Posted to user@ranger.apache.org by Loïc Chanel <lo...@telecomnancy.net> on 2015/06/09 16:39:12 UTC

Issues with UserSync

Hi All,

As I am using Ranger with Unix authentication to manage the security of
HDFS on my cluster, I could not help but notice that even if I add users to
groups in the Ranger console, Ranger cannot find to which groups they
belong, and therefore does not authorize them to perform actions they should
be able to do.

As I thought this issue came from UserSync, I noticed that in its logs the
following exception is printed every minute:

ERROR PasswordValidator [Thread-22] - Response [FAILED: unable to validate due to error javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake] for user: null
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
        at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.readDataRecord(Unknown Source)
        at sun.security.ssl.AppInputStream.read(Unknown Source)
        at sun.nio.cs.StreamDecoder.readBytes(Unknown Source)
        at sun.nio.cs.StreamDecoder.implRead(Unknown Source)
        at sun.nio.cs.StreamDecoder.read(Unknown Source)
        at java.io.InputStreamReader.read(Unknown Source)
        at java.io.BufferedReader.fill(Unknown Source)
        at java.io.BufferedReader.readLine(Unknown Source)
        at java.io.BufferedReader.readLine(Unknown Source)
        at com.xasecure.authentication.PasswordValidator.run(PasswordValidator.java:58)
        at java.lang.Thread.run(Unknown Source)
Caused by: java.io.EOFException: SSL peer shut down incorrectly
        at sun.security.ssl.InputRecord.read(Unknown Source)
        ... 13 more

As this is usually the sign of a missing certificate problem, I ensured
the certificate corresponding to Unix authentication (<host>:5151) is in
the Java truststore and restarted the NameNode and Ranger, but nothing changed.

When looking a little bit more into the RangerAdmin and RangerUserSync logs, it
seems that RangerAdmin is the source of the problem, closing the connection
before the handshake is fully established, but I have no idea about how to
correct it.

Did someone encounter this error too? Did I miss something?

Thanks in advance for your help,


Loïc

Loïc CHANEL
Engineering student at TELECOM Nancy
Trainee at Worldline - Villeurbanne

Re: Issues with UserSync

Posted by Don Bosco Durai <bo...@apache.org>.
Loïc,

Thanks. Please file the JIRA.

Regards

Bosco
 

From:  Loïc Chanel <lo...@telecomnancy.net>
Reply-To:  "user@ranger.incubator.apache.org"
<us...@ranger.incubator.apache.org>
Date:  Thursday, July 16, 2015 at 6:08 PM
To:  "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>,
"romain.philibert@worldline.com" <ro...@worldline.com>
Subject:  Re: Issues with UserSync

> Hi all !
> 
> As I was working on the subject with a colleague of mine, he found out the
> handshake exception in UserSync logs that comes every minute is actually
> linked to Ambari metrics that just checks that UserSync is alive but does not
> perform a complete handshake before returning.
> 
> I will file a JIRA later about this issue.
> 
> Regards,
> 
> 
> Loïc
> 
> Loïc CHANEL
> Engineering student at TELECOM Nancy
> Trainee at Worldline - Villeurbanne
> 



Re: Issues with UserSync

Posted by Loïc Chanel <lo...@telecomnancy.net>.
Hi all !

As I was working on the subject with a colleague of mine, he found out the
handshake exception in UserSync logs that comes every minute is actually
linked to Ambari metrics that just checks that UserSync is alive but does
not perform a complete handshake before returning.

I will file a JIRA later about this issue.

Regards,


Loïc

Loïc CHANEL
Engineering student at TELECOM Nancy
Trainee at Worldline - Villeurbanne

2015-06-12 14:54 GMT+02:00 Loïc Chanel <lo...@telecomnancy.net>:

> Dilli,
>
> Sorry for answering this late, but yes that is actually exactly what I
> want to do, and no matter what its configuration is, Ranger UserSync keeps
> returning me the same error I talked about in my first email.
>
> As I know this Handshake exception is often linked to certificate issues,
> I triple-checked that LDAP certificates are in the certificates trusted by
> Java, but it seems that the error persists.
> Do you have an idea about where it might come from?
>
> Thanks,
>
>
> Loïc
>
> Loïc CHANEL
> Engineering student at TELECOM Nancy
> Trainee at Worldline - Villeurbanne
>
>
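
A triage sketch for the finding reported above, as an added example that is not part of the original posts or of Ranger itself: it separates fixed-interval handshake errors logged "for user: null" from failures tied to a named user. The timestamp prefix, the sample lines, the function names and the thresholds are assumptions.

```python
import re
from datetime import datetime
from statistics import median

# Header line of the exception exactly as quoted in the thread.
HANDSHAKE_MSG = (
    "ERROR PasswordValidator [Thread-22] - Response [FAILED: unable to validate "
    "due to error javax.net.ssl.SSLHandshakeException: Remote host closed "
    "connection during handshake] for user: null"
)

# Constructed sample. Assumption: every log4j event line starts with a
# "YYYY-MM-DD HH:MM:SS" timestamp (the thread shows none). The failure reason
# on the "sam" line is invented for this example.
SAMPLE_LOG = "\n".join([
    "2015-06-09 16:30:02 " + HANDSHAKE_MSG,
    "javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake",
    "        at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)",
    "Caused by: java.io.EOFException: SSL peer shut down incorrectly",
    "2015-06-09 16:31:02 " + HANDSHAKE_MSG,
    "2015-06-09 16:31:40 ERROR PasswordValidator [Thread-31] - Response "
    "[FAILED: constructed reason] for user: sam",
    "2015-06-09 16:32:03 " + HANDSHAKE_MSG,
    "2015-06-09 16:33:02 " + HANDSHAKE_MSG,
])

EVENT = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ERROR PasswordValidator "
    r"\[[^\]]+\] - Response \[(?P<resp>.*)\] for user: (?P<user>\S+)\s*$"
)


def parse_events(text):
    """Return PasswordValidator response events; stack-trace lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append({"ts": ts, "user": m.group("user"), "resp": m.group("resp")})
    return events


def is_probe_signature(event):
    """True when the peer dropped the connection before any user name was read."""
    return (event["user"] == "null"
            and "SSLHandshakeException" in event["resp"]
            and "closed connection during handshake" in event["resp"])


def triage(text, min_events=3, jitter_s=5):
    """Classify handshake errors as a fixed-interval probe or as items to investigate.

    The errors count as a periodic probe only if there are at least min_events
    of them and every gap between consecutive ones is within jitter_s seconds
    of the median gap. Anything else is returned for follow-up.
    """
    events = parse_events(text)
    probes = [e for e in events if is_probe_signature(e)]
    named = [e for e in events if not is_probe_signature(e)]
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(probes, probes[1:])]
    period = median(gaps) if gaps else None
    periodic = len(probes) >= min_events and all(
        abs(g - period) <= jitter_s for g in gaps
    )
    # Irregular handshake failures are not explained by a liveness check,
    # so they stay on the follow-up list together with named-user failures.
    follow_up = named if periodic else sorted(named + probes, key=lambda e: e["ts"])
    return {
        "probe_events": len(probes),
        "period_s": period,
        "periodic_probe": periodic,
        "investigate": [(e["ts"].isoformat(sep=" "), e["user"]) for e in follow_up],
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A `periodic_probe` result only says the errors look like a fixed-interval connect-and-close check; handshake errors that arrive irregularly or carry a user name still need the certificate checks discussed in the thread.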

Re: Issues with UserSync

Posted by Loïc Chanel <lo...@telecomnancy.net>.
Dilli,

Sorry for answering this late, but yes that is actually exactly what I want
to do, and no matter what its configuration is, Ranger UserSync keeps
returning me the same error I talked about in my first email.

As I know this Handshake exception is often linked to certificate issues, I
triple-checked that LDAP certificates are in the certificates trusted by
Java, but it seems that the error persists.
Do you have an idea about where it might come from?

Thanks,


Loïc

Loïc CHANEL
Engineering student at TELECOM Nancy
Trainee at Worldline - Villeurbanne

2015-06-09 21:36 GMT+02:00 Dilli Arumugam <da...@hortonworks.com>:

> Assuming your users are in LDAP, what you need to do is:
> Make sure Ranger UserSync and NameNode LDAP group mapping provider point
> to the same LDAP.
>
>  Please see the following for some help.
> http://hortonworks.com/blog/hadoop-groupmapping-ldap-integration/
>
>  Thanks
> Dilli

Re: Issues with UserSync

Posted by Dilli Arumugam <da...@hortonworks.com>.
Assuming your users are in LDAP, what you need to do is:
Make sure Ranger UserSync and NameNode LDAP group mapping provider point to the same LDAP.

Please see the following for some help.
http://hortonworks.com/blog/hadoop-groupmapping-ldap-integration/

Thanks
Dilli

From: Loïc Chanel <lo...@telecomnancy.net>
Reply-To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Date: Tuesday, June 9, 2015 8:29 AM
To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Subject: Re: Issues with UserSync

Hi Dilli,

First of all, thanks for answering so fast.

Actually, I would like to have some synchronization between RangerAdmin UI and NameNode users, in order to manage Users and authorizations directly from RangerAdmin UI.

Is it possible somehow via Ranger UserSync?

Thanks,


Loïc

Loïc CHANEL
Engineering student at TELECOM Nancy
Trainee at Worldline - Villeurbanne



Re: Issues with UserSync

Posted by Loïc Chanel <lo...@telecomnancy.net>.
Hi Dilli,

First of all, thanks for answering so fast.

Actually, I would like to have some synchronization between RangerAdmin UI
and NameNode users, in order to manage Users and authorizations directly
from RangerAdmin UI.

Is it possible somehow via Ranger UserSync?

Thanks,


Loïc

Loïc CHANEL
Engineering student at TELECOM Nancy
Trainee at Worldline - Villeurbanne

2015-06-09 17:18 GMT+02:00 Dilli Arumugam <da...@hortonworks.com>:

> Please note that the user/group mapping that you see in the RangerAdmin UI
> is only used at policy definition time.
> At policy enforcement time, user group membership is computed by the NameNode
> based on the group mapping provider defined in the NameNode.
>
> You can check what the NameNode sees as the groups that a user belongs to by
> issuing the command
>
>   hdfs groups sam
>
> Sam is a sample username here.
> You would use your username in its place.
> Thanks
> Dilli

Re: Issues with UserSync

Posted by Dilli Arumugam <da...@hortonworks.com>.
Please note that the user/group mapping that you see in the RangerAdmin UI is only used at policy definition time.
At policy enforcement time, user group membership is computed by the NameNode based on the group mapping provider defined in the NameNode.

You can check what the NameNode sees as the groups that a user belongs to by issuing the command

 hdfs groups sam

Sam is a sample username here.
You would use your username in its place.
Thanks
Dilli

From: Loïc Chanel <lo...@telecomnancy.net>
Reply-To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Date: Tuesday, June 9, 2015 7:39 AM
To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Subject: Issues with UserSync

Hi All,

As I am using Ranger with Unix authentication to manage the security of HDFS on my cluster, I could not help but notice that even if I add users to groups in the Ranger console, Ranger cannot find to which groups they belong, and therefore does not authorize them to perform actions they should be able to do.

As I thought this issue came from UserSync, I noticed that in its logs the following exception is printed every minute:

ERROR PasswordValidator [Thread-22] - Response [FAILED: unable to validate due to error javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake] for user: null
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
        at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.readDataRecord(Unknown Source)
        at sun.security.ssl.AppInputStream.read(Unknown Source)
        at sun.nio.cs.StreamDecoder.readBytes(Unknown Source)
        at sun.nio.cs.StreamDecoder.implRead(Unknown Source)
        at sun.nio.cs.StreamDecoder.read(Unknown Source)
        at java.io.InputStreamReader.read(Unknown Source)
        at java.io.BufferedReader.fill(Unknown Source)
        at java.io.BufferedReader.readLine(Unknown Source)
        at java.io.BufferedReader.readLine(Unknown Source)
        at com.xasecure.authentication.PasswordValidator.run(PasswordValidator.java:58)
        at java.lang.Thread.run(Unknown Source)
Caused by: java.io.EOFException: SSL peer shut down incorrectly
        at sun.security.ssl.InputRecord.read(Unknown Source)
        ... 13 more

As this is usually the sign of a missing certificate problem, I ensured the certificate corresponding to Unix authentication (<host>:5151) is in the Java truststore and restarted the NameNode and Ranger, but nothing changed.

When looking a little bit more into the RangerAdmin and RangerUserSync logs, it seems that RangerAdmin is the source of the problem, closing the connection before the handshake is fully established, but I have no idea about how to correct it.

Did someone encounter this error too? Did I miss something?

Thanks in advance for your help,


Loïc

Loïc CHANEL
Engineering student at TELECOM Nancy
Trainee at Worldline - Villeurbanne