
hiveserver2 ranger-plugin ssl communication

Explorer

Friends, I need your advice/help on the following issue:

We have successfully configured Hiveserver2 / SSL Ranger Plugin / Kerberos, but I never tested it earlier. Recently I found a Hive / Ranger plugin issue: when I tried to connect to hiveserver2 through beeline, I was able to connect, but when I typed 'show databases' I was not getting any result, and in the hiveserver2 logs I found the following errors:

Here is the hiveserver2 log:

2017-03-11 22:46:56,026 ERROR [Thread-9]: util.RangerRESTClient (RangerRESTClient.java:getTrustManagers(342)) - Unable to read the necessary SSL Keystore and TrustStore Files
java.io.IOException: Keystore was tampered with, or password was incorrect
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780)
    at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
    at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:225)
    at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
    at java.security.KeyStore.load(KeyStore.java:1445)
    at org.apache.ranger.plugin.util.RangerRESTClient.getTrustManagers(RangerRESTClient.java:323)
    at org.apache.ranger.plugin.util.RangerRESTClient.buildClient(RangerRESTClient.java:190)
    at org.apache.ranger.plugin.util.RangerRESTClient.getClient(RangerRESTClient.java:177)
    at org.apache.ranger.plugin.util.RangerRESTClient.getResource(RangerRESTClient.java:157)
    at org.apache.ranger.admin.client.RangerAdminRESTClient.createWebResource(RangerAdminRESTClient.java:162)
    at org.apache.ranger.admin.client.RangerAdminRESTClient.getServicePoliciesIfUpdated(RangerAdminRESTClient.java:70)
    at org.apache.ranger.plugin.util.PolicyRefresher.loadPolicyfromPolicyAdmin(PolicyRefresher.java:215)
    at org.apache.ranger.plugin.util.PolicyRefresher.loadPolicy(PolicyRefresher.java:183)
    at org.apache.ranger.plugin.util.PolicyRefresher.run(PolicyRefresher.java:156)
Caused by: java.security.UnrecoverableKeyException: Password verification failed
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:778)
    ... 13 more
2017-03-11 22:46:56,027 ERROR [Thread-9]: util.PolicyRefresher (PolicyRefresher.java:loadPolicyfromPolicyAdmin(238)) - PolicyRefresher(serviceName=TEST_hive): failed to refresh policies. Will continue to use last known version of policies (-1)
java.lang.IllegalArgumentException: SSLContext must not be null

I have verified the "java keystore & trust store password" as I was able to list those two stores (keytool command) with the passwords.

Can anyone please help me resolve this issue?

Thank you,

Subrah

2 REPLIES

Super Mentor

@hdpadmin overlandpark

Have you created a principal as

kadmin.local: addprinc -randkey HTTPS/<host>@EXAMPLE.COM

And added it to the keytab?

kadmin.local: ktadd -norandkey -kt /etc/security/keytabs/spnego.service.keytab HTTPS/<host>@EXAMPLE.COM


After that please try verifying the same using klist command, that you are able to do kinit and get the ticket.

Can you please check your ranger truststore/keystore configs.

<property>
    <name>ranger.truststore.file</name>
    <value>/PATH/TO/yourtruststore.jks</value>
</property>
<property>
    <name>ranger.service.https.attrib.keystore.file</name>
    <value>/PATH/TO/yourKeyStore.jks</value>
</property> 

Also please check if you have imported the hiveserver2 certificate to the truststore?


Explorer

Hi Jay,

Thank you for the response. Actually we got all these things in place, but I realized that our trust store password was incorrect and I was able to fix that issue. Later it complained about a self-signed cert on the ranger admin server, so I imported the hive cert into the ranger trust store and set the common name correctly in the hive/ranger configuration, and finally my issue was resolved. Thanks again for the reply.

Subrah.
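
The `Keystore was tampered with, or password was incorrect` / `Password verification failed` pair in the log above is raised by the integrity check the JDK runs when a JKS file is loaded with a password. As an added example (not part of the thread and not Ranger's code), the Python below reproduces that check so the password value the plugin is configured with can be tested against the store file itself; the function names and the empty sample store are constructed for illustration.

```python
import hashlib
import hmac
import struct

JKS_MAGIC = 0xFEEDFEED
SALT = b"Mighty Aphrodite"  # fixed string the JDK mixes into the JKS digest
DIGEST_LEN = 20             # SHA-1 trailer at the end of every JKS file


def _keyed_sha1(password: str, body: bytes) -> bytes:
    # JKS integrity digest: SHA-1(password as UTF-16BE || salt || store bytes)
    return hashlib.sha1(password.encode("utf-16-be") + SALT + body).digest()


def check_jks_password(store: bytes, password: str) -> str:
    """Return 'ok', 'wrong-password-or-tampered', or 'not-jks'."""
    header_len = 12  # magic, version, entry count
    if len(store) < header_len + DIGEST_LEN:
        return "not-jks"
    if struct.unpack(">I", store[:4])[0] != JKS_MAGIC:
        return "not-jks"  # e.g. a PKCS12 file referenced where a JKS is expected
    body, trailer = store[:-DIGEST_LEN], store[-DIGEST_LEN:]
    if hmac.compare_digest(_keyed_sha1(password, body), trailer):
        return "ok"
    # Like the JDK message, this cannot tell a wrong password from a
    # modified file: both only show up as a digest mismatch.
    return "wrong-password-or-tampered"


def make_empty_jks(password: str) -> bytes:
    # Constructed sample store: magic, version 2, zero entries, then the digest.
    body = struct.pack(">III", JKS_MAGIC, 2, 0)
    return body + _keyed_sha1(password, body)


if __name__ == "__main__":
    import getpass
    import sys
    # Usage (hypothetical script name): python check_jks.py /PATH/TO/yourtruststore.jks
    # The password is prompted for so it does not land in shell history.
    with open(sys.argv[1], "rb") as fh:
        data = fh.read()
    print(check_jks_password(data, getpass.getpass("store password: ")))
```

The digest covers only the store-level password, so a result of `ok` says nothing about whether the Ranger Admin certificate is trusted or whether its common name matches, which were the two follow-on problems in this thread.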
