Ranger usersync 401 unauthorized

avatar
Explorer

Having trouble with Ranger usersync from Active Directory. Just trying LDAP, not LDAPS, at the moment. I can see in the usersync.log that it connects to my AD server & finds the users and groups I have set in my filters. When it goes to try to push these into Ranger, I'm getting:

com.sun.jersey.api.client.UniformInterfaceException: GET http://fit-d-selgsv-21.sentry.com:6080/service/xusers/groups/?pageSize=1000&startIndex=0 returned a response status of 401 Unauthorized

It looks like the usersync can't push to Ranger.

1 ACCEPTED SOLUTION

avatar
Explorer

We ended up just dropping the cluster, deploying Ranger & Ranger usersync, then enabling Kerberos. Works perfectly if you deploy Ranger first.

13 REPLIES

avatar

Is this a Kerberos env? If so, make sure all the necessary keytabs are there with the right permissions.

avatar
Explorer

Yes, Kerberos is enabled. I see a rangerusersync.service.keytab, rangeradmin.service.keytab, and rangerlookup.service.keytab in /etc/security/keytabs, all owned by ranger.
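
The keytab check suggested above, as an added example that is not part of the original thread: it verifies that the three keytabs named in the reply exist in a directory, are owned by the expected account, and carry no group or other permission bits. The owner-only permission rule and the use of GNU `stat` are assumptions, not something the posters stated.

```shell
#!/usr/bin/env bash
# Added example: audit the Ranger keytabs named in the thread.
# Assumptions (not from the thread): each keytab must be a non-empty regular
# file, owned by the service account, with no group/other permission bits.

check_keytabs() {
    # usage: check_keytabs <keytab_dir> <expected_owner>
    local dir=$1 owner=$2 rc=0 kt path actual_owner mode bad
    for kt in rangerusersync.service.keytab \
              rangeradmin.service.keytab \
              rangerlookup.service.keytab; do
        path="$dir/$kt"
        bad=0
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        if [ ! -s "$path" ]; then
            echo "EMPTY    $path"; rc=1; continue
        fi
        actual_owner=$(stat -c '%U' "$path")   # GNU stat: owner name
        mode=$(stat -c '%a' "$path")           # GNU stat: octal mode, e.g. 600
        if [ "$actual_owner" != "$owner" ]; then
            echo "OWNER    $path owned by $actual_owner, expected $owner"
            bad=1
        fi
        # Mask the group and other bits (octal 077); any set bit is a finding.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "MODE     $path is $mode, readable beyond its owner"
            bad=1
        fi
        if [ "$bad" -eq 0 ]; then
            echo "OK       $path ($actual_owner, $mode)"
        else
            rc=1
        fi
    done
    return "$rc"
}

# Run only when called with arguments, for example:
#   ./check_keytabs.sh /etc/security/keytabs ranger
if [ "$#" -eq 2 ]; then
    check_keytabs "$1" "$2"
fi
```

Once the files pass, `klist -kt <keytab>` lists the principals each one holds, which can be compared with the principals configured for Ranger admin and usersync.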

avatar

Do you see any errors in the Ranger usersync log or Ranger admin log?

avatar
Explorer

Yes. Here is the full error I'm seeing:

com.sun.jersey.api.client.UniformInterfaceException: GET http://fit-d-selgsv-21.sentry.com:6080/service/xusers/groups/?pageSize=1000&startIndex=0 returned a response status of 401 Unauthorized
at com.sun.jersey.api.client.WebResource.handle(WebResource.java:686)
at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)
at com.sun.jersey.api.client.WebResource$Builder.get(WebResource.java:507)
at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.buildGroupList(PolicyMgrUserGroupBuilder.java:429)
at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.access$000(PolicyMgrUserGroupBuilder.java:72)
at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder$1.run(PolicyMgrUserGroupBuilder.java:180)
at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder$1.run(PolicyMgrUserGroupBuilder.java:176)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:360)
at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.buildUserGroupInfo(PolicyMgrUserGroupBuilder.java:176)
at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.init(PolicyMgrUserGroupBuilder.java:163)
at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:51)
at java.lang.Thread.run(Thread.java:745)

When I look in the Ranger database, I see the following users: Admin, rangerusersync, keyadmin, rangertagsync. So the rangerusersync user exists.

avatar

Do you see any error in the Ranger admin log? Is there a core-site.xml under /etc/ranger/admin/conf?

What is the HDP version?

avatar
Explorer

Yes, there is a core-site.xml under /etc/ranger/admin/conf. There are errors in my xa_portal.log. I will attach a .zip with the core-site.xml and xa_portal.log. This is HDF, not HDP, but the Ranger distro is the same between the builds. HDF 3.0.1

cworkhdfissue.zip

avatar

I don't see any related errors. You can enable DEBUG and Kerberos debug to get more info. Also, the zip does not contain core-site.xml.

avatar
Explorer

I see how to enable DEBUG for Ranger admin, but not certain where you're talking about enabling for Kerberos.

https://community.hortonworks.com/content/supportkb/49445/how-to-enable-debug-logging-for-ranger-adm...

cworkhdfcore-site.xml

avatar

You need to make sure rangerusersync is sending a Kerberos request.

To enable Kerberos debug, you can add the below arguments to the Ranger start via JAVA_OPTS in ranger-admin-services.sh:

-Dsun.security.krb5.debug=true -Dsun.security.jgss.debug=true -Djava.security.debug="logincontext,policy,scl,gssloginconfig"