Created 03-31-2016 04:11 PM
I followed the document for setting up Ranger KMS on a kerberized cluster.
While doing a test connection to the default repository of Ranger KMS, it gives the error shown below:
Can you please help me resolve this?
2016-03-31 20:02:05,403 [timed-executor-pool-0] INFO apache.ranger.services.kms.client.KMSClient (KMSClient.java:214) - getKeyList():response.getStatus()= 401 for URL http://node1.example.com:9292/kms/v1/keys/names?user.name=keyadmin, so returning null list
2016-03-31 20:02:05,408 [timed-executor-pool-0] ERROR apache.ranger.services.kms.client.KMSResourceMgr (KMSResourceMgr.java:43) - <== KMSResourceMgr.validateConfig Error: org.apache.ranger.plugin.client.HadoopException: <html><head><title>Apache Tomcat/7.0.55 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 401 - Authentication required</h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>Authentication required</u></p><p><b>description</b> <u>This request requires HTTP authentication.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.55</h3></body></html>
Created 03-31-2016 05:51 PM
In Kerberized environments, the repository config user should be a valid Kerberos principal. Please create a valid principal like keyadmin@DOMAIN.COM with a password and configure this in the KMS repo; this needs to be done in the Ranger UI. Steps are listed here. Although this is from the latest documentation, these steps should work.
After the repository is updated, Ranger and KMS need to be restarted.
Also make sure you have a link to core-site.xml under /etc/ranger/kms/conf as described here.
Created 09-20-2019 05:06 AM
These links are not working now.
Created 09-20-2019 06:28 AM
I found the Ranger KMS Admin Guide for HDP 2.4.0, hopefully this is what you are looking for.
Created 03-31-2016 07:59 PM
From the log, it looks like you are still using the username as 'keyadmin', which won't work if you have set up Kerberos. The KMSClient code looks for keyadmin@REALM if Kerberos is enabled. Please set that and restart the Ranger and KMS services after the change.
Created 03-31-2016 08:01 PM
Uhh, just saw that @vperiasamy had already replied. And that is pretty much correct. Cheers Vel!
Created 05-23-2016 08:21 PM
Hi Vipin,
In my case also, the user name is coming as only 'keyadmin' instead of keyadmin@realm, but I am giving the username as keyadmin@realm in the UI:
UNAUTHENTICATED RemoteHost:127.0.0.1 Method:GET URL:http://hostname:9292/kms/v1/keys/names?doAs=keyadmin ErrorMsg:'Authentication required'.
Which property should I change for this?
Please help.
Thanks in advance.
Created 08-19-2016 07:32 AM
Hi Vipin,
I am having the same issue; the Ranger logs show "returning null list".
I am able to log in to Ranger as keyadmin / password (as created in AD), and I can kinit as keyadmin.
I am not seeing the user in the Ranger user tab; however, I can see the user in the usersync log.
2016-08-19 03:38:10,633 [timed-executor-pool-0] DEBUG apache.ranger.services.kms.client.KMSClient (KMSClient.java:312) - Getting KmsClient for datasource: hubhdpdevcluster01_kms
2016-08-19 03:38:10,633 [timed-executor-pool-0] DEBUG apache.ranger.services.kms.client.KMSClient (KMSClient.java:313) - configMap: {password=*****, provider=kms://http@hadooplinux.xxx.com:9292/kms, username=keyadmin@HADOOPDOM.COM}
2016-08-19 03:38:10,633 [timed-executor-pool-0] DEBUG apache.ranger.services.kms.client.KMSClient (KMSClient.java:73) - Kms Client is build with url [kms://http@hadooplinux.xxx.com:9292/kms] user: [keyadmin@HADOOPDOM.COM]
2016-08-19 03:38:10,633 [timed-executor-pool-0] DEBUG apache.ranger.services.kms.client.KMSClient (KMSClient.java:144) - Getting Kms Key list for keyNameMatching :
2016-08-19 03:38:10,994 [timed-executor-pool-0] DEBUG apache.ranger.services.kms.client.KMSClient (KMSClient.java:181) - getKeyList():calling http://hadooplinux.xxx.com:9292/kms/v1/keys/names?doAs=keyadmin
2016-08-19 03:38:10,994 [timed-executor-pool-0] DEBUG apache.ranger.services.kms.client.KMSClient (KMSClient.java:185) - getKeyList():response.getStatus()= 401
2016-08-19 03:38:10,994 [timed-executor-pool-0] INFO apache.ranger.services.kms.client.KMSClient (KMSClient.java:214) - getKeyList():response.getStatus()= 401 for URL http://hadooplinux.xxx.com:9292/kms/v1/keys/names?doAs=keyadmin so returning null list
2016-08-19 03:38:10,995 [timed-executor-pool-0] ERROR apache.ranger.services.kms.client.KMSResourceMgr (KMSResourceMgr.java:43) - <== KMSResourceMgr.validateConfig Error: org.apache.ranger.plugin.client.HadoopException:
Are there some other settings for AD-KDC in Ranger KMS?
Ranger KMS was set up and the cluster was kerberized later. Does it have to be set up after kerberizing?
Thanks,
Avijeet
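The two 401 shapes posted in this thread differ in the query parameter the client sent: `user.name=` when the repo username was a bare `keyadmin`, and `doAs=` with the short name when the repo username was a full principal. The following triage script is an added example, not code from Ranger or from any poster; the sample lines are constructed from the log formats above, the hostname and realm are placeholders, and the classification is an inference from these logs.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines modelled on the Ranger admin log shapes in this
# thread; kms.example.com and EXAMPLE.COM are placeholders.
SAMPLE_LOG = """\
2016-03-31 20:02:05,403 [timed-executor-pool-0] INFO apache.ranger.services.kms.client.KMSClient (KMSClient.java:214) - getKeyList():response.getStatus()= 401 for URL http://kms.example.com:9292/kms/v1/keys/names?user.name=keyadmin, so returning null list
2016-08-19 03:38:10,633 [timed-executor-pool-0] DEBUG apache.ranger.services.kms.client.KMSClient (KMSClient.java:73) - Kms Client is build with url [kms://http@kms.example.com:9292/kms] user: [keyadmin@EXAMPLE.COM]
2016-08-19 03:38:10,994 [timed-executor-pool-0] INFO apache.ranger.services.kms.client.KMSClient (KMSClient.java:214) - getKeyList():response.getStatus()= 401 for URL http://kms.example.com:9292/kms/v1/keys/names?doAs=keyadmin so returning null list
"""

STATUS_RE = re.compile(
    r"getKeyList\(\):response\.getStatus\(\)= (\d{3}) for URL (\S+?),? so returning")
USER_RE = re.compile(r"Kms Client is build with url \[[^\]]*\] user: \[([^\]]*)\]")

# Next steps are the ones given in the answers of this thread.
HINTS = {
    "short-name-config": "repo username has no @REALM: set it to the Kerberos "
                         "principal in the Ranger UI, then restart Ranger and KMS",
    "principal-config": "principal is configured and the short name in doAs= is "
                        "what the client logs: check the restart and the "
                        "core-site.xml link under /etc/ranger/kms/conf",
    "unclassified": "no user.name= or doAs= parameter in the request URL",
}

def triage(log_text):
    """Return one finding per getKeyList() 401, classified by query parameter."""
    findings, configured_user = [], None
    for line in log_text.splitlines():
        built = USER_RE.search(line)
        if built:
            configured_user = built.group(1)  # username taken from the repo config
            continue
        hit = STATUS_RE.search(line)
        if not hit or hit.group(1) != "401":
            continue
        query = parse_qs(urlsplit(hit.group(2)).query)
        kind = ("short-name-config" if "user.name" in query
                else "principal-config" if "doAs" in query else "unclassified")
        sent = (query.get("user.name") or query.get("doAs") or [None])[0]
        findings.append({"kind": kind, "sent_as": sent, "url": hit.group(2),
                         "configured_user": configured_user, "hint": HINTS[kind]})
        configured_user = None  # tie each DEBUG line to the request that follows it
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["kind"], f["sent_as"], f["configured_user"], "->", f["hint"])
```

The `configured_user` field is only filled when DEBUG logging is on, since the "Kms Client is build with url" line is logged at DEBUG level in the output shown above.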
Created 04-01-2016 11:30 AM
@vperiasamy the issue is resolved. I just took the solution from @Vipin Rathor before checking your comment 😜
But it helped. Thanks for the reply.