"Test Connection" for ranger kms repository fails

I followed the document for setting up Ranger KMS on a Kerberized cluster.

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.2/bk_Ranger_KMS_Admin_Guide/content/ch03s02.h...

While doing a test connection to the default repository of Ranger KMS, it gives the error shown below:

Can you please help me resolve this?

2016-03-31 20:02:05,403 [timed-executor-pool-0] INFO  apache.ranger.services.kms.client.KMSClient (KMSClient.java:214) - getKeyList():response.getStatus()= 401 for URL http://node1.example.com:9292/kms/v1/keys/names?user.name=keyadmin, so returning null list
2016-03-31 20:02:05,408 [timed-executor-pool-0] ERROR apache.ranger.services.kms.client.KMSResourceMgr (KMSResourceMgr.java:43) - <== KMSResourceMgr.validateConfig Error: org.apache.ranger.plugin.client.HadoopException: <html><head><title>Apache Tomcat/7.0.55 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 401 - Authentication required</h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>Authentication required</u></p><p><b>description</b> <u>This request requires HTTP authentication.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.55</h3></body></html>
1 ACCEPTED SOLUTION

Re: "Test Connection" for ranger kms repository fails

In Kerberized environments, the repository config user should be a valid Kerberos principal. Please create a valid principal like keyadmin@DOMAIN.COM with a password and configure this in the KMS repo - this needs to be done in the Ranger UI. Steps are listed here. Although this is from the latest documentation, these steps should work.

After the repository is updated, Ranger and KMS need to be restarted.

Also make sure you have a link to core-site.xml under /etc/ranger/kms/conf as described here

Re: "Test Connection" for ranger kms repository fails

New Contributor

These links are not working now.

Re: "Test Connection" for ranger kms repository fails

Community Manager

I found the Ranger KMS Admin Guide for HDP 2.4.0, hopefully this is what you are looking for.



Cy Jervis, Community Manager

Re: "Test Connection" for ranger kms repository fails

Guru

From the log, it looks like you are still using the username 'keyadmin', which won't work if you have set up Kerberos. The KMSClient code looks for keyadmin@REALM if Kerberos is enabled. Please set that and restart the Ranger and KMS services after the change.

Re: "Test Connection" for ranger kms repository fails

Guru

Uhh just saw that @vperiasamy had already replied. And that is pretty much correct. Cheers Vel !

Re: "Test Connection" for ranger kms repository fails

Contributor

Hi Vipin,

In my case also, the user name is coming as only 'keyadmin' instead of keyadmin@realm, but I am giving the username as keyadmin@realm in the UI:

UNAUTHENTICATED RemoteHost:127.0.0.1 Method:GET URL:http://hostname:9292/kms/v1/keys/names?doAs=keyadmin ErrorMsg:'Authentication required'.

which property should I change for this?

please help.

Thanks in advance

Re: "Test Connection" for ranger kms repository fails

Expert Contributor

@Vipin Rathor

Hi Vipin,

I am having the same issue; the Ranger logs show "returning null list".

I am able to log in to Ranger as keyadmin / password (as created in AD), and I can kinit as keyadmin.

I am not seeing the user in the Ranger user tab; however, I can see the user in the usersync log.

2016-08-19 03:38:10,633 [timed-executor-pool-0] DEBUG apache.ranger.services.kms.client.KMSClient (KMSClient.java:312) - Getting KmsClient for datasource: hubhdpdevcluster01_kms
2016-08-19 03:38:10,633 [timed-executor-pool-0] DEBUG apache.ranger.services.kms.client.KMSClient (KMSClient.java:313) - configMap: {password=*****, provider=kms://http@hadooplinux.xxx.com:9292/kms, username=keyadmin@HADOOPDOM.COM}
2016-08-19 03:38:10,633 [timed-executor-pool-0] DEBUG apache.ranger.services.kms.client.KMSClient (KMSClient.java:73) - Kms Client is build with url [kms://http@hadooplinux.xxx.com:9292/kms] user: [keyadmin@HADOOPDOM.COM]
2016-08-19 03:38:10,633 [timed-executor-pool-0] DEBUG apache.ranger.services.kms.client.KMSClient (KMSClient.java:144) - Getting Kms Key list for keyNameMatching :
2016-08-19 03:38:10,994 [timed-executor-pool-0] DEBUG apache.ranger.services.kms.client.KMSClient (KMSClient.java:181) - getKeyList():calling http://hadooplinux.xxx.com:9292/kms/v1/keys/names?doAs=keyadmin
2016-08-19 03:38:10,994 [timed-executor-pool-0] DEBUG apache.ranger.services.kms.client.KMSClient (KMSClient.java:185) - getKeyList():response.getStatus()= 401
2016-08-19 03:38:10,994 [timed-executor-pool-0] INFO apache.ranger.services.kms.client.KMSClient (KMSClient.java:214) - getKeyList():response.getStatus()= 401 for URL http://hadooplinux.xxx.com:9292/kms/v1/keys/names?doAs=keyadmin so returning null list
2016-08-19 03:38:10,995 [timed-executor-pool-0] ERROR apache.ranger.services.kms.client.KMSResourceMgr (KMSResourceMgr.java:43) - <== KMSResourceMgr.validateConfig Error: org.apache.ranger.plugin.client.HadoopException:

Are there some other settings for AD-KDC in Ranger KMS?

Ranger KMS was set up and the cluster was Kerberized later. Does it have to be set up after Kerberizing?

Thanks,

Avijeet
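
A log triage helper for the failure discussed in this thread, added here as an example (it is not code from Ranger or from any poster): it pairs the KMSClient "Kms Client is build with" line with later getKeyList() failures and reports the configured repository user next to the identity actually sent in the request URL. The function name `triage` and the result field names are assumptions, and the sample log is constructed from lines quoted in the thread.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample, trimmed from the log lines quoted in this thread.
SAMPLE_LOG = """\
2016-03-31 20:02:05,403 [timed-executor-pool-0] INFO  apache.ranger.services.kms.client.KMSClient (KMSClient.java:214) - getKeyList():response.getStatus()= 401 for URL http://node1.example.com:9292/kms/v1/keys/names?user.name=keyadmin, so returning null list
2016-08-19 03:38:10,633 [timed-executor-pool-0] DEBUG apache.ranger.services.kms.client.KMSClient (KMSClient.java:73) - Kms Client is build with url [kms://http@hadooplinux.xxx.com:9292/kms] user: [keyadmin@HADOOPDOM.COM]
2016-08-19 03:38:10,994 [timed-executor-pool-0] INFO apache.ranger.services.kms.client.KMSClient (KMSClient.java:214) - getKeyList():response.getStatus()= 401 for URL http://hadooplinux.xxx.com:9292/kms/v1/keys/names?doAs=keyadmin so returning null list
"""

CLIENT_RE = re.compile(r"Kms Client is build with url \[(?P<url>[^\]]+)\] user: \[(?P<user>[^\]]*)\]")
STATUS_RE = re.compile(r"getKeyList\(\):response\.getStatus\(\)= (?P<status>\d{3}) for URL (?P<url>\S+?),? so returning")


def triage(log_text):
    """Return one finding per failed getKeyList() call found in the log."""
    findings, configured = [], None
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            configured = m.group("user")  # most recent repository config user
            continue
        m = STATUS_RE.search(line)
        if not m or m.group("status") == "200":
            continue
        query = parse_qs(urlsplit(m.group("url")).query)
        # The thread shows two identity parameters in the URL: user.name and doAs.
        param = next((p for p in ("user.name", "doAs") if p in query), None)
        findings.append({
            "timestamp": line[:23],
            "status": int(m.group("status")),
            "configured_user": configured,  # None when no DEBUG line was logged
            "configured_has_realm": None if configured is None else "@" in configured,
            "identity_param": param,
            "identity_sent": query[param][0] if param else None,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The configured user is only available when DEBUG logging for KMSClient is on, as in the 2016-08-19 excerpt; without it the field stays `None`.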

Re: "Test Connection" for ranger kms repository fails

@vperiasamy the issue is resolved. I just took the solution from @Vipin Rathor before checking your comment ;P

But it helped. Thanks for reply.
