Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Check out our newest addition to the community, the Cloudera Data Analytics (CDA) group hub.

usersync and Ranger UI Login

Labels:
Jon_Morisi
Explorer

Created ‎04-26-2017 08:41 PM

Hi,

I asked around on the Ranger mailing list, but was unable to find a solution to my problem. (https://lists.apache.org/list.html?user@ranger.apache.org)

I’m currently running HDP-2.5.3.0 / Ranger – 0.6.0 and have Ranger Usersync setup and running with Active Directory. (I've been informed that usersync and Ranger-Admin are two different setups / connections to AD, so this isn't particularly helpful).

My problem is that AD users that come in from usersync are unable to login to the Ranger Admin UI.

I get “Wrong Password” messages in the Ranger Audit > Login Sessions when I try to login with my Active Directory account. (I modified my account to be an “Admin” Role following the initial import from usersync)

So far I've been able to troubleshoot down to a possible issue with the Ranger-Admin keystore, so now I’m looking for the location for the correct keystore where I would import my certificate from AD for Ranger-Admin.

Is this the correct location: ranger.credential.provider.path?

It seems like the jceks file associated with that, rangeradmin.jceks, has a blank password. Do you know where I would configure that password?

I've considered exporting the keys, configuring a new keystore with a password and re-importing, but my concern is: how would Ranger-Admin know the password?

Hopefully I've explained my problem coherently. Please let me know if anyone needs more clarification.

Thanks,

Jon

1,656 Views
0 Kudos
3 REPLIES 3

Jon_Morisi
Explorer

Created ‎04-26-2017 08:45 PM

For anyone who was following along, I believe I found the solution to this issue.

I configured ranger.truststore.file and ranger.https.attrib.keystore.file to point to my $JAVA_HOME cacerts file (which had my AD cert previously imported), and I’m now able to log in to the Ranger-Admin UI with my AD credentials.

I’m not sure what other ramifications this may have, but it solved my issue.

It’s also raised another question, in that many HortonWorks components each have their own configurations for various keystores. Is there any recommendations or best practices for consolidating all of these keystore locations into one place (like I did with the above solution)?

1,210 Views
0 Kudos

dvillarreal
Guru

Created ‎05-11-2017 11:16 PM

One issue with this is that if you upgrade your version of Java in the future it may overwrite your cacerts file. Best practice would be to put in a separate location. Forexample, /etc/ssl/ranger/trust.jks, etc.

1,210 Views

Jon_Morisi
Explorer

Created ‎05-12-2017 04:54 PM

Are you aware of any guidance or best practices for managing the many keystores associated with the various HDP components? ...just make one keystore in /etc and configure all the references? Maybe there's a consolidated list of all the configs that would have to be changed?

1,210 Views
0 Kudos
Take a Tour of the Community
Don't have an account?
Register
Your experience may be limited. Sign in to explore more.
Announcements
What's New @ Cloudera
Cloudera Operational Database (COD) UI supports creating a smaller cluster using a predefined Data Lake template
What's New @ Cloudera
Cloudera Operational Database (COD) supports scaling up the clusters vertically
Product Announcements
CDP Public Cloud: April 2023 Release Summary
What's New @ Cloudera
Cloudera Machine Learning launches "Add Data" feature to simplify data ingestion
What's New @ Cloudera
Simplify Data Access with Custom Connection Support in CML
View More Announcements