I asked around on the Ranger mailing list, but was unable to find a solution to my problem. (https://email@example.com)
I’m currently running HDP-184.108.40.206 / Ranger – 0.6.0 and have Ranger Usersync setup and running with Active Directory. (I've been informed that usersync and Ranger-Admin are two different setups / connections to AD, so this isn't particularly helpful).
My problem is that AD users that come in from usersync are unable to login to the Ranger Admin UI.
I get “Wrong Password” messages in the Ranger Audit > Login Sessions when I try to login with my Active Directory account. (I modified my account to be an “Admin” Role following the initial import from usersync)
So far I've been able to troubleshoot down to a possible issue with the Ranger-Admin keystore, so now I’m looking for the location for the correct keystore where I would import my certificate from AD for Ranger-Admin.
Is this the correct location: ranger.credential.provider.path?
It seems like the jceks file associated with that, rangeradmin.jceks, has a blank password. Do you know where I would configure that password?
I've considered exporting the keys, configuring a new keystore with a password and re-importing, but my concern is: how would Ranger-Admin know the password?
Hopefully I've explained my problem coherently. Please let me know if anyone needs more clarification.
For anyone who was following along, I believe I found the solution to this issue.
I configured ranger.truststore.file and ranger.https.attrib.keystore.file to point to my $JAVA_HOME cacerts file (which had my AD cert previously imported), and I’m now able to log in to the Ranger-Admin UI with my AD credentials.
I’m not sure what other ramifications this may have, but it solved my issue.
It’s also raised another question, in that many HortonWorks components each have their own configurations for various keystores. Is there any recommendations or best practices for consolidating all of these keystore locations into one place (like I did with the above solution)?
One issue with this is that if you upgrade your version of Java in the future it may overwrite your cacerts file. Best practice would be to put in a separate location. Forexample, /etc/ssl/ranger/trust.jks, etc.
Are you aware of any guidance or best practices for managing the many keystores associated with the various HDP components? ...just make one keystore in /etc and configure all the references? Maybe there's a consolidated list of all the configs that would have to be changed?