ranger-dev mailing list archives

From "David Berger (Jira)" <j...@apache.org>
Subject [jira] [Updated] (RANGER-2604) Can't connect to Presto Pugin when TLS is enabled on Presto
Date Sun, 06 Oct 2019 08:18:00 GMT

     [ https://issues.apache.org/jira/browse/RANGER-2604?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Berger updated RANGER-2604:
---------------------------------
    Description: 
We are running Presto with TLS enabled [https://prestosql.github.io/docs.prestosql.io/current/security/tls.html#server-java-keystore]

 

When connecting to Presto via a JDBC client it works fine by enabling SSL and passing the
trust store details like below

jdbc:presto://edl-hr-pr-ldap-presto.az.gdp-bigdata1.gdpdentsu.net:443/hive/default?SSL=true&SSLTrustStorePath=/Users/david.berger/git/tactical-edl-hr/presto/edl-hr-keystore-coordinator_trust.jks&SSLTrustStorePassword=turstpass123

 

But using the same connection string when setting up the Presto Repo in Ranger it doesn't
work because Ranger assumes you're running Kerberos now, which isn't right.

 

*See the Ranger REST call we use to create the repo below:*

curl -iv -u ${RANGER_ADMIN_USER}:${RANGER_ADMIN_PWD} -H "Content-Type: application/json" \
  -d '{"configs": {"username": "LDAPADM", "password": "<PASSWORD>", "jdbc.driverClassName": "io.prestosql.jdbc.PrestoDriver", "jdbc.url": "jdbc:presto://edl-hr-pr-ldap-presto.az.gdp-bigdata1.gdpdentsu.net:443/hive/default?SSL=true&SSLTrustStorePath=/plugins_tls/edl-hr-keystore-coordinator_trust.jks&SSLTrustStorePassword=turstpass123"}, "description": "PrestoTestRepo", "isEnabled": true, "name": "PrestoTestRepo", "type": "presto", "version": 1 }' \
  -X POST ${URL}/service/public/v2/api/service

 

*The error in the Ranger log preventing us from logging in:*

2019-10-06 07:47:44,562 [timed-executor-pool-0] WARN org.apache.hadoop.security.SecureClientLogin (SecureClientLogin.java:126) - Can't find keyTab Path : null
2019-10-06 07:47:44,562 [timed-executor-pool-0] WARN org.apache.hadoop.security.SecureClientLogin (SecureClientLogin.java:130) - Can't find principal : null
2019-10-06 07:47:44,567 [timed-executor-pool-0] INFO org.apache.ranger.plugin.client.BaseClient (BaseClient.java:126) - Init Login: security not enabled, using username

 

  was:
We are running Presto with TLS enabled [https://prestosql.github.io/docs.prestosql.io/current/security/tls.html#server-java-keystore]

 

When connecting to Presto via a JDBC client it works fine by enabling SSL and passing the
trust store details like below

jdbc:presto://edl-hr-pr-ldap-presto.az.gdp-bigdata1.gdpdentsu.net:443/hive/default?SSL=true&SSLTrustStorePath=/Users/david.berger/git/tactical-edl-hr/presto/edl-hr-keystore-coordinator_trust.jks&SSLTrustStorePassword=turstpass123

 

But using the same connection string when setting up the Presto Repo in Ranger it doesn't
work because Ranger assumes you're running Kerberos now, which isn't right.

 

*See the Ranger REST call we use to create the repo below:*

curl -iv -u ${RANGER_ADMIN_USER}:${RANGER_ADMIN_PWD} -H "Content-Type: application/json" \
  -d '{"configs": {"username": "LDAPADM", "password": "<PASSWORD>", "jdbc.driverClassName": "io.prestosql.jdbc.PrestoDriver", "jdbc.url": "jdbc:presto://edl-hr-pr-ldap-presto.az.gdp-bigdata1.gdpdentsu.net:443/hive/default?SSL=true&SSLTrustStorePath=/plugins_tls/edl-hr-keystore-coordinator_trust.jks&SSLTrustStorePassword=turstpass123"}, "description": "PrestoTestRepo", "isEnabled": true, "name": "PrestoTestRepo", "type": "presto", "version": 1 }' \
  -X POST ${URL}/service/public/v2/api/service

 

*The error in the Ranger log preventing us from logging in:*

019-10-06 07:47:44,562 [timed-executor-pool-0] WARN  org.apache.hadoop.security.SecureClientLogin (SecureClientLogin.java:126) - *Can't find keyTab Path : null*
019-10-06 07:47:44,562 [timed-executor-pool-0] WARN  org.apache.hadoop.security.SecureClientLogin (SecureClientLogin.java:126) - *Can't find keyTab Path : null*
2019-10-06 07:47:44,562 [timed-executor-pool-0] WARN  org.apache.hadoop.security.SecureClientLogin (SecureClientLogin.java:130) - Can't find principal : null
2019-10-06 07:47:44,567 [timed-executor-pool-0] INFO  org.apache.ranger.plugin.client.BaseClient (BaseClient.java:126) - Init Login: security not enabled, using username
2019-10-06 07:47:46,716 [timed-executor-pool-0] ERROR apache.ranger.services.presto.client.PrestoClient$2 (PrestoClient.java:213) - <== PrestoClient getCatalogList() :Unable to get the Database List
org.apache.ranger.plugin.client.HadoopException: Unable to execute SQL [SHOW CATALOGS].
    at org.apache.ranger.services.presto.client.PrestoClient.getCatalogs(PrestoClient.java:190)
    at org.apache.ranger.services.presto.client.PrestoClient.access$100(PrestoClient.java:45)
    at org.apache.ranger.services.presto.client.PrestoClient$2.run(PrestoClient.java:211)
    at org.apache.ranger.services.presto.client.PrestoClient$2.run(PrestoClient.java:206)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:360)
    at org.apache.ranger.services.presto.client.PrestoClient.getCatalogList(PrestoClient.java:206)
    at org.apache.ranger.services.presto.client.PrestoClient.connectionTest(PrestoClient.java:497)
    at org.apache.ranger.services.presto.client.PrestoResourceManager.connectionTest(PrestoResourceManager.java:48)
    at org.apache.ranger.services.presto.RangerServicePresto.validateConfig(RangerServicePresto.java:48)
    at org.apache.ranger.biz.ServiceMgr$ValidateCallable.actualCall(ServiceMgr.java:660)
    at org.apache.ranger.biz.ServiceMgr$ValidateCallable.actualCall(ServiceMgr.java:647)
    at org.apache.ranger.biz.ServiceMgr$TimedCallable.call(ServiceMgr.java:608)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.sql.SQLException: Authentication failed: Access Denied: Invalid credentials
    at io.prestosql.jdbc.PrestoStatement.internalExecute(PrestoStatement.java:271)
    at io.prestosql.jdbc.PrestoStatement.execute(PrestoStatement.java:227)
    at io.prestosql.jdbc.PrestoStatement.executeQuery(PrestoStatement.java:76)
    at org.apache.ranger.services.presto.client.PrestoClient.getCatalogs(PrestoClient.java:173)
    ... 16 more
Caused by: io.prestosql.jdbc.$internal.client.ClientException: Authentication failed: Access Denied: Invalid credentials
    at io.prestosql.jdbc.$internal.client.StatementClientV1.requestFailedException(StatementClientV1.java:459)
    at io.prestosql.jdbc.$internal.client.StatementClientV1.<init>(StatementClientV1.java:135)
    at io.prestosql.jdbc.$internal.client.StatementClientFactory.newStatementClient(StatementClientFactory.java:24)
    at io.prestosql.jdbc.QueryExecutor.startQuery(QueryExecutor.java:46)
    at io.prestosql.jdbc.PrestoConnection.startQuery(PrestoConnection.java:700)
    at io.prestosql.jdbc.PrestoStatement.internalExecute(PrestoStatement.java:239)
    ... 19 more
2019-10-06 07:47:46,719 [timed-executor-pool-0] ERROR apache.ranger.services.presto.client.PrestoResourceManager (PrestoResourceManager.java:50) - <== PrestoResourceManager.connectionTest Error: org.apache.ranger.plugin.client.HadoopException: Unable to execute SQL [SHOW CATALOGS].
2019-10-06 07:47:46,719 [timed-executor-pool-0] ERROR org.apache.ranger.services.presto.RangerServicePresto (RangerServicePresto.java:50) - <== RangerServicePresto.validateConfig Error:org.apache.ranger.plugin.client.HadoopException: Unable to execute SQL [SHOW CATALOGS].
2019-10-06 07:47:46,719 [timed-executor-pool-0] ERROR org.apache.ranger.biz.ServiceMgr$TimedCallable (ServiceMgr.java:610) - TimedCallable.call: Error:org.apache.ranger.plugin.client.HadoopException: Unable to execute SQL [SHOW CATALOGS].
2019-10-06 07:47:46,720 [http-bio-6080-exec-11] ERROR org.apache.ranger.biz.ServiceMgr (ServiceMgr.java:198) - ==> ServiceMgr.validateConfig Error:org.apache.ranger.plugin.client.HadoopException: org.apache.ranger.plugin.client.HadoopException: Unable to execute SQL [SHOW CATALOGS].


> Can't connect to Presto Pugin when TLS is enabled on Presto
> -----------------------------------------------------------
>
>                 Key: RANGER-2604
>                 URL: https://issues.apache.org/jira/browse/RANGER-2604
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>    Affects Versions: 2.0.0
>            Reporter: David Berger
>            Priority: Major
>
> We are running Presto with TLS enabled [https://prestosql.github.io/docs.prestosql.io/current/security/tls.html#server-java-keystore]
>  
> When connecting to Presto via a JDBC client it works fine by enabling SSL and passing the trust store details like below
> jdbc:presto://edl-hr-pr-ldap-presto.az.gdp-bigdata1.gdpdentsu.net:443/hive/default?SSL=true&SSLTrustStorePath=/Users/david.berger/git/tactical-edl-hr/presto/edl-hr-keystore-coordinator_trust.jks&SSLTrustStorePassword=turstpass123
>  
> But using the same connection string when setting up the Presto Repo in Ranger it doesn't work because Ranger assumes you're running Kerberos now, which isn't right.
>  
> *See the Ranger REST call we use to create the repo below:*
> curl -iv -u ${RANGER_ADMIN_USER}:${RANGER_ADMIN_PWD} -H "Content-Type: application/json" \
>   -d '{"configs": {"username": "LDAPADM", "password": "<PASSWORD>", "jdbc.driverClassName": "io.prestosql.jdbc.PrestoDriver", "jdbc.url": "jdbc:presto://edl-hr-pr-ldap-presto.az.gdp-bigdata1.gdpdentsu.net:443/hive/default?SSL=true&SSLTrustStorePath=/plugins_tls/edl-hr-keystore-coordinator_trust.jks&SSLTrustStorePassword=turstpass123"}, "description": "PrestoTestRepo", "isEnabled": true, "name": "PrestoTestRepo", "type": "presto", "version": 1 }' \
>   -X POST ${URL}/service/public/v2/api/service
>  
> *The error in the Ranger log preventing us from logging in:*
> 2019-10-06 07:47:44,562 [timed-executor-pool-0] WARN org.apache.hadoop.security.SecureClientLogin (SecureClientLogin.java:126) - Can't find keyTab Path : null
> 2019-10-06 07:47:44,562 [timed-executor-pool-0] WARN org.apache.hadoop.security.SecureClientLogin (SecureClientLogin.java:130) - Can't find principal : null
> 2019-10-06 07:47:44,567 [timed-executor-pool-0] INFO org.apache.ranger.plugin.client.BaseClient (BaseClient.java:126) - Init Login: security not enabled, using username
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
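
Added example, not part of the original message and not Ranger code: a small Python triage of the Ranger log quoted in the issue, which groups lines into log entries and returns the innermost `Caused by` exception for each ERROR entry. The sample is condensed from the log in the earlier description (one entry per line, most stack frames trimmed); the function names `triage` and `root_causes` are hypothetical.

```python
import re

# Condensed from the log quoted in the issue: one entry per line, most frames trimmed.
SAMPLE_LOG = """\
2019-10-06 07:47:44,562 [timed-executor-pool-0] WARN org.apache.hadoop.security.SecureClientLogin (SecureClientLogin.java:126) - Can't find keyTab Path : null
2019-10-06 07:47:44,562 [timed-executor-pool-0] WARN org.apache.hadoop.security.SecureClientLogin (SecureClientLogin.java:130) - Can't find principal : null
2019-10-06 07:47:44,567 [timed-executor-pool-0] INFO org.apache.ranger.plugin.client.BaseClient (BaseClient.java:126) - Init Login: security not enabled, using username
2019-10-06 07:47:46,716 [timed-executor-pool-0] ERROR apache.ranger.services.presto.client.PrestoClient$2 (PrestoClient.java:213) - <== PrestoClient getCatalogList() :Unable to get the Database List
org.apache.ranger.plugin.client.HadoopException: Unable to execute SQL [SHOW CATALOGS].
    at org.apache.ranger.services.presto.client.PrestoClient.getCatalogs(PrestoClient.java:190)
Caused by: java.sql.SQLException: Authentication failed: Access Denied: Invalid credentials
    at io.prestosql.jdbc.PrestoStatement.internalExecute(PrestoStatement.java:271)
Caused by: io.prestosql.jdbc.$internal.client.ClientException: Authentication failed: Access Denied: Invalid credentials
    at io.prestosql.jdbc.$internal.client.StatementClientV1.requestFailedException(StatementClientV1.java:459)
"""

# timestamp [thread] LEVEL logger (File.java:line) - message
ENTRY = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \[([^\]]+)\] (\w+)\s+(\S+) \(([^)]+)\) - (.*)$")
CAUSE = re.compile(r"^Caused by: ([\w.$]+): (.*)$")


def triage(text):
    """Group lines into log entries and attach each entry's 'Caused by' chain."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            ts, _thread, level, logger, _loc, msg = m.groups()
            entries.append({"ts": ts, "level": level, "logger": logger,
                            "msg": msg, "causes": []})
        elif entries:
            c = CAUSE.match(line)
            if c:  # continuation line belonging to the previous entry
                entries[-1]["causes"].append((c.group(1), c.group(2)))
    return entries


def root_causes(entries):
    """Innermost cause of every ERROR entry; WARN/INFO entries are context only."""
    return [e["causes"][-1] for e in entries
            if e["level"] == "ERROR" and e["causes"]]


if __name__ == "__main__":
    parsed = triage(SAMPLE_LOG)
    for e in parsed:
        print(e["level"], e["logger"].rsplit(".", 1)[-1], "-", e["msg"])
    print("root cause:", root_causes(parsed))
```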
