Member since 01-23-2019
10 Posts
1 Kudos Received
0 Solutions
06-30-2021
07:10 PM
Yeah, I was checking the KMS logs, not sure if there is something mis-configured....
2021-07-01 10:03:35,980 DEBUG org.apache.ranger.admin.client.RangerAdminRESTClient: ==> RangerAdminRESTClient.getServicePoliciesIfUpdated(-1, 1625097035937)
2021-07-01 10:03:35,980 DEBUG org.apache.ranger.admin.client.RangerAdminRESTClient: Checking Service policy if updated with old api call
2021-07-01 10:03:35,986 DEBUG org.apache.ranger.admin.client.datatype.RESTResponse: fromJson('Unauthenticated access not allowed') failed
org.codehaus.jackson.JsonParseException: Unexpected character ('U' (code 85)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
at [Source: java.io.StringReader@7b831251; line: 1, column: 2]
at org.codehaus.jackson.JsonParser._constructError(JsonParser.java:1433)
at org.codehaus.jackson.impl.JsonParserMinimalBase._reportError(JsonParserMinimalBase.java:521)
at org.codehaus.jackson.impl.JsonParserMinimalBase._reportUnexpectedChar(JsonParserMinimalBase.java:442)
at org.codehaus.jackson.impl.ReaderBasedParser._handleUnexpectedValue(ReaderBasedParser.java:1198)
at org.codehaus.jackson.impl.ReaderBasedParser.nextToken(ReaderBasedParser.java:485)
at org.codehaus.jackson.map.ObjectMapper._initForReading(ObjectMapper.java:2770)
at org.codehaus.jackson.map.ObjectMapper._readMapAndClose(ObjectMapper.java:2718)
at org.codehaus.jackson.map.ObjectMapper.readValue(ObjectMapper.java:1863)
at org.apache.ranger.plugin.util.JsonUtilsV2.jsonToObj(JsonUtilsV2.java:68)
at org.apache.ranger.admin.client.datatype.RESTResponse.fromJson(RESTResponse.java:126)
at org.apache.ranger.admin.client.datatype.RESTResponse.fromClientResponse(RESTResponse.java:100)
at org.apache.ranger.admin.client.RangerAdminRESTClient.getServicePoliciesIfUpdated(RangerAdminRESTClient.java:195)
at org.apache.ranger.plugin.util.PolicyRefresher.loadPolicyfromPolicyAdmin(PolicyRefresher.java:305)
at org.apache.ranger.plugin.util.PolicyRefresher.loadPolicy(PolicyRefresher.java:244)
at org.apache.ranger.plugin.util.PolicyRefresher.run(PolicyRefresher.java:206)
2021-07-01 10:03:35,987 WARN org.apache.ranger.admin.client.RangerAdminRESTClient: Error getting policies. secureMode=false, user=kms (auth:SIMPLE), response={"httpStatusCode":400,"statusCode":0}, serviceName=cm_kms
2021-07-01 10:03:35,987 DEBUG org.apache.ranger.admin.client.RangerAdminRESTClient: <== RangerAdminRESTClient.getServicePoliciesIfUpdated(-1, 1625097035937): null
2021-07-01 10:03:35,987 DEBUG org.apache.ranger.plugin.util.PolicyRefresher: PolicyRefresher(serviceName=cm_kms).run(): no update found. lastKnownVersion=-1
2021-07-01 10:03:35,987 DEBUG org.apache.ranger.perf.policyengine.init: [PERF] PolicyRefresher.loadPolicyFromPolicyAdmin(serviceName=cm_kms): 7
2021-07-01 10:03:35,987 DEBUG org.apache.ranger.plugin.util.PolicyRefresher: <== PolicyRefresher(serviceName=cm_kms).loadPolicyfromPolicyAdmin()
Ranger KMS authentication type is kerberos, I tried to change it to simple and restarted both ranger and rangerkms, it did not help. I don't know where the auth simple comes from? Thanks.
2021-07-01 10:03:35,987 WARN org.apache.ranger.admin.client.RangerAdminRESTClient: Error getting policies. secureMode=false, user=kms (auth:SIMPLE), response={"httpStatusCode":400,"statusCode":0}, serviceName=cm_kms
06-30-2021
03:05 PM
Thanks, but how can I get the policy synced?
06-30-2021
01:19 AM
Thanks @Scharan I don't think it's in sync since the test connection failed.
06-29-2021
03:26 PM
Thank you. You might see they are already added in the previous screenshot. Ranger user is added as well but it did not work.
tag.download.auth.users=kms,ranger
policy.download.auth.users=keyadmin,rangerkms,ranger
06-26-2021
05:59 PM
Thanks. However the permissions are already assigned in the default policy: cm_kms
06-25-2021
04:25 PM
Hello Gurus, I am having Ranger KMS test connection failed, it is POC test. CDP 7.1.6 with Isilon OneFS v8.2.2.0, AD kerberos enabled.
Ranger KMS is up and running default policy login as keyadmin test connection failed
Already added following lines in kms-site.xml ( added in Ranger KMS -configuration )
hadoop.kms.proxyuser.rangeradmin.hosts=*
hadoop.kms.proxyuser.rangeradmin.groups=*
hadoop.kms.proxyuser.rangeradmin.users=*
Ranger KMS debug:
2021-06-26 06:51:38,420 DEBUG org.apache.ranger.plugin.classloader.RangerPluginClassLoader: ==> RangerPluginClassLoader.deactivate()
2021-06-26 06:51:38,420 DEBUG org.apache.ranger.plugin.classloader.RangerPluginClassLoader: <== RangerPluginClassLoader.deactivate()
2021-06-26 06:51:38,420 ERROR org.apache.hadoop.crypto.key.kms.server.KMS: Exception in getkeyNames.
org.apache.hadoop.security.authorize.AuthorizationException: User:ranger not allowed to do 'GET_KEYS'
2021-06-26 06:51:38,420 WARN org.apache.hadoop.crypto.key.kms.server.KMS: User ranger (auth:PROXY) via rangeradmin/n02.py.local@PY.LOCAL (auth:KERBEROS) request GET http://n03.py.local:9292/kms/v1/keys/names?doAs=ranger caused exception.
org.apache.hadoop.security.authorize.AuthorizationException: User:ranger not allowed to do 'GET_KEYS'
2021-06-26 06:52:04,559 INFO org.apache.ranger.audit.provider.BaseAuditHandler: Audit Status Log: name=kms.async.summary.multi_dest.batch.solr, interval=01:00.003 minutes, events=1, deferredCount=1, totalEvents=3, totalDeferredCount=3
2021-06-26 06:52:04,560 INFO org.apache.ranger.audit.destination.SolrAuditDestination: Solr zkHosts=null, solrURLs=null, collectionName=ranger_audits
2021-06-26 06:52:04,560 ERROR org.apache.ranger.audit.queue.AuditFileSpool: Error sending logs to consumer. provider=kms.async.summary.multi_dest.batch, consumer=kms.async.summary.multi_dest.batch.solr
2021-06-26 06:52:04,560 INFO org.apache.ranger.audit.queue.AuditFileSpool: Destination is down. sleeping for 30000 milli seconds. indexQueue=0, queueName=kms.async.summary.multi_dest.batch, consumer=kms.async.summary.multi_dest.batch.solr
2021-06-26 06:52:04,691 INFO org.apache.ranger.audit.provider.BaseAuditHandler: Audit Status Log: name=kms.async.summary.multi_dest.batch.hdfs, interval=01:00.012 minutes, events=1, deferredCount=1, totalEvents=3, totalDeferredCount=3
Is there anything mis-configured or need to be checked? Thank you
Best Regards, Jake Zhang
06-10-2021
06:43 PM
@Scharan Appreciated your great help! After adding ranger.plugin.kms.policy.rest.url : Ranger KMS server started up ... Thanks again! Best regards, Jake Zhang
06-10-2021
06:24 PM
Thank you! Yes, I created separated DBs for Ranger and RangerKMS.
postgres=# \l
List of databases
Name | Owner | Encoding | Collate | Ctype | Access privileges
-----------+----------+----------+-------------+-------------+--------------------------
amon | amon | UTF8 | en_US.UTF-8 | en_US.UTF-8 |
hue | hue | UTF8 | en_US.UTF-8 | en_US.UTF-8 |
metastore | hive | UTF8 | en_US.UTF-8 | en_US.UTF-8 |
oozie | oozie | UTF8 | en_US.UTF-8 | en_US.UTF-8 |
postgres | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8 |
ranger | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8 | =Tc/postgres +
| | | | | postgres=CTc/postgres +
| | | | | rangeradmin=CTc/postgres+
| | | | | rangerkms=CTc/postgres
rangerkms | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8 | =Tc/postgres +
| | | | | postgres=CTc/postgres +
| | | | | rangerkms=CTc/postgres
rman | rman | UTF8 | en_US.UTF-8 | en_US.UTF-8 |
scm | scm | UTF8 | en_US.UTF-8 | en_US.UTF-8 |
template0 | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8 | =c/postgres +
| | | | | postgres=CTc/postgres
template1 | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8 | =c/postgres +
| | | | | postgres=CTc/postgres
(11 rows)
Will try "Ranger KMS Server Advanced Configuration Snippet (Safety Valve) for conf/ranger-kms-security.xml" ranger.plugin.kms.policy.rest.url=http://<rangerhostname>:<port no> and see if it works.
Best regards, Jake Zhang
06-10-2021
05:53 PM
CDP 7.1.6 with Isilon OneFS v8.2.2.0, AD kerberos enabled. While installing RangerKMS service, it failed to start up with the following errors:
[root@n04 ~]# less /var/log/ranger/kms/ranger-kms-n04.gz.local-kms.log
2021-06-11 08:30:32,179 INFO org.apache.hadoop.crypto.key.kms.server.KMSWebApp: -------------------------------------------------------------
2021-06-11 08:30:32,181 INFO org.apache.hadoop.crypto.key.kms.server.KMSWebApp: Java runtime version : 1.8.0_232-b09
2021-06-11 08:30:32,185 INFO org.apache.hadoop.crypto.key.kms.server.KMSWebApp: KMS Hadoop Version: 3.1.1.7.1.6.0-297
2021-06-11 08:30:32,185 INFO org.apache.hadoop.crypto.key.kms.server.KMSWebApp: -------------------------------------------------------------
2021-06-11 08:30:32,208 INFO org.apache.ranger.plugin.classloader.RangerPluginClassLoaderUtil: getFilesInDirectory('/opt/cloudera/parcels/CDH-7.1.6-1.cdh7.1.6.p0.10506313/lib/ranger-kms/ews/webapp/WEB-INF/classes/lib/ranger-kms-plugin-impl'): adding /opt/cloudera/parcels/CDH-7.1.6-1.cdh7.1.6.p0.10506313/lib/ranger-kms/ews/webapp/WEB-INF/classes/lib/ranger-kms-plugin-impl/solr-solrj-8.4.1.7.1.6.0-297.jar
<snip>
2021-06-11 08:31:16,787 INFO org.apache.ranger.audit.provider.AuditProviderFactory: RangerAsyncAuditCleanup: Waiting to audit cleanup start signal
2021-06-11 08:31:16,856 ERROR org.apache.ranger.authorization.kms.authorizer.RangerKmsAuthorizer: Error Enabling RangerKMSPlugin
java.lang.IllegalArgumentException: bound must be positive
at java.util.Random.nextInt(Random.java:388)
at org.apache.ranger.plugin.util.RangerRESTClient.<init>(RangerRESTClient.java:124)
at org.apache.ranger.admin.client.RangerAdminRESTClient.init(RangerAdminRESTClient.java:771)
at org.apache.ranger.admin.client.RangerAdminRESTClient.init(RangerAdminRESTClient.java:116)
at org.apache.ranger.plugin.service.RangerBasePlugin.createAdminClient(RangerBasePlugin.java:659)
at org.apache.ranger.plugin.util.PolicyRefresher.<init>(PolicyRefresher.java:93)
at org.apache.ranger.plugin.service.RangerBasePlugin.init(RangerBasePlugin.java:182)
at org.apache.ranger.authorization.kms.authorizer.RangerKMSPlugin.init(RangerKmsAuthorizer.java:347)
at org.apache.ranger.authorization.kms.authorizer.RangerKmsAuthorizer.init(RangerKmsAuthorizer.java:304)
at org.apache.ranger.authorization.kms.authorizer.RangerKmsAuthorizer.<init>(RangerKmsAuthorizer.java:128)
at org.apache.ranger.authorization.kms.authorizer.RangerKmsAuthorizer.<init>(RangerKmsAuthorizer.java:154)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at java.lang.Class.newInstance(Class.java:442)
at org.apache.ranger.authorization.kms.authorizer.RangerKmsAuthorizer.init(RangerKmsAuthorizer.java:71)
at org.apache.ranger.authorization.kms.authorizer.RangerKmsAuthorizer.<init>(RangerKmsAuthorizer.java:51)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at org.apache.hadoop.util.ReflectionUtils.newInstance(ReflectionUtils.java:133)
at org.apache.hadoop.crypto.key.kms.server.KMSWebApp.getAcls(KMSWebApp.java:239)
at org.apache.hadoop.crypto.key.kms.server.KMSWebApp.contextInitialized(KMSWebApp.java:138)
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4689)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5155)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1412)
at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1402)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
2021-06-11 08:31:16,863 INFO org.apache.ranger.audit.provider.AuditProviderFactory: ==> JVMShutdownHook.run()
2021-06-11 08:31:16,864 INFO org.apache.ranger.audit.provider.AuditProviderFactory: JVMShutdownHook: Signalling async audit cleanup to start.
2021-06-11 08:31:16,864 INFO org.apache.ranger.audit.provider.AuditProviderFactory: JVMShutdownHook: Waiting up to 30 seconds for audit cleanup to finish.
2021-06-11 08:31:16,864 INFO org.apache.ranger.audit.provider.AuditProviderFactory: RangerAsyncAuditCleanup: Starting cleanup
2021-06-11 08:31:16,864 INFO org.apache.ranger.audit.destination.HDFSAuditDestination: Flush called. name=kms.async.summary.multi_dest.batch.hdfs
2021-06-11 08:31:16,864 INFO org.apache.ranger.audit.queue.AuditAsyncQueue: Stop called. name=kms.async
2021-06-11 08:31:16,864 INFO org.apache.ranger.audit.queue.AuditAsyncQueue: Interrupting consumerThread. name=kms.async, consumer=kms.async.summary
2021-06-11 08:31:16,865 INFO org.apache.ranger.audit.provider.AuditProviderFactory: RangerAsyncAuditCleanup: Done cleanup
2021-06-11 08:31:16,865 INFO org.apache.ranger.audit.provider.AuditProviderFactory: RangerAsyncAuditCleanup: Waiting to audit cleanup start signal
2021-06-11 08:31:16,865 INFO org.apache.ranger.audit.provider.AuditProviderFactory: JVMShutdownHook: Audit cleanup finished after 1 milli seconds
2021-06-11 08:31:16,865 INFO org.apache.ranger.audit.provider.AuditProviderFactory: JVMShutdownHook: Interrupting ranger async audit cleanup thread
2021-06-11 08:31:16,865 INFO org.apache.ranger.audit.provider.AuditProviderFactory: <== JVMShutdownHook.run()
2021-06-11 08:31:16,865 INFO org.apache.ranger.audit.provider.AuditProviderFactory: RangerAsyncAuditCleanup: Interrupted while waiting for audit startCleanup signal! Exiting the thread...
java.lang.InterruptedException
at java.util.concurrent.locks.AbstractQueuedSynchronizer.doAcquireSharedInterruptibly(AbstractQueuedSynchronizer.java:998)
at java.util.concurrent.locks.AbstractQueuedSynchronizer.acquireSharedInterruptibly(AbstractQueuedSynchronizer.java:1304)
at java.util.concurrent.Semaphore.acquire(Semaphore.java:312)
at org.apache.ranger.audit.provider.AuditProviderFactory$RangerAsyncAuditCleanup.run(AuditProviderFactory.java:506)
at java.lang.Thread.run(Thread.java:748)
2021-06-11 08:31:16,865 INFO org.apache.ranger.audit.queue.AuditAsyncQueue: Caught exception in consumer thread. Shutdown might be in progress
07-01-2020
04:21 PM
1 Kudo
Hi all, I had faced the same issue while kerberizing a HDP 3.1.0 cluster integrated with Isilon. The Ambari server is built on a Postgres DB cluster, hence it was NOT in the hadoop cluster. So it was NOT on the host list.
[root@hdpdb ~]# curl -H "X-Requested-By: ambari" -u admin:admin "http://hdpdb.gz.local:8080/api/v1/clusters/Panyu/hosts"
I had to add the ambari server from adding host wizard and just install the clients. It worked around the "Host not found, hostname= xxxx" issue in my case. Hope it will help, cheers!