
When I enable Ranger (KnoxSSO) Show me: The username or password you entered is incorrect.


GATEWAY.LOG

2017-10-01 23:30:51,945 INFO hadoop.gateway (GatewayServer.java:start(582)) - Topology port mapping feature enabled: true
2017-10-01 23:30:54,669 INFO hadoop.gateway (GatewayServer.java:start(607)) - Monitoring topologies in directory: /usr/hdp/2.6.2.0-205/knox/bin/../conf/topologies
2017-10-01 23:30:54,688 INFO hadoop.gateway (GatewayServer.java:startGateway(321)) - Started gateway on port 8,443.
2017-10-01 23:44:22,589 INFO hadoop.gateway (KnoxLdapRealm.java:getUserDn(691)) - Computed userDn: cn=hdpadmin,ou=hadoop,dc=prosqladmin,dc=local using dnTemplate for principal: hdpadmin
2017-10-01 23:44:22,846 INFO hadoop.gateway (KnoxLdapRealm.java:doGetAuthenticationInfo(203)) - Could not login: org.apache.shiro.authc.UsernamePasswordToken - hdpadmin, rememberMe=false (192.168.0.254)
2017-10-01 23:44:22,847 ERROR hadoop.gateway (KnoxLdapRealm.java:doGetAuthenticationInfo(205)) - Shiro unable to login: javax.naming.CommunicationException: simple bind failed: svr-ad.prosqladmin.local:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

GATEWAY-AUDIT.LOG

17/10/01 23:44:22 ||db72b38f-49a9-41f7-b3e6-c298919a7e9e|audit|192.168.0.254|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?originalUrl=http://server2.tele.local:6080/|unavailable|Request method: POST
17/10/01 23:44:22 ||db72b38f-49a9-41f7-b3e6-c298919a7e9e|audit|192.168.0.254|KNOXSSO||||authentication|principal|hdpadmin|failure|LDAP naming error while attempting to authenticate user.
17/10/01 23:44:22 ||db72b38f-49a9-41f7-b3e6-c298919a7e9e|audit|192.168.0.254|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?originalUrl=http://server2.tele.local:6080/|success|Response status: 401
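The logs above record a failed TLS handshake on the LDAPS bind (PKIX path building failed), which the login page reports as a wrong username or password. The script below is an added example, not part of the original post and not Knox code: it pairs each failed authentication in gateway-audit.log with the nearest gateway.log ERROR line and names the underlying cause. The audit field positions are inferred from the lines in this post, the cause labels are this example's own, and the second entry in each sample log is constructed.

```python
import re
from datetime import datetime, timedelta

# Exception text -> cause label (labels are this example's own); most specific first.
CAUSES = [
    ("PKIX path building failed", "ldaps-cert-untrusted"),
    ("SSLHandshakeException", "ldaps-tls-handshake"),
    ("error code 49", "bad-credentials"),  # LDAP result code 49 = invalid credentials
    ("Connection refused", "ldap-unreachable"),
]
GW_LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (\w+) ")

# Sample input: the first line of each log is from the post, the second is constructed.
GATEWAY_LOG = """\
2017-10-01 23:44:22,847 ERROR hadoop.gateway (KnoxLdapRealm.java:doGetAuthenticationInfo(205)) - Shiro unable to login: javax.naming.CommunicationException: simple bind failed: svr-ad.prosqladmin.local:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
2017-10-01 23:50:10,120 ERROR hadoop.gateway (KnoxLdapRealm.java:doGetAuthenticationInfo(205)) - Shiro unable to login: javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
"""
AUDIT_LOG = """\
17/10/01 23:44:22 ||db72b38f-49a9-41f7-b3e6-c298919a7e9e|audit|192.168.0.254|KNOXSSO||||authentication|principal|hdpadmin|failure|LDAP naming error while attempting to authenticate user.
17/10/01 23:50:10 ||00000000-0000-0000-0000-000000000000|audit|192.168.0.254|KNOXSSO||||authentication|principal|testuser|failure|LDAP authentication failed.
"""

def gateway_errors(text):
    """Yield (timestamp, cause) for every ERROR line of gateway.log."""
    for line in text.splitlines():
        m = GW_LINE.match(line)
        if m and m.group(2) == "ERROR":
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
            yield ts, next((c for marker, c in CAUSES if marker in line), "unclassified")

def auth_failures(text):
    """Yield (timestamp, principal) for failed authentication events in the audit log."""
    for line in text.splitlines():
        f = line.split("|", 13)  # 14 fields; the free-text message is the last one
        if len(f) == 14 and f[9] == "authentication" and f[12] == "failure":
            yield datetime.strptime(f[0].strip(), "%y/%m/%d %H:%M:%S"), f[11]

def triage(audit_text, gateway_text, window=timedelta(seconds=2)):
    """Pair each audit failure with the closest gateway.log ERROR inside the window."""
    errors = list(gateway_errors(gateway_text))
    report = []
    for ts, principal in auth_failures(audit_text):
        near = [(abs(e - ts), cause) for e, cause in errors if abs(e - ts) <= window]
        report.append((principal, min(near)[1] if near else "no-gateway-error"))
    return report

if __name__ == "__main__":
    for principal, cause in triage(AUDIT_LOG, GATEWAY_LOG):
        print(f"{principal}: {cause}")
```
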


Re: When I enable Ranger (KnoxSSO) Show me: The username or password you entered is incorrect.


@Vicente Ciampa

For a CA-signed certificate, follow the steps in Section 10 "Gateway Security" of the HDP doc Knox Gateway Admin Guide.

Additional details are available in the Keystores section of the Apache Knox User Guide.

Make the following changes: go to Knox -> Configs -> Advanced Config -> Advanced topology and add
<service>
    <role>WEBHDFS</role>
    <url>http://<namenode-host>:<namenode-port>/webhdfs</url>
</service>
Hope that helps

Re: When I enable Ranger (KnoxSSO) Show me: The username or password you entered is incorrect.

Hi @Vicente Ciampa,

Did you export Knox's gateway.jks file and put it in Ranger's SSO config? If not, then follow the steps below.

1) Export the cert. Run the following command on the Knox host:

$JAVA_HOME/bin/keytool -export -alias gateway-identity -rfc -file cert.pem -keystore /usr/hdp/current/knox-server/data/security/keystores/gateway.jks

Enter the Knox master password when it prompts for a password. Copy the contents of cert.pem.

2) Go to Ranger -> Configs -> Advanced -> Knox SSO Settings.

Under SSO public key, paste the contents of cert.pem. Save the config and restart Ranger.

Thanks,

Aditya