Member since 10-21-2016

11 Posts | 2 Kudos Received | 2 Solutions

My Accepted Solutions

| Title | Views | Posted |
|---|---|---|
| | 2132 | 12-21-2016 02:47 PM |
| | 7317 | 10-26-2016 07:08 PM |
			
    
	
		
		
01-30-2017 06:25 PM

@apappu

That was the hint I needed. It appears I had a keystore set for my HDFS ranger truststore. So no matter what I did, I would be unable to fix it. Once I corrected that issue, I see my namenode pulling the policy. Glad it was something stupid.

Nick
						
					
01-30-2017 04:43 PM
1 Kudo

Hello,

After rolling out SSL to the Ranger Admin Page, I noticed my policy changes weren't syncing with the name nodes. I found I needed to set up the plugin for SSL. I followed these procedures (https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.0/bk_security/content/ch04s19s02s04s01.html) and had nothing. After looking at the namenode logs I see the error message saying:

com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
        at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:149)

I am not quite sure where else to look.

Nick
						
					
Labels: Apache Hadoop, Apache Ranger

12-21-2016 02:47 PM

@Ryan Cicak

After staring at this with a Hortonworks engineer (who was onsite for an unrelated reason), we figured out the problem. The whole time Ranger KMS was doing its job, but I had enabled compression on my mapper outputs with these changes:

mapreduce.map.output.compress  true
mapreduce.output.fileoutputformat.compress  true

When I pulled the outputs of my sqoop job they looked like binary, but in reality they were just compressed. After deflating them everything is working correctly.

Nick
						
					
12-08-2016 02:11 PM
1 Kudo

Hello,

I have been trying to pull some data from our SQL Server into hdfs via sqoop. The destination point is an encrypted zone (/secure/). The files are written and when I pull the files with hdfs dfs -get /secure/[folder imported] I am getting gibberish when I open the files. My first thought was I couldn't decrypt the file, but when I look at the audit logs in Ranger, I am seeing the access type decrypteek for my user on the read and the write. Below is the sqoop query. Any insights would be great.

sqoop import \
  -D sqoop.test.import.rootDir=hdfs://popul/secure/ \
  --target-dir hdfs://popul/secure/intest/ \
  --connect "jdbc:sqlserver://[serverip]:1433;database=[database]" \
  --username [sqoopuser] \
  --password [password] \
  --table S_Elg \
  --fields-terminated-by "|" \
  --columns "col1, col2, col3" \
  --split-by ElgKey \
  -- --schema ACC

P.S. when I run this query in a non-encrypted zone, everything works as expected.

Nick
						
					
10-26-2016 07:08 PM

Well I completely screwed this up. After that previous step it was working except my AD bind user had been locked out by my AD policy. So I completely started over by removing ranger and reinstalling it. After that I looked at Ancil's guide for setting up the trust store and when I restarted ranger it synced all of the users.

Thanks everyone for pointing me toward the solution.

Nick
						
					
10-25-2016 06:36 PM

OK, I did screw that up a bit, by following Ancil's answer here: https://community.hortonworks.com/questions/1018/how-to-configure-ranger-usync-for-ldap-ssl.html

I have imported my CA and my AD servers' certificates into the java trust store and changed ranger to look at that trust store. At this point it feels so close to being correct. Here is the updated error message. It looks like a certificate issue, but I am not sure:

25 Oct 2016 15:36:43  INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization completed with --  ldapUrl: ldaps://popul-abead01.ad.populytics.com:636,  ldapBindDn: CN=Hadoop Bind,OU=Service Accounts,OU=Healthcare Analytics,DC=ad,DC=populytics,DC=com,  ldapBindPassword: ***** ,  ldapAuthenticationMechanism: simple,  searchBase: OU=Healthcare Analytics,DC=ad,DC=populytics,DC=com,  userSearchBase: [OU=Healthcare Analytics,DC=ad,DC=populytics,DC=com],  userSearchScope: 2,  userObjectClass: user,  userSearchFilter: ,  extendedUserSearchFilter: (objectclass=user),  userNameAttribute: sAMAccountName,  userSearchAttributes: [sAMAccountName, memberof, ismemberof],  userGroupNameAttributeSet: [memberof, ismemberof],  pagedResultsEnabled: true,  pagedResultsSize: 500,  groupSearchEnabled: false,  groupSearchBase: [OU=Healthcare Analytics,DC=ad,DC=populytics,DC=com],  groupSearchScope: 2,  groupObjectClass: group,  groupSearchFilter: member=cn=(0),OU=Healthcare Analytics,DC=ad,DC=populytics,DC=com,  extendedGroupSearchFilter: (&(objectclass=group)(member=cn=(0),OU=Healthcare Analytics,DC=ad,DC=populytics,DC=com)(|(member={0})(member={1}))),  extendedAllGroupsSearchFilter: (&(objectclass=group)(member=cn=(0),OU=Healthcare Analytics,DC=ad,DC=populytics,DC=com)),  groupMemberAttributeName: member,  groupNameAttribute: cn, groupSearchAttributes: [member, cn],  groupUserMapSyncEnabled: true, groupSearchFirstEnabled: false, userSearchEnabled: false,  ldapReferral: ignore
25 Oct 2016 15:36:43  INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink
25 Oct 2016 15:36:43  INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder updateSink started
25 Oct 2016 15:36:43  INFO LdapUserGroupBuilder [UnixUserSyncThread] - Performing user search first
25 Oct 2016 15:36:44 ERROR LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder.getUsers() failed with exception: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data 775, v2580]; remaining name 'OU=Healthcare Analytics,DC=ad,DC=populytics,DC=com'
25 Oct 2016 15:36:44  INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder.getUsers() user count: 0
25 Oct 2016 15:36:44  INFO UserGroupSync [UnixUserSyncThread] - End: initial load of user/group from source==>sink
25 Oct 2016 15:36:44  INFO UserGroupSync [UnixUserSyncThread] - Done initializing user/group source and sink

Thanks,
Nick
						
					
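An added example (not part of the original posts, and not Ranger code): a small triage script for the three failure signatures that appear in the logs on this page. An LDAP result code 49 is returned by the directory server after the TLS session is already up, so it concerns the bind account rather than the truststore, and the Active Directory `data` sub-code says why the bind was refused. The sample lines are constructed on the model of the logs above, the truststore path in them is a placeholder, and the function names are hypothetical.

```python
import re

# Active Directory sub-codes carried in the "data" field of an
# LDAP error 49 bind failure (AcceptSecurityContext error).
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

LDAP_ERR = re.compile(r"LDAP: error code (\d+) - .*?\bdata ([0-9a-fA-F]+)\b")
KEYSTORE_ERR = re.compile(r"Unable to obtain keystore from file \[([^\]]*)\]")
TRUST_ERR = "No trusted certificate found"


def classify(line):
    """Return (category, detail) for a known failure line, else None."""
    m = LDAP_ERR.search(line)
    if m:
        code, sub = m.group(1), m.group(2).lower()
        if code == "49":
            # The server answered the bind, so TLS trust already succeeded.
            return ("ad-bind", AD_BIND_SUBCODES.get(sub, "unknown sub-code " + sub))
        return ("ldap", "error code " + code)
    m = KEYSTORE_ERR.search(line)
    if m:
        # The truststore file could not be opened: path or permissions.
        return ("truststore-file", m.group(1))
    if TRUST_ERR in line:
        # The file loaded, but no entry in it vouches for the server chain.
        return ("tls-trust", "server certificate chain not in truststore")
    return None


def triage(lines):
    """Classify every line and keep only the recognised failures."""
    return [r for r in map(classify, lines) if r is not None]


# Constructed sample input; /etc/example/truststore.jks is a placeholder path.
SAMPLE_LOG = [
    "25 Oct 2016 11:19:32  INFO LdapUserGroupBuilder [UnixUserSyncThread] - Performing user search first",
    "25 Oct 2016 11:19:32 ERROR CustomSSLSocketFactory [UnixUserSyncThread] - "
    "Unable to obtain keystore from file [/etc/example/truststore.jks]",
    "javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: "
    "No trusted certificate found",
    "25 Oct 2016 15:36:44 ERROR LdapUserGroupBuilder [UnixUserSyncThread] - getUsers() failed: "
    "javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: "
    "DSID-0C0903D9, comment: AcceptSecurityContext error, data 775, v2580]",
]

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(category + ": " + detail)
```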
				
			
			
			
			
			
			
			
			
			
		
			
    
	
		
		
10-25-2016 03:29 PM

@PradeeP AgrawaL

I just double checked my property and it is there. I restarted the service and now have the log below:

25 Oct 2016 11:19:32  INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization completed with --  ldapUrl: ldaps://popul-abead01.ad.populytics.com:636,  ldapBindDn: CN=Hadoop Bind,OU=Service Accounts,OU=Healthcare Analytics,DC=ad,DC=populytics,DC=com,  ldapBindPassword: ***** ,  ldapAuthenticationMechanism: simple,  searchBase: OU=Healthcare Analytics,DC=ad,DC=populytics,DC=com,  userSearchBase: [OU=Healthcare Analytics,DC=ad,DC=populytics,DC=com],  userSearchScope: 2,  userObjectClass: user,  userSearchFilter: ,  extendedUserSearchFilter: (objectclass=user),  userNameAttribute: sAMAccountName,  userSearchAttributes: [sAMAccountName, memberof, ismemberof],  userGroupNameAttributeSet: [memberof, ismemberof],  pagedResultsEnabled: true,  pagedResultsSize: 500,  groupSearchEnabled: false,  groupSearchBase: [OU=Healthcare Analytics,DC=ad,DC=populytics,DC=com],  groupSearchScope: 2,  groupObjectClass: group,  groupSearchFilter: member=cn=(0),OU=Healthcare Analytics,DC=ad,DC=populytics,DC=com,  extendedGroupSearchFilter: (&(objectclass=group)(member=cn=(0),OU=Healthcare Analytics,DC=ad,DC=populytics,DC=com)(|(member={0})(member={1}))),  extendedAllGroupsSearchFilter: (&(objectclass=group)(member=cn=(0),OU=Healthcare Analytics,DC=ad,DC=populytics,DC=com)),  groupMemberAttributeName: member,  groupNameAttribute: cn, groupSearchAttributes: [member, cn],  groupUserMapSyncEnabled: true, groupSearchFirstEnabled: false, userSearchEnabled: false,  ldapReferral: ignore
25 Oct 2016 11:19:32  INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink
25 Oct 2016 11:19:32  INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder updateSink started
25 Oct 2016 11:19:32  INFO LdapUserGroupBuilder [UnixUserSyncThread] - Performing user search first
25 Oct 2016 11:19:32 ERROR CustomSSLSocketFactory [UnixUserSyncThread] - Unable to obtain keystore from file [/usr/hdp/current/ranger-usersync/conf/mytruststore.jks]
25 Oct 2016 11:19:32 ERROR UserGroupSync [UnixUserSyncThread] - Failed to initialize UserGroup source/sink. Will retry after 3600000 milliseconds. Error details:
javax.naming.CommunicationException: popul-abead01.ad.populytics.com:636 [Root exception is java.lang.NullPointerException]
        at com.sun.jndi.ldap.Connection.<init>(Connection.java:216)
        at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
        at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1614)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2746)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
        at javax.naming.InitialContext.init(InitialContext.java:244)
        at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
        at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.createLdapContext(LdapUserGroupBuilder.java:147)
        at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.getUsers(LdapUserGroupBuilder.java:377)
        at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(LdapUserGroupBuilder.java:302)
        at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
        at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.NullPointerException
        at org.apache.ranger.ldapusersync.process.CustomSSLSocketFactory.createSocket(CustomSSLSocketFactory.java:138)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at com.sun.jndi.ldap.Connection.createSocket(Connection.java:328)
        at com.sun.jndi.ldap.Connection.<init>(Connection.java:203)
        ... 17 more

So that looks correct there. To your point, my AD does require a certificate. I have installed our CA certificate as a trust root certificate, but as I am thinking about this, do I also need to add my CA or AD cert into the ranger truststore?

Nick
						
					
10-25-2016 02:10 PM

Thanks for the quick reply. You both were right, there is another exception right below it:

21 Oct 2016 00:09:05  INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization completed with --  ldapUrl: ldaps://popul-abead01.ad.populytics.com:636,  ldapBindDn: CN=Hadoop Bind,OU=Service Accounts,OU=Healthcare Analytics,DC=ad,DC=populytics,DC=com,  ldapBindPassword: ***** ,  ldapAuthenticationMechanism: simple,  searchBase: OU=Healthcare Analytics,DC=ad,DC=populytics,DC=com,  userSearchBase: [OU=Healthcare Analytics,DC=ad,DC=populytics,DC=com],  userSearchScope: 2,  userObjectClass: user,  userSearchFilter: ,  extendedUserSearchFilter: (objectclass=user),  userNameAttribute: sAMAccountName,  userSearchAttributes: [sAMAccountName],  userGroupNameAttributeSet: null,  pagedResultsEnab
21 Oct 2016 00:09:05  INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink
21 Oct 2016 00:09:05  INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder updateSink started
21 Oct 2016 00:09:05  INFO LdapUserGroupBuilder [UnixUserSyncThread] - Performing user search first
21 Oct 2016 00:09:05 ERROR CustomSSLSocketFactory [UnixUserSyncThread] - Unable to obtain keystore from file [/usr/hdp/current/ranger-usersync/conf/my$
javax.naming.CommunicationException: popul-abead01.ad.populytics.com:636 [Root exception is java.lang.NullPointerException]
        at com.sun.jndi.ldap.Connection.<init>(Connection.java:216)
        at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
        at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1614)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2746)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
        at javax.naming.InitialContext.init(InitialContext.java:244)
        at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
        at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.createLdapContext(LdapUserGroupBuilder.java:147)
        at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.getUsers(LdapUserGroupBuilder.java:377)
        at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(LdapUserGroupBuilder.java:302)
        at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
        at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.NullPointerException
        at org.apache.ranger.ldapusersync.process.CustomSSLSocketFactory.createSocket(CustomSSLSocketFactory.java:138)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at com.sun.jndi.ldap.Connection.createSocket(Connection.java:328)
        at com.sun.jndi.ldap.Connection.<init>(Connection.java:203)
        ... 17 more

The source of the user sync is Active Directory.

Let me know if I can provide any other details.

Thanks,
Nick
						
					
10-25-2016 12:56 PM

Hello,

While setting up Ranger on our Kerberized cluster (HDP 2.5.0.0, Ranger 0.6.0), I am seeing the user sync is not working. When looking at the logs I am seeing the following error message:

21 Oct 2016 00:09:05  INFO UserGroupSync [UnixUserSyncThread] - initializing sink: org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder
21 Oct 2016 00:09:05  INFO PolicyMgrUserGroupBuilder [UnixUserSyncThread] - Using principal = rangerusersync/popul-vmmn01.inetuhosted.net@AD.POPULYTICS.COM and keytab = /etc/security/keytabs/rangerusersync.service.keytab
21 Oct 2016 00:09:05  INFO AbstractMapper [UnixUserSyncThread] - Initializing for ranger.usersync.mapping.username.regex
21 Oct 2016 00:09:05  INFO AbstractMapper [UnixUserSyncThread] - Initializing for ranger.usersync.mapping.groupname.regex
21 Oct 2016 00:09:05  INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder created
21 Oct 2016 00:09:05  INFO UserGroupSync [UnixUserSyncThread] - initializing source: org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
21 Oct 2016 00:09:05  INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization started
21 Oct 2016 00:09:05  WARN FSInputChecker [UnixUserSyncThread] - Problem opening checksum file: file:/usr/hdp/current/ranger-usersync/conf/ugsync.jceks.  Ignoring exception:
java.io.FileNotFoundException: /usr/hdp/current/ranger-usersync/conf/.ugsync.jceks.crc (Permission denied)
        at java.io.FileInputStream.open0(Native Method)
        at java.io.FileInputStream.open(FileInputStream.java:195)
        at java.io.FileInputStream.<init>(FileInputStream.java:138)
        at org.apache.hadoop.fs.RawLocalFileSystem$LocalFSFileInputStream.<init>(RawLocalFileSystem.java:111)
        at org.apache.hadoop.fs.RawLocalFileSystem.open(RawLocalFileSystem.java:215)
        at org.apache.hadoop.fs.ChecksumFileSystem$ChecksumFSInputChecker.<init>(ChecksumFileSystem.java:152)
        at org.apache.hadoop.fs.ChecksumFileSystem.open(ChecksumFileSystem.java:348)
        at org.apache.hadoop.fs.FileSystem.open(FileSystem.java:782)
        at org.apache.hadoop.security.alias.JavaKeyStoreProvider.getInputStreamForFile(JavaKeyStoreProvider.java:70)
        at org.apache.hadoop.security.alias.AbstractJavaKeyStoreProvider.<init>(AbstractJavaKeyStoreProvider.java:107)
        at org.apache.hadoop.security.alias.JavaKeyStoreProvider.<init>(JavaKeyStoreProvider.java:49)
        at org.apache.hadoop.security.alias.JavaKeyStoreProvider.<init>(JavaKeyStoreProvider.java:41)
        at org.apache.hadoop.security.alias.JavaKeyStoreProvider$Factory.createProvider(JavaKeyStoreProvider.java:100)
        at org.apache.hadoop.security.alias.CredentialProviderFactory.getProviders(CredentialProviderFactory.java:58)
        at org.apache.ranger.credentialapi.CredentialReader.getDecryptedString(CredentialReader.java:59)
        at org.apache.ranger.unixusersync.config.UserGroupSyncConfig.getLdapBindPassword(UserGroupSyncConfig.java:541)
        at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.setConfig(LdapUserGroupBuilder.java:174)
        at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.init(LdapUserGroupBuilder.java:135)
        at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:55)
        at java.lang.Thread.run(Thread.java:745)

I am sure I am missing some step in the install process, but I am not sure quite what it is. Any help would be greatly appreciated.

Thanks,
Nick
						
					
Labels: Apache Ranger