ranger-dev mailing list archives

From "Pradeep Agrawal (Jira)" <j...@apache.org>
Subject [jira] [Commented] (RANGER-2751) SSL enabled Apache Ranger (2.1.0) not working with SSL enabled Presto (Prestosql 310) - Policy synch up not happening
Date Fri, 06 Mar 2020 13:00:00 GMT

    [ https://issues.apache.org/jira/browse/RANGER-2751?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17053397#comment-17053397 ]

Pradeep Agrawal commented on RANGER-2751:
-----------------------------------------

You can try either of the two approaches here:

1) Import the Ranger Admin cert into the JDK cacert of the Presto plugin machine.

or

2) Try to create a trust store and import the Ranger Admin certificate into that trust store
at the plugin end. You might have to use the two properties below and make sure it's reflected
in ranger-*ssl*.site.xml when you enable the Presto plugin.

SSL_TRUSTSTORE_FILE_PATH=/etc/hadoop/conf/ranger-plugin-truststore.jks
SSL_TRUSTSTORE_PASSWORD=none

> SSL enabled Apache Ranger (2.1.0) not working with SSL enabled Presto (Prestosql 310) - Policy synch up not happening
> ----------------------------------------------------------------------------------------------------------------------
>
>                 Key: RANGER-2751
>                 URL: https://issues.apache.org/jira/browse/RANGER-2751
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>    Affects Versions: 2.1.0
>            Reporter: sajai
>            Priority: Major
>             Fix For: 2.1.0
>
>
> *Facing the below error when trying to integrate Apache Ranger with Prestosql (310 version).*
> *Both Ranger and Presto are working independently, but the Presto policies from Ranger are not downloading/refreshing. Couldn't find the policies downloaded in the Ranger web UI in the Audits/Plugin tab. Also, if we remove SSL from the Ranger side it starts working fine. The issue is only when SSL is enabled in Ranger; then Presto is not working with Ranger.*
> 2020-03-04T07:50:59.600-0600 ERROR Thread-91 org.apache.ranger.plugin.util.PolicyRefresher PolicyRefresher(serviceName=presto-catalogs-dev): failed to refresh policies. Will continue to use last known version of policies (-1)
> java.lang.IllegalArgumentException: TrustManager is not specified
> *ranger-2.1.0-SNAPSHOT-admin/install.properties:-*
> db_root_user=root
> db_root_password=Sqlpwd@123
> db_host=localhost
> db_name=ranger
> db_user=rangeradmin
> db_password=Rangerpwd@123
> rangerAdmin_password=Rangerpwd@123
> rangerTagsync_password=Rangerpwd@123
> rangerUsersync_password=Rangerpwd@123
> keyadmin_password=Rangerpwd@123
> policymgr_external_url=https://hostname_ranger:6182
> policymgr_http_enabled=false
> policymgr_https_keystore_file=/opt/iss_cert/clientcert.jks
> policymgr_https_keystore_keyalias=kkkk
> policymgr_https_keystore_password=31b17532aeb4fb5ba3af2bae850567
> unix_user=ranger
> unix_user_pwd=Rangerpwd@123
> unix_group=ranger
> #LDAP|ACTIVE_DIRECTORY|UNIX|NONE
> authentication_method=LDAP
> xa_ldap_url=ldaps://hostname_ldapserver:636
> xa_ldap_userDNpattern=uid=\{0},OU=xxx,DC=xx,DC=cccc,DC=COM
> xa_ldap_groupSearchBase=DC=xxx,DC=ccc,DC=COM
> xa_ldap_groupSearchFilter=(member=cn=\{0},OU=xxx,DC=xx,DC=cccc,DC=COM)
> xa_ldap_groupRoleAttribute=cn
> xa_ldap_base_dn=DC=xx,DC=cccc,DC=COM
> xa_ldap_bind_dn=CN=XXX,OU=XX,DC=xx,DC=cccc,DC=COM
> xa_ldap_bind_password=uBLRxxxxxxxxzVJK
> xa_ldap_referral=follow
> xa_ldap_userSearchFilter=(uid=\{0})
> *With the above values, able to start Ranger with SSL and LDAP enabled and also able to log in successfully with both Unix admin credentials and LDAP credentials.*
>  
> *ranger-2.1.0-SNAPSHOT-presto-plugin/install.properties:-*
> POLICY_MGR_URL=https:/hostname_ranger:6182
> REPOSITORY_NAME=presto-catalogs-dev
> *# You do not need use SSL between agent and security admin tool, please leave these sample value as it is.*
> SSL_KEYSTORE_FILE_PATH=/etc/hadoop/conf/ranger-plugin-keystore.jks
> SSL_KEYSTORE_PASSWORD=none
> SSL_TRUSTSTORE_FILE_PATH=/etc/hadoop/conf/ranger-plugin-truststore.jks
> SSL_TRUSTSTORE_PASSWORD=none
> *keep blank if component user is default*
> CUSTOM_USER=
> *keep blank if component group is default*
> CUSTOM_GROUP=
>  
> *presto-server-310/etc/config.properties:-*
> coordinator=true
> node-scheduler.include-coordinator=true
> http-server.http.enabled=false
> node.internal-address-source=FQDN
> node.internal-address=hostname_presto
> internal-communication.https.required=true
> internal-communication.https.keystore.path=/opt/iss_cert/clientcert.jks
> internal-communication.https.keystore.key=31b17532aeb4fb5ba3af2bae850567
> discovery-server.enabled=true
> discovery.uri=https://hostname_presto:8443
> http-server.authentication.type=PASSWORD,CERTIFICATE
> http-server.https.enabled=true
> http-server.https.port=8443
> http-server.https.keystore.path=/opt/iss_cert/clientcert.jks
> http-server.https.keystore.key=31b17532aeb4fb5ba3af2bae850567



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
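
Option 2 from the comment above, written out as `keytool` commands with a preflight check of the plugin's `install.properties`. This is an added example, not part of the original message or of the Ranger project's scripts; the `ranger-admin` alias, the environment variable names `ADMIN_KS_PASS` / `PLUGIN_TS_PASS`, the certificate file name and all function names are assumptions.

```shell
#!/bin/sh
# Added example. Assumed names: alias "ranger-admin", env vars
# ADMIN_KS_PASS / PLUGIN_TS_PASS, and every function name below.

# Print the value of key $2 from properties file $1 (last assignment wins).
prop() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

# On the Ranger Admin host: export the server certificate (public part only).
# $1 = admin keystore, $2 = key alias, $3 = output PEM file
# The password is read from the environment so it stays off the command line.
export_admin_cert() {
    keytool -exportcert -rfc -alias "$2" -keystore "$1" \
        -storepass:env ADMIN_KS_PASS -file "$3"
}

# On the Presto plugin host: import the certificate into the plugin
# truststore (created if absent), then list the entry so its fingerprint
# can be compared with the one shown on the Ranger Admin host, since
# -noprompt skips keytool's interactive trust confirmation.
# $1 = PEM file, $2 = truststore path
import_admin_cert() {
    keytool -importcert -noprompt -alias ranger-admin -file "$1" \
        -keystore "$2" -storepass:env PLUGIN_TS_PASS &&
    keytool -list -v -alias ranger-admin -keystore "$2" \
        -storepass:env PLUGIN_TS_PASS
}

# Preflight for the plugin's install.properties ($1): the truststore it
# names must exist, be non-empty and be readable by the current user.
check_plugin_ssl() {
    ts=$(prop "$1" SSL_TRUSTSTORE_FILE_PATH)
    [ -n "$ts" ] || { echo "FAIL: SSL_TRUSTSTORE_FILE_PATH is empty"; return 1; }
    [ -s "$ts" ] && [ -r "$ts" ] ||
        { echo "FAIL: truststore missing, empty or unreadable: $ts"; return 1; }
    echo "OK: truststore present: $ts"
}

# Usage: sh this-script /path/to/plugin/install.properties
if [ "$#" -eq 1 ]; then check_plugin_ssl "$1"; fi
```

Run the preflight as the user the Presto server runs as, because a truststore readable by root but not by that user fails the same way as a missing one.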
