08-31-2018
07:09 AM
@Felix Albani Please suggest.
08-29-2018
05:44 AM
@Felix Albani, Our 2-way SSL is working properly. Also, the Hive public certificate is present in the Ranger Admin truststore. Attached Ranger Hive Repo screenshot: hive-repo.png. Please suggest.
08-29-2018
05:39 AM
Thanks @Felix Albani, I am able to configure 2-way SSL. But 1-way SSL is not working in HDP-2.5.6. Also, we have configured HiveServer2 HA. What should be the value of Common Name For Certificate in Ranger Policy Manager UI for the Hive repository? Currently, for one HiveServer2 the CN value is hmaster.test.org and for the other HiveServer2 the CN value is hmaster2.test.org. Please suggest.
08-28-2018
10:46 AM
Hello Team,

We are using HDP-2.5.6. We are not using Kerberos security. We have configured SSL for the HiveServer2 daemon. We have enabled the Ranger plugin for the Hive service. When we click on Test connection in Ranger's Hive repository, it gives the following error:

---------------------------------------------------------------------------------------
Connection Failed.
Unable to retrieve any files using given parameters, You can still save the repository and start creating policies, but you would not be able to use autocomplete for resource names. Check ranger_admin.log for more info.
org.apache.ranger.plugin.client.HadoopException: Unable to connect to Hive Thrift Server instance.. Unable to connect to Hive Thrift Server instance.. Could not open client transport with JDBC Uri: jdbc:hive2://hmaster.test.com:10001: null.
-------------------------------------------------------------------------------------

The Ranger autocomplete resource name feature is not working. How to resolve it? Please suggest.

Thanks, Bhushan
Labels: Apache Hive, Apache Ranger
08-27-2018
12:07 PM
Hello Team,

We have enabled SSL for the Ranger Admin Web UI. We can access the Ranger Admin Web UI on port 6182. But the HiveServer2 daemon is failing to refresh policies after enabling SSL for the Ranger Admin Web UI. We are using an internal CA signed certificate. Our HiveServer2 is SSL enabled. We have done all configuration for enabling two-way SSL between Ranger and Hive. We have imported Ranger Admin's certificate into the HiveServer2 truststore and the HiveServer2 certificate into Ranger Admin's truststore. We have set up keystores for HiveServer2 and Ranger Admin. Also, we added hmaster.test.org as Common Name for Certificate in the Hive and Ranger policy.

In the HiveServer2 log, we are getting the following error:

2018-08-27 06:40:31,785 ERROR [main]: client.RangerAdminRESTClient (RangerAdminRESTClient.java:getServicePoliciesIfUpdated(124)) - Error getting policies. secureMode=false, user=hive (auth:SIMPLE), response={"httpStatusCode":400,"statusCode":1,"msgDesc":"Unauthorized access - unable to get client certificate","messageList":[{"name":"OPER_NOT_ALLOWED_FOR_ENTITY","rbKey":"xa.error.oper_not_allowed_for_state","message":"Operation not allowed for entity"}]}, serviceName=C03_hive
2018-08-27 06:40:31,786 ERROR [main]: util.PolicyRefresher (PolicyRefresher.java:loadPolicyfromPolicyAdmin(255)) - PolicyRefresher(serviceName=C03_hive): failed to refresh policies. Will continue to use last known version of policies (-1)
java.lang.Exception: Unauthorized access - unable to get client certificate
at org.apache.ranger.admin.client.RangerAdminRESTClient.getServicePoliciesIfUpdated(RangerAdminRESTClient.java:126)
at org.apache.ranger.plugin.util.PolicyRefresher.loadPolicyfromPolicyAdmin(PolicyRefresher.java:232)
at org.apache.ranger.plugin.util.PolicyRefresher.loadPolicy(PolicyRefresher.java:188)
at org.apache.ranger.plugin.util.PolicyRefresher.startRefresher(PolicyRefresher.java:136)

In the Ranger Admin log, we are getting the following error:

2018-08-27 11:45:02,556 [http-bio-6182-exec-5] ERROR org.apache.ranger.common.ServiceUtil (ServiceUtil.java:1367) - Unauthorized access. Unable to get client certificate. serviceName=C03_hive
2018-08-27 11:45:02,557 [http-bio-6182-exec-5] INFO org.apache.ranger.common.RESTErrorUtil (RESTErrorUtil.java:65) - Request failed. SessionId=null, loginId=null, logMessage=Unauthorized access - unable to get client certificate
javax.ws.rs.WebApplicationException
at org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:56)
at org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:335)
at org.apache.ranger.common.ServiceUtil.isValidateHttpsAuthentication(ServiceUtil.java:1368)
at org.apache.ranger.rest.ServiceREST.getServicePoliciesIfUpdated(ServiceREST.java:1817)

How to solve it? Please suggest.

Thanks, Bhushan
Labels: Apache Hive, Apache Ranger
08-16-2018
02:02 PM
@Jonathan Sneep I think my bind DN is correct. Could you please let me know what's the correct DN value? Attached screenshot. How to check whether the bind account is locked or not?
08-16-2018
01:48 PM
Hi All,

While trying to sync users in Ambari with AD, I am getting the following exception:

[root@ip-172-10-31-216 keytabs]# ambari-server setup-ldap
Using python /usr/bin/python
Setting up LDAP properties...
Primary URL* {host:port} (172.10.138.164:389):
Secondary URL {host:port} :
Use SSL* [true/false] (false):
User object class* (person):
User name attribute* (sAMAccountName):
Group object class* (group):
Group name attribute* (cn):
Group member attribute* (member):
Distinguished name attribute* (distinguishedName):
Base DN* (ou=usercn,dc=testad,dc=com):
Referral method [follow/ignore] :
Bind anonymously* [true/false] (false):
Handling behavior for username collisions [convert/skip] for LDAP sync* (convert):
Manager DN* (cn=testhdp,ou=admincn,ou=testad,dc=com):
Enter Manager Password* :
Re-enter password:
====================
Review Settings
====================
authentication.ldap.managerDn: cn=testhdp,ou=admincn,ou=testad,dc=com
authentication.ldap.managerPassword: *****
Save settings [y/n] (y)? y
Saving...done
Ambari Server 'setup-ldap' completed successfully.
[root@ip-172-10-31-216 keytabs]# service ambari-server restart
Using python /usr/bin/python
Restarting ambari-server
Waiting for server stop...
Ambari Server stopped
Ambari Server running with administrator privileges.
Organizing resource files at /var/lib/ambari-server/resources...
Ambari database consistency check started...
Server PID at: /var/run/ambari-server/ambari-server.pid
Server out at: /var/log/ambari-server/ambari-server.out
Server log at: /var/log/ambari-server/ambari-server.log
Waiting for server start................
Server started listening on 8080
DB configs consistency check: no errors and warnings were found.
[root@ip-172-10-31-216 keytabs]# ambari-server sync-ldap --all
Using python /usr/bin/python
Syncing with LDAP...
Enter Ambari Admin login: admin
Enter Ambari Admin password:
Syncing all...ERROR: Exiting with exit code 1.
REASON: Caught exception running LDAP sync. [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580]
[root@ip-172-10-31-216 keytabs]#
How to resolve it? Attached AD screenshots: ad1.png, ad2.png. Please suggest.

Thanks, Bhushan
Labels: Apache Ambari
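As an added example (not code from the original post or from Ambari), this Python script decodes the Active Directory sub-code in the `data` field of the LDAP error 49 shown in the post, and compares the `dc=` suffix of the Manager DN with that of the Base DN. The sub-code table lists the commonly documented AD values; the function names and the assumption that the bind account lives in the same domain as the Base DN are illustrative.

```python
import re

# Values copied from the post above (the sync error, Base DN and Manager DN).
SYNC_ERROR = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, "
              "comment: AcceptSecurityContext error, data 52e, v2580]")
BASE_DN = "ou=usercn,dc=testad,dc=com"
MANAGER_DN = "cn=testhdp,ou=admincn,ou=testad,dc=com"

# Active Directory sub-codes reported in the "data" field of LDAP error 49.
AD_BIND_SUBCODES = {
    "525": "user not found", "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired", "533": "account disabled",
    "701": "account expired", "773": "user must reset password",
    "775": "account locked out",
}

def decode_bind_error(message):
    """Return (ldap_code, ad_subcode, meaning), or None if the format differs."""
    m = re.search(r"error code (\d+).*?AcceptSecurityContext error, "
                  r"data ([0-9a-fA-F]+)", message)
    if not m:
        return None
    sub = m.group(2).lower()
    return int(m.group(1)), sub, AD_BIND_SUBCODES.get(sub, "unknown sub-code")

def dn_components(dn):
    """Split a DN into (attribute, value) pairs, honouring escaped commas."""
    parts = re.split(r"(?<!\\),", dn)
    return [tuple(p.strip().split("=", 1)) for p in parts if "=" in p]

def domain_suffix(dn):
    """Trailing run of dc= values, i.e. the domain the entry belongs to."""
    dcs = []
    for attr, value in reversed(dn_components(dn)):
        if attr.lower() != "dc":
            break
        dcs.insert(0, value.lower())
    return dcs

def check_bind_settings(base_dn, manager_dn):
    """Assumption: the bind account is in the same domain as the base DN."""
    base, mgr = domain_suffix(base_dn), domain_suffix(manager_dn)
    if base == mgr:
        return []
    return ["manager DN domain dc=%s differs from base DN domain dc=%s"
            % (",dc=".join(mgr), ",dc=".join(base))]
```

Sub-code 775 is the value a locked-out bind account would produce; the error in the post carries 52e.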
08-16-2018
12:12 PM
A Resource Manager restart cleans the RM cache and resolves the issue.