SSL Configuration for Custom Ranger Plugin

I have a Ranger plugin (presto-ranger) which itself doesn't live on an Ambari server. Our Ranger admin is SSL enabled, and I'm unable to connect to Ranger via Presto. I keep finding myself at dead ends when trying to configure SSL because, unlike HDFS, hiveserver, etc., there are no configurations for Presto within the Ambari server, so this documentation doesn't really help me: https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.5/bk_security/content/configure_non_ambari_ra...

The Ranger REST Client, available on the ranger plugin tools within Presto, seems to want four properties:

xasecure.policymgr.clientssl.keystore=
xasecure.policymgr.clientssl.truststore=
xasecure.policymgr.clientssl.keystore.credential.file=
xasecure.policymgr.clientssl.truststore.credential.file=

each of which would normally be available in an xml file on Ambari. In this case, these properties are provided in an access-control.properties file (the only file in which I can provide properties to a Presto plugin). We aren't using the CredentialsProvider API for anything else, but it seems that it's required by the Ranger plugin REST client code. I keep getting the following errors:

2018-10-01T13:34:45.053-0700 ERROR Thread-99 org.apache.ranger.authorization.hadoop.utils.RangerCredentialProvider Unable to get the Credential Provider from the Configuration
java.lang.IllegalArgumentException: The value of property hadoop.security.credential.provider.path must not be null
at com.google.common.base.Preconditions.checkArgument(Preconditions.java:141)
at org.apache.hadoop.conf.Configuration.set(Configuration.java:1134)
at org.apache.hadoop.conf.Configuration.set(Configuration.java:1115)
at org.apache.ranger.authorization.hadoop.utils.RangerCredentialProvider.getCredentialProviders(RangerCredentialProvider.java:68)
at org.apache.ranger.authorization.hadoop.utils.RangerCredentialProvider.getCredentialString(RangerCredentialProvider.java:46)
at org.apache.ranger.plugin.util.RangerRESTClient.getCredential(RangerRESTClient.java:370)
at org.apache.ranger.plugin.util.RangerRESTClient.getTrustManagers(RangerRESTClient.java:311)
at org.apache.ranger.plugin.util.RangerRESTClient.buildClient(RangerRESTClient.java:188)
at org.apache.ranger.plugin.util.RangerRESTClient.getClient(RangerRESTClient.java:175)
at org.apache.ranger.plugin.util.RangerRESTClient.getResource(RangerRESTClient.java:155)
at org.apache.ranger.admin.client.RangerAdminRESTClient.createWebResource(RangerAdminRESTClient.java:271)
at org.apache.ranger.admin.client.RangerAdminRESTClient.getServicePoliciesIfUpdated(RangerAdminRESTClient.java:122)
at org.apache.ranger.plugin.util.PolicyRefresher.loadPolicyfromPolicyAdmin(PolicyRefresher.java:264)
at org.apache.ranger.plugin.util.PolicyRefresher.loadPolicy(PolicyRefresher.java:202)
at org.apache.ranger.plugin.util.PolicyRefresher.run(PolicyRefresher.java:171)

AND

2018-10-01T13:34:45.053-0700 ERROR Thread-99 org.apache.ranger.plugin.util.PolicyRefresher PolicyRefresher(serviceName=presto-ranger-plugin): failed to refresh policies. Will continue to use last known version of policies (-1)
java.lang.IllegalArgumentException: SSLContext must not be null
at com.sun.jersey.client.urlconnection.HTTPSProperties.<init>(HTTPSProperties.java:106)
at org.apache.ranger.plugin.util.RangerRESTClient.buildClient(RangerRESTClient.java:200)
at org.apache.ranger.plugin.util.RangerRESTClient.getClient(RangerRESTClient.java:175)
at org.apache.ranger.plugin.util.RangerRESTClient.getResource(RangerRESTClient.java:155)
at org.apache.ranger.admin.client.RangerAdminRESTClient.createWebResource(RangerAdminRESTClient.java:271)
at org.apache.ranger.admin.client.RangerAdminRESTClient.getServicePoliciesIfUpdated(RangerAdminRESTClient.java:122)
at org.apache.ranger.plugin.util.PolicyRefresher.loadPolicyfromPolicyAdmin(PolicyRefresher.java:264)
at org.apache.ranger.plugin.util.PolicyRefresher.loadPolicy(PolicyRefresher.java:202)
at org.apache.ranger.plugin.util.PolicyRefresher.run(PolicyRefresher.java:171)
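
A preflight check for the four properties listed in the question, as an added example that is not part of the original post or of Ranger's own code: it reports every empty or unusable value before the plugin starts, since the first stack trace shows the credential provider path arriving as null. The function names, the minimal parser and the expectation that the `credential.file` values are Hadoop credential provider URIs (such as `jceks://file/...`) are assumptions of this example.

```python
import os
import re

# The four client-SSL properties named in the post.
STORE_KEYS = ("xasecure.policymgr.clientssl.keystore",
              "xasecure.policymgr.clientssl.truststore")
CRED_KEYS = tuple(k + ".credential.file" for k in STORE_KEYS)
# Assumption: credential files are Hadoop provider URIs, e.g. jceks://file/path/cred.jceks
PROVIDER_URI = re.compile(r"^(?:jceks|localjceks)://([^/]+)(/.+)$")
# Constructed sample mirroring the post: all four values left empty.
SAMPLE = "\n".join(key + "=" for key in STORE_KEYS + CRED_KEYS)

def parse_properties(text):
    """Minimal .properties parser: key=value lines, '#' and '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def preflight(props):
    """Return one message per property that is empty or points nowhere."""
    problems = []
    for key in STORE_KEYS:
        path = props.get(key, "")
        if not path:
            problems.append(f"{key}: empty")
        elif not os.path.isfile(path):
            problems.append(f"{key}: no such file: {path}")
    for key in CRED_KEYS:
        uri = props.get(key, "")
        match = PROVIDER_URI.match(uri)
        if not uri:
            problems.append(f"{key}: empty")
        elif not match:
            problems.append(f"{key}: not a credential provider URI: {uri}")
        # Only local (file authority) providers can be checked on disk.
        elif match.group(1) == "file" and not os.path.isfile(match.group(2)):
            problems.append(f"{key}: no such file: {match.group(2)}")
    return problems

if __name__ == "__main__":
    print("\n".join(preflight(parse_properties(SAMPLE))))
```

Run it against the parsed contents of `access-control.properties`; an empty result means all four values are present and the local files they name exist.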