Posted to dev@ranger.apache.org by rohit sinha <ta...@gmail.com> on 2018/03/24 20:48:30 UTC

Ranger SSL Configuration Issues

Hello,

We have a ranger plugin which works perfectly fine with non-SSL Ranger but
when we turn on SSL for Ranger our plugin fails to talk to Ranger Server
because some underlying Ranger classes fail to be initialized. We see the
following error in the logs:

2018-03-23 01:34:00,064 - ERROR [leader-election-election-master.services:o.a.r.p.u.PolicyRefresher@282] - PolicyRefresher(serviceName=myServicedev): failed to refresh policies. Will continue to use last known version of policies (-1)
java.lang.IllegalArgumentException: SSLContext must not be null
    at com.sun.jersey.client.urlconnection.HTTPSProperties.<init>(HTTPSProperties.java:106) ~[jersey-bundle-1.17.1.jar:1.17.1]
    at org.apache.ranger.plugin.util.RangerRESTClient.buildClient(RangerRESTClient.java:200) ~[ranger-plugins-common-0.7.0.jar:0.7.0]
    at org.apache.ranger.plugin.util.RangerRESTClient.getClient(RangerRESTClient.java:175) ~[ranger-plugins-common-0.7.0.jar:0.7.0]
    at org.apache.ranger.plugin.util.RangerRESTClient.getResource(RangerRESTClient.java:155) ~[ranger-plugins-common-0.7.0.jar:0.7.0]
    at org.apache.ranger.admin.client.RangerAdminRESTClient.createWebResource(RangerAdminRESTClient.java:267) ~[ranger-plugins-common-0.7.0.jar:0.7.0]
    at org.apache.ranger.admin.client.RangerAdminRESTClient.access$200(RangerAdminRESTClient.java:47) ~[ranger-plugins-common-0.7.0.jar:0.7.0]
    at org.apache.ranger.admin.client.RangerAdminRESTClient$3.run(RangerAdminRESTClient.java:107) ~[ranger-plugins-common-0.7.0.jar:0.7.0]
    at org.apache.ranger.admin.client.RangerAdminRESTClient$3.run(RangerAdminRESTClient.java:105) ~[ranger-plugins-common-0.7.0.jar:0.7.0]
    at java.security.AccessController.doPrivileged(Native Method) ~[na:1.8.0_112]
    at javax.security.auth.Subject.doAs(Subject.java:360) ~[na:1.8.0_112]
    at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1849) ~[hadoop-common-2.7.3.2.6.4.0-91.jar:na]
    at org.apache.ranger.admin.client.RangerAdminRESTClient.getServicePoliciesIfUpdated(RangerAdminRESTClient.java:114) ~[ranger-plugins-common-0.7.0.jar:0.7.0]
    at org.apache.ranger.plugin.util.PolicyRefresher.loadPolicyfromPolicyAdmin(PolicyRefresher.java:258) [ranger-plugins-common-0.7.0.jar:0.7.0]
    at org.apache.ranger.plugin.util.PolicyRefresher.loadPolicy(PolicyRefresher.java:202) [ranger-plugins-common-0.7.0.jar:0.7.0]
    at org.apache.ranger.plugin.util.PolicyRefresher.startRefresher(PolicyRefresher.java:149) [ranger-plugins-common-0.7.0.jar:0.7.0]
    at org.apache.ranger.plugin.service.RangerBasePlugin.init(RangerBasePlugin.java:142) [ranger-plugins-common-0.7.0.jar:0.7.0]
    at com.company.myService.security.authorization.ranger.binding.RangerAuthorizer.initialize(RangerAuthorizer.java:90) [1521768838074-0/:na]
    at com.company.myService.security.authorization.AuthorizerInstantiator.createAndInitializeAuthorizerInstance(AuthorizerInstantiator.java:172) [na:na]
    at com.company.myService.security.authorization.AuthorizerInstantiator.get(AuthorizerInstantiator.java:141) [na:na]
    at com.company.myService.security.authorization.DelegatingPrivilegeManager.<init>(DelegatingPrivilegeManager.java:41) [na:na]
    .... ....
    at java.lang.Thread.run(Thread.java:745) [na:1.8.0_112]

From the log, we see that the RangerRESTClient fails to be built because
SSLContext is null. Looking into the code of these Ranger classes we suspect
this is because the TrustManager list being returned from here is null.

https://github.com/apache/ranger/blob/4370b6b135ca5288bf25bd6f7a353b9699821099/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java#L308

To the best of our understanding all our configurations look good. We also
checked we are picking up the ranger-myService-policymgr-ssl.xml correctly.
We were able to load it from the classloader and print it. Following is our
configuration:

master.services:c.c.c.s.a.r.b.RangerAuthorizer@96] -
<?xml version="1.0"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
        <!-- The following properties are used for 2-way SSL client server validation -->
        <property>
                <name>xasecure.policymgr.clientssl.keystore</name>
                <value>/usr/local/ranger-myService-conf/ranger-plugin-keystore.jks</value>
                <description>Java Keystore files</description>
        </property>
        <property>
                <name>xasecure.policymgr.clientssl.keystore.password</name>
                <value>myKeyFilePassword</value>
                <description>password for keystore</description>
        </property>
        <property>
                <name>xasecure.policymgr.clientssl.truststore</name>
                <value>/usr/local/ranger-myService-conf/ranger-plugin-truststore.jks</value>
                <description>java truststore file</description>
        </property>
        <property>
                <name>xasecure.policymgr.clientssl.truststore.password</name>
                <value>changeit</value>
                <description>java truststore password</description>
        </property>
        <property>
                <name>xasecure.policymgr.clientssl.keystore.credential.file</name>
                <value>jceks://file/etc/ranger/admin/rangeradmin.jceks</value>
                <description>java keystore credential file</description>
        </property>
        <property>
                <name>xasecure.policymgr.clientssl.truststore.credential.file</name>
                <value>jceks://file/etc/ranger/admin/rangeradmin.jceks</value>
                <description>java truststore credential file</description>
        </property>
</configuration>

Can you please help us in figuring out what we are missing or doing
incorrectly?

Thanks,
Rohit Sinha

Re: Ranger SSL Configuration Issues

Posted by pengjianhua <35...@qq.com>.
Please tell me which version you are using. I tested the 0.7.0, 0.7.1, 
1.0.0. There are no problems with these versions. Maybe your 
configuration is wrong.






Re: Ranger SSL Configuration Issues

Posted by vishal suvagia <vi...@yahoo.com.INVALID>.
Hi Rohit,

The properties xasecure.policymgr.clientssl.truststore and xasecure.policymgr.clientssl.keystore have the keystore and truststore files as values.
Kindly check if the files are accessible by the myService user which is trying to read the file, you might need to change the owner or provide an appropriate permission to the keystore / truststore so that the certificates are readable by the service.


Thanks
Vishal Suvagia.

Re: Ranger SSL Configuration Issues

Posted by Zsombor <gz...@gmail.com>.
Hi,

 RANGER-1646 is for better error handling, even in 0.7.0, the actual
error was in the logs.
Why couldn't you just upgrade to 0.7.1 or even to 1.0? These plugins
are compatible with the server, there wasn't any breaking change in
the protocol.
Unfortunately, it's pretty hard to tell what the common causes are
for SSL failures, there can be a lot. File permission issues, password
mismatch, missing certificates, etc.
If I were you, I would either set up remote debugging, or compile a new
plugin, with RANGER-1646 applied to 0.7 + any debugging, which would
make sense.

Out of curiosity, I see, you are using Ranger in a custom application,
have you found any issue (apart from this SSL problem), which could be
improved? Or any feature, which is missing for your use cases?

Regards,
 Zsombor


On Mon, Mar 26, 2018 at 8:24 PM, rohit sinha <ta...@gmail.com> wrote:
> Also, earlier I was able to find a Jira which relates to our issue:
> https://issues.apache.org/jira/browse/RANGER-1646
>
> The Jira description says:
>
>> This happens, because RangerRESTClient.getKeyManagers / getTrustManagers /
>> getSSLContext methods are catching the exceptions, and are returning null,
>> instead of failing fast, so the user could easily act and fix the issues
>
>
> I see that this has been fixed to give a proper error message in 0.7.1
> although since we are on 0.7.0 we are not able to get any helpful message.
> Looking through the logs and Ranger code we believe that the getTrustManagers
> is returning null in our case.
>
> In your experience, what are the common configuration issues which can
> cause getTrustManagers to return null?
>
> Any help will be highly appreciated.
>
> Thanks.
>
>
> Thanks,
> Rohit Sinha
>
>
> On Mon, Mar 26, 2018 at 11:18 AM, rohit sinha <ta...@gmail.com>
> wrote:
>
>> Thanks for your reply.
>> We are using Ranger 0.7.0
>>
>> We don't think there is an issue with Ranger SSL and suspect we are doing
>> incomplete or incorrect configuration. Can you please look at our SSL
>> configuration file shared in the previous email and point out if something
>> looks wrong?
>>
>> Also is there any documentation on how to configure a custom Ranger plugin
>> to talk to SSL enabled Ranger? We were only able to find HortonWorks
>> documentation on how to make existing (hdfs) plugin talk to SSL enabled
>> Ranger.
>>
>> Thanks.
>>
>>
>> Thanks,
>> Rohit Sinha
>>
>>
>> On Sun, Mar 25, 2018 at 11:58 PM, pengjianhua <35...@qq.com> wrote:
>>
>>> Please tell me which version you are using. I tested the 0.7.0, 0.7.1,
>>> 1.0.0. There are no problems with these versions. Maybe your configuration
>>> is wrong.
>>>
>>>
>>>> are used for 2-way SSL client server validation -->        <property>
>>>>                 <name>xasecure.policymgr.clientssl.keystore</name>
>>>>                 <value>/usr/local/ranger-mySer
>>>> vice-conf/ranger-plugin-keystore.jks</value>
>>>>                 <description>                        Java Keystore files
>>>>                 </description>        </property>        <property>
>>>>                 <name>xasecure.policymgr.clien
>>>> tssl.keystore.password</name>
>>>>                 <value>myKeyFilePassword</value>
>>>>                 <description>                        password for
>>>> keystore
>>>>                 </description>        </property>        <property>
>>>>                 <name>xasecure.policymgr.clientssl.truststore</name>
>>>>                 <value>/usr/local/ranger-mySer
>>>> vice-conf/ranger-plugin-truststore.jks</value>
>>>>                 <description>                        java truststore file
>>>>                 </description>        </property>        <property>
>>>>                 <name>xasecure.policymgr.clien
>>>> tssl.truststore.password</name>
>>>>                 <value>changeit</value>                <description>
>>>>                         java truststore password
>>>>                 </description>        </property>    <property>
>>>>                 <name>xasecure.policymgr.clien
>>>> tssl.keystore.credential.file</name>
>>>>                 <value>jceks://file/etc/ranger
>>>> /admin/rangeradmin.jceks</value>
>>>>                 <description>                        java keystore
>>>> credential file                </description>        </property>
>>>>         <property>
>>>>                 <name>xasecure.policymgr.clien
>>>> tssl.truststore.credential.file</name>
>>>>                 <value>jceks://file/etc/ranger
>>>> /admin/rangeradmin.jceks</value>
>>>>                 <description>                        java truststore
>>>> credential file                </description>
>>>>         </property></configuration>Can you please help us in figuring out
>>>> what are we missing or doing incorrectly?Thanks, Rohit Sinha*
>>>>
>>>>
>>>
>>>
>>>
>>

Re: Ranger SSL Configuration Issues

Posted by rohit sinha <ta...@gmail.com>.
Also, earlier I was able to find a Jira which relates to our issue:
https://issues.apache.org/jira/browse/RANGER-1646

The Jira description says:

> This happens, because RangerRESTClient.getKeyManagers / getTrustManagers /
> getSSLContext methods are catching the exceptions, and are returning null,
> instead of failing fast, so the user could easily act and fix the issues


I see that this has been fixed to give a proper error message in 0.7.1,
although since we are on 0.7.0 we are not able to get any helpful message.
Looking through the logs and Ranger code we believe that getTrustManagers
is returning null in our case.

In your experience, what are the common configuration issues which can
cause getTrustManagers to return null?

Any help will be highly appreciated.

Thanks.


Thanks,
Rohit Sinha


On Mon, Mar 26, 2018 at 11:18 AM, rohit sinha <ta...@gmail.com>
wrote:

> Thanks for your reply.
> We are using Ranger 0.7.0
>
> We don't think there is an issue with Ranger SSL and suspect we are doing
> incomplete or incorrect configuration. Can you please look at our SSL
> configuration file shared in the previous email and point out if something
> looks wrong?
>
> Also is there any documentation on how to configure a custom Ranger plugin
> to talk to SSL enabled Ranger? We were only able to find HortonWorks
> documentation on how to make existing (hdfs) plugin talk to SSL enabled
> Ranger.
>
> Thanks.
>
>
> Thanks,
> Rohit Sinha
>
>
> On Sun, Mar 25, 2018 at 11:58 PM, pengjianhua <35...@qq.com> wrote:
>
>> Please tell me which version you are using. I tested the 0.7.0, 0.7.1,
>> 1.0.0. There are no problems with these versions. Maybe your configuration
>> is wrong.
>
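
The Jira description quoted in the message above says getKeyManagers / getTrustManagers / getSSLContext catch exceptions and return null instead of failing fast. The stand-alone check below is an added example, not part of the thread and not Ranger's code: it loads a keystore and truststore with plain JDK APIs and reports the first step that fails. It assumes JKS stores; the class name SslStoreCheck and the KS_PASS / TS_PASS environment variables are hypothetical.

```java
import java.io.*;
import java.nio.file.*;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.*;

/** Added diagnostic (not Ranger code): builds an SSLContext from JKS files and fails fast. */
public class SslStoreCheck {
    /** Loads a JKS store, turning each failure into a specific message instead of null. */
    static KeyStore load(String role, String file, char[] password) {
        Path path = Paths.get(file);
        if (!Files.isReadable(path)) {
            throw new IllegalStateException(role + ": file missing or not readable by this user: " + path);
        }
        try (InputStream in = Files.newInputStream(path)) {
            KeyStore store = KeyStore.getInstance("JKS"); // assumption: JKS, as the .jks file names suggest
            store.load(in, password);                     // checks the store's integrity hash with the password
            return store;
        } catch (IOException e) {
            // KeyStore.load reports a bad password or a non-JKS file as IOException
            throw new IllegalStateException(role + ": wrong password or not a JKS file: " + path, e);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(role + ": cannot parse " + path, e);
        }
    }

    /** Usual JSSE client setup: load both stores, then key managers, trust managers, context. */
    static SSLContext build(String ksFile, char[] ksPass, String tsFile, char[] tsPass)
            throws GeneralSecurityException {
        KeyStore keyStore = load("keystore", ksFile, ksPass);
        KeyStore trustStore = load("truststore", tsFile, tsPass);
        // A truststore with no certificate entries loads fine but can never validate a server.
        boolean hasCert = false;
        for (String alias : Collections.list(trustStore.aliases())) {
            hasCert |= trustStore.isCertificateEntry(alias);
        }
        if (!hasCert) {
            throw new IllegalStateException("truststore: no trusted certificate entries in " + tsFile);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, ksPass); // throws UnrecoverableKeyException if a key's password differs
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 2) { // real stores: keystore path, truststore path
            String kp = System.getenv("KS_PASS"), tp = System.getenv("TS_PASS"); // hypothetical names
            if (kp == null || tp == null) throw new IllegalStateException("set KS_PASS and TS_PASS");
            build(args[0], kp.toCharArray(), args[1], tp.toCharArray());
            System.out.println("SSLContext built: both stores load with the given passwords");
            return;
        }
        // Constructed demo input: an empty JKS file written to a temp path.
        char[] pw = "changeit".toCharArray();
        Path empty = Files.createTempFile("empty", ".jks");
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, pw);
        try (OutputStream out = Files.newOutputStream(empty)) { ks.store(out, pw); }
        // Three failure modes: missing file, wrong password, truststore without certificates.
        String[][] cases = {{"/nonexistent/keystore.jks", "changeit"},
                            {empty.toString(), "wrong"}, {empty.toString(), "changeit"}};
        for (String[] c : cases) {
            try { build(c[0], c[1].toCharArray(), c[0], c[1].toCharArray()); }
            catch (IllegalStateException e) { System.out.println(e.getMessage()); }
        }
    }
}
```

Run it as the same OS user as the plugin process, since a store that only another account can read fails at the first check.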

Re: Ranger SSL Configuration Issues

Posted by rohit sinha <ta...@gmail.com>.
Thanks for your reply.
We are using Ranger 0.7.0

We don't think there is an issue with Ranger SSL and suspect we are doing
incomplete or incorrect configuration. Can you please look at our SSL
configuration file shared in the previous email and point out if something
looks wrong?

Also, is there any documentation on how to configure a custom Ranger plugin
to talk to SSL-enabled Ranger? We were only able to find Hortonworks
documentation on how to make an existing (hdfs) plugin talk to SSL-enabled
Ranger.

Thanks.


Thanks,
Rohit Sinha


On Sun, Mar 25, 2018 at 11:58 PM, pengjianhua <35...@qq.com> wrote:

> Please tell me which version you are using. I tested the 0.7.0, 0.7.1,
> 1.0.0. There are no problems with these versions. Maybe your configuration
> is wrong.
>
>
>