Member since 09-03-2017 | 55 Posts | 0 Kudos Received | 0 Solutions
06-10-2020 09:00 AM
Hi all,

WARN org.apache.hadoop.security.LdapGroupsMapping: Failed to get groups for user impala (retry=1) by javax.naming.CommunicationException: simple bind failed: ad.corporate:<port> [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

We are seeing the above error message with the Sentry Service on Cloudera 5.14 after applying new root and intermediate certificates. The error message clearly says that a certificate is missing. But to find out which certificate is missing, debug the issue for the Java application as below.

To debug the issue, we added "-Djavax.net.debug=ssl" to Sentry under the Java Options configuration and examined the Sentry stdout.log from the CM UI after the restart of the affected services. The stdout.log says that a certificate is missing. Therefore we need to import the required certificate into the truststore appropriately or use the latest version of the truststore. Try to keep this flag until the issue is resolved.

Hope this helps someone.

Thanks, PR
04-18-2018 09:31 AM
@JZ Can you please suggest - as per https://community.hortonworks.com/questions/167502/nifi-ssl-unable-to-find-valid-certification-path-t.html
11-17-2017 07:32 AM
I found the solution. The issue is fixed now.

In my case, one of the LDAP usernames is 'dvteam', but in the LDAP database the full description of the username was 'architecture dev team, locations, team details, etc'. The error messages I found in nifi-user.log showed that the 'architecture dev team' user was trying to authenticate with the NiFi nodes. Authentication was successful but authorization was not happening.

The username which I had mentioned in the Initial Admin Identity was 'dvteam' (cn=dvteam,ou=xx,ou=xx,ou=xx,ou=xx,dc=abc,dc=com). Then, as per the logs, I changed it to (cn=architecture dev team,ou=xx,ou=xx,ou=xx,ou=xx,dc=abc,dc=com).

Also, there was some mismatch in the host names in the node identities section. 'hostname -f' shows a hostname ip-zz-xx-ec2-internal. So I had given 'ip-zz-xx-ec2-internal' in the node identities section, but that was not working. Then I changed the hostnames to 'nifi1.abc.local' and mentioned them in the node identities.

In 'Template for login-identity-providers.xml' I made some changes. Earlier I had set 'use_username' in the '<property name="Identity Strategy">USE_DN</property>' section. Later I changed it to use_dn, because as per the nifi-user log authentication is happening with the LDAP user 'architecture dev team'. So in my case use_username was not working for authentication.

On every configuration change I used to remove the authorizations.xml and users.xml files from all my NiFi nodes.

Also, there was confusion about 'OU' in the node identities section. What does OU mean in the node identities section? I don't know yet. Later I mentioned 'OU=nifi' and also gave the host names as 'nifi1.abc.local', 'nifi2.abc.local', etc. I added the AD/LDAP user in the Initial Admin Identity (cn=architecture dev team,ou=xx,ou=xx,ou=xx,ou=xx,dc=abc,dc=com).

After setting all of the above, I was facing an error about setting nifi.security.identity.mapping.pattern.dn. There was a challenge with the pattern definition. There were 4 'ou' that I had defined in the initial admin identities and login-identity-providers.xml. So I used the pattern below and it worked well.

^cn=(.*?),ou=(.*?),ou=(.*?),ou=(.*?),ou=(.*?),dc=(.*?),dc=(.*?)$

Note: I have removed Ranger completely.

Thanks, Suraj
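An added example (not part of the post above, and not NiFi's own code) showing how a DN mapping pattern of the shape described in the post behaves on DNs with a different number of OUs or different case. Assumptions: `map_identity` is a hypothetical helper using Python's `re` in place of the Java regex engine, the pattern is written with lazy `(.*?)` groups, the mapping value is `$1`, an unmatched identity is passed through unchanged, and `STRICT_PATTERN` is a stricter variant introduced here.

```python
import re

# Pattern shape from the post: cn, four ou, two dc (written with lazy groups).
POST_PATTERN = r"^cn=(.*?),ou=(.*?),ou=(.*?),ou=(.*?),ou=(.*?),dc=(.*?),dc=(.*?)$"
# Stricter variant (assumption, not from the post): a group cannot cross a comma.
STRICT_PATTERN = POST_PATTERN.replace("(.*?)", "([^,]+)")


def map_identity(identity, pattern, value="$1"):
    """Hypothetical helper: on a match, expand $N group references in `value`;
    otherwise return the identity unchanged (assumed fall-through behaviour)."""
    m = re.match(pattern, identity)
    if m is None:
        return identity
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), value)


# Constructed sample DNs modelled on the placeholders used in the post.
DN_4_OU = "cn=architecture dev team,ou=xx,ou=xx,ou=xx,ou=xx,dc=abc,dc=com"
DN_3_OU = "cn=architecture dev team,ou=xx,ou=xx,ou=xx,dc=abc,dc=com"
DN_5_OU = "cn=architecture dev team,ou=a,ou=b,ou=c,ou=d,ou=e,dc=abc,dc=com"
DN_UPPER = DN_4_OU.replace("cn=", "CN=")  # regex matching is case sensitive


def report():
    """Return (label, lazy result, strict result) for each sample DN."""
    samples = [("4 ou", DN_4_OU), ("3 ou", DN_3_OU),
               ("5 ou", DN_5_OU), ("upper-case CN", DN_UPPER)]
    return [(label,
             map_identity(dn, POST_PATTERN),
             map_identity(dn, STRICT_PATTERN)) for label, dn in samples]


if __name__ == "__main__":
    for label, lazy, strict in report():
        print(f"{label:14} lazy={lazy!r}")
        print(f"{'':14} strict={strict!r}")
```

With the lazy groups, the five-OU DN still maps to the same short name because one group absorbs `d,ou=e`; the comma-excluding variant leaves that DN unmapped, so only DNs with exactly four OUs are normalized.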
11-02-2017 03:30 PM
@Jobin George Can you please suggest how to stop the anonymous user from getting default login to the NiFi UI? I can log in to the NiFi UI with my LDAP user, but NiFi is also accessible with the anonymous user without a password. I want to disable it. In the Ranger policy, if I remove {user} from the user section then I cannot log in to the NiFi UI with the LDAP user, and it also doesn't get default login with anonymous. Please suggest. A brief description is given at the link below. https://community.hortonworks.com/questions/142667/how-to-give-permissions-to-users-to-access-nifi-ui.html?childToView=145984#answer-145984