Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Ranger usersync 401 unauthorized

avatar
Explorer

having trouble with Ranger usersync from Active Directory. Just trying ldap, not ldaps at the moment. I can see in the usersync.log that it connect to my AD server & finds the users and groups I have set in my filters. When it goes to try to push these into Ranger, I'm getting

com.sun.jersey.api.client.UniformInterfaceException: GET http://fit-d-selgsv-21.sentry.com:6080/service/xusers/groups/?pageSize=1000&startIndex=0 returned a response status of 401 Unauthorized

It looks like the usersync can't push to Ranger.

1 ACCEPTED SOLUTION

avatar
Explorer

we ended up just dropping the cluster, deploying Ranger & Ranger usersync, then enabling Kerberos. works perfect if you deploy ranger first.

View solution in original post

13 REPLIES 13

avatar

Is this kerberos env? If so make sure all the necessary keytabs are there with right permissions.

avatar
Explorer

yes, kerberos is enabled. I see a rangerusersync.service.keytab, rangeradmin.service.keytab, and rangerlookup.service.keytab in /etc/security/keytabs all owned by ranger

avatar

Do you see any errors in ranger usersync log or ranger admin log?

avatar
Explorer

yes. here is the full error I'm seeing

com.sun.jersey.api.client.UniformInterfaceException: GET http://fit-d-selgsv-21.sentry.com:6080/service/xusers/groups/?pageSize=1000&startIndex=0 returned a response status of 401 Unauthorized
at com.sun.jersey.api.client.WebResource.handle(WebResource.java:686)
at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)
at com.sun.jersey.api.client.WebResource$Builder.get(WebResource.java:507)
at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.buildGroupList(PolicyMgrUserGroupBuilder.java:429)
at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.access$000(PolicyMgrUserGroupBuilder.java:72)
at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder$1.run(PolicyMgrUserGroupBuilder.java:180)
at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder$1.run(PolicyMgrUserGroupBuilder.java:176)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:360)
at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.buildUserGroupInfo(PolicyMgrUserGroupBuilder.java:176)
at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.init(PolicyMgrUserGroupBuilder.java:163)
at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:51)
at java.lang.Thread.run(Thread.java:745)

when I look in the ranger database, I see the following users: Admin, rangerusersync, keyadmin, rangertagsync. So the rangerusersync user exists.

avatar

Do you see any error on ranger admin log? Is there core-site.xml under /etc/ranger/admin/conf ?

What is the HDP version?

avatar
Explorer

yes, there is a core-site.xml under /etc/ranger/admin/conf. There are errors in my xa_portal.log. I will attach a .zip with the core-site.xml and xa_portal.log. This is HDF not HDP but the Ranger distro is the same between the builds. HDF 3.0.1 cworkhdfissue.zip

avatar

I don't see any related errors. You can enable DEBUG and kerberos debug to get more info. Also zip does not contain core-site.xml

avatar
Explorer

I see how to enable DEBUG for Ranger admin, but not certain where you're talking about enabling for Kerberos.

https://community.hortonworks.com/content/supportkb/49445/how-to-enable-debug-logging-for-ranger-adm...

cworkhdfcore-site.xml

avatar

You need to make sure rangerusersync is sending kerberos request.

To enable kerberos debug, you can add below arguments to ranger start via JAVA_OPTS in ranger-admin-services.sh

-Dsun.security.krb5.debug=true -Dsun.security.jgss.debug=true -Djava.security.debug="logincontext,policy,scl,gssloginconfig"