About ben_grant

ben_grant · ‎02-08-2018

we ended up just dropping the cluster, deploying Ranger & Ranger usersync, then enabling Kerberos. works perfect if you deploy ranger first.

ben_grant · ‎01-31-2018

is there a way to change the usersync account so that it uses just username/password instead of Kerberos?

ben_grant · ‎01-31-2018

cworkhdfnew-folderusersync-issue2.zip I believe I enabled correctly & restarted. when I check the log files I don't see any extra Kerberos information.

ben_grant · ‎01-31-2018

I see how to enable DEBUG for Ranger admin, but not certain where you're talking about enabling for Kerberos. https://community.hortonworks.com/content/supportkb/49445/how-to-enable-debug-logging-for-ranger-admin.html cworkhdfcore-site.xml

ben_grant · ‎01-31-2018

yes, there is a core-site.xml under /etc/ranger/admin/conf. There are errors in my xa_portal.log. I will attach a .zip with the core-site.xml and xa_portal.log. This is HDF not HDP but the Ranger distro is the same between the builds. HDF 3.0.1 cworkhdfissue.zip

ben_grant · ‎01-31-2018

yes. here is the full error I'm seeing com.sun.jersey.api.client.UniformInterfaceException: GET http://fit-d-selgsv-21.sentry.com:6080/service/xusers/groups/?pageSize=1000&startIndex=0 returned a response status of 401 Unauthorized at com.sun.jersey.api.client.WebResource.handle(WebResource.java:686) at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74) at com.sun.jersey.api.client.WebResource$Builder.get(WebResource.java:507) at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.buildGroupList(PolicyMgrUserGroupBuilder.java:429) at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.access$000(PolicyMgrUserGroupBuilder.java:72) at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder$1.run(PolicyMgrUserGroupBuilder.java:180) at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder$1.run(PolicyMgrUserGroupBuilder.java:176) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAs(Subject.java:360) at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.buildUserGroupInfo(PolicyMgrUserGroupBuilder.java:176) at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.init(PolicyMgrUserGroupBuilder.java:163) at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:51) at java.lang.Thread.run(Thread.java:745) when I look in the ranger database, I see the following users: Admin, rangerusersync, keyadmin, rangertagsync. So the rangerusersync user exists.

ben_grant · ‎01-31-2018

yes, kerberos is enabled. I see a rangerusersync.service.keytab, rangeradmin.service.keytab, and rangerlookup.service.keytab in /etc/security/keytabs all owned by ranger

ben_grant · ‎01-31-2018

having trouble with Ranger usersync from Active Directory. Just trying ldap, not ldaps at the moment. I can see in the usersync.log that it connect to my AD server & finds the users and groups I have set in my filters. When it goes to try to push these into Ranger, I'm getting com.sun.jersey.api.client.UniformInterfaceException: GET http://fit-d-selgsv-21.sentry.com:6080/service/xusers/groups/?pageSize=1000&startIndex=0 returned a response status of 401 Unauthorized It looks like the usersync can't push to Ranger.

Online	Offline
Last Visited	‎04-02-2018 06:37 PM

Member Since	‎01-17-2018 08:24 PM
Last Visited	‎04-02-2018 06:37 PM
Posts	10

Cloudera Community

Re: Ranger usersync 401 unauthorized

Re: Ranger usersync 401 unauthorized

Re: Ranger usersync 401 unauthorized

Re: Ranger usersync 401 unauthorized

Re: Ranger usersync 401 unauthorized

Re: Ranger usersync 401 unauthorized

Re: Ranger usersync 401 unauthorized

Re: Ranger usersync 401 unauthorized

Ranger usersync 401 unauthorized