ranger-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sailaja Polavarapu (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (RANGER-840) ranger-admin and ranger-usersync does not honour the SSL truststore property
Date Tue, 16 Feb 2016 21:02:18 GMT

    [ https://issues.apache.org/jira/browse/RANGER-840?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15149285#comment-15149285
] 

Sailaja Polavarapu commented on RANGER-840:
-------------------------------------------

Added the combined patch.

> ranger-admin and ranger-usersync does not honour the SSL truststore property
> ----------------------------------------------------------------------------
>
>                 Key: RANGER-840
>                 URL: https://issues.apache.org/jira/browse/RANGER-840
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger, usersync
>    Affects Versions: 0.5.0, 0.5.1
>         Environment: Ranger trying to use AD (running with SSL) for usersync and admin
UI access
>            Reporter: Sailaja Polavarapu
>            Assignee: Sailaja Polavarapu
>             Fix For: 0.6.0
>
>         Attachments: 0001-Ranger-840-Honoring-custom-truststore-configuration-.patch,
0001-Ranger-840-Regenrating-the-patch-with-merging-both-t.patch
>
>
> While configuring the Ranger usersync with AD over SSL , there is an option to specify
the truststore i.e. "ranger.usersync.truststore.file". Even if this property (and its related
password field) is set, the ranger-usersync daemon would not honor it and the usersync will
not work.
> Similar problem can be seen with ranger-admin daemon.
> ERROR:
> ================================
> In case of the error, the stack trace would be something like this:
> 27 Jan 2016 23:51:16 ERROR UserGroupSync [UnixUserSyncThread] - Failed to initialize
UserGroup source/sink. Will retry after 3600000 milliseconds. Error details:
> javax.naming.CommunicationException: simple bind failed: ad01.lab.hortonworks.net:636
[Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable
to find valid certification path to requested target]
>         at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
>         at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2788)
>         at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
>         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
>         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
>         at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
>         at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
>         at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
>         at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
>         at javax.naming.InitialContext.init(InitialContext.java:244)
>         at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
>         at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.createLdapContext(LdapUserGroupBuilder.java:190)
>         at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(LdapUserGroupBuilder.java:304)
>         at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
>         at java.lang.Thread.run(Thread.java:745)
> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable
to find valid certification path to requested target
>         at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>         at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
>         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
>         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>         at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
>         at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
>         at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
>         at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
>         at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
>         at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
>         at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747)
>         at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
>         at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
>         at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
>         at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:426)
>         at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:399)
>         at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359)
>         at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
>         ... 14 more
> Steps to RE-CREATE:
> ==========================================
> 1. Have an Active Directory working over SSL. Copy the SSL certificate (say, ad.cert)
of AD on ranger node.
> 2. Import the AD certificate into truststore (remember the password set here)
> $JAVA_HOME/bin/keytool -import -trustcacerts -alias root -file /etc/pki/tls/certs/ad.cert
-keystore /usr/hdp/current/ranger-usersync/userSyncCACerts
> 3. Install & configure Ranger. In the usersync and admin authentication, select 'Active
Directory' and give all the required parameters.
> 4. Also, locate the "ranger.usersync.truststore.file" property in the config and give
the keystore path & password from step#2.
> 5. Restart Ranger daemons.
> 6. Check the usersync log for the above stack trace.
> WORKAROUND:
> ==================================
> To make ranger-usersync work with SSL truststore, one need to manually specify the truststore
path in the /usr/hdp/current/ranger-usersync/ranger-usersync-services.sh script using the
"-Djavax.net.ssl.trustStore=" flag.
> Then restart the usersync daemon "manually".
> # diff ranger-usersync-services.sh.orig ranger-usersync-services.sh
> 67c67
> < 	nohup java -Dproc_rangerusersync -Dlog4j.configuration=file:/etc/ranger/usersync/conf/log4j.xml
${JAVA_OPTS} -Dlogdir="${logdir}" -cp "${cp}" org.apache.ranger.authentication.UnixAuthenticationService
-enableUnixAuth > ${logdir}/auth.log 2>&1 &
> ---
> > 	nohup java -Dproc_rangerusersync* -Djavax.net.ssl.trustStore=/usr/hdp/current/ranger-usersync/userSyncCACerts
*-Dlog4j.configuration=file:/etc/ranger/usersync/conf/log4j.xml ${JAVA_OPTS} -Dlogdir="${logdir}"
-cp "${cp}" org.apache.ranger.authentication.UnixAuthenticationService -enableUnixAuth >
${logdir}/auth.log 2>&1 &
> On the other hand, the ranger-admin daemon will not give any error in the log file but
it won't allow AD user either. To get the same error stack, one need to enable debug log level
for ranger-admin.
> For ranger-admin, the file to edit would be : /usr/hdp/current/ranger-admin/ews/ranger-admin-services.sh.
> # diff ranger-admin-services.sh.orig ranger-admin-services.sh
> 56c56
> < 	java -Dproc_rangeradmin ${JAVA_OPTS} -Dlogdir=${XAPOLICYMGR_EWS_DIR}/logs/ -Dcatalina.base=${XAPOLICYMGR_EWS_DIR}
-cp "${XAPOLICYMGR_EWS_DIR}/webapp/WEB-INF/classes/conf:${XAPOLICYMGR_EWS_DIR}/lib/*:${RANGER_JAAS_LIB_DIR}/*:${RANGER_JAAS_CONF_DIR}:${JAVA_HOME}/lib/*:$CLASSPATH"
org.apache.ranger.server.tomcat.EmbeddedServer > logs/catalina.out 2>&1 &
> ---
> > 	java -Dproc_rangeradmin ${JAVA_OPTS} -Djavax.net.ssl.trustStore=/usr/hdp/current/ranger-usersync/userSyncCACerts
-Dlogdir=${XAPOLICYMGR_EWS_DIR}/logs/ -Dcatalina.base=${XAPOLICYMGR_EWS_DIR} -cp "${XAPOLICYMGR_EWS_DIR}/webapp/WEB-INF/classes/conf:${XAPOLICYMGR_EWS_DIR}/lib/*:${RANGER_JAAS_LIB_DIR}/*:${RANGER_JAAS_CONF_DIR}:${JAVA_HOME}/lib/*:$CLASSPATH"
org.apache.ranger.server.tomcat.EmbeddedServer > logs/catalina.out 2>&1 &



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message