Created 01-31-2018 01:59 PM
Having trouble with Ranger usersync from Active Directory. Just trying LDAP, not LDAPS, at the moment. I can see in the usersync.log that it connects to my AD server and finds the users and groups I have set in my filters. When it goes to try to push these into Ranger, I'm getting:
com.sun.jersey.api.client.UniformInterfaceException: GET http://fit-d-selgsv-21.sentry.com:6080/service/xusers/groups/?pageSize=1000&startIndex=0 returned a response status of 401 Unauthorized
It looks like the usersync can't push to Ranger.
Created 02-08-2018 06:17 PM
We ended up just dropping the cluster, deploying Ranger & Ranger usersync, then enabling Kerberos. Works perfectly if you deploy Ranger first.
Created 01-31-2018 02:47 PM
Is this a Kerberos env? If so, make sure all the necessary keytabs are there with the right permissions.
Created 01-31-2018 03:09 PM
Yes, Kerberos is enabled. I see a rangerusersync.service.keytab, rangeradmin.service.keytab, and rangerlookup.service.keytab in /etc/security/keytabs, all owned by ranger.
Created 01-31-2018 03:47 PM
Do you see any errors in the Ranger usersync log or the Ranger admin log?
Created 01-31-2018 05:08 PM
Yes. Here is the full error I'm seeing:
com.sun.jersey.api.client.UniformInterfaceException: GET http://fit-d-selgsv-21.sentry.com:6080/service/xusers/groups/?pageSize=1000&startIndex=0 returned a response status of 401 Unauthorized
at com.sun.jersey.api.client.WebResource.handle(WebResource.java:686)
at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)
at com.sun.jersey.api.client.WebResource$Builder.get(WebResource.java:507)
at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.buildGroupList(PolicyMgrUserGroupBuilder.java:429)
at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.access$000(PolicyMgrUserGroupBuilder.java:72)
at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder$1.run(PolicyMgrUserGroupBuilder.java:180)
at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder$1.run(PolicyMgrUserGroupBuilder.java:176)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:360)
at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.buildUserGroupInfo(PolicyMgrUserGroupBuilder.java:176)
at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.init(PolicyMgrUserGroupBuilder.java:163)
at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:51)
at java.lang.Thread.run(Thread.java:745)
When I look in the Ranger database, I see the following users: Admin, rangerusersync, keyadmin, rangertagsync. So the rangerusersync user exists.
Created 01-31-2018 05:13 PM
Do you see any error in the Ranger admin log? Is there a core-site.xml under /etc/ranger/admin/conf?
What is the HDP version?
Created 01-31-2018 05:39 PM
Yes, there is a core-site.xml under /etc/ranger/admin/conf. There are errors in my xa_portal.log. I will attach a .zip with the core-site.xml and xa_portal.log. This is HDF, not HDP, but the Ranger distro is the same between the builds. HDF 3.0.1
cworkhdfissue.zip
Created 01-31-2018 05:56 PM
I don't see any related errors. You can enable DEBUG and Kerberos debug to get more info. Also, the zip does not contain core-site.xml.
Created 01-31-2018 06:09 PM
I see how to enable DEBUG for Ranger admin, but not certain where you're talking about enabling for Kerberos.
cworkhdfcore-site.xml
Created 01-31-2018 06:17 PM
You need to make sure rangerusersync is sending a Kerberos request.
To enable Kerberos debug, you can add the arguments below to the Ranger start via JAVA_OPTS in ranger-admin-services.sh:
-Dsun.security.krb5.debug=true -Dsun.security.jgss.debug=true -Djava.security.debug="logincontext,policy,scl,gssloginconfig"
Created 01-31-2018 07:04 PM
cworkhdfnew-folderusersync-issue2.zip
I believe I enabled it correctly and restarted. When I check the log files I don't see any extra Kerberos information.
Created 01-31-2018 07:09 PM
Kerberos debug messages will be in catalina.out.
Not sure if Ranger admin is properly SPNEGO enabled. Please enable DEBUG for Ranger admin logs.
One thing you can try is to manually kinit using the rangerusersync keytab and perform the same request via curl: http://fit-d-selgsv-21.sentry.com:6080/service/xusers/groups/?pageSize=1000&startIndex=0
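Added example, not part of the reply above: the suggested manual check (kinit with the usersync keytab, then the same GET over SPNEGO) as a script. It assumes MIT Kerberos `klist`/`kinit`/`kdestroy` and a curl built with SPNEGO support; the sample `klist` output, including its hostname and realm, is constructed.

```shell
#!/bin/sh
# Added example. Keytab path and URL are the ones quoted in the thread; the
# principal is read from the keytab because the thread never states it.
KEYTAB=/etc/security/keytabs/rangerusersync.service.keytab
URL='http://fit-d-selgsv-21.sentry.com:6080/service/xusers/groups/?pageSize=1000&startIndex=0'

# Constructed sample of MIT `klist -kt` output (hostname and realm are made up).
sample_klist() {
    cat <<'EOF'
Keytab name: FILE:/etc/security/keytabs/rangerusersync.service.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------
   1 01/31/2018 13:10:02 rangerusersync/node1.example.com@EXAMPLE.COM
EOF
}

# First principal in `klist -kt` output: skip the 3 header lines, take last field.
first_principal() {
    awk 'NR > 3 && NF { print $NF; exit }'
}

# Map the HTTP status of the probe to what it says about the setup.
explain_status() {
    case "$1" in
        200) echo "authenticated: keytab and SPNEGO on Ranger admin both work" ;;
        401) echo "not authenticated: SPNEGO not enabled on Ranger admin, or ticket not accepted" ;;
        000) echo "no HTTP response: check host, port and firewall" ;;
        *)   echo "unexpected status $1: check xa_portal.log" ;;
    esac
}

probe() {
    princ=$(klist -kt "$KEYTAB" | first_principal)
    [ -n "$princ" ] || { echo "no principal found in $KEYTAB" >&2; return 2; }
    # Private credential cache so the caller's own tickets are left untouched.
    KRB5CCNAME="FILE:$(mktemp)"; export KRB5CCNAME
    kinit -kt "$KEYTAB" "$princ" || { echo "kinit failed for $princ" >&2; return 3; }
    # --negotiate -u : makes curl authenticate via SPNEGO with the new ticket.
    code=$(curl --negotiate -u : -s -o /dev/null -w '%{http_code}' "$URL")
    kdestroy -q
    echo "$princ -> HTTP $code: $(explain_status "$code")"
    [ "$code" = 200 ]
}

# Live probe only on request (sh probe.sh run, as the ranger user); else parse the sample.
if [ "${1:-}" = run ]; then probe; else sample_klist | first_principal; fi
```

If `kinit` fails, the problem is the keytab or KDC rather than Ranger; if `kinit` succeeds and the request still returns 401, the Kerberos debug output in catalina.out is the next place to look.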
Created 01-31-2018 07:41 PM
Is there a way to change the usersync account so that it uses just username/password instead of Kerberos?