Posted to user@ranger.apache.org by Joseph Wheeler <jw...@gmail.com> on 2020/09/28 22:55:53 UTC

Knox Ranger plugin fails to authenticate to Kerberos-enabled Ranger

Hello!

I am unable to get Apache Knox to authenticate to Apache Ranger to download
its policies. I am using Apache Knox 1.4.0, Apache Ranger 2.1.0, and the
Ranger 2.1.0 Knox Plugin.

Knox error logs are showing:
WARN client.RangerAdminJersey2RESTClient: Unexpected: Received status[400]
with body [Unauthenticated access not allowed] form url
[/service/plugins/policies/download/knox]

Ranger error logs are showing:
INFO org.apache.ranger.common.RESTErrorUtil - Request failed. loginId=null,
logMessage=Unauthenticated access not allowed
javax.ws.rs.WebApplicationException

Both sides are using trusted SSL certificates (not self-signed) and there are
no issues with SSL trust between the two.

Knox is set up to use a JAAS file with the principal name knox.svc/<server
FQDN>@<DOMAIN FQDN>.

I created a user in Ranger matching the Knox service's principal name.

I'm not finding a way to specify what credentials to use when the plugin on
Knox tries to download policies from Ranger. For all of my other services,
the associated plugin for the service just uses the service's configured
Kerberos principal and connects without issue.

What can I do to fix this?