About pbhagade

pbhagade · ‎01-20-2022

If SSL is enabled on the cluster, make sure you import Namenode cert or RootCA certificate in Ambari Truststore

pbhagade · ‎01-20-2022

Did u see these alerts once you enabled SSL in the cluster?

pbhagade · ‎12-01-2021

Increase Solr Heap and restart the service, See if it fixes the issue

pbhagade · ‎12-01-2021

HI @mike_bronson7 , Please go through the link https://www.youtube.com/watch?v=GjswCzMaW9k Let us know if you have any concerns.

pbhagade · ‎12-01-2021

Currently, there is no such authentication feature for Ranger and Atlas.

pbhagade · ‎11-29-2021

Yes, you need to add one user at a time, You cannot add multiple users in a single JSON file.

pbhagade · ‎08-20-2019

Hi, We don't share personal information like contacts, As you are facing Ambari Server issue and Agents issue is resolved, Please open a new question for Ambari Server, Also, check the Ambari Server logs you see some exceptions, attach those exceptions.

pbhagade · ‎08-20-2019

kill the process which is using port 8670 netstat -tulpn | grep 8670 kill -9 <process pid>

pbhagade · ‎08-20-2019

Use below cmds, PID means pid of the process. kill12998 kill 23758 Restart ambari agent

pbhagade · ‎08-20-2019

Hi @Manoj690 , Try to find the ambari agent pid and kill is manually. Below cmds will usefull # ps aux | grep main.py | grep -v grep # kill PID Once the process is killed then you can start the agent. Please accept the answer once issue resolved.

pbhagade · ‎02-21-2019

Hi, Please share your topology file.

pbhagade · ‎02-21-2019

Hi @rajendra, Disabling Spnego for Ambari Infra will affect Atlas Startup from Ambari UI. Because Atlas runs curl cmd over Infra using --negotiate option and doesn't get expected output, startup fails. Do kinit with admin user and try to check. or try setting up [domain_realm] in krb5.conf of infra server

pbhagade · ‎12-08-2018

Please share the correct cmd to avoid confusion. Please use below cmd: keytool -v -importkeystore -srckeystore eneCert.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS Earlier you were passing incorrect deststoretype and no need of -alias this cmd. or try below. keytool -importkeystore -srckeystore [MY_FILE.p12] -srcstoretype pkcs12 -srcalias [ALIAS_SRC] -destkeystore [MY_KEYSTORE.jks] -deststoretype jks -deststorepass [PASSWORD_JKS] -destalias [ALIAS_DEST]

pbhagade · ‎12-07-2018

Which doc you followed to configure HDFS SSL? Regarding other error, You should see something like below when you hit the cmd. I java used by the keytool cmd. [root@alpha ~]# /usr/jdk64/jdk1.8.0_112/bin/keytool -genkey -keyalg RSA -alias rangerHdfsAgent -keystore ranger-plugin-keystore.jks -storepass myKeyFilePassword -validity 360 -keysize 2048 What is your first and last name? [Unknown]: What is the name of your organizational unit? [Unknown]: What is the name of your organization? [Unknown]: What is the name of your City or Locality? [Unknown]: What is the name of your State or Province? [Unknown]: What is the two-letter country code for this unit? [Unknown]: Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct? [no]:

pbhagade · ‎12-06-2018

Hi @Harish More , I see you have two issues here. As, you mentioned RM UI is not reachable, is it just RM UI is not accessible? Can u access HDFS UI? Do you see any exceptions in RM logs? Regarding policy sync. Once you enabled Ranger SSL, did you configured Ranger Plugin SSL for each components for which you have enabled plugin. Like example for HDFS: Configuring the Ranger HDFS Plugin for SSL

pbhagade · ‎12-06-2018

Hi @Sajesh PP Currently, I see a hadoop_logs collection which logsearch uses is in down state and not recovering, due to which leader is not assigned to the collection. For fix this issue, you can drop the collection. If cluster is kerberized follow below step: kinit with ambari-infra keytab # curl -i -v --negotiate -u : "http://<SOLR_HOST>:8886/solr/admin/collections?action=DELETE&name=hadoop_logs" Restart LogSearch, which will create hadoop_logs. If the cluster is Non-Kerberos just normal url in a browser that will also work. Same method, can be used for other collections, if they are in DOWN state. You can access Solr UI -> Cloud -> check the status of collections

pbhagade · ‎01-20-2018

Please below article for Self Signed: Ranger Admin SSL Self Signed Ranger Admin CA Signed

pbhagade · ‎01-19-2018

I have hostname mentioned in SAN field, still, the service is not coming up.

pbhagade · ‎01-19-2018

Issue with Ranger Admin SSL with Internal CA with SAN entries where CN is not FQDN of ranger host, SAN entry contains Ranger Admin host entry. Ranger Admin is stuck at. 2018-01-19 05:05:15,951 [alpha1.openstacklocal-startStop-1] DEBUG org.apache.ranger.biz.ServiceDBStore (ServiceDBStore.java:341) - <== ServiceDefDBStore.initStore() 2018-01-19 05:05:16,244 [alpha1.openstacklocal-startStop-1] DEBUG apache.ranger.security.web.authentication.RangerAuthenticationEntryPoint (RangerAuthenticationEntryPoint.java:66) - AjaxAwareAuthenticationEntryPoint(): constructor 2018-01-19 05:05:16,350 [alpha1.openstacklocal-startStop-1] INFO apache.ranger.security.web.filter.RangerCSRFPreventionFilter (RangerCSRFPreventionFilter.java:81) - Adding cross-site request forgery (CSRF) protection So, For Ranger Admin is it necessary to have CN as FQDN of Ranger admin host. SAN entry's are check first than CN entry right?

pbhagade · ‎01-19-2018

Hello, is cluster kerberised? Do you want use Self signed or CA signed? In Non-Kerberos, Ranger SSL with CA-signed will have two way SSL. # while creating the client certs, make sure you provide extension as "usr_cert" and server cert as "server_cert", other wise 2 WAY SSL communication would fail

pbhagade · ‎01-06-2018

Is it possible to share the ldapsearch output for a specific user you're trying to access webhdfs. or use main.ldapRealm.userSearchBase=OU=Domain Users & Groups,DC=ragaca,DC=com and let me know if it works

pbhagade · ‎01-06-2018

can you correct the user search base seems to be incorrect. Refer : Using Apache Knox with ActiveDirector <param> <name>main.ldapRealm.userSearchBase</name> <value>Users,OU=Domain Users & Groups,DC=ragaca,DC=com</value> </param>

pbhagade · ‎11-10-2017

Hi All, I have HDP 2.6.3, Amabri 2.6.0, SS 1.4.3.2.6.0.0-267. Fresh installation. Getting errors. HDFS Dashboard : ERROR 1012 (42M03): Table undefined. tableName=ACTIVITY.HDFS_USER_FILE_SUMMARY  MapReduce & Tez Dashboard : ERROR 1012 (42M03): Table undefined. tableName=ACTIVITY.JOB  YARN Dashboard : ERROR 1012 (42M03): Table undefined. tableName=ACTIVITY.YARN_APPLICATION

pbhagade · ‎11-10-2017

Hi, According to log: <name>knoxsso.redirect.whitelist.regex</name> <value>^https?:\/\/(localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*{replace0}lt;/value> make sure have correct knoxsso.redirect.whitelist.regex. Description: A semicolon-separated list of regex expressions. The incoming originalUrl must match one of the expressions in order for KnoxSSO to redirect to it after authentication. The default allows only relative paths and localhost with or without SSL for development usecases. This needs to be opened up for production use and actual participating applications. Note that cookie use is still constrained to redirect destinations in the same domain as the KnoxSSO service - regardless of the expressions specified here. NOTE: LDAP Authentication for Ambari must be enabled for Knox SSO. The LDAP server needs to be sync’d into the Ambari truststore. Ex: <param> <name>knoxsso.redirect.whitelist.regex</name> <value>^https?:\/\/(node1\.openstacklocal|172\.26\.113\.193|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value> </param>

pbhagade · ‎11-08-2017

audit events are caused due to ambari alert for checking Resource Manager UI status. So, disabling Ambari Alert for Resource Manger UI will resolve the issue. or reduce the frequency of these audit events, increase the "Resource Manager web UI" alert to a higher value

pbhagade · ‎11-05-2017

Hi @GN_Exp Knox SSO providing WebSSO capabilities to the Hadoop cluster. For now, HDP supports SSO for Ambari, Ranger, Atas. Means when you login into Ambari using Knox credentials, you can login into Ranger UI an Atlas UI without credentials on Web Console. In Next major release we will be supporting All components for SSO, probably in HDP 3.0. https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.2/bk_security/content/knox_sso.html Please let me know if you require any more info on Knox SSO.

pbhagade · ‎11-05-2017

Hi @Pit Err, are you managing your admin topology by Ambari UI? In knox service repo, we configured the service url as "https://pravin1.openstacklocal:8443/gateway/admin/api/v1/topologies" Which is an admin topology explicitly used to list the topology names in Knox. And authentication for this usually is configured for LDAP, which you can verify from admin topology like below. === <provider> <role>authentication</role> <name>ShiroProvider</name> <enabled>true</enabled> <param> === So authentication credentials should be set based on admin topology "authentication" module in admin.xml (or from ambari Advanced admin-topology). Also : URL doesn't seem correct to me. https://hdphost03.mydomain.local@MYDOMAIN.LOCAL/gateway/admin/api/v1/topologies, responseStatus: 401 Please check the knox.url * in the service repo . Also, are you using Ranger Acl for KNOX? One more thing, Ranger Test Connection is an additional feature to test. To confirm ranger acl are working properly for knox you need to check access logs of Ranger. If you want to use "rangerlookup" for Ranger KNOX plugin. You need to specify accordingly. Lookup is handled by the user which is configured in the Service Repository in Ranger UI, Also check that user has the policy to do the hive query. It has to be hadoop user for the user to get authorized. In secure cluster it has to be principal with password from kdc i.e. hive@EXAMPLE.COM or in your case rangerlookup Prepare Ranger Lookup

pbhagade · ‎10-18-2017

HDP 2.6.1 I have enabled Ranger Security for yarn policy using below steps: Configure YARN to use only Ranger ACLs (i.e ignore YARN ACLs) Ambari > YARN > Custom ranger-yarn-security > add below property and restart YARN ranger.add-yarn-authorization = false I have tested to scenarios: Scenario I: yarn.acl.enable = true ranger.add-yarn-authorization = false -->Only Ranger ACL are applied Scenario II: yarn.acl.enable = false ranger.add-yarn-authorization=false -->Both YARN Acl & Ranger ACL are invalid when we set yarn.acl.enable = false, yarn acl and ranger acl are invalid(lose efficiency).I don't know why.

pbhagade · ‎10-11-2017

Hi @skothari, From where do we get -srcalias <src-alias> from Step 3 ?

pbhagade · ‎10-05-2017

Cloudbreak contains mini KNOX which is not managed by Ambari. Below are the steps to replace Self Signed Certificate with CA Signed Certificates Step 1: Remove below two entries from /usr/hdp/current/knox-server/conf/gateway-site.xml and save it. <property> <name>gateway.signing.keystore.name</name> <value>signing.jks</value> </property> <property> <name>gateway.signing.key.alias</name> <value>signing-identity</value> </property> Step 2: Take a backup of original configuration: [~]$ cd /usr/hdp/current/knox-server/data/security/keystores/ [~]$ mkdir backup [~]$ mv __gateway-credentials.jceks gateway.jks backup/ Step 3: Create a keystore in PKCS12 format from your private key file, certificate, Intermediate certificate and root certificate [~]$ openssl pkcs12 -export -out corp_cert_chain.pfx -inkey <private-key>.key -in <cert.cer> -certfile <root_intermediate>.cer -certfile <root_ca>.cer Step 4: Regenerate Master Key. Use the same password for master key and keystore. # rm -rf /usr/hdp/current/knox-server/data/security/master # ls -l /usr/hdp/current/knox-server/data/security/master # /usr/hdp/current/knox-server/bin/knoxcli.sh create-master Step 5: Generate Knox keystore [~]$ cp corp_cert_chain.pfx /usr/hdp/current/knox-server/data/security/keystores/ [~]$ cd /usr/hdp/current/knox-server/data/security/keystores/ [~]$ keytool -importkeystore -srckeystore corp_cert_chain.pfx -srcstoretype pkcs12 -destkeystore gateway.jks -deststoretype jks -srcstorepass <src-keystore-password> -deststorepass <knox-master-secret> -destkeypass <knox-master-secret> Step 6: Replace the alias of keystore keytool -changealias -alias "1" -destalias "gateway-identity" -keypass keypass -keystore gateway.jks-storepass storepass Step 7: Store the keystore password in jceks file [~]$ /usr/hdp/current/knox-server/bin/knoxcli.sh create-alias gateway-identity-passphrase --value <knox-master-secret> Step 8: Restart Knox, you should see the below-highlighted lines in your knox logs [~]$ tail –f /var/log/knox/gateway.log

Online	Offline
Last Visited	‎04-06-2022 06:29 AM

Date Registered	‎05-22-2017 08:41 AM
Last Visited	‎04-06-2022 06:29 AM
Total Messages Posted	56
Total Kudos Received	12

Re: Add Users to Ranger via RESTAPI

Re: Ambari-infra solr failed

Re: Not able to upload a simple file using Ambari ...

Re: Connection failed on HIVE server

Re: Ranger: Error running solr query

Re: Ranger KMS + why files that copy to encrypted ...

Re: Apache Ranger and Atlas

Re: Add Users to Ranger via RESTAPI

Re: ambari server not running

Re: ambari agent not running

Re: ambari agent not running

Re: ambari agent not running

Re: Knox setup error in authentication

Re: Error 403 Unauthorized request in Solr Admin U...

Re: After Enabling Ranger with SSL, YARN & HDFS ar...

Re: After Enabling Ranger with SSL, YARN & HDFS ar...

Re: After Enabling Ranger with SSL, YARN & HDFS ar...

Re: Ambari-infra solr failed

Re: Enabling SSL for Ranger Admin UI :

Re: Issue with Ranger Admin SSL with Internal CA ...

Issue with Ranger Admin SSL with Internal CA with...

Re: Enabling SSL for Ranger Admin UI :

Re: Knox Response status: 401

Re: Knox Response status: 401

SmartSense error while accessing HDFS/Yarn/MR dash...

Re: Configuration knox with active directory does ...

Re: HTTP user audits in ranger

Re: Please help me understand how Knoxsso setup wo...

Re: KNOX - Kerberos authentication in admin topolo...

Want to enable Ranger Security for Yarn Policy

Re: Replace Knox self-signed certificate with CA c...

Replace Cloudbreak Mini Knox self-signed certifica...