Posted to dev@ranger.apache.org by "Massoud Mazar (JIRA)" <ji...@apache.org> on 2019/05/16 04:25:00 UTC

[jira] [Commented] (RANGER-1629) Test Connection fails when creating Knox Service from Ranger Admin UI

    [ https://issues.apache.org/jira/browse/RANGER-1629?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16840974#comment-16840974 ] 

Massoud Mazar commented on RANGER-1629:
---------------------------------------

I'm experiencing the same issue with Ranger 1.2.0 on Hortonworks HDP 3.1. When this cluster was set up, it had neither Ranger nor Knox. Ranger was added later and was working fine. Then Knox was added after.

"Test Connection" succeeds when the password is re-entered, but when the password is already saved, it fails. The error message is the same:
{code:java}
2019-05-16 04:17:29,240 [timed-executor-pool-0] ERROR org.apache.ranger.plugin.util.PasswordUtils (PasswordUtils.java:147) - Unable to decrypt password due to error
javax.crypto.IllegalBlockSizeException: Input length must be multiple of 8 when decrypting with padded cipher
at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:934)
at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:845)
at com.sun.crypto.provider.PBES1Core.doFinal(PBES1Core.java:416)
at com.sun.crypto.provider.PBEWithMD5AndDESCipher.engineDoFinal(PBEWithMD5AndDESCipher.java:316)
at javax.crypto.Cipher.doFinal(Cipher.java:2165)
at org.apache.ranger.plugin.util.PasswordUtils.decrypt(PasswordUtils.java:132)
at org.apache.ranger.plugin.util.PasswordUtils.decryptPassword(PasswordUtils.java:120)
at org.apache.ranger.services.knox.client.KnoxClient.getTopologyList(KnoxClient.java:79)
at org.apache.ranger.services.knox.client.KnoxClient$2.call(KnoxClient.java:406)
at org.apache.ranger.services.knox.client.KnoxClient$2.call(KnoxClient.java:402)
at org.apache.ranger.services.knox.client.KnoxClient.timedTask(KnoxClient.java:431)
at org.apache.ranger.services.knox.client.KnoxClient.getKnoxResources(KnoxClient.java:410)
at org.apache.ranger.services.knox.client.KnoxClient.connectionTest(KnoxClient.java:315)
at org.apache.ranger.services.knox.client.KnoxResourceMgr.validateConfig(KnoxResourceMgr.java:42)
at org.apache.ranger.services.knox.RangerServiceKnox.validateConfig(RangerServiceKnox.java:56)
at org.apache.ranger.biz.ServiceMgr$ValidateCallable.actualCall(ServiceMgr.java:575)
at org.apache.ranger.biz.ServiceMgr$ValidateCallable.actualCall(ServiceMgr.java:562)
at org.apache.ranger.biz.ServiceMgr$TimedCallable.call(ServiceMgr.java:523)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)

2019-05-16 04:17:29,240 [timed-executor-pool-0] INFO  apache.ranger.services.knox.client.KnoxClient (KnoxClient.java:81) - Password decryption failed; trying knox connection with received password string

2019-05-16 04:17:29,312 [timed-executor-pool-0] ERROR apache.ranger.services.knox.client.KnoxClient (KnoxClient.java:131) - Got invalid REST response from: https://redacted_fqdn:8443/gateway/admin/api/v1/topologies, responseStatus: 401
{code}
It appears as if when a password is freshly typed, it is not encrypted and the test succeeds, but when it is saved it is encrypted with an encryption that is different from what the decryption code uses.

> Test Connection fails when creating Knox Service from Ranger Admin UI
> ---------------------------------------------------------------------
>
>                 Key: RANGER-1629
>                 URL: https://issues.apache.org/jira/browse/RANGER-1629
>             Project: Ranger
>          Issue Type: Bug
>          Components: admin
>    Affects Versions: 0.7.0
>            Reporter: Anirudh
>            Priority: Blocker
>
> Knox setup with self-signed certificate. When creating service on Ranger Admin UI for Knox, Test Connection gives error. 
> I followed the steps mentioned in RANGER-355. I'm using the CN printed from the certificate in the place of <host> in the following https://<host>:8443/gateway/admin/api/v1/topologies/
> However, I'm not sure what values to enter for username and password while creating service. When I click Test-Connection, I'm getting this error
> "Connection Failed.
> Unable to retrieve any topologies/services using given parameters. You can still save the repository and start creating policies, but you would not be able to use autocomplete for resource names. Check ranger_admin.log for more info."
> and the ranger_admin.log contains
> "ERROR org.apache.ranger.plugin.util.PasswordUtils (PasswordUtils.java:156) - Unable to decrypt password due to error
> javax.crypto.IllegalBlockSizeException: Input length must be multiple of 8 when decrypting with padded cipher
> at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:922)
> at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:833)
> at com.sun.crypto.provider.PBES1Core.doFinal(PBES1Core.java:416)
> at com.sun.crypto.provider.PBEWithMD5AndDESCipher.engineDoFinal(PBEWithMD5AndDESCipher.java:316)
> at javax.crypto.Cipher.doFinal(Cipher.java:2165)
> at org.apache.ranger.plugin.util.PasswordUtils.decryptPassword(PasswordUtils.java:141)
> at org.apache.ranger.services.knox.client.KnoxClient.getTopologyList(KnoxClient.java:79)
> at org.apache.ranger.services.knox.client.KnoxClient$2.call(KnoxClient.java:406)
> at org.apache.ranger.services.knox.client.KnoxClient$2.call(KnoxClient.java:402)
> at org.apache.ranger.services.knox.client.KnoxClient.timedTask(KnoxClient.java:431)
> at org.apache.ranger.services.knox.client.KnoxClient.getKnoxResources(KnoxClient.java:410)
> at org.apache.ranger.services.knox.client.KnoxClient.connectionTest(KnoxClient.java:315)
> at org.apache.ranger.services.knox.client.KnoxResourceMgr.validateConfig(KnoxResourceMgr.java:42)
> at org.apache.ranger.services.knox.RangerServiceKnox.validateConfig(RangerServiceKnox.java:56)
> at org.apache.ranger.biz.ServiceMgr$ValidateCallable.actualCall(ServiceMgr.java:560)
> at org.apache.ranger.biz.ServiceMgr$ValidateCallable.actualCall(ServiceMgr.java:547)
> at org.apache.ranger.biz.ServiceMgr$TimedCallable.call(ServiceMgr.java:508)
> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
> >>> INFO apache.ranger.services.knox.client.KnoxClient (KnoxClient.java:81) - Password decryption failed; trying knox connection with received password string
> >>> ERROR apache.ranger.services.knox.client.KnoxClient (KnoxClient.java:131) - Got invalid REST response from: https://<host>:8443/gateway/admin/api/v1/topologies/, responseStatus: 401"



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
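The `IllegalBlockSizeException` in both stack traces can be reproduced outside Ranger. The following is an added example, not part of the original message and not Ranger's `PasswordUtils` code; the class name, key, salt, iteration count, sample password and the Base64 storage encoding are all assumptions made for the demonstration. It shows that `PBEWithMD5AndDES` raises this exception whenever the bytes handed to it are not a multiple of 8 long, which is what happens when the stored value was not produced by the same cipher and encoding.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class PbeBlockSizeDemo {
    // Constructed demo parameters, not Ranger's actual key material.
    static final char[] KEY = "demo-key".toCharArray();
    static final byte[] SALT = "demosalt".getBytes(StandardCharsets.US_ASCII); // PBES1 needs 8 bytes
    static final int ITERATIONS = 17;

    static Cipher cipher(int mode) throws Exception {
        SecretKey k = SecretKeyFactory.getInstance("PBEWithMD5AndDES")
                .generateSecret(new PBEKeySpec(KEY));
        Cipher c = Cipher.getInstance("PBEWithMD5AndDES");
        c.init(mode, k, new PBEParameterSpec(SALT, ITERATIONS));
        return c;
    }

    static String encrypt(String plain) throws Exception {
        return Base64.getEncoder().encodeToString(
                cipher(Cipher.ENCRYPT_MODE).doFinal(plain.getBytes(StandardCharsets.UTF_8)));
    }

    // Returns the plaintext, or a label naming why the stored value was rejected.
    static String tryDecrypt(String stored) throws Exception {
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(stored);
        } catch (IllegalArgumentException e) {
            return "REJECTED: not Base64";
        }
        try {
            return new String(cipher(Cipher.DECRYPT_MODE).doFinal(raw), StandardCharsets.UTF_8);
        } catch (IllegalBlockSizeException e) {
            return "REJECTED: " + raw.length + " bytes is not a multiple of the 8-byte DES block";
        } catch (BadPaddingException e) {
            return "REJECTED: block-aligned, but wrong key/salt or not this cipher's output";
        }
    }

    public static void main(String[] args) throws Exception {
        String saved = encrypt("s3cret-pw");            // constructed sample password
        System.out.println(tryDecrypt(saved));          // round trip succeeds
        System.out.println(tryDecrypt("czNjcmV0LXB3")); // Base64 of the plaintext: 9 bytes
        System.out.println(tryDecrypt("s3cret-pw"));    // raw plaintext: '-' is not Base64
    }
}
```

A caller that treats every rejection as "use the stored string as the password" will send a value the remote service does not recognise, which matches the 401 that follows the "Password decryption failed" line in the logs.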