04-02-2018 06:37 PM
I don't see any errors in /var/log/ranger/admin/xa_portal.log when I restart Kafka & recreate the error. Am I looking in the wrong spot? I've tried setting it from info to debug per https://community.hortonworks.com/content/supportkb/49445/how-to-enable-debug-logging-for-ranger-admin.html and still don't see anything logged here when I recreate the problem.
04-02-2018 02:11 PM
Having an error after enabling Kerberos on HDF stack. Enabled Kafka Ranger plugin and restarted Kafka. Getting messages below. When I check the path, it looks like the client Kerberos cc file is created with kafka:hadoop permissions & I can use klist to check that it appears valid. It looks like this is an issue with the Ranger UI site not accepting the Kerberos TGT.
2018-04-02 08:55:36,133 - Repository creation failed
2018-04-02 08:56:06,160 - checked_call['/usr/bin/kinit -c /var/lib/ambari-agent/tmp/curl_krb_cache/ranger_admin_calls_kafka_cc_12337536370f7a202550f5ffcbb478eb -kt /etc/security/keytabs/kafka.service.keytab kafka/sho-t-sdapap-01.sentry.com@SENTRY.COM > /dev/null'] {'user': 'kafka'}
2018-04-02 08:56:06,254 - checked_call returned (0, '')
2018-04-02 08:56:06,255 - call['ambari-sudo.sh su kafka -l -s /bin/bash -c 'curl --location-trusted -k --negotiate -u : -b /var/lib/ambari-agent/tmp/cookies/e3590509-62a8-4d79-8e34-e63d4e8dd705 -c /var/lib/ambari-agent/tmp/cookies/e3590509-62a8-4d79-8e34-e63d4e8dd705 '"'"'http://sho-t-sdapap-01.sentry.com:6080/service/public/v2/api/service?serviceName=test_kafka&serviceType=kafka&isEnabled=true'"'"' --connect-timeout 10 --max-time 12 -X GET 1>/tmp/tmpKpySPR 2>/tmp/tmpCu42_h''] {'quiet': False, 'env': {'KRB5CCNAME': '/var/lib/ambari-agent/tmp/curl_krb_cache/ranger_admin_calls_kafka_cc_12337536370f7a202550f5ffcbb478eb'}}
2018-04-02 08:56:06,350 - call returned (0, '')
2018-04-02 08:56:06,351 - call['/usr/bin/klist -s /var/lib/ambari-agent/tmp/curl_krb_cache/ranger_admin_calls_kafka_cc_12337536370f7a202550f5ffcbb478eb'] {'user': 'kafka'}
2018-04-02 08:56:06,427 - call returned (0, '')
2018-04-02 08:56:06,429 - call['ambari-sudo.sh su kafka -l -s /bin/bash -c 'curl --location-trusted -k --negotiate -u : -b /var/lib/ambari-agent/tmp/cookies/03e5f985-e8d9-4137-b64a-35ad4ad2e90b -c /var/lib/ambari-agent/tmp/cookies/03e5f985-e8d9-4137-b64a-35ad4ad2e90b http://sho-t-sdapap-01.sentry.com:6080/service/public/v2/api/service --connect-timeout 10 --max-time 12 -H '"'"'Content-Type: application/json'"'"' -X POST -d '"'"'{"assetType": "1", "name": "test_kafka", "repositoryType": "kafka", "configs": {"username": "admin", "tag.download.auth.users": "kafka", "ambari.service.check.user": "ambari-qa", "policy.download.auth.users": "kafka", "zookeeper.connect": "sho-t-sdapap-01.sentry.com:2181,sho-t-sdapap-02.sentry.com:2181,sho-t-sdapap-03.sentry.com:2181", "password": "x7KsV487fs8aQdN7", "commonNameForCertificate": ""}, "type": "kafka", "isEnabled": "true", "description": "kafka repo"}'"'"' 1>/tmp/tmpSUfkfC 2>/tmp/tmpwMO3Z6''] {'quiet': False, 'env': {'KRB5CCNAME': '/var/lib/ambari-agent/tmp/curl_krb_cache/ranger_admin_calls_kafka_cc_12337536370f7a202550f5ffcbb478eb'}}
2018-04-02 08:56:06,517 - call returned (0, '')
2018-04-02 08:56:06,518 - Repository creation failed
Labels: Apache Ranger
02-08-2018 06:17 PM
We ended up just dropping the cluster, deploying Ranger & Ranger usersync, then enabling Kerberos. Works perfectly if you deploy Ranger first.
01-31-2018 07:41 PM
Is there a way to change the usersync account so that it uses just username/password instead of Kerberos?
01-31-2018 07:04 PM
cworkhdfnew-folderusersync-issue2.zip
I believe I enabled it correctly & restarted. When I check the log files I don't see any extra Kerberos information.
01-31-2018 06:09 PM
I see how to enable DEBUG for Ranger admin, but I'm not certain where you're talking about enabling it for Kerberos. https://community.hortonworks.com/content/supportkb/49445/how-to-enable-debug-logging-for-ranger-admin.html
cworkhdfcore-site.xml
01-31-2018 05:39 PM
Yes, there is a core-site.xml under /etc/ranger/admin/conf. There are errors in my xa_portal.log. I will attach a .zip with the core-site.xml and xa_portal.log. This is HDF, not HDP, but the Ranger distro is the same between the builds. HDF 3.0.1
cworkhdfissue.zip
01-31-2018 05:08 PM
Yes. Here is the full error I'm seeing:
com.sun.jersey.api.client.UniformInterfaceException: GET http://fit-d-selgsv-21.sentry.com:6080/service/xusers/groups/?pageSize=1000&startIndex=0 returned a response status of 401 Unauthorized
    at com.sun.jersey.api.client.WebResource.handle(WebResource.java:686)
    at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)
    at com.sun.jersey.api.client.WebResource$Builder.get(WebResource.java:507)
    at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.buildGroupList(PolicyMgrUserGroupBuilder.java:429)
    at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.access$000(PolicyMgrUserGroupBuilder.java:72)
    at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder$1.run(PolicyMgrUserGroupBuilder.java:180)
    at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder$1.run(PolicyMgrUserGroupBuilder.java:176)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:360)
    at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.buildUserGroupInfo(PolicyMgrUserGroupBuilder.java:176)
    at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.init(PolicyMgrUserGroupBuilder.java:163)
    at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:51)
    at java.lang.Thread.run(Thread.java:745)
When I look in the Ranger database, I see the following users: Admin, rangerusersync, keyadmin, rangertagsync. So the rangerusersync user exists.
01-31-2018 03:09 PM
Yes, Kerberos is enabled. I see a rangerusersync.service.keytab, rangeradmin.service.keytab, and rangerlookup.service.keytab in /etc/security/keytabs, all owned by ranger.
01-31-2018 01:59 PM
Having trouble with Ranger usersync from Active Directory. Just trying ldap, not ldaps, at the moment. I can see in the usersync.log that it connects to my AD server & finds the users and groups I have set in my filters. When it goes to try to push these into Ranger, I'm getting:
com.sun.jersey.api.client.UniformInterfaceException: GET http://fit-d-selgsv-21.sentry.com:6080/service/xusers/groups/?pageSize=1000&startIndex=0 returned a response status of 401 Unauthorized
It looks like the usersync can't push to Ranger.
Labels: Apache Ranger