5.run(PolicyMgrUserGroupBuilder.java:811)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder$5.run(PolicyMgrUserGroupBuilder.java:807)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:360)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.addMUser(PolicyMgrUserGroupBuilder.java:807)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.addOrUpdateUser(PolicyMgrUserGroupBuilder.java:335)
        at org.apache.ranger.unixusersync.process.UnixUserGroupBuilder.updateSink(UnixUserGroupBuilder.java:140)
        at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
        at java.lang.Thread.run(Thread.java:745)
22 Aug 2017 16:45:55 ERROR PolicyMgrUserGroupBuilder [UnixUserSyncThread] - Failed to add User Group Info :
com.sun.jersey.api.client.UniformInterfaceException: POST http://sandbox.hortonworks.com:6080/service/xusers/users/userinfo returned a response status of 401 Unauthorized
        at com.sun.jersey.api.client.WebResource.handle(WebResource.java:686)
        at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)
        at com.sun.jersey.api.client.WebResource$Builder.post(WebResource.java:568)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.getUsergroupInfo(PolicyMgrUserGroupBuilder.java:567)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.access$500(PolicyMgrUserGroupBuilder.java:72)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder$2.run(PolicyMgrUserGroupBuilder.java:539)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder$2.run(PolicyMgrUserGroupBuilder.java:535)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:360)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.addUserGroupInfo(PolicyMgrUserGroupBuilder.java:535)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.addOrUpdateUser(PolicyMgrUserGroupBuilder.java:340)
        at org.apache.ranger.unixusersync.process.UnixUserGroupBuilder.updateSink(UnixUserGroupBuilder.java:140)
        at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
        at java.lang.Thread.run(Thread.java:745)
22 Aug 2017 16:45:55  INFO UserGroupSync [UnixUserSyncThread] - End: initial load of user/group from source==>sink
22 Aug 2017 16:45:55  INFO UserGroupSync [UnixUserSyncThread] - Done initializing user/group source and sink

6 REPLIES 6

Mentor

@sachin gupta

For users and groups to appear in Ranger you need to Synchronize LDAP Users and Groups did you do that if so can you upload the logs?

I am not using LDAP as of now and want only os level users and groups to be synced in Ranger. Do I have to use LDAP ?

Explorer

Have you check your properties in Ambari -> ranger -> Advanced ranger-ugsync-site

If not please refer to this page

yes the keytabs are there and working, I have already gone through all these pages.

Mentor

@sachin gupta

I have just span a HDP 2.6 single node cluster with Ranger 0.70 and KMS 0.70. I will proceed to create user1 and group_1. Can you tell me the unix ID's if you

# cat /etc/passwd
# cat /etc/group

Revert

group1:x:1026:user1

user1:x:1026:1026::/home/user1:/bin/bash