Support Questions
Find answers, ask questions, and share your expertise

"Test Connection" for ranger kms repository fails

I followed the document for setting ranger kms on kerberized cluster.

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.2/bk_Ranger_KMS_Admin_Guide/content/ch03s02.h...

While doing test connection to default repository of Ranger KMS it gives error as shown below -

Can you please help how to resolve this ?

2016-03-31 20:02:05,403 [timed-executor-pool-0] INFO  apache.ranger.services.kms.client.KMSClient (KMSClient.java:214) - getKeyList():response.getStatus()= 401 for URL http://node1.example.com:9292/kms/v1/keys/names?user.name=keyadmin, so returning null list
2016-03-31 20:02:05,408 [timed-executor-pool-0] ERROR apache.ranger.services.kms.client.KMSResourceMgr (KMSResourceMgr.java:43) - <== KMSResourceMgr.validateConfig Error: org.apache.ranger.plugin.client.HadoopException: <html><head><title>Apache Tomcat/7.0.55 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 401 - Authentication required</h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>Authentication required</u></p><p><b>description</b> <u>This request requires HTTP authentication.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.55</h3></body></html>
1 ACCEPTED SOLUTION

In Kerberized environments, repository config user should be a valid kerberos principal. Please create a valid principal like keyadmin@DOMAIN.COM with password and configure this in KMS repo - this needs to be done in ranger UI. Steps are listed here. Although this is from latest documentation, these steps should work.

After repository is updated, Ranger and KMS needs to be restarted.

Also make sure you have a link to core-site.xml under /etc/ranger/kms/conf as described here

View solution in original post

9 REPLIES 9

In Kerberized environments, repository config user should be a valid kerberos principal. Please create a valid principal like keyadmin@DOMAIN.COM with password and configure this in KMS repo - this needs to be done in ranger UI. Steps are listed here. Although this is from latest documentation, these steps should work.

After repository is updated, Ranger and KMS needs to be restarted.

Also make sure you have a link to core-site.xml under /etc/ranger/kms/conf as described here

New Contributor

This links are not working now.

Community Manager

I found the Ranger KMS Admin Guide for HDP 2.4.0, hopefully this is what you are looking for.


Cy Jervis, Manager, Community Program
Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.

Guru

From the log, looks like you are still using the username as 'keyadmin' which won't work if you have setup Kerberos. The KMSClient code looks for keyadmin@REALM if kerberos is enabled. Please set that restart the Ranger and KMS services after the change.

Guru

Uhh just saw that @vperiasamy had already replied. And that is pretty much correct. Cheers Vel !

Contributor

Hi Vipin,

In my case also, user name coming as only 'keyadmin" instead of keyadmin@realm but I am giving username as

keyadmin@realm in UI:-

UNAUTHENTICATED RemoteHost:127.0.0.1 Method:GET URL:http://hostname:9292/kms/v1/keys/names?doAs=keyadmin ErrorMsg:'Authentication required'.

which property should I change for this?

please help.

Thanks in advance

Expert Contributor

@Vipin Rathor

Hi Vipin,

I am having the same issue, the ranger logs show "returning null list"

I am able to login into Ranger as keyadmin / password (as created in AD), I can kinit as keyadmin

I am not seeing the user in Ranger user tab, however can see the user in usersync log

2016-08-19 03:38:10,633 [timed-executor-pool-0] DEBUG apache.ranger.services.kms.client.KMSClient (KMSClient.java:312) - Getting KmsClient for datasource: hubhdpdevcluster01_kms 2016-08-19 03:38:10,633 [timed-executor-pool-0] DEBUG apache.ranger.services.kms.client.KMSClient (KMSClient.java:313) - configMap: {password=*****, provider=kms://http@hadooplinux.xxx.com:9292/kms, username=keyadmin@HADOOPDOM.COM} 2016-08-19 03:38:10,633 [timed-executor-pool-0] DEBUG apache.ranger.services.kms.client.KMSClient (KMSClient.java:73) - Kms Client is build with url [kms://http@hadooplinux.xxx.com:9292/kms] user: [keyadmin@HADOOPDOM.COM] 2016-08-19 03:38:10,633 [timed-executor-pool-0] DEBUG apache.ranger.services.kms.client.KMSClient (KMSClient.java:144) - Getting Kms Key list for keyNameMatching : 2016-08-19 03:38:10,994 [timed-executor-pool-0] DEBUG apache.ranger.services.kms.client.KMSClient (KMSClient.java:181) - getKeyList():calling http://hadooplinux.xxx.com:9292/kms/v1/keys/names?doAs=keyadmin 2016-08-19 03:38:10,994 [timed-executor-pool-0] DEBUG apache.ranger.services.kms.client.KMSClient (KMSClient.java:185) - getKeyList():response.getStatus()= 401 2016-08-19 03:38:10,994 [timed-executor-pool-0] INFO apache.ranger.services.kms.client.KMSClient (KMSClient.java:214) - getKeyList():response.getStatus()= 401 for URL http://hadooplinux.xxx.com:9292/kms/v1/keys/names?doAs=keyadmin so returning null list 2016-08-19 03:38:10,995 [timed-executor-pool-0] ERROR apache.ranger.services.kms.client.KMSResourceMgr (KMSResourceMgr.java:43) - <== KMSResourceMgr.validateConfig Error: org.apache.ranger.plugin.client.HadoopException:

Is there some other settings for AD-KDC in Ranger KMS?

Ranger KMS was setup and the cluster was kerbersized later. Does it have to be setup after kerberzing?

Thanks,

Avijeet

@vperiasamy the issue is resolved. I just took solution from @Vipin Rathor before checking you comment 😜

But it helped. Thanks for reply.

Contributor

Hi Vipin,

In my case also, user name coming as only 'keyadmin" instead of keyadmin@realm but I am giving username as

keyadmin@realm in UI:-

UNAUTHENTICATED RemoteHost:127.0.0.1 Method:GET URL:http://hostname:9292/kms/v1/keys/names?doAs=keyadmin ErrorMsg:'Authentication required'.

which property should I change for this?

please help.

Thanks in advance

; ;