Member since 12-09-2016 | 21 Posts | 4 Kudos Received | 1 Solution
My Accepted Solutions
Title | Views | Posted |
---|---|---|
3104 | 01-17-2017 12:31 PM |
08-29-2017
09:45 PM
Yes - going back to basics fixed the issue:
1. I updated ambari parsers configuration to include only the auditd parser
2. Ensured timestampField: timestamp was included in parserConfig
3. Restarted parser's service in ambari's metron service
I then started to see data being added to the enrichments kafka topic.
08-08-2017
01:26 PM
For HDP it doesn't seem too much hassle getting services writing their Ranger audit logs to HDFS. However, it is far less clear for NiFi. Out of the box the only facility for access logs appears to be SOLR (which is not a viable option for me right now). Is it possible to get NiFi writing Ranger audit logs to HDFS? If not, is it possible to configure NiFi (through log4j) to SYSLOG the Ranger audit logs somewhere? Thanks
Labels: Apache NiFi, Apache Ranger
07-27-2017
02:20 PM
Hi @Bharath Phatak, I've had no luck debugging what is causing this issue yet. Just tweaking the infrastructure to resolve some other issues I've been facing. Once that's completed I will get back to debugging this issue. If I find anything I'll update you. Cheers,
Ollie
07-19-2017
03:50 PM
I'm using a GROK parser, consuming from kafka queue 'auditd'. The STORM topology for the 'auditd' parser looks like it's working correctly:
We can see 9540 messages 'Acked', with only a handful of reported errors in the logs (for records which didn't match my GROK expression). We can also see within Metron UI that it's reporting throughput:
However, this data never makes it to the enrichment or indexing topology. As we can see the STORM topologies have never received any data:
For some reason the data is not being passed properly downstream. FWIW I used the Metron UI to configure this telemetry source. I can also see json files defined for the predefined telemetry sources in:
/usr/metron/0.4.0/config/zookeeper/{indexing,parsers,enrichments}
However in these folders I do not see any configuration files for the new auditd source. I have assumed that this is not required because the REST API configures the topology via UI. Is there anything obviously missing that might explain why these messages are not being passed upstream? Thanks in advance
Labels: Apache Metron, Apache Storm
07-14-2017
10:21 AM
@Laurens Vets - unfortunately auditd* didn't work, elasticsearch is not listing any new indexes. I can confirm that adding the new data type creates a new auditd topology, and it looks to be running without errors, acknowledging messages. The enrichment topology is also running without issues (which I believe is responsible for indexing?)
07-12-2017
02:18 PM
I have deployed the 10 node automated amazon AWS, using the ansible playbook. Everything looks to be working OK, but a new data source I've added isn't showing up in elasticsearch. I'm a bit stumped at how to start debugging this. The incoming flow looks like:
AuditD -> SYSLOG -> NiFi -> Kafka
It's then picked up in Kafka by the
Appreciate any tips to help figure out where my data is disappearing to! Cheers
Labels: Apache Metron
07-06-2017
03:12 PM
1 Kudo
I'm trying to connect to MSSQL Server using the ExecuteSQL processor and a DBCPConnectionPool service. I'm constrained (or rather, strongly encouraged) to use domain credentials, preferably with Kerberos to authenticate to the SQL Server. Reading the docs for DBCPConnectionPool it doesn't seem like this is possible? Are there any workarounds to achieve this?
Labels: Apache NiFi
06-28-2017
05:33 PM
I want to set up a reporting task that exposes all flow changes (what they did, who did it) to an external system. I found this https://issues.apache.org/jira/browse/NIFI-986 which shows that some work has been done to enable this functionality, but looking at the reporting tasks in NiFi (1.2.0) it's not self-explanatory how to achieve it. Any suggestion to get started would be greatly appreciated!
Labels: Apache NiFi
04-11-2017
12:39 PM
Hi, I'm trying to produce data into a kerberized 3 node kafka cluster with SimpleAclAuthorizer.
When I run:
[root@domain bin]# ./kafka-console-producer.sh --broker-list host.domain.net:6667 --topic topic1 --security-protocol SASL_PLAINTEXT
Test
[2017-04-11 09:07:43,821] WARN Error while fetching metadata with correlation id 0 : {topic1=UNKNOWN_TOPIC_OR_PARTITION} (org.apache.kafka.clients.NetworkClient)
[2017-04-11 09:07:44,022] WARN Error while fetching metadata with correlation id 1 : {topic1=UNKNOWN_TOPIC_OR_PARTITION} (org.apache.kafka.clients.NetworkClient)
[2017-04-11 09:07:44,122] WARN Error while fetching metadata with correlation id 2 : {topic1=UNKNOWN_TOPIC_OR_PARTITION} (org.apache.kafka.clients.NetworkClient)
[2017-04-11 09:07:44,223] WARN Error while fetching metadata with correlation id 3 : {topic1=UNKNOWN_TOPIC_OR_PARTITION} (org.apache.kafka.clients.NetworkClient)
[2017-04-11 09:07:44,323] WARN Error while fetching metadata with correlation id 4 : {topic1=UNKNOWN_TOPIC_OR_PARTITION} (org.apache.kafka.clients.NetworkClient)
[2017-04-11 09:07:44,423] WARN Error while fetching metadata with correlation id 5 : {topic1=UNKNOWN_TOPIC_OR_PARTITION} (org.apache.kafka.clients.NetworkClient)
[2017-04-11 09:07:44,523] WARN Error while fetching metadata with correlation id 6 : {topic1=UNKNOWN_TOPIC_OR_PARTITION} (org.apache.kafka.clients.NetworkClient)
[2017-04-11 09:07:44,624] WARN Error while fetching metadata with correlation id 7 : {topic1=UNKNOWN_TOPIC_OR_PARTITION} (org.apache.kafka.clients.NetworkClient)
I can see my topic if I run:
[root@domain bin]# ./kafka-topics.sh --list --zookeeper host.domain.net:2181
topic1
I can see the ACLs I've applied:
[root@domain bin]# ./kafka-acls.sh --list --authorizer-properties zookeeper.connect=host.domain.net:2181 --topic topic1
Current ACLs for resource `Topic:topic1`:
User:nifi/host.domain.net has Allow permission for operations: Write from hosts: *
User:nifi/host.domain.net has Allow permission for operations: Write from hosts: *
I've run kinit:
[root@domain bin]# klist
Ticket cache: FILE:/tmp/krb5cc_...
Default principal: nifi/host.domain.net@DOMAIN.NET
Valid starting Expires Service principal
04/11/17 08:59:42 04/11/17 18:59:42 krbtgt/DOMAIN.NET@DOMAIN.NET
renew until 04/18/17 08:59:42
Thanks in advance for any help.
Ollie
Labels: Apache Kafka
03-09-2017
04:48 PM
Fairly simple issue: I have a 3 node clustered NiFi secured with the ranger plugin (all kerberised). I've created a very simple flow for some testing, but when I query provenance I see no results. I've added my AD principal into the default all resources policy ('*') within ranger. I've also created an 'Administrator' policy where I've added as many combinations of permissions as I could come up with, all without any luck. Any suggestions? Thanks in advance
Labels: Apache NiFi, Apache Ranger
02-02-2017
04:08 PM
@Matt I was a bit unclear. If I attempt to authorise myself to the UI of node1 in my cluster, node2 will throw that error at that moment. The logs in node1 will show a successful authentication. Node 1 will then just happily redirect me to a generic success message page, which I can't progress past.
EDIT CLUE 2:
If I regenerate self signed certs (not my signed certs) using the NiFi CA then login this message goes away!
02-02-2017
02:21 PM
I have configured kerberos authentication, with file backed authorizer. NiFi is using SSL with signed certificates from a windows domain CA, with the relevant DNs added to Node Identities. I can login, and authenticate successfully, but I seem to hit a strange redirect loop on login. I simply endlessly redirect to:
Success
You are already logged in.
With 'log out' and 'home' buttons available. If I hit home I am redirected to the same message. Despite what it's telling me it doesn't feel very successful! Any ideas? Cheers
EDIT: A bit more info:
I have a cluster of two nodes. If I authenticate to node1 my node1 nifi-user.log will show success messages, node2 will throw an error:
ERROR [NiFi Web Server-16] o.a.nifi.web.security.jwt.JwtService There was an error validating the JWT
io.jsonwebtoken.JwtException: Unable to validate the access token.
...
Caused by: io.jsonwebtoken.SignatureException: JWT signature does not match locally computed signature. JWT validity cannot be asserted and should not be trusted.
Likewise if I authenticate on node2, node1 will show this error.
Labels: Apache NiFi
02-02-2017
10:37 AM
I'm trying to permission NiFi using Active Directory groups. I'm aware there is a problem using groups in AD with the NiFi-Ranger plugin, but I'm attempting to authorize using the Kerberos identity provider and the file provider within NiFi itself. Is there any way to pull in AD groups into the NiFi application, and use them to authorize access? Ideally I don't want to create static groups in NiFi that contain my principals, which are updated manually. As a fallback I was considering writing a script that generates NiFi groups based on an ldapsearch and populates it with the relevant principals.
Labels: Apache NiFi, Cloudera DataFlow (CDF)
01-21-2017
10:46 AM
Yes all working when I changed the attribute value in ranger LDAPS config to use UserPrincipalName, pulling in my users named ..@NIFI.LOCAL. Policy management is working as expected! It's a shame that group permissions don't work yet, is there a work ticket I can follow its progress on?
01-20-2017
02:46 PM
More progress. I scripted up the creation of the truststores and keystores on both NiFi and Ranger so I was able to tear down and re-deploy the cluster consistently. I realised I'd made a few silly mistakes with the DNs you mentioned above. Fixing these gave me a 403 untrusted proxy, which I fixed by creating the /proxy policy for the nifi nodes. I've now achieved:
Big step! And the policies are syncing with 200 OKs, as well as I can see active nifi user logging into Ranger. Seems like I'm getting close. One issue left is that my ldapsync in ranger has populated users & groups, but these users & groups when applied to the all resources policy don't appear to take effect. I have insufficient privileges to do anything in NiFi with a user I've granted access to inside Ranger:
For user oliver (oliver@NIFI.LOCAL), NiFi logs show a successful authentication, but unauthorised to access anything:
2017-01-20 14:43:11,282 INFO [NiFi Web Server-98] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for oliver@NIFI.LOCAL
2017-01-20 14:43:11,283 INFO [NiFi Web Server-98] o.a.n.w.a.c.AccessDeniedExceptionMapper oliver@NIFI.LOCAL does not have permission to access the requested resource. Returning Forbidden response.
I've set up NiFi using AD (ldaps) and Ranger using ldap (couldn't get ldaps to take). I'm not sure if that has triggered a weird issue here? Thanks again for all your help!
01-19-2017
09:21 AM
Yes I didn't need to delete anything from the stores so I reverted that change. I think there were some issues with the key/trust stores which have been fixed, definitely making progress. I now get an explicit 403 from ranger Service Manager > Edit Service:
and nifi-user.log shows:
2017-01-19 09:11:01,627 INFO [NiFi Web Server-16] o.a.n.w.a.c.AccessDeniedExceptionMapper CN=ranger-1, OU=Nifi, O=GR, L=London, ST=Unknown, C=Unknown does not have permission to access the requested resource. Returning Forbidden response.
Additionally, in Ranger -> Audit -> Plugins I can see that policies are being synced to NiFi:
As well as login attempts from NiFi to Ranger being registered:
However, nothing is being shown in Audit > Access, and I still receive an error message saying that I cannot connect to Audit Store. Ranger xa_portal.log also shows a big REST error every time I venture to that tab:
2017-01-19 09:19:03,676 [http-bio-6182-exec-4] INFO org.apache.ranger.common.RESTErrorUtil (RESTErrorUtil.java:336) - Operation error. response=VXResponse={org.apache.ranger.view.VXResponse@497448d5statusCode={1} msgDesc={Error connecting to search engine} messageList={[VXMessage={org.apache.ranger.view.VXMessage@1912a8acname={ERROR_SYSTEM} rbKey={xa.error.system} message={System Error. Please try later.} objectId={null} fieldName={null} }]} }
javax.ws.rs.WebApplicationException
at org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:56)
at org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:335)
at org.apache.ranger.solr.SolrAccessAuditsService.searchXAccessAudits(SolrAccessAuditsService.java:130)
at org.apache.ranger.biz.AssetMgr.getAccessL
Finally, my access control policies defined in ranger for NiFi do not take effect. I have granted an AD domain account root access to NiFi; NiFi allows me to log in but tells me I have no privileges.
EDIT 1: Maybe the 'Access' error is a red herring - I haven't installed any services other than ranger, nifi, zookeeper and kerberos in the cluster. So a connection to Solr doesn't make sense?
01-18-2017
08:43 PM
I've added those outputs. I'm going to empty my NiFi truststore and reimport the ranger certificate as I'm not sure why I have two certs in that store. Also I'll give it a more useful alias. One question I have about your guide when setting up ranger-nifi-plugin-properties. This configures the ranger plugin sitting on the NiFi host, right? The trust and key store that they need access to, are these Ranger's trust and key store that need to be copied from the ranger host and distributed out to NiFi when the plugin is active? Maybe I've misunderstood that part..
01-18-2017
08:20 PM
Hi @yolanda I've added a screenshot of ranger_nifi_plugin_properties, and the ERRORs are coming from ranger's xa_portal.log logfile. I followed the steps in 1 & 2 - I'll do a keytool -list -v -keystore on the relevant stores, which should confirm they have been correctly exported. I'll add that as EDIT 2 to the post. Thanks!
01-18-2017
07:56 PM
1 Kudo
I'm having a torrid time trying to configure ranger with NiFi, with both services set up with SSL already. I've been following this guide: https://community.hortonworks.com/articles/60001/hdf-20-integrating-secured-nifi-with-secured-range.html
It was previously working without SSL, so something is wrong with my keystores and truststores. I'll describe my setup in as much detail as possible, and I'm hoping, between my config and logs, we can make some progress debugging the issue.
Overview: Ambari (HDF-2.1.1.0) is managing a ranger and NIFI install, all on separate instances (ambari-1, nifi-1 and ranger-1). I have not configured a NIFI Certificate Authority.
NiFi instance:
Truststores:
/etc/security/nifi-certs/keystore.jks
/etc/security/nifi-certs/truststore.jks
/etc/security/ranger-certs/keystore.jks
/etc/security/ranger-certs/truststore.jks
nifi.properties
nifi.security.identity.mapping.pattern.dn=
nifi.security.identity.mapping.pattern.kerb=
nifi.security.identity.mapping.value.dn=
nifi.security.identity.mapping.value.kerb=
nifi.security.keyPasswd=easypass
nifi.security.keyPasswd.protected=aes/gcm/256
nifi.security.keystore=/etc/security/nifi-certs/keystore.jks
nifi.security.keystorePasswd=easypass
nifi.security.keystorePasswd.protected=aes/gcm/256
nifi.security.keystoreType=JKS
nifi.security.needClientAuth=False
nifi.security.ocsp.responder.certificate=
nifi.security.ocsp.responder.url=
nifi.security.truststore=/etc/security/nifi-certs/truststore.jks
nifi.security.truststorePasswd=easypass
nifi.security.truststorePasswd.protected=aes/gcm/256
nifi.security.truststoreType=JKS
nifi.security.user.authorizer=ranger-provider
nifi.security.user.login.identity.provider=kerberos-provider
ranger-policymgr-ssl.xml
<configuration>
<property>
<name>owner.for.certificate</name>
<value></value>
</property>
<property>
<name>xasecure.policymgr.clientssl.keystore</name>
<value>/etc/security/nifi-certs/keystore.jks</value>
</property>
<property>
<name>xasecure.policymgr.clientssl.keystore.credential.file</name>
<value>jceks://file/etc/ranger/NiFi_nifi/cred.jceks</value>
</property>
<property>
<name>xasecure.policymgr.clientssl.keystore.password</name>
<value>easypass</value>
</property>
<property>
<name>xasecure.policymgr.clientssl.truststore</name>
<value>/etc/security/nifi-certs/truststore.jks</value>
</property>
<property>
<name>xasecure.policymgr.clientssl.truststore.credential.file</name>
<value>jceks://file/etc/ranger/NiFi_nifi/cred.jceks</value>
</property>
<property>
<name>xasecure.policymgr.clientssl.truststore.password</name>
<value>easypass</value>
</property>
</configuration>
No notable ERROR messages appearing in nifi-app.log
Ranger instance:
Truststores:
/etc/security/ranger-certs/keystore.jks
/etc/security/ranger-certs/truststore.jks
ranger-admin-site.xml
<property>
<name>ranger.truststore.file</name>
<value>/etc/security/ranger-certs/truststore.jks</value>
</property>
<property>
<name>ranger.truststore.password</name>
<value>easypass</value>
</property>
<property>
<name>ranger.https.attrib.keystore.file</name>
<value>/etc/security/ranger-certs/keystore.jks</value>
</property>
<property>
<name>ranger.service.https.attrib.keystore.keyalias</name>
<value>ranger-1</value>
</property>
<property>
<name>ranger.service.https.attrib.keystore.pass</name>
<value>easypass</value>
</property>
Error logs (xa_portal.log) are showing that one of my keystores' passwords is incorrect:
2017-01-18 19:40:54,646 [timed-executor-pool-0] ERROR org.apache.ranger.services.nifi.RangerServiceNiFi (RangerServiceNiFi.java:51) - <== RangerServiceNiFi.validateConfig Error:
java.io.IOException: Keystore was tampered with, or password was incorrect
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
at java.security.KeyStore.load(KeyStore.java:1445)
at org.apache.ranger.services.nifi.client.NiFiConnectionMgr.createSslContext(NiFiConnectionMgr.java:138)
at org.apache.ranger.services.nifi.client.NiFiConnectionMgr.getNiFiClient(NiFiConnectionMgr.java:92)
at org.apache.ranger.services.nifi.client.NiFiConnectionMgr.connectionTest(NiFiConnectionMgr.java:106)
at org.apache.ranger.services.nifi.RangerServiceNiFi.validateConfig(RangerServiceNiFi.java:49)
at org.apache.ranger.biz.ServiceMgr$ValidateCallable.actualCall(ServiceMgr.java:560)
at org.apache.ranger.biz.ServiceMgr$ValidateCallable.actualCall(ServiceMgr.java:547)
at org.apache.ranger.biz.ServiceMgr$TimedCallable.call(ServiceMgr.java:508)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.security.UnrecoverableKeyException: Password verification failed
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:778)
Though I've not been able to deduce which keystore this is complaining about!
and another REST ERROR
2017-01-18 20:03:45,901 [ranger-1.nifi.local-startStop-1] ERROR org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil (EmbeddedServiceDefsUtil.java:138) - EmbeddedServiceDefsUtil.init(): failed
javax.ws.rs.WebApplicationException
at org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:56)
at org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:311)
at org.apache.ranger.service.RangerBaseModelService.read(RangerBaseModelService.java:234)
at org.apache.ranger.biz.ServiceDBStore.getServiceDef(ServiceDBStore.java:1264)
at org.apache.ranger.plugin.store.AbstractServiceStore.updateTagServiceDefForUpdatingAccessTypes(AbstractServiceStore.java:297)
at org.apache.ranger.plugin.store.AbstractServiceStore.updateTagServiceDefForAccessTypes(AbstractServiceStore.java:55)
at org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil.init(EmbeddedServiceDefsUtil.java:136)
at org.apache.ranger.biz.ServiceDBStore$1.doInTransaction(ServiceDBStore.java:287)
at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:130)
at org.apache.ranger.biz.ServiceDBStore.initStore(ServiceDBStore.java:284)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Me
Thanks in advance for any help.
EDIT 1:
EDIT 2: Step 1 & 2 in the guide:
[root@nifi-1 nifi-certs]# keytool -list -keystore truststore.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
rootca, 18-Jan-2017, trustedCertEntry,
Certificate fingerprint (SHA1): 80:60:76:CF:8B:ED:37:79:73:3A:03:28:B3:9E:A9:AE:E9:03:EF:CD
mykey, 18-Jan-2017, trustedCertEntry,
Certificate fingerprint (SHA1): 9E:39:B3:8E:B3:37:76:2F:E5:99:CC:D1:13:E6:71:FC:1A:F1:C9:C8
[root@nifi-1 nifi-certs]#
Step 3 & 4:
[root@ranger-1 security]# cd /etc/security/ranger-certs/
[root@ranger-1 ranger-certs]# keytool -list -keystore truststore.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
nifi-1, 18-Jan-2017, trustedCertEntry,
Certificate fingerprint (SHA1): 9C:52:46:2D:90:3E:B7:24:D3:3F:0E:E4:21:DD:D6:0B:28:74:70:E4
[root@ranger-1 ranger-certs]#
EDIT 3: Revised key and trust stores as @Yolanda M. Davis advised. Errors above have stopped on the ranger node, and started on the NiFi.
2017-01-18 22:09:59,406 WARN [Process Cluster Protocol Request-9] o.a.n.c.p.impl.SocketProtocolListener Failed processing protocol message from nifi-1.nifi.local due to javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[na:1.8.0_77]
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154) ~[na:1.8.0_77]
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023) ~[na:1.8.0_77]
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125) ~[na:1.8.0_77]
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) ~[na:1.8.0_77]
at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:928) ~[na:1.8.0_77]
at sun.security.ssl.AppInputStream.read(AppInputStream.java:105) ~[na:1.8.0_77]
at sun.security.ssl.AppInputStream.read(AppInputStream.java:71) ~[na:1.8.0_77]
at org.apache.nifi.cluster.protocol.impl.CopyingInputStream.read(CopyingInputStream.java:39) ~[nifi-framework-cluster-protocol-1.1.0.2.1.1.0-2.jar:1.1.0.2.1.1.0-2]
at java.io.FilterInputStream.read(FilterInputStream.java:83) ~[na:1.8.0_77]
at org.apache.nifi.cluster.protocol.jaxb.JaxbProtocolContext$2.unmarshal(JaxbProtocolContext.java:109) ~[nifi-framework-cluster-protocol-1.1.0.2.1.1.0-2.jar:1.1.0.2.1.1.0-2]
at org.apache.nifi.cluster.protocol.impl.SocketProtocolListener.dispatchRequest(SocketProtocolListener.java:142) ~[nifi-framework-cluster-protocol-1.1.0.2.1.1.0-2.jar:1.1.0.2.1.1.0-2]
at org.apache.nifi.io.socket.SocketListener$2$1.run(SocketListener.java:136) [nifi-socket-utils-1.1.0.2.1.1.0-2.jar:1.1.0.2.1.1.0-2]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_77]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_77]
at java.lang.Thread.run(Thread.java:745) [na:1.8.0_77]
2017-01-18 22:09:59,610 WARN [Heartbeat Monitor Thread-1] o.a.n.c.c.node.NodeClusterCoordinator Failed to determine which node is elected active Cluster Coordinator: ZooKeeper reports the address as nifi-1.nifi.local:9088, but there is no node with this address. Attempted to determine the node's information but failed to retrieve its information due to org.apache.nifi.cluster.protocol.ProtocolException: Failed to request Node Identifer from nifi-1.nifi.local:9088
Also ranger is giving 409 errors when connecting to NiFi:
409 indicates a client issue (from Ranger). It seems I have some misconfiguration on NiFi now.
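Added example (not part of the original post or the linked guide): one way to work out which JKS file a "Keystore was tampered with, or password was incorrect" error refers to is to recompute the store's trailing integrity digest for the configured password, per file. The function names are hypothetical, and the sample stores are constructed in memory with placeholder bytes instead of real certificates; which sample store fails is arbitrary and says nothing about the poster's cluster.

```python
import hashlib
import hmac
import struct

JKS_MAGIC = 0xFEEDFEED
JKS_SALT = b"Mighty Aphrodite"  # fixed string the JKS format mixes into its hash
PRIVATE_KEY, TRUSTED_CERT = 1, 2


def jks_digest(password, body):
    """Store integrity hash: SHA-1(UTF-16BE password + salt + store body)."""
    return hashlib.sha1(password.encode("utf-16-be") + JKS_SALT + body).digest()


def password_matches(store, password):
    """True if `password` reproduces the 20-byte digest that ends the store."""
    if len(store) < 32 or struct.unpack(">I", store[:4])[0] != JKS_MAGIC:
        raise ValueError("not a JKS keystore")
    return hmac.compare_digest(jks_digest(password, store[:-20]), store[-20:])


def list_entries(store):
    """Return (alias, entry type) pairs; aliases are readable without the password."""
    magic, version, count = struct.unpack(">III", store[:12])
    if magic != JKS_MAGIC or version != 2:
        raise ValueError("not a version 2 JKS keystore")
    pos = 12

    def take(fmt):  # read one big-endian integer and advance
        nonlocal pos
        (value,) = struct.unpack_from(fmt, store, pos)
        pos += struct.calcsize(fmt)
        return value

    def take_bytes(length_fmt):  # read one length-prefixed field and advance
        nonlocal pos
        n = take(length_fmt)
        data = store[pos:pos + n]
        pos += n
        return data

    entries = []
    for _ in range(count):
        tag = take(">I")
        alias = take_bytes(">H").decode("utf-8")
        take(">Q")  # creation date, milliseconds since the epoch
        if tag == PRIVATE_KEY:
            take_bytes(">I")  # encrypted private key
            for _ in range(take(">I")):  # certificate chain
                take_bytes(">H")  # certificate type
                take_bytes(">I")  # certificate bytes
            entries.append((alias, "PrivateKeyEntry"))
        elif tag == TRUSTED_CERT:
            take_bytes(">H")  # certificate type
            take_bytes(">I")  # certificate bytes
            entries.append((alias, "trustedCertEntry"))
        else:
            raise ValueError("unknown entry tag %d" % tag)
    return entries


def stores_rejecting(stores, password):
    """Names of the stores whose integrity digest `password` does not reproduce."""
    return [name for name, data in stores.items() if not password_matches(data, password)]


def build_sample_store(password, aliases):
    """Constructed test input: trusted-cert entries with placeholder bytes, not real certs."""
    body = struct.pack(">III", JKS_MAGIC, 2, len(aliases))
    for alias in aliases:
        name, cert = alias.encode("utf-8"), b"placeholder-not-a-certificate"
        body += struct.pack(">IH", TRUSTED_CERT, len(name)) + name
        body += struct.pack(">QH", 1484697600000, 5) + b"X.509"
        body += struct.pack(">I", len(cert)) + cert
    return body + jks_digest(password, body)


# Constructed sample: paths, aliases and "easypass" appear in the post; the other password is invented.
SAMPLE_STORES = {
    "/etc/security/nifi-certs/truststore.jks": build_sample_store("easypass", ["rootca", "mykey"]),
    "/etc/security/ranger-certs/truststore.jks": build_sample_store("some-other-pass", ["nifi-1"]),
}

if __name__ == "__main__":
    for path, data in SAMPLE_STORES.items():
        print(path, password_matches(data, "easypass"), list_entries(data))
```

This covers only the store-level password of JKS files; a per-key password such as nifi.security.keyPasswd and PKCS12 stores are not checked by it.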
01-17-2017
12:31 PM
2 Kudos
I suffered the exact same issue of:
Caused by: java.net.SocketException: Connection reset
Logs giving nothing away, just constant refusal to connect to ldap://ad.mydomain.com:389 despite confirming LDAP was working on the same host using ldapsearch. Anyway, I decided to test with LDAPS (following https://community.hortonworks.com/articles/60186/hdf-20-use-ambari-to-enable-kerberos-for-hdf-clust-1.html), and using exactly the same values for my config it worked.