ranger-dev mailing list archives

From "Anirudh (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (RANGER-536) Test connection fails with SSL error when setting up knox repository
Date Fri, 02 Jun 2017 16:10:04 GMT

    [ https://issues.apache.org/jira/browse/RANGER-536?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16033945#comment-16033945 ]

Anirudh edited comment on RANGER-536 at 6/2/17 4:10 PM:
--------------------------------------------------------

Hi,
I followed the steps mentioned in RANGER-355. I'm using the CN printed from the certificate
in the place of <host> in the following https://<host>:8443/gateway/admin/api/v1/topologies/

However, I'm not sure what values to enter for username and password while creating the service.
When I click Test-Connection, I'm getting this error:

"Connection Failed.
Unable to retrieve any topologies/services using given parameters. You can still save the
repository and start creating policies, but you would not be able to use autocomplete for
resource names. Check ranger_admin.log for more info."

and the ranger_admin.log contains
"ERROR org.apache.ranger.plugin.util.PasswordUtils (PasswordUtils.java:156) - Unable to decrypt password due to error
javax.crypto.IllegalBlockSizeException: Input length must be multiple of 8 when decrypting with padded cipher
        at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:922)
        at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:833)
        at com.sun.crypto.provider.PBES1Core.doFinal(PBES1Core.java:416)
        at com.sun.crypto.provider.PBEWithMD5AndDESCipher.engineDoFinal(PBEWithMD5AndDESCipher.java:316)
        at javax.crypto.Cipher.doFinal(Cipher.java:2165)
        at org.apache.ranger.plugin.util.PasswordUtils.decryptPassword(PasswordUtils.java:141)
        at org.apache.ranger.services.knox.client.KnoxClient.getTopologyList(KnoxClient.java:79)
        at org.apache.ranger.services.knox.client.KnoxClient$2.call(KnoxClient.java:406)
        at org.apache.ranger.services.knox.client.KnoxClient$2.call(KnoxClient.java:402)
        at org.apache.ranger.services.knox.client.KnoxClient.timedTask(KnoxClient.java:431)
        at org.apache.ranger.services.knox.client.KnoxClient.getKnoxResources(KnoxClient.java:410)
        at org.apache.ranger.services.knox.client.KnoxClient.connectionTest(KnoxClient.java:315)
        at org.apache.ranger.services.knox.client.KnoxResourceMgr.validateConfig(KnoxResourceMgr.java:42)
        at org.apache.ranger.services.knox.RangerServiceKnox.validateConfig(RangerServiceKnox.java:56)
        at org.apache.ranger.biz.ServiceMgr$ValidateCallable.actualCall(ServiceMgr.java:560)
        at org.apache.ranger.biz.ServiceMgr$ValidateCallable.actualCall(ServiceMgr.java:547)
        at org.apache.ranger.biz.ServiceMgr$TimedCallable.call(ServiceMgr.java:508)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
>>> INFO  apache.ranger.services.knox.client.KnoxClient (KnoxClient.java:81) - Password decryption failed; trying knox connection with received password string
>>> ERROR apache.ranger.services.knox.client.KnoxClient (KnoxClient.java:131) - Got invalid REST response from: https://<host>:8443/gateway/admin/api/v1/topologies/, responseStatus: 401"

Could you please help me?


was (Author: ajonnadula@cray.com):
Hi,
I followed the steps mentioned in RANGER-355. I'm using the CN printed from the certificate
in the place of <host> in the following https://<host>:8443/gateway/admin/api/v1/topologies/

However, I'm not sure what values to enter for username and password while creating the service.
When I click Test-Connection, I'm getting this error:

"Connection Failed.
Unable to retrieve any topologies/services using given parameters. You can still save the
repository and start creating policies, but you would not be able to use autocomplete for
resource names. Check ranger_admin.log for more info."

and the ranger_admin.log contains
"ERROR org.apache.ranger.plugin.util.PasswordUtils (PasswordUtils.java:156) - Unable to decrypt password due to error
javax.crypto.IllegalBlockSizeException: Input length must be multiple of 8 when decrypting with padded cipher
        at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:922)
        at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:833)
        at com.sun.crypto.provider.PBES1Core.doFinal(PBES1Core.java:416)
        at com.sun.crypto.provider.PBEWithMD5AndDESCipher.engineDoFinal(PBEWithMD5AndDESCipher.java:316)
        at javax.crypto.Cipher.doFinal(Cipher.java:2165)
        at org.apache.ranger.plugin.util.PasswordUtils.decryptPassword(PasswordUtils.java:141)
        at org.apache.ranger.services.knox.client.KnoxClient.getTopologyList(KnoxClient.java:79)
        at org.apache.ranger.services.knox.client.KnoxClient$2.call(KnoxClient.java:406)
        at org.apache.ranger.services.knox.client.KnoxClient$2.call(KnoxClient.java:402)
        at org.apache.ranger.services.knox.client.KnoxClient.timedTask(KnoxClient.java:431)
        at org.apache.ranger.services.knox.client.KnoxClient.getKnoxResources(KnoxClient.java:410)
        at org.apache.ranger.services.knox.client.KnoxClient.connectionTest(KnoxClient.java:315)
        at org.apache.ranger.services.knox.client.KnoxResourceMgr.validateConfig(KnoxResourceMgr.java:42)
        at org.apache.ranger.services.knox.RangerServiceKnox.validateConfig(RangerServiceKnox.java:56)
        at org.apache.ranger.biz.ServiceMgr$ValidateCallable.actualCall(ServiceMgr.java:560)
        at org.apache.ranger.biz.ServiceMgr$ValidateCallable.actualCall(ServiceMgr.java:547)
        at org.apache.ranger.biz.ServiceMgr$TimedCallable.call(ServiceMgr.java:508)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
>>> INFO  apache.ranger.services.knox.client.KnoxClient (KnoxClient.java:81) - Password decryption failed; trying knox connection with received password string
>>> ERROR apache.ranger.services.knox.client.KnoxClient (KnoxClient.java:131) - Got invalid REST response from: https://zeno-login1.us.cray.com:8443/gateway/admin/api/v1/topologies/, responseStatus: 401"

Could you please help me?

> Test connection fails with SSL error when setting up knox repository
> --------------------------------------------------------------------
>
>                 Key: RANGER-536
>                 URL: https://issues.apache.org/jira/browse/RANGER-536
>             Project: Ranger
>          Issue Type: Bug
>          Components: admin
>    Affects Versions: 0.4.0
>         Environment: Debian 6, HDP 2.2
>            Reporter: phanikumar
>            Priority: Minor
>             Fix For: 0.5.4
>
>
> I have set up Knox with a self-signed cert.  When creating a Knox repository in the Ranger admin web UI the "Test Connection" button produces this error:
> ======
> Connection Failed.
> Exception on REST call to KnoxUrl : https://myhost.mydomain.com:8443/gateway/admin/api/v1/topologies. You can still save the repository and start creating policies, but you would not be able to use autocomplete for resource names. Check xa_portal.log for more info.
> javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching myhost.mydomain.com found.
> java.security.cert.CertificateException: No name matching <host> found.
> No name matching myhost.mydomain.com found.
> ======
> Ranger policies for Knox can still be created and they work.
> Additional error messages from xa_portal.log:
> 2015-03-31 15:45:27,849 [http-bio-6080-exec-2] ERROR com.xasecure.biz.AssetMgr (AssetMgr.java:1566) - Unable to get knox resources.
> com.xasecure.hadoop.client.exceptions.HadoopException: Exception on REST call to KnoxUrl : https://myhost.mydomain.com:8443/gateway/admin/api/v1/topologies.
> 	at com.xasecure.knox.client.KnoxClient.getServiceList(KnoxClient.java:223)
> 	at com.xasecure.biz.AssetMgr$7.call(AssetMgr.java:1547)
> 	at com.xasecure.biz.AssetMgr$7.call(AssetMgr.java:1544)
> 	at com.xasecure.common.TimedEventUtil.timedTask(TimedEventUtil.java:51)
> 	at com.xasecure.biz.AssetMgr.getKnoxResources(AssetMgr.java:1562)
> 	at com.xasecure.biz.AssetMgr.getKnoxResources(AssetMgr.java:1524)
> 	at com.xasecure.rest.AssetREST.pullKnoxResources(AssetREST.java:381)
> 	at com.xasecure.rest.AssetREST$$FastClassByCGLIB$$90363ab.invoke(<generated>)
> 	at net.sf.cglib.proxy.MethodProxy.invoke(MethodProxy.java:191)
> 	at org.springframework.aop.framework.Cglib2AopProxy$CglibMethodInvocation.invokeJoinpoint(Cglib2AopProxy.java:689)
> 	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
> 	at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:110)
> 	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
> 	at org.springframework.aop.framework.Cglib2AopProxy$DynamicAdvisedInterceptor.intercept(Cglib2AopProxy.java:622)
> 	at com.xasecure.rest.AssetREST$$EnhancerByCGLIB$$6b3c72e7.pullKnoxResources(<generated>)
> 	at sun.reflect.GeneratedMethodAccessor87.invoke(Unknown Source)
> 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> 	at java.lang.reflect.Method.invoke(Method.java:606)
> 	at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:168)
> 	at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:70)
> 	at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:279)
> 	at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:136)
> 	at com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:86)
> 	at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:136)
> 	at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:74)
> 	at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1357)
> 	at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1289)
> 	at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1239)
> 	at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1229)
> 	at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:420)
> 	at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:497)
> 	at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:684)
> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
> 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
> 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
> 	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
> 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
> 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
> 	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
> 	at com.xasecure.security.web.filter.XASecurityContextFormationFilter.doFilter(XASecurityContextFormationFilter.java:134)
> 	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
> 	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
> 	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
> 	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
> 	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
> 	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
> 	at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
> 	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
> 	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
> 	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
> 	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
> 	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
> 	at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
> 	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
> 	at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
> 	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
> 	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:183)
> 	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
> 	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
> 	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
> 	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
> 	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
> 	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
> 	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
> 	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
> 	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
> 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
> 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
> 	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
> 	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
> 	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
> 	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
> 	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
> 	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
> 	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
> 	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
> 	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
> 	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
> 	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
> 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> 	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> 	at java.lang.Thread.run(Thread.java:745)
> Caused by: com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching myhost.mydomain.com found
> 	at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:131)
> 	at com.sun.jersey.api.client.filter.HTTPBasicAuthFilter.handle(HTTPBasicAuthFilter.java:81)
> 	at com.sun.jersey.api.client.Client.handle(Client.java:616)
> 	at com.sun.jersey.api.client.WebResource.handle(WebResource.java:559)
> 	at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:72)
> 	at com.sun.jersey.api.client.WebResource$Builder.get(WebResource.java:454)
> 	at com.xasecure.knox.client.KnoxClient.getServiceList(KnoxClient.java:173)
> 	... 82 more
> Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching myhost.mydomain.com found
> 	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> 	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
> 	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
> 	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
> 	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
> 	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
> 	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
> 	at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
> 	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
> 	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
> 	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
> 	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
> 	at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
> 	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
> 	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1300)
> 	at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:468)
> 	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:338)
> 	at com.sun.jersey.client.urlconnection.URLConnectionClientHandler._invoke(URLConnectionClientHandler.java:218)
> 	at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:129)
> 	... 88 more
> Caused by: java.security.cert.CertificateException: No name matching myhost.mydomain.com found
> 	at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:208)
> 	at sun.security.util.HostnameChecker.match(HostnameChecker.java:93)
> 	at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:347)
> 	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:203)
> 	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
> 	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
> 	... 102 more



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
