My pleasure! @Jasper ... View more

My pleasure! @Jasper ... View more

@V_A nOn the unsecure ldap 389 port tcpdump the traffic when login fails and post it here for me to look at the error. ... View more

@David Liu Hi, Check that sssd returns group on id username on all nodes. Then check your core-site.xml make sure to remove any references to ldap or other configs that aren't default in this area. It is possible to map multiple providers here so it may be a configuration issue with core-site.xml. Make sure you also restart full MR, and YARN as well as HDFS. ... View more

Keep in mind, Taxonomy feature is still in Tech Preview (ie. not recommended for production use) and will not be supported. Taxonomy will be production ready or GA in HDP 3.0 ... View more

Hi @Kyunam Kim, I am not sure of your full requirements, but why not use webhdfs through the knox gateway? It may make things much easier for you. https://knox.apache.org/books/knox-1-0-0/user-guide.html#WebHDFS Best regards, David ... View more

Hi @subbiram Padala, Not sure if this fits for your use case but I found this tutorial that may shed light on the process. https://hortonworks.com/hadoop-tutorial/searching-data-solr/ ... View more

Hi @V_A n, I think there is a problem with your configuration for HDP. It looks like it is failing on the code to get user roles from shiro.ini. /*** * Get user roles from shiro.ini for Zeppelin LdapRealm * @param r * @return */ public List<String> getRolesList(LdapRealm r) { List<String> roleList = new ArrayList<>(); Map<String, String> roles = r.getListRoles(); if (roles != null) { Iterator it = roles.entrySet().iterator(); while (it.hasNext()) { Map.Entry pair = (Map.Entry) it.next(); if (LOG.isDebugEnabled()) { LOG.debug("RoleKeyValue: " + pair.getKey() + " = " + pair.getValue()); } roleList.add((String) pair.getKey()); } } return roleList; } Please check the following has been done correctly for HDP. https://community.hortonworks.com/articles/105169/hdp-26-configuring-zeppelin-for-active-directory-u.html ... View more

Hi @ay mu, If you are on the newer releases of ranger you could just create a new ranger database in mysql and import the policies over using the import/export policy feature. https://cwiki.apache.org/confluence/display/RANGER/User+Guide+For+Import-Export ... View more

Hi @Karl Fredrickson Check this out. https://github.com/rajkrrsingh/HiveServer2JDBCSample/blob/master/src/main/java/HiveJDBCOverHTTP.java Hope it helps. ... View more

Hi @datta ningole, Here is an example how you would do this. https://github.com/HortonworksUniversity/Security_Labs/blob/master/HDP-2.6-AD.md#setup-ados-integration-via-sssd ... View more

Can you have multiple nested groups? Say you have some nested groups in ou=groups and ou=groups2 If you set the base to have ou=groups,dc=test,dc=com;ou=groups2,dc=test,dc=test,dc=com will it pick up the hierarchy levels for each ou? ... View more

This may not work depending on your version because of this bug https://issues.apache.org/jira/browse/RANGER-1554 Should be fixed in HDP 2.6.1. ... View more

Most likely something wrong with your load balancer configuration. Here is an example : http://knox.apache.org/books/knox-0-12-0/user-guide.html#High+Availability+with+Apache+HTTP+Server+++mod_proxy+++mod_proxy_balancer ... View more

Here it is working on my server. Maybe this may shed some light. [root@groot1 topologies]# curl -ivk -u dvillarreal 'https://localhost:8443/gateway/default/webhdfs/v1/zone_encr/?op=LISTSTATUS' Enter host password for user 'dvillarreal': * About to connect() to localhost port 8443 (#0) * Trying 127.0.0.1... connected * Connected to localhost (127.0.0.1) port 8443 (#0) * Initializing NSS with certpath: sql:/etc/pki/nssdb * warning: ignoring value of ssl.verifyhost * skipping SSL peer certificate verification * SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 * Server certificate: * subject: CN=groot1.openstacklocal,OU=Test,O=Hadoop,L=Test,ST=Test,C=US * start date: Apr 27 20:08:39 2017 GMT * expire date: Apr 27 20:08:39 2018 GMT * common name: groot1.openstacklocal * issuer: CN=groot1.openstacklocal,OU=Test,O=Hadoop,L=Test,ST=Test,C=US * Server auth using Basic with user 'dvillarreal' > GET /gateway/default/webhdfs/v1/zone_encr/?op=LISTSTATUS HTTP/1.1 > Authorization: Basic ZHZpbGxhcnJlYWw6aGFkb29wMTIzNDUh > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2 > Host: localhost:8443 > Accept: */* > < HTTP/1.1 200 OK HTTP/1.1 200 OK < Date: Thu, 11 May 2017 23:33:08 GMT Date: Thu, 11 May 2017 23:33:08 GMT < Set-Cookie: JSESSIONID=ayrhe6eilreq1egldq6hc6uu4;Path=/gateway/default;Secure;HttpOnly Set-Cookie: JSESSIONID=ayrhe6eilreq1egldq6hc6uu4;Path=/gateway/default;Secure;HttpOnly < Expires: Thu, 01 Jan 1970 00:00:00 GMT Expires: Thu, 01 Jan 1970 00:00:00 GMT < Set-Cookie: rememberMe=deleteMe; Path=/gateway/default; Max-Age=0; Expires=Wed, 10-May-2017 23:33:09 GMT Set-Cookie: rememberMe=deleteMe; Path=/gateway/default; Max-Age=0; Expires=Wed, 10-May-2017 23:33:09 GMT < Cache-Control: no-cache Cache-Control: no-cache < Expires: Thu, 11 May 2017 23:33:09 GMT Expires: Thu, 11 May 2017 23:33:09 GMT < Date: Thu, 11 May 2017 23:33:09 GMT Date: Thu, 11 May 2017 23:33:09 GMT < Pragma: no-cache Pragma: no-cache < Expires: Thu, 11 May 2017 23:33:09 GMT Expires: Thu, 11 May 2017 23:33:09 GMT < Date: Thu, 11 May 2017 23:33:09 GMT Date: Thu, 11 May 2017 23:33:09 GMT < Pragma: no-cache Pragma: no-cache < X-FRAME-OPTIONS: SAMEORIGIN X-FRAME-OPTIONS: SAMEORIGIN < Content-Type: application/json; charset=UTF-8 Content-Type: application/json; charset=UTF-8 < Server: Jetty(6.1.26.hwx) Server: Jetty(6.1.26.hwx) < Content-Length: 1419 Content-Length: 1419 < {"FileStatuses":{"FileStatus":[{"accessTime":0,"blockSize":0,"childrenNum":0,"encBit":true,"fileId":37375,"group":"hdfs","length":0,"modificationTime":1494457290326,"owner":"hdfs","pathSuffix":".Trash","permission":"1777","replication":0,"storagePolicy":0,"type":"DIRECTORY"},{"accessTime":1494520647770,"blockSize":134217728,"childrenNum":0,"encBit":true,"fileId":38869,"group":"hdfs","length":0,"modificationTime":1494520647770,"owner":"dvillarreal","pathSuffix":"Screen Shot 2017-04-28 at 3.40.25 PM.png","permission":"644","replication":3,"storagePolicy":0,"type":"FILE"},{"accessTime":1494521001429,"blockSize":134217728,"childrenNum":0,"encBit":true,"fileId":38879,"group":"hdfs","length":52624,"modificationTime":1494521002174,"owner":"dvillarreal","pathSuffix":"Screen Shot 2017-04-28 at 3.43.55 PM.png","permission":"644","replication":3,"storagePolicy":0,"type":"FILE"},{"accessTime":1494519148636,"blockSize":134217728,"childrenNum":0,"encBit":true,"fileId":38834,"group":"hdfs","length":0,"modificationTime":1494* Connection #0 to host localhost left intact * Closing connection #0 519148636,"owner":"dvillarreal","pathSuffix":"mag7.jpg","permission":"644","replication":3,"storagePolicy":0,"type":"FILE"},{"accessTime":1494457615918,"blockSize":134217728,"childrenNum":0,"encBit":true,"fileId":37384,"group":"hdfs","length":28,"modificationTime":1494457616450,"owner":"dvillarreal","pathSuffix":"test.txt","permission":"644","replication":3,"storagePolicy":0,"type":"FILE [root@groot1 topologies]# curl -ivLk -u dvillarreal 'https://localhost:8443/gateway/default/webhdfs/v1/zone_encr/test.txt?op=OPEN' Enter host password for user 'dvillarreal': * About to connect() to localhost port 8443 (#0) * Trying 127.0.0.1... connected * Connected to localhost (127.0.0.1) port 8443 (#0) * Initializing NSS with certpath: sql:/etc/pki/nssdb * warning: ignoring value of ssl.verifyhost * skipping SSL peer certificate verification * SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 * Server certificate: * subject: CN=groot1.openstacklocal,OU=Test,O=Hadoop,L=Test,ST=Test,C=US * start date: Apr 27 20:08:39 2017 GMT * expire date: Apr 27 20:08:39 2018 GMT * common name: groot1.openstacklocal * issuer: CN=groot1.openstacklocal,OU=Test,O=Hadoop,L=Test,ST=Test,C=US * Server auth using Basic with user 'dvillarreal' > GET /gateway/default/webhdfs/v1/zone_encr/test.txt?op=OPEN HTTP/1.1 > Authorization: Basic ZHZpbGxhcnJlYWw6aGFkb29wMTIzNDUh > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2 > Host: localhost:8443 > Accept: */* > < HTTP/1.1 307 Temporary Redirect HTTP/1.1 307 Temporary Redirect < Date: Thu, 11 May 2017 23:33:53 GMT Date: Thu, 11 May 2017 23:33:53 GMT < Set-Cookie: JSESSIONID=cmi3xz9vz22aztv01vy60fje;Path=/gateway/default;Secure;HttpOnly Set-Cookie: JSESSIONID=cmi3xz9vz22aztv01vy60fje;Path=/gateway/default;Secure;HttpOnly < Expires: Thu, 01 Jan 1970 00:00:00 GMT Expires: Thu, 01 Jan 1970 00:00:00 GMT < Set-Cookie: rememberMe=deleteMe; Path=/gateway/default; Max-Age=0; Expires=Wed, 10-May-2017 23:33:54 GMT Set-Cookie: rememberMe=deleteMe; Path=/gateway/default; Max-Age=0; Expires=Wed, 10-May-2017 23:33:54 GMT < Cache-Control: no-cache Cache-Control: no-cache < Expires: Thu, 11 May 2017 23:33:54 GMT Expires: Thu, 11 May 2017 23:33:54 GMT < Date: Thu, 11 May 2017 23:33:54 GMT Date: Thu, 11 May 2017 23:33:54 GMT < Pragma: no-cache Pragma: no-cache < Expires: Thu, 11 May 2017 23:33:54 GMT Expires: Thu, 11 May 2017 23:33:54 GMT < Date: Thu, 11 May 2017 23:33:54 GMT Date: Thu, 11 May 2017 23:33:54 GMT < Pragma: no-cache Pragma: no-cache < X-FRAME-OPTIONS: SAMEORIGIN X-FRAME-OPTIONS: SAMEORIGIN < Content-Type: application/octet-stream Content-Type: application/octet-stream < Location: https://localhost:8443/gateway/default/webhdfs/data/v1/webhdfs/v1/zone_encr/test.txt?_=AAAACAAAABAAAAEQGeIZcVX_mUa9HOTHUCBIZ7b_iNiz924O7UBVlI3ZPZeYbhzO8LW0SVhKlX3zUvhuykF7TisStFefLuYdHNSYIOmsoeB3MPAoVIGUvnTHmlEBko2aDm6r7OvYm0Ytkk4WhS5Xtn-TSWPt5OGYsa-trOUi2OyTY5lkGw0Iy-iKrlSV_svcO_0hX53C73NnCCMBJYVV8NiCHUX0qpv7IzcYZGCS2wyiuwwNnhPexTUpJcCZhT40MjMCCDauex_uaUdgYHPZKFH1BzFtIJKWYUbGKe_KiB4goWEyVqF2NHj0R58-jLcYewuPClbmquX3A8VHt9O2YSw-_WWtb_nIsTx1HMYFC5iPajfqsk9FKxtSTBtpP0dkhrjBnWfa15chNgfrZIaZ5cr5Er4 Location: https://localhost:8443/gateway/default/webhdfs/data/v1/webhdfs/v1/zone_encr/test.txt?_=AAAACAAAABAAAAEQGeIZcVX_mUa9HOTHUCBIZ7b_iNiz924O7UBVlI3ZPZeYbhzO8LW0SVhKlX3zUvhuykF7TisStFefLuYdHNSYIOmsoeB3MPAoVIGUvnTHmlEBko2aDm6r7OvYm0Ytkk4WhS5Xtn-TSWPt5OGYsa-trOUi2OyTY5lkGw0Iy-iKrlSV_svcO_0hX53C73NnCCMBJYVV8NiCHUX0qpv7IzcYZGCS2wyiuwwNnhPexTUpJcCZhT40MjMCCDauex_uaUdgYHPZKFH1BzFtIJKWYUbGKe_KiB4goWEyVqF2NHj0R58-jLcYewuPClbmquX3A8VHt9O2YSw-_WWtb_nIsTx1HMYFC5iPajfqsk9FKxtSTBtpP0dkhrjBnWfa15chNgfrZIaZ5cr5Er4 < Server: Jetty(6.1.26.hwx) Server: Jetty(6.1.26.hwx) < Content-Length: 0 Content-Length: 0 < * Connection #0 to host localhost left intact * Issue another request to this URL: 'https://localhost:8443/gateway/default/webhdfs/data/v1/webhdfs/v1/zone_encr/test.txt?_=AAAACAAAABAAAAEQGeIZcVX_mUa9HOTHUCBIZ7b_iNiz924O7UBVlI3ZPZeYbhzO8LW0SVhKlX3zUvhuykF7TisStFefLuYdHNSYIOmsoeB3MPAoVIGUvnTHmlEBko2aDm6r7OvYm0Ytkk4WhS5Xtn-TSWPt5OGYsa-trOUi2OyTY5lkGw0Iy-iKrlSV_svcO_0hX53C73NnCCMBJYVV8NiCHUX0qpv7IzcYZGCS2wyiuwwNnhPexTUpJcCZhT40MjMCCDauex_uaUdgYHPZKFH1BzFtIJKWYUbGKe_KiB4goWEyVqF2NHj0R58-jLcYewuPClbmquX3A8VHt9O2YSw-_WWtb_nIsTx1HMYFC5iPajfqsk9FKxtSTBtpP0dkhrjBnWfa15chNgfrZIaZ5cr5Er4' * Re-using existing connection! (#0) with host localhost * Connected to localhost (127.0.0.1) port 8443 (#0) * Server auth using Basic with user 'dvillarreal' > GET /gateway/default/webhdfs/data/v1/webhdfs/v1/zone_encr/test.txt?_=AAAACAAAABAAAAEQGeIZcVX_mUa9HOTHUCBIZ7b_iNiz924O7UBVlI3ZPZeYbhzO8LW0SVhKlX3zUvhuykF7TisStFefLuYdHNSYIOmsoeB3MPAoVIGUvnTHmlEBko2aDm6r7OvYm0Ytkk4WhS5Xtn-TSWPt5OGYsa-trOUi2OyTY5lkGw0Iy-iKrlSV_svcO_0hX53C73NnCCMBJYVV8NiCHUX0qpv7IzcYZGCS2wyiuwwNnhPexTUpJcCZhT40MjMCCDauex_uaUdgYHPZKFH1BzFtIJKWYUbGKe_KiB4goWEyVqF2NHj0R58-jLcYewuPClbmquX3A8VHt9O2YSw-_WWtb_nIsTx1HMYFC5iPajfqsk9FKxtSTBtpP0dkhrjBnWfa15chNgfrZIaZ5cr5Er4 HTTP/1.1 > Authorization: Basic ZHZpbGxhcnJlYWw6aGFkb29wMTIzNDUh > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2 > Host: localhost:8443 > Accept: */* > < HTTP/1.1 200 OK HTTP/1.1 200 OK < Date: Thu, 11 May 2017 23:33:54 GMT Date: Thu, 11 May 2017 23:33:54 GMT < Set-Cookie: JSESSIONID=vhf31ukoxmintdfe2h5ekg2y;Path=/gateway/default;Secure;HttpOnly Set-Cookie: JSESSIONID=vhf31ukoxmintdfe2h5ekg2y;Path=/gateway/default;Secure;HttpOnly < Expires: Thu, 01 Jan 1970 00:00:00 GMT Expires: Thu, 01 Jan 1970 00:00:00 GMT < Set-Cookie: rememberMe=deleteMe; Path=/gateway/default; Max-Age=0; Expires=Wed, 10-May-2017 23:33:54 GMT Set-Cookie: rememberMe=deleteMe; Path=/gateway/default; Max-Age=0; Expires=Wed, 10-May-2017 23:33:54 GMT < Access-Control-Allow-Methods: GET Access-Control-Allow-Methods: GET < Access-Control-Allow-Origin: * Access-Control-Allow-Origin: * < Content-Type: application/octet-stream Content-Type: application/octet-stream < Connection: close Connection: close < Server: Jetty(9.2.15.v20160210) Server: Jetty(9.2.15.v20160210) < This is a test for enc zone * Closing connection #0 ... View more

Maybe I am not understanding the scenario completely but I don't think this is possible. ... View more

One issue with this is that if you upgrade your version of Java in the future it may overwrite your cacerts file. Best practice would be to put in a separate location. Forexample, /etc/ssl/ranger/trust.jks, etc. ... View more

Have you tried the following method? Then import subsequent certificates using option 5 with different aliases. https://docs.hortonworks.com/HDPDocuments/Ambari-2.1.2.0/bk_Ambari_Security_Guide/content/_set_up_truststore_for_ambari_server.html ... View more

Each service has its own default service account that ambari will create and these service can belong to hadoop group. You can customize these if needed. https://docs.hortonworks.com/HDPDocuments/Ambari-2.5.0.3/bk_ambari-administration/content/defining_service_users_and_groups_for_a_hdp_2x_stack.html Is ec2-user the user account that ambari service runs as? Maybe that is what you did? ... View more