Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.
anshuman
anshuman
Rising Star

Re: Getting "heartbeat" errors when trying to inst...

by Rising Star anshuman in Community Articles
‎06-26-2019 12:27 AM
‎06-26-2019 12:27 AM
This problem exists even in the latest version of CDH6.2.   Centos 7.4 have tried both installation path b and the automated install. The automated install fails gloriously with 6. systemctl daemon reload connection timeout  I would have preferred installation path b anyways. So installed cloudera-manager-server and attempted to use the embedded server.  all the ipconfigurations look correct dig, nslookup etc. even the short snippet python script. passwordless ssh is setup, ntp exists. openjdk 1.8 b201 everything boots up fine except the agents just fail to register. there is no error in either cloudera-scm-server and also cloudera-scm-agent. havnt yet attempted adding host entries to /etc/hosts because it makes no sense to do so when the ipconfigs are correct. by correct I mean that reverse dns works and all hosts have fqdn.    the automated install also forces oracle jdk down on our necks, how silly is that ? and still fails gloriously. have used the cdh5.x distributions in the past before moving over to hdp2.x .    Are there some known issues, something else to check ? there is nothing in the agent logs or server logs ? ... View more

Update on hortonworks and cloudera merge for data ...

by Rising Star anshuman in Support Questions
‎04-01-2019 06:21 PM
‎04-01-2019 06:21 PM
Hi Wanted to get a sense on which direction the merge will move towards. As we know Cloudera was promoting its MPP based Impala for query and Hortonworks Hive with LLAP. How should organizations planning on implementing future datawarehousing architectures plan ? Do we choose HDP 3.x or CDH 6.x as the base to have the least migration effort down the line ? Or is there something completely new on the horizon ? If so, kindly advise on a migration or best plan forward especially in terms of data-warehousing. ... View more

Re: Java/Python Updates and Ambari Agent TLS Setti...

by Rising Star anshuman in Community Articles
‎09-28-2018 04:15 AM
‎09-28-2018 04:15 AM
This helped resolve our issue of spiking on a migration from oracle jdk 8 to open jdk 8 on centos 6.9 ... View more

Re: ranger ssl does not start embedded tomcat serv...

by Rising Star anshuman in Support Questions
‎04-20-2018 09:51 PM
‎04-20-2018 09:51 PM
When in doubt; doubt SSL. After several errors and trials, the core issue was that the alias in keystore for ranger was incorrect. What was really surprising that tomcat did not throw any errors whatsoever but just failed to start listening on port 6182. Increasing the debug level logs for several pacakges in the log4j for ranger-admin-env and even in /usd/hdp/current/..../ews/WEB-INF/ .... did inot show any error. Usually we have seen errors in a normal tomcat ssl setup. It was very surprising that no error was thrown. The only error was that it did not boot up to listen on port 6182. strange. ... View more

Re: amb_ranger_admin password update

by Rising Star anshuman in Support Questions
‎04-20-2018 09:47 PM
‎04-20-2018 09:47 PM
@Felix Albani Thanks, that did help us (i.e we were able to create the amb_ranger_admin user). However none of the plugins were registered i.e because the plugins kept complaining of wrong password. Wanted to add for a future user, that the core reason was amb_ranger_admin password has some requirements on what the password should be essentially alphanumeric and a length about 8 i think. It should probably not have special characters. That was the reason why plugins did not work. ... View more

Re: amb_ranger_admin password update

by Rising Star anshuman in Support Questions
‎04-20-2018 03:02 PM
‎04-20-2018 03:02 PM
Thanks will give that a shot. In our case the amb_ranger_admin ussr is not created automatically. Going through a few other posts have checked enabling plugins restarting hdfs. Ranger etc. The user is created as part of ranger install or firat startup ? What does it mean of no iser is created ? Can i create the user manually by logging into ranger as admin under user/group s...how do i force the creation of the user ? ... View more

amb_ranger_admin password update

by Rising Star anshuman in Support Questions
‎04-20-2018 06:57 AM
‎04-20-2018 06:57 AM
Is it possible to update the amb_ranger_admin password ? currently my cluster is a fresh install and all services state that the amb_ranger_admin as provided is incorrect. The documentation states that the password is only provided during install time. So if I update in the ranger config (and am not using kerberos) .. then the documentation states that I will need to go to each individual componet which has the ranger plugin and udpate the password .. where exactly ? https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.4/bk_Ranger_Install_Guide/content/updating_ranger_admin_passwords.html Also is the password store in a .jceks file ? can it be viewed ? Going through other posts it seems that restarting ranger server / a component with plugin enabled would force create the amb_ranger_admin user .. but that does not seem to be happening .. ... View more
Labels:

Re: ranger ssl does not start embedded tomcat serv...

by Rising Star anshuman in Support Questions
‎04-19-2018 02:54 PM
‎04-19-2018 02:54 PM
@Felix Albani the formatting was off .. have cleaned it up. Thanks ! $ sudo ps -ef | grep rangeradminranger 2009 1 0 07:10 ? 00:01:42 java -Dproc_rangeradmin -XX:MaxPermSize=256m -Xmx1024m -Xms1024m -Duser.timezone=UTC -Dservername=rangeradmin -Dlogdir=/var/log/ranger/admin -Dcatalina.base=/data1/hdp/2.6.4.0-91/ranger-admin/ews -cp /data1/hdp/2.6.4.0-91/ranger-admin/ews/webapp/WEB-INF/classes/conf:/data1/hdp/2.6.4.0-91/ranger-admin/ews/lib/*:/data1/hdp/2.6.4.0-91/ranger-admin/ews/ranger_jaas/*:/data1/hdp/2.6.4.0-91/ranger-admin/ews/webapp/WEB-INF/classes/conf/ranger_jaas:/usr/java/latest/lib/*:/*: org.apache.ranger.server.tomcat.EmbeddedServer $ sudo netstat -anp | grep 2009 tcp 0 0 127.0.0.1:6085 0.0.0.0:* LISTEN 2009/java tcp 0 0 10.108.10.112:44131 10.128.30.110:5432 ESTABLISHED 2009/java tcp 0 0 10.108.10.112:44132 10.128.30.110:5432 ESTABLISHED 2009/java tcp 0 0 10.108.10.112:44130 10.128.30.110:5432 ESTABLISHED 2009/java tcp 0 0 10.108.10.112:44138 10.128.30.110:5432 ESTABLISHED 2009/java tcp 0 0 10.108.10.112:44139 10.128.30.110:5432 ESTABLISHED 2009/java unix 2 [ ] STREAM CONNECTED 9339763 2009/java</property> $ grep https -C2 /data1/hdp/2.6.4.0-91/ranger-admin/conf/ranger-admin-site.xml <property> <name>ranger.externalurl</name> <value>https://myserver:6182</value> </property> <property> <name>ranger.https.attrib.keystore.file</name> <value>/path/to/key/keystore.jks</value> </property> <property> <name>ranger.service.https.attrib.client.auth</name> <value>want</value> </property> <property> <name>ranger.service.https.attrib.clientAuth</name> <value>want</value> </property> <property> <name>ranger.service.https.attrib.keystore.credential.alias</name> <value>keyStoreCredentialAlias</value> </property> <property> <name>ranger.service.https.attrib.keystore.file</name> <value>/path/to/key/keystore.jks</value> </property> <property> <name>ranger.service.https.attrib.keystore.keyalias</name> <value>my_wildcard_alias</value> </property> <property> <name>ranger.service.https.attrib.keystore.pass</name> <value>_</value> </property> <property> <name>ranger.service.https.attrib.ssl.enabled</name> <value>true</value> </property> <property> <name>ranger.service.https.port</name> <value>6182</value> </property> <br> $ ls -l /data1/hdp/2.6.4.0-91/ranger-admin/ews/ total 36 drwxr-xr-x 2 ranger ranger 4096 Apr 19 07:09 lib lrwxrwxrwx 1 ranger ranger 21 Apr 19 00:23 logs -> /var/log/ranger/admin -r-xr--r-- 1 ranger ranger 2192 Jan 4 10:47 ranger-admin-initd -r-xr--r-- 1 ranger ranger 6347 Jan 4 10:47 ranger-admin-services.sh lrwxrwxrwx 1 ranger ranger 58 Apr 19 00:23 ranger-admin-start -> /usr/hdp/2.6.4.0-91/ranger-admin/ews/start-ranger-admin.sh lrwxrwxrwx 1 ranger ranger 57 Apr 19 00:23 ranger-admin-stop -> /usr/hdp/2.6.4.0-91/ranger-admin/ews/stop-ranger-admin.sh drwxr-xr-x 2 ranger ranger 4096 Apr 19 00:23 ranger_jaas -r-xr--r-- 1 ranger ranger 971 Jan 4 10:47 start-ranger-admin.sh -r-xr--r-- 1 ranger ranger 969 Jan 4 10:47 stop-ranger-admin.sh drwxr-xr-x 10 ranger ranger 4096 Apr 19 00:24 webapp drwxr-xr-x 3 ranger ranger 4096 Apr 19 00:33 work <br> ... View more

ranger ssl does not start embedded tomcat server

by Rising Star anshuman in Support Questions
‎04-19-2018 07:03 AM
‎04-19-2018 07:03 AM
Hi We have gone through the entire process of automating our cluster using blueprints and have had several successful deployments using wild cart certs in all our environments. We recently hit a snag in one of our larger environments where the ranger-admin though successfully installed with no errors whatsoever does not init the embedded tomcat server to listen on port 6182 when configured for ssl. on a similar environment this is from the catalina.out on /var/log/ranger/admin Apr 19, 2018 6:02:07 AM org.apache.ranger.server.tomcat.EmbeddedServer start INFO: Adding webapp [/] = path [/data1/hdp/2.6.4.0-91/ranger-admin/ews/webapp] ..... Apr 19, 2018 6:02:07 AM org.apache.catalina.core.StandardContext setPath WARNING: A context path must either be an empty string or start with a '/' and do not end with a '/'. The path [/] does not meet these criteria and has been changed to [] Apr 19, 2018 6:02:08 AM org.apache.ranger.server.tomcat.EmbeddedServer start INFO: Finished init of webapp [/] = path [/data1/hdp/2.6.4.0-91/ranger-admin/ews/webapp]. Apr 19, 2018 6:02:08 AM org.apache.coyote.AbstractProtocol init INFO: Initializing ProtocolHandler ["http-bio-6182"] Apr 19, 2018 6:02:08 AM org.apache.catalina.core.StandardService startInternal INFO: Starting service Tomcat Apr 19, 2018 6:02:08 AM org.apache.catalina.core.StandardEngine startInternal INFO: Starting Servlet Engine: Apache Tomcat/7.0.81 Apr 19, 2018 6:02:08 AM org.apache.catalina.loader.WebappClassLoaderBase validateJarFile INFO: validateJarFile(/data1/hdp/2.6.4.0-91/ranger-admin/ews/webapp/WEB-INF/lib/javax.servlet-api-3.1.0.jar) - jar not loaded. See Servlet Spec 3.0, section 10.7.2. Offending class: javax/servlet/Servlet.class but on the environment on which we have the problem the logs are as such ava HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=256m; support was removed in 8.0 log4j:WARN No appenders could be found for logger (org.apache.tomcat.util.IntrospectionUtils). log4j:WARN Please initialize the log4j system properly.log4j:WARN Please initialize the log4j system properly. log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info. SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder". SLF4J: Defaulting to no-operation (NOP) logger implementationSLF4J: Defaulting to no-operation (NOP) logger implementation SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details. Apr 19, 2018 6:09:43 AM org.apache.ranger.server.tomcat.EmbeddedServer start INFO: Deriving webapp folder from catalina.base property. folder=/data1/hdp/2.6.4.0-91/ranger-admin/ews/webapp Apr 19, 2018 6:09:43 AM org.apache.ranger.server.tomcat.EmbeddedServer start INFO: Webapp file =/data1/hdp/2.6.4.0-91/ranger-admin/ews/webapp, webAppName = / Apr 19, 2018 6:09:43 AM org.apache.ranger.server.tomcat.EmbeddedServer start INFO: Adding webapp [/] = path [/data1/hdp/2.6.4.0-91/ranger-admin/ews/webapp] ..... Apr 19, 2018 6:09:43 AM org.apache.ranger.server.tomcat.EmbeddedServer start INFO: Finished init of webapp [/] = path [/data1/hdp/2.6.4.0-91/ranger-admin/ews/webapp]. log4j:WARN No such property [maxFileSize] in org.apache.log4j.DailyRollingFileAppender. Apr 19, 2018 6:10:10 AM com.sun.jersey.api.core.PackagesResourceConfig init INFO: Scanning for root resource and provider classes in the packages: org.apache.ranger.rest org.apache.ranger.common xa.rest Apr 19, 2018 6:10:10 AM com.sun.jersey.api.core.ScanningResourceConfig logClasses INFO: Root resource classes found: class org.apache.ranger.rest.TagREST class org.apache.ranger.rest.AssetREST Note the missing logs Apr 19, 2018 6:02:08 AM org.apache.coyote.AbstractProtocol init INFO: Initializing ProtocolHandler ["http-bio-6182"] Apr 19, 2018 6:02:08 AM org.apache.catalina.core.StandardService startInternal INFO: Starting service Tomcat The environments are similar in setup and there is no difference. Tried to enable debugging by setting debug level for apache.ranger and spring.frameworks in log4j.xml and from ranger-admin-log4j.xml in the ui. Still there were no errors. Tomcat does not listen on port 6182 and the work directory under /usr/hdp/.../ranger/admin/ews/ ...doesnt have anything ? Any suggestions on how to further debug this ? (apart from removing the service and re-installing) from the xa_portal.log it looks like the spring application context gets initialized ..which is wierd .. all service install but can't connect to ranger on port 6182 because it is not listening on port 6182 ! ... View more
Labels:

Re: ranger kms blueprint postgres database non-def...

by Rising Star anshuman in Support Questions
‎03-03-2018 05:42 AM
‎03-03-2018 05:42 AM
As a hack I am specifying the port in the host name and that seems to work. Note the db_host below { "kms-properties" : { "properties" : { "KMS_MASTER_KEY_PASSWD" : "foo", "DB_FLAVOR" : "POSTGRES", "db_name" : "rangerkms", "db_user" : "rangerkms", "db_password" : "foo", "REPOSITORY_CONFIG_USERNAME" : "keyadmin", "db_host" : "mydb.server.com:7432" } } } ... View more

Re: ranger kms blueprint postgres database non-def...

by Rising Star anshuman in Support Questions
‎03-03-2018 01:45 AM
‎03-03-2018 01:45 AM
As part of this design I want ranger-kms to be separated from the other databases. So obviously if I just switch ports then ranger-kms gets installed but ranger admin does not because it uses the same library without the port ! ... View more

ranger kms blueprint postgres database non-default...

by Rising Star anshuman in Support Questions
‎03-03-2018 01:06 AM
‎03-03-2018 01:06 AM
Hi I have managed to have a successful deployment of a full blown ambari-stack using blueprints. As part of the next level of our security requirements I am attempting to make rangerkms run in its own database instance of postgres on a non-default port. The corresponding blueprint entry { "dbks-site" : { "properties_attributes" : { }, "properties" : { "ranger.ks.hsm.enabled" : "false", "hadoop.kms.blacklist.DECRYPT_EEK" : "hdfs", "ranger.ks.jpa.jdbc.credential.alias" : "ranger.ks.jdbc.password", "ranger.ks.jpa.jdbc.url" : "jdbc:postgresql://mydb.server.com:7432/rangerkms", "ranger.ks.jpa.jdbc.driver" : "org.postgresql.Driver" } } } During blueprint installation the jisql commands attempt to verify the connection to the database but it doesnt seem to take into account the port that i have configured resource_management.core.exceptions.ExecutionFailed: Execution of 'ambari-python-wrap /usr/hdp/current/ranger-kms/db_setup.py' returned 1. 2018-03-03 00:22:47,004 [I] DB FLAVOR :POSTGRES 2018-03-03 00:22:47,005 [I] --------- Verifying Ranger DB connection --------- 2018-03-03 00:22:47,005 [I] Checking connection 2018-03-03 00:22:47,005 [JISQL] /usr/java/latest/bin/java -cp /usr/hdp/current/ranger-kms/ews/webapp/lib/postgresql-jdbc.jar:/usr/hdp/current/ranger-kms/jisql/lib/* org.apache.util.sql.Jisql -driver postgresql -cstring jdbc:postgresql://mydb.server.com/rangerkms -u rangerkms -p '********' -noheader -trim -c \; -query "SELECT 1;" SQLException : SQL state: 28000 org.postgresql.util.PSQLException: FATAL: no pg_hba.conf entry for host "192.168.10.21", user "rangerkms", database "rangerkms", SSL off ErrorCode: 0 2018-03-03 00:22:47,182 [E] Can't establish connection However on the same host where kms is being attempted to install say foo.server.com if i specify the port the connection is successful /usr/java/latest/bin/java -cp /usr/hdp/current/ranger-kms/ews/webapp/lib/postgresql-jdbc.jar:/usr/hdp/current/ranger-kms/jisql/lib/* org.apache.util.sql.Jisql -driver postgresql -cstring jdbc:postgresql://mydb.server.com:7432/rangerkms -u rangerkms -p 'rangerkms' -noheader -trim -c \; -query "SELECT 1;" 1 | How do i get the db connection verifier to use the specified port in the blueprint ? I do have an entry in my pg_hba conf for foo.server.com to access rangerkms db as user rangerkms .. ... View more

HBase Secure Bulk load data from encryption zone

by Rising Star anshuman in Support Questions
‎02-19-2018 06:24 PM
‎02-19-2018 06:24 PM
For the use case where data needs to bulk loaded into hbase from an encryption zone the documentation here https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.2/bk_security/content/hbase-with-hdfs-encr.html states right at the end Workaround: run the MapReduce job as the hbase user, and specify an output directory that resides in the same encryption zone as the HBase root directory. How would this work ? Say there exists userA with encryption zone /user/userA on hdfs HBase has its own encryption zone under /apps/hbase and the staging directory /apps/hbase/staging This userA creates some sequenceFiles in /user/userA which need to be used to generate the HFiles. How will the workaround work ? the hbase user will not have access to the sequenceFiles in /user/userA ? ... View more

Re: Installing HDP using ambari blueprints

by Rising Star anshuman in Support Questions
‎02-19-2018 06:16 PM
‎02-19-2018 06:16 PM
Download the vdf file wget http://public-repo-1.hortonworks.com/HDP/centos6/2.x/updates/2.6.3.0/HDP-2.6.3.0-235.xml -O /tmp/HDP-2.6.3.0-235.xml Post it curl -v -k -u admin:admin -H "X-Requested-By:ambari" -X POST \ http://ambari-server:8080/api/v1/version_definitions \ -d '{ "VersionDefinition": { "version_url": "file:/tmp/HDP-2.6.3.0-235.xml" } }' the response would be { "href" : "http://ambari-server:8080/api/v1/version_definitions/1", "VersionDefinition" : { "id" : 1, "stack_name" : "HDP", "stack_version" : "2.6" } } version definitions http://ambari-server:8080/api/v1/version_definitions/1 # can use id or version in the blueprint ## id "repository_version_id": "1" ## version "repository_version" : "2.6.3.0-235", ... View more

the role of GENERATE_EEK and GET_METADATA in hdfs ...

by Rising Star anshuman in Support Questions
‎02-16-2018 10:53 PM
‎02-16-2018 10:53 PM
I am little unclear on what the ACL for GENERATE_EEK and GET_METADATA allow. From a naive understanding of HDFS transparent encryption it seems that GENERATE_EEK would be a request to generate an EDEK for an encryption zone (EZ). So say supposed I create a key using the keyadmin user called keyforuserA And create an encryption zone for userA under /ezforuserA given userA read write permissions on that ez. Next create a policy for that key , keyforuserA and give userA DECRYPT_EEK permissions. Now this userA can read and write any file to the EZ in /ezforuserA When a userA wants to perform a write in the EZ the namenode requests KMS to generate and EDEK which is then handed off back to userA and since userA can do a DECRYPT_EEK on keyforuserA he is both able to read and write in the EZ. when does the GENERATE_EEK come into play ? does the hdfs user need this permission for every key ? similar question for GET_METADATA .. when does this come into play ? ... View more

Re: Documentation for setting up SSL postgres and ...

by Rising Star anshuman in Support Questions
‎02-16-2018 06:43 PM
‎02-16-2018 06:43 PM
I would need a knox gateway to set this up ? a simple start may be just 1 way ssl between ambari-server and a ssl enabled postgres db .. where do i provide the configurations for the postgres jdbc driver so that the ssl handshake happens ? ... View more

Documentation for setting up SSL postgres and HDP ...

by Rising Star anshuman in Support Questions
‎02-15-2018 11:27 PM
1 Kudo
‎02-15-2018 11:27 PM
1 Kudo
Cannot find relevant documentation which shows 2-way ssl setup between the ambari-server-database (e.g postgres) and other Ambari (ambari-server)/ HDP(ranger,hive etc) components ... is this supported ? ... View more
Labels:

Re: Installing HDP using ambari blueprints

by Rising Star anshuman in Support Questions
‎02-15-2018 09:44 PM
‎02-15-2018 09:44 PM
When you install blueprint you will need to register a vdf file https://docs.hortonworks.com/HDPDocuments/Ambari-2.6.0.0/bk_ambari-release-notes/content/ambari_relnotes-2.6.0.0-behavioral-changes.html so whatever version u have in there for the repos will be the one which will be installed. ... View more

Re: CA signed cert for Ranger ; plugins don't show...

by Rising Star anshuman in Support Questions
‎02-08-2018 01:27 AM
‎02-08-2018 01:27 AM
The root cause of the issue was that the intermediate AND the root certificates were not imported into the server keystores. Took a bit of debugging the source to figure it out but it worked in the end. There were a couple of hiccups in terms of what ambari blueprints automates in terms of policy configurations vs what it does not. Also need to ensure that commonNameForCertificate is set appropriately to the alias of the certificate. ... View more

Re: Enabling SSL for Ranger Admin UI :

by Rising Star anshuman in Support Questions
‎02-08-2018 01:25 AM
‎02-08-2018 01:25 AM
Thanks, was able to solve our problem as well. It was related to not importing the intermediate AND the root certificates into the server keystores. Took a bit of debugging the source to figure it out but it worked in the end. ... View more

Re: wildcard cert ranger solr audit does not match...

by Rising Star anshuman in Support Questions
‎01-31-2018 06:39 PM
‎01-31-2018 06:39 PM
This problem is solved using the solution outlined https://community.hortonworks.com/content/supportkb/150187/unable-to-view-ranger-audit-when-ssl-is-enabled-on.html ... View more

Re: CA signed cert for Ranger ; plugins don't show...

by Rising Star anshuman in Support Questions
‎01-31-2018 06:29 PM
‎01-31-2018 06:29 PM
I checked my certificate and under Extended Key Usage it has both server Authentication and Client Authentication as a value. ... View more

Re: CA signed cert for Ranger ; plugins don't show...

by Rising Star anshuman in Support Questions
‎01-31-2018 06:25 PM
‎01-31-2018 06:25 PM
@vperiasamy am trying to understand what the relevance of the note at the bottom of this solution . Is that solution upto date ? Note: while creating the client certs, make sure you provide extension as"usr_cert"and server cert as"server_cert", other wise 2 WAY SSL communication would fail. ... View more

Re: Enabling SSL for Ranger Admin UI :

by Rising Star anshuman in Support Questions
‎01-31-2018 06:22 PM
‎01-31-2018 06:22 PM
@Aaryan Reddy were you able to solve your problem ? ... View more

Re: CA signed cert for Ranger ; plugins don't show...

by Rising Star anshuman in Support Questions
‎01-31-2018 06:21 PM
‎01-31-2018 06:21 PM
We are not on a kerberos environment yet. in terms of errors in /var/log/ranger/admin/xa_portal.log 2018-01-31 00:00:17,150 [http-bio-6182-exec-2] ERROR org.apache.ranger.common.ServiceUtil (ServiceUtil.java:1376) - Unauthorized access. Unable to get client certificate. serviceName=HadoopCluster_hbase 2018-01-31 00:00:17,151 [http-bio-6182-exec-2] INFO org.apache.ranger.common.RESTErrorUtil (RESTErrorUtil.java:63) - Request failed. loginId=null, logMessage=Unauthorized access - unable to get client ce rtificate javax.ws.rs.WebApplicationException at org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:56) at org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:325) at org.apache.ranger.common.ServiceUtil.isValidateHttpsAuthentication(ServiceUtil.java:1377) at org.apache.ranger.rest.ServiceREST.getServicePoliciesIfUpdated(ServiceREST.java:2567) at org.apache.ranger.rest.ServiceREST$$FastClassBySpringCGLIB$$92dab672.invoke(<generated>) 2018-01-31 00:00:17,151 [http-bio-6182-exec-2] INFO org.apache.ranger.common.RESTErrorUtil (RESTErrorUtil.java:326) - Operation error. response=VXResponse={org.apache.ranger.view.VXResponse@2a28b481statu sCode={1} msgDesc={Unauthorized access - unable to get client certificate} messageList={[VXMessage={org.apache.ranger.view.VXMessage@6f0ff521name={OPER_NOT_ALLOWED_FOR_ENTITY} rbKey={xa.error.oper_not_all owed_for_state} message={Operation not allowed for entity} objectId={null} fieldName={null} }]} } javax.ws.rs.WebApplicationException at org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:56) at org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:325) at org.apache.ranger.common.ServiceUtil.isValidateHttpsAuthentication(ServiceUtil.java:1377) at org.apache.ranger.rest.ServiceREST.getServicePoliciesIfUpdated(ServiceREST.java:2567) at org.apache.ranger.rest.ServiceREST$$FastClassBySpringCGLIB$$92dab672.invoke(<generated>) at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204) in /var/log/ranger/kms/kms.log 2018-01-31 00:00:17,544 ERROR PolicyRefresher - PolicyRefresher(serviceName=HadoopCluster_kms): failed to refresh policies. Will continue to use last known version of policies (-1) java.lang.IllegalArgumentException: SSLContext must not be null at com.sun.jersey.client.urlconnection.HTTPSProperties.<init>(HTTPSProperties.java:106) at org.apache.ranger.plugin.util.RangerRESTClient.buildClient(RangerRESTClient.ja (don't think this is used anywhere .. and can be ignored) 2018-01-31 00:00:17,529 WARN FSInputChecker - Problem opening checksum file: file:/etc/ranger/HadoopCluster_kms/cred.jceks. Ignoring exception: java.io.FileNotFoundException: /etc/ranger/HadoopCluster_kms/.cred.jceks.crc (Permission denied) at java.io.FileInputStream.open0(Native Method) at java.io.FileInputStream.open(FileInputStream.java:195) in /var/log/hadoop/hdfs/hadoop-hdfs-namednode 2018-01-31 18:17:05,296 WARN client.RangerAdminRESTClient (RangerAdminRESTClient.java:getServicePoliciesIfUpdated(162)) - Error getting policies. secureMode=false, user=hdfs (auth:SIMPLE), response={"httpStatusCode":400,"statusCode":0}, serviceName=HadoopCluster_hadoop 2018-01-31 18:17:06,824 INFO BlockStateChange (BlockManager.java:computeReplicationWorkForBlocks(1653)) - BLOCK* neededReplications = 0, pendingReplications = 0. 2018-01-31 18:17:08,325 WARN mortbay.log (Slf4jLog.java:warn(76)) - SSL renegotiate denied: java.nio.channels.SocketChannel[connected local=/192.168.10.20:50470 remote=/192.168.10.20:45972] 2018-01-31 18:17:08,333 WARN mortbay.log (Slf4jLog.java:warn(76)) - SSL renegotiate denied: java.nio.channels.SocketChannel[connected local=/192.168.10.20:50470 remote=/192.168.10.20:45970] In the ranger admin UI logged in as the keyadmin user > service manager > edit kms service > test connection rg.apache.ranger.plugin.client.HadoopException: { "RemoteException" : { "message" : "User:keyadmin not allowed to do 'GET_KEYS'", "exception" : "AuthorizationException", "javaClassName" : "org.apache.hadoop.security.authorize.AuthorizationException" } }. { "RemoteException" : { "message" : "User:keyadmin not allowed to do 'GET_KEYS'", "exception" : "AuthorizationException", "javaClassName" : "org.apache.hadoop.security.authorize.AuthorizationException" } }. ... View more

Re: Custom repo using /etc/yum.repos.d/

by Rising Star anshuman in Support Questions
‎01-31-2018 07:27 AM
‎01-31-2018 07:27 AM
The responses above helped me with the problems i had, however the right answer is that when using blueprints in version 2.6 onwards when the vdf file is registered, we have to specify the repositories in that file. That input is then used to create another ambari-hdp-repo-1.repo which will then be subsequently used. ... View more

Re: Configure SSL between Ranger and Rager HDFS pl...

by Rising Star anshuman in Community Articles
‎01-31-2018 07:21 AM
‎01-31-2018 07:21 AM
@amarnath reddy pappu can you please elaborate on the Note: about providing extension as "usr_cert" and "server_cert" ? I have a wildcard certificate and after following all the above steps and also with modifications as mentioned by @Luis Vazquez the plugins don't show up in the ranger ui and the error is keyadmin is not allowed to do "GET_KEYS". the documentation on setting this up correctly using CA signed certs is suprisingly sparse. ... View more

CA signed cert for Ranger ; plugins don't show up

by Rising Star anshuman in Support Questions
‎01-31-2018 04:38 AM
‎01-31-2018 04:38 AM
Hi I have a CA signed wildcard cert for my company like *.mycompany.com and am attempting to set it up for the cluster ssl setup. I have it setup successfully for all components except solr and ranger. Specific to ranger my intention to use the CA signed cert and key for ALL the ranger plugins and the ranger admin . I understand that without kerberos there can only be 2 way ssl. After following the steps as documented here ranger admin serves up properly however 1. during ranger admin client install the solr cloud cannot create the ranger-audit collection because the cert that it is trying to verify tries to pick up the ip instead of the hostname which i will try and follow up with this 2. None of the hdfs/hbase/hive plugins appear in the ranger admin and when I attempt to test connection in the kms view of ranger admin the test fails saying that keyadmin user has no authorization for "GET keys" so my question is that will the above setup work i.e can i use the same keystore for all plugins and the ranger ui using the wildcard certificate and then use the same truststore for all ? we maintain our own network level security . I am on the hdp 2.6.4 stack ... View more
Labels:

wildcard cert ranger solr audit does not match cer...

by Rising Star anshuman in Support Questions
‎01-31-2018 12:15 AM
‎01-31-2018 12:15 AM
Hi So I am attempting to use my CA signed cert for ranger auditing. Although I don't have the complete setup running yet one of the issues I am facing is that ranger cannot initiate the solr collection because of the following error Note that this is a CA issued wildcard cert for *.my-company.com and it works properly across certs and other products. Why is it that it is trying to use the ip address rather than the hostname which would probably then give the right result. I have looked around in the exported blueprint and I don't any reference to the ip ; just the hostname which all end with *.my-company.com and thus they should be resolved. Am using solr cloud so the ranger.audit.solr.urls = "" and the ranger.audit.solr.zookeepers="server1.my-company.com:2181,server2.my-company.com:2181,server3.my-company.com:2181/infra-solr" No live SolrServers available to handle this request:[https://192.168.10.20:8886/solr] org.apache.solr.client.solrj.SolrServerException: No live SolrServers available to handle this request:[https://192.168.10.20:8886/solr] at org.apache.solr.client.solrj.impl.LBHttpSolrClient.request(LBHttpSolrClient.java:352) at org.apache.solr.client.solrj.impl.CloudSolrClient.sendRequest(CloudSolrClient.java:1121) at org.apache.solr.client.solrj.impl.CloudSolrClient.requestWithRetryOnStaleState(CloudSolrClient.java:891) at org.apache.solr.client.solrj.impl.CloudSolrClient.request(CloudSolrClient.java:827) at org.apache.solr.client.solrj.SolrRequest.process(SolrRequest.java:149) at org.apache.solr.client.solrj.SolrRequest.process(SolrRequest.java:166) at org.apache.ambari.logsearch.solr.commands.AbstractSolrRetryCommand.createAndProcessRequest(AbstractSolrRetryCommand.java:43) at org.apache.ambari.logsearch.solr.commands.AbstractRetryCommand.retry(AbstractRetryCommand.java:45) at org.apache.ambari.logsearch.solr.commands.AbstractRetryCommand.run(AbstractRetryCommand.java:40) at org.apache.ambari.logsearch.solr.AmbariSolrCloudClient.listCollections(AmbariSolrCloudClient.java:102) at org.apache.ambari.logsearch.solr.AmbariSolrCloudClient.createCollection(AmbariSolrCloudClient.java:109) at org.apache.ambari.logsearch.solr.AmbariSolrCloudCLI.main(AmbariSolrCloudCLI.java:473) Caused by: org.apache.solr.client.solrj.SolrServerException: IOException occured when talking to server at: https://192.168.10.20:8886/solr at org.apache.solr.client.solrj.impl.HttpSolrClient.executeMethod(HttpSolrClient.java:590) at org.apache.solr.client.solrj.impl.HttpSolrClient.request(HttpSolrClient.java:241) at org.apache.solr.client.solrj.impl.HttpSolrClient.request(HttpSolrClient.java:230) at org.apache.solr.client.solrj.impl.LBHttpSolrClient.doRequest(LBHttpSolrClient.java:372) at org.apache.solr.client.solrj.impl.LBHttpSolrClient.request(LBHttpSolrClient.java:325) ... 11 more Caused by: javax.net.ssl.SSLException: Certificate for <192.168.10.20> doesn't match common name of the certificate subject: *.my-company.com at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:172) at org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:61) at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:140) at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:114) at org.apache.http.conn.ssl.SSLSocketFactory.verifyHostname(SSLSocketFactory.java:569) at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:544) at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:409) at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177) at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:304) at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611) at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446) at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55) at org.apache.solr.client.solrj.impl.HttpSolrClient.executeMethod(HttpSolrClient.java:482) ... 15 more ... View more

is the hdp gpl repo base url incorrect ?

by Rising Star anshuman in Support Questions
‎01-18-2018 10:02 PM
‎01-18-2018 10:02 PM
as part of 2.6.4 the behavioral changes have moved some gpl repos to its own repo .. however the gpl repo has its base url pointing to http://public-repo-1.hortonworks.com/HDP/centos6/2.x/updates/2.6.4.0 in my local repo setup it only worked if the baseurl is set to http://public-repo-1.hortonworks.com/HDP-UTILS-GPL-1.1.0.22/repos/centos6 ... View more
Labels:
Contact Me
Online
Offline
Last Visited
‎07-19-2019 02:32 PM
Public Statistics
Date Registered ‎06-26-2019 12:04 AM
Last Visited ‎07-19-2019 02:32 PM
Total Messages Posted 54
Total Kudos Received 4