About CaptainJa

CaptainJa · ‎08-10-2021

With some help from a colleague, we figured out that all I needed to do was go into Administration > Users & Roles > LDAP/PAM Groups. There, I clicked on the "Add LDAP/PAM Group Mapping" and added the group I expected to be synced from Active Directory, along with a role assignment. This was enough to make sure that the user after being authenticated, was able to login in with the right role privileges.

CaptainJa · ‎08-10-2021

Hello, I am facing a challenge with authentication and authorizing Active Directory users on Cloudera CDP 7.1.6. I followed the steps here to make the necessary configurations (https://docs.cloudera.com/cdp-private-cloud-base/7.1.6/security-kerberos-authentication/topics/cm-security-external-authentication-ad.html). The challenge is that I am able to login with AD users but there is no group to role mapping, which results in a blank page for the user. I checked this other page (https://docs.cloudera.com/cdp-private-cloud-base/7.1.6/managing-clusters/topics/cm-security-authorization-user-roles.html) which handles mapping external authentication to roles. However, it skips Active Directory instructions and mentions only that of external programs and SAML scripts. Does anyone have an idea of how to map groups from an Active Directory source to Cloudera Roles? or is there some other documentation I should refer to? Thanks in advance for the support.

CaptainJa · ‎05-25-2021

@ururu I have a similar use case but the configurations mentioned above are not giving the desired results. Did you add or modify some of the configurations? E.g., I saw it being mentioned elsewhere that the hadoop.root.logger value needs to be changed as well to include SYSLOG as a value. Did you do this too? Also, in case the external SIEM server expects a particular format, e.g., the RFC 5424 syslog format or a specific SIEM server format like Universal LEEF, what would be the best way to define this property?

CaptainJa · ‎03-02-2021

Hello @smdas, Thanks for the follow up. I did follow the recommended link and implemented most of the suggestions there on my Ambari Infra Solr setup. While that helped with Solr indexing, it did not resolve the issue at hand. On a closer look, I identified that the lagging only affected hadoop-acl enforcer type actions. (see attached picture - which shows no hadoop-acl type actions even though a lot has been performed over the day) I went through the Namenode logs and made some adjustments to the log4j configurations for hdfs audit logging. Unfortunately, this has still not resolved the problem. The actions eventually show but sometimes, after a whole day or even two days. (see attached picture - where the latest hadoop-acl type actions are from last Friday) It seems as if hadoop-acl type actions are being queued or buffered somehow and only indexed to Solr after a limit has been reached. However, I haven't found any configuration setting which would mitigate this if that is the case. All ideas are really welcome. Thanks

CaptainJa · ‎02-03-2021

Thanks a lot for the pointer @smdas. I have already seen a number of warnings in the Infra Solr logs but I am not sure if they are directly related to the issue at hand since they are mostly start-up warnings - see below 2021-02-02 17:18:03,938 [main] WARN [ ] org.eclipse.jetty.security.ConstraintSecurityHandler (ConstraintSecurityHandler.java:807) - ServletContext@o.e.j.w.WebAppContext@30b8a058{/solr,file:/usr/lib/ambari-infra-solr/server/solr-webapp/webapp/,STARTING}{/usr/lib/ambari-infra-solr/server/solr-webapp/webapp} has uncovered http methods for path: / 2021-02-02 17:18:04,402 [main] WARN [ ] org.apache.solr.core.CoreContainer (CoreContainer.java:401) - Couldn't add files from /xxxx/xx/ambari_infra_solr/data/lib to classpath: /xxxx/xx/ambari_infra_solr/data/lib 2021-02-02 17:18:06,749 [coreLoadExecutor-6-thread-2-processing-n:XXXXXXXXXX-XXX-XXX-XXX:8886_solr] WARN [c:ranger_audits s:shard1 r:core_node12 x:ranger_audits_shard1_replica1] org.apache.solr.core.Config (Config.java:169) - Beginning with Solr 5.5, <mergeFactor> is deprecated, configure it on the relevant <mergePolicyFactory> instead. 2021-02-02 17:18:06,755 [coreLoadExecutor-6-thread-5-processing-n:XXXXXXXXXX-XXX-XXX-XXX:8886_solr] WARN [c:ranger_audits s:shard4 r:core_node14 x:ranger_audits_shard4_replica1] org.apache.solr.core.Config (Config.java:169) - Beginning with Solr 5.5, <mergeFactor> is deprecated, configure it on the relevant <mergePolicyFactory> instead. 2021-02-02 17:18:06,758 [coreLoadExecutor-6-thread-8-processing-n:XXXXXXXXXX-XXX-XXX-XXX:8886_solr] WARN [c:ranger_audits s:shard8 r:core_node9 x:ranger_audits_shard8_replica2] org.apache.solr.core.Config (Config.java:169) - Beginning with Solr 5.5, <mergeFactor> is deprecated, configure it on the relevant <mergePolicyFactory> instead. 2021-02-02 17:18:06,758 [coreLoadExecutor-6-thread-7-processing-n:XXXXXXXXXX-XXX-XXX-XXX:8886_solr] WARN [c:ranger_audits s:shard7 r:core_node7 x:ranger_audits_shard7_replica1] org.apache.solr.core.Config (Config.java:169) - Beginning with Solr 5.5, <mergeFactor> is deprecated, configure it on the relevant <mergePolicyFactory> instead. 2021-02-02 17:18:06,759 [coreLoadExecutor-6-thread-6-processing-n:XXXXXXXXXX-XXX-XXX-XXX:8886_solr] WARN [c:ranger_audits s:shard5 r:core_node6 x:ranger_audits_shard5_replica2] org.apache.solr.core.Config (Config.java:169) - Beginning with Solr 5.5, <mergeFactor> is deprecated, configure it on the relevant <mergePolicyFactory> instead. 2021-02-02 17:18:06,759 [coreLoadExecutor-6-thread-3-processing-n:XXXXXXXXXX-XXX-XXX-XXX:8886_solr] WARN [c:ranger_audits s:shard10 r:core_node5 x:ranger_audits_shard10_replica1] org.apache.solr.core.Config (Config.java:169) - Beginning with Solr 5.5, <mergeFactor> is deprecated, configure it on the relevant <mergePolicyFactory> instead. 2021-02-02 17:18:06,759 [coreLoadExecutor-6-thread-4-processing-n:XXXXXXXXXX-XXX-XXX-XXX:8886_solr] WARN [c:ranger_audits s:shard2 r:core_node2 x:ranger_audits_shard2_replica2] org.apache.solr.core.Config (Config.java:169) - Beginning with Solr 5.5, <mergeFactor> is deprecated, configure it on the relevant <mergePolicyFactory> instead. 2021-02-02 17:18:07,617 [coreLoadExecutor-6-thread-4-processing-n:XXXXXXXXXX-XXX-XXX-XXX:8886_solr] WARN [c:ranger_audits s:shard2 r:core_node2 x:ranger_audits_shard2_replica2] org.apache.solr.core.SolrResourceLoader (SolrResourceLoader.java:574) - Solr loaded a deprecated plugin/analysis class [solr.admin.AdminHandlers]. Please consult documentation how to replace it accordingly. 2021-02-02 17:18:07,624 [coreLoadExecutor-6-thread-3-processing-n:XXXXXXXXXX-XXX-XXX-XXX:8886_solr] WARN [c:ranger_audits s:shard10 r:core_node5 x:ranger_audits_shard10_replica1] org.apache.solr.core.SolrResourceLoader (SolrResourceLoader.java:574) - Solr loaded a deprecated plugin/analysis class [solr.admin.AdminHandlers]. Please consult documentation how to replace it accordingly. 2021-02-02 17:18:08,112 [coreLoadExecutor-6-thread-6-processing-n:XXXXXXXXXX-XXX-XXX-XXX:8886_solr] WARN [c:ranger_audits s:shard5 r:core_node6 x:ranger_audits_shard5_replica2] org.apache.solr.handler.admin.AdminHandlers (AdminHandlers.java:103) - <requestHandler name="/admin/" class="solr.admin.AdminHandlers" /> is deprecated . It is not required anymore 2021-02-02 17:18:08,113 [coreLoadExecutor-6-thread-5-processing-n:XXXXXXXXXX-XXX-XXX-XXX:8886_solr] WARN [c:ranger_audits s:shard4 r:core_node14 x:ranger_audits_shard4_replica1] org.apache.solr.handler.admin.AdminHandlers (AdminHandlers.java:103) - <requestHandler name="/admin/" class="solr.admin.AdminHandlers" /> is deprecated . It is not required anymore 2021-02-02 17:18:08,113 [coreLoadExecutor-6-thread-4-processing-n:XXXXXXXXXX-XXX-XXX-XXX:8886_solr] WARN [c:ranger_audits s:shard2 r:core_node2 x:ranger_audits_shard2_replica2] org.apache.solr.handler.admin.AdminHandlers (AdminHandlers.java:103) - <requestHandler name="/admin/" I will, nonetheless, check out the tuning parameters in the link. Thanks again.

CaptainJa · ‎02-02-2021

Hello Everyone, I am having an issue where some times the ranger audit page in the Ranger UI admin delays in showing audit entries for recent deployments. Sometimes, it does not show for close to 3 hours. Other times, it shows immediately. - see attached picture. The recent information also does not show even on refreshing the update time. Is there any configuration setting to regulate how Ranger UI updates the Audit page? Thanks

CaptainJa · ‎12-04-2020

Hello @Madhur Thanks a lot for the reply. I can confirm that the operating system is rhel7. The base url used was a configuration setting passed down but we have used it for other clusters without issues. I will nonetheless check with the client to make sure it is correct. Concerning the link to the bug report, the upgrade was done for Ambari 2.6.2.2 while the mentioned bug was fixed in version 2.6.0.0. Also, the scenarios presented in the bug are a bit different in our case. Thanks a lot for the help

CaptainJa · ‎12-02-2020

After an Ambari server upgrade from 2.5.0.3 to 2.6.2.2, I noticed that operations started from Ambari Web UI were hanging without any progress in the status bar. Looking through the logs, showed an error regarding operating system matching. 28 Nov 2020 16:48:52,372 WARN [ambari-action-scheduler] ActionScheduler:316 - Exception received java.lang.RuntimeException: org.apache.ambari.server.controller.spi.SystemException: Operating System matching redhat7 could not be found at org.apache.ambari.server.actionmanager.ExecutionCommandWrapper.getExecutionCommand(ExecutionCommandWrapper.java:253) at org.apache.ambari.server.actionmanager.ActionScheduler.processInProgressStage(ActionScheduler.java:704) at org.apache.ambari.server.actionmanager.ActionScheduler.doWork(ActionScheduler.java:417) at org.apache.ambari.server.actionmanager.ActionScheduler.run(ActionScheduler.java:310) at java.lang.Thread.run(Thread.java:748) Caused by: org.apache.ambari.server.controller.spi.SystemException: Operating System matching redhat7 could not be found at org.apache.ambari.server.state.stack.upgrade.RepositoryVersionHelper.getOSEntityForHost(RepositoryVersionHelper.java:422) A colleague's searching revealed that this problem might be related to HDP local repository setup. So I checked the configuration of HDP local repository and realized an issue with its configuration. We inherited this cluster and have no information on how the HDP 2.6 repository was setup before we began the Ambari Server upgrade. As can be seen in the picture, the repo versions page was empty and unresponsive. Entries could also not be added. Using the information given here - https://docs.cloudera.com/HDPDocuments/Ambari-2.6.1.0/bk_ambari-installation/content/using_a_local_redHat_satellite_spacewalk_repo.html we have tried to use the Ambari rest API to create operating systems entries for HDP but keep getting the 500 server error on each try. #curl to get the resources curl -ik -u admin -H "X-Requested-By:ambari" -X GET https://localhost:8080/api/v1/stacks/HDP/versions/2.6/repository_versions?fields=operating_systems/repositories/Repositories/base_url #response { "items" : [ { "href" : "http://localhost:8080/api/v1/stacks/HDP/versions/2.6/repository_versions/1", "RepositoryVersions" : { "id" : 1, "stack_name" : "HDP", "stack_version" : "2.6" }, "operating_systems" : [ ] } ] } #repo.json { "operating_systems" : [ { "OperatingSystems" : { "ambari_managed_repositories": false, "os_type" : "redhat7", "repository_version_id" : 1, "stack_name" : "HDP", "stack_version" : "2.6" }, "repositories" : [ { "Repositories" : { "base_url" : "ftp://localhost/HDP/centos6/2.x/updates", "os_type" : "redhat7", "repo_id" : "HDP-2.6", "repository_version_id" : 1, "stack_name" : "HDP", "stack_version" : "2.6", "unique" : false } }, { "Repositories" : { "base_url" : "ftp://localhost/HDP-UTILS-1.1.0.21/repos/centos6", "os_type" : "redhat7", "repo_id" : "HDP-UTILS-1.1.0.21", "repository_version_id" : 1, "stack_name" : "HDP", "stack_version" : "2.6", "unique" : false } } ] } ] } #curl to make updates curl -ik -u admin -H "X-Requested-By:ambari" -H "Content-Type: application/json" -d @repo.json -X PUT 'https://localhost:8080/api/v1/stacks/HDP/versions/2.6/repository_versions/1' #response Enter host password for user 'admin': HTTP/1.1 500 Server Error Strict-Transport-Security: max-age=3156000 X-Frame-Options: DENY X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff Pragma: no-cache Set-Cookie: AMBARISESSIONID=1w53kyo4ucxx21erviezjlc1z8, Path=/;Secure:HttpOnly User: admin Content-Type: test/plain;charset=ISO-8859-1 Content-Length: 48 { "status": 500, "message": "Server Error" } Please help to resolve the issue Thank you

CaptainJa · ‎02-11-2020

Hello @StevenOD, Thanks for the reply. We have considered this but at the moment, the client requirements limits our usage to 5.16.x

CaptainJa · ‎02-11-2020

Hello, After running a security tool on our cluster, a report found the tomcat version as outdated and vulnerable to certain threats. We have tried to find ways to upgrade Tomcat on our cluster but are not having any success with it. I realize this is similar to a post https://community.cloudera.com/t5/Support-Questions/Apache-tomcat-compatibility/m-p/159988 which concerns HDP but there are no responses on that post either. Does anyone have some experience with this? If so, I would be grateful for some pointers. Thanks. Regards, CaptainJay

Online	Offline
Last Visited	‎07-19-2022 06:01 AM

Member Since	‎11-18-2019 02:28 AM
Last Visited	‎07-19-2022 06:01 AM
Posts	12

Cloudera Community

Re: Active Directory Group to Role Mapping CDP 7.1...

Re: Active Directory Group to Role Mapping CDP 7.1...

Active Directory Group to Role Mapping CDP 7.1.6

Re: Configuring Apache Ranger to send Syslog to a ...

Re: Ranger Audit Lagging

Re: Ranger Audit Lagging

Ranger Audit Lagging

Re: HDP Local Repository update error - API Error ...

HDP Local Repository update error - API Error 500

Re: Cloudera 5.16.2: Tomcat upgrade

Cloudera 5.16.2: Tomcat upgrade