From: rohit sinha
Date: Mon, 26 Mar 2018 11:18:19 -0700
Subject: Re: Ranger SSL Configuration Issues
To: dev@ranger.apache.org

Thanks for your reply.

We are using Ranger 0.7.0.

We don't think there is an issue with Ranger SSL and suspect we are doing incomplete or incorrect configuration. Can you please look at our SSL configuration file shared in the previous email and point out if something looks wrong?

Also, is there any documentation on how to configure a custom Ranger plugin to talk to SSL-enabled Ranger? We were only able to find HortonWorks documentation on how to make an existing (hdfs) plugin talk to SSL-enabled Ranger.

Thanks.

Thanks,
Rohit Sinha

On Sun, Mar 25, 2018 at 11:58 PM, pengjianhua <35573597@qq.com> wrote:

> Please tell me which version you are using. I tested the 0.7.0, 0.7.1, 1.0.0. There are no problems with these versions. Maybe your configuration is wrong.
>
> On 2018-03-25 04:48, rohit sinha wrote:
>
>> Hello,
>>
>> We have a Ranger plugin which works perfectly fine with non-SSL Ranger, but when we turn on SSL for Ranger our plugin fails to talk to the Ranger server because some underlying Ranger classes fail to be initialized. We see the following error in the logs:
>>
>> 2018-03-23 01:34:00,064 - ERROR [leader-election-election-master.services:o.a.r.p.u.PolicyRefresher@282] - PolicyRefresher(serviceName=myServicedev): failed to refresh policies. Will continue to use last known version of policies (-1)
>> java.lang.IllegalArgumentException: SSLContext must not be null
>>     at com.sun.jersey.client.urlconnection.HTTPSProperties.<init>(HTTPSProperties.java:106) ~[jersey-bundle-1.17.1.jar:1.17.1]
>>     at org.apache.ranger.plugin.util.RangerRESTClient.buildClient(RangerRESTClient.java:200) ~[ranger-plugins-common-0.7.0.jar:0.7.0]
>>     at org.apache.ranger.plugin.util.RangerRESTClient.getClient(RangerRESTClient.java:175) ~[ranger-plugins-common-0.7.0.jar:0.7.0]
>>     at org.apache.ranger.plugin.util.RangerRESTClient.getResource(RangerRESTClient.java:155) ~[ranger-plugins-common-0.7.0.jar:0.7.0]
>>     at org.apache.ranger.admin.client.RangerAdminRESTClient.createWebResource(RangerAdminRESTClient.java:267) ~[ranger-plugins-common-0.7.0.jar:0.7.0]
>>     at org.apache.ranger.admin.client.RangerAdminRESTClient.access$200(RangerAdminRESTClient.java:47) ~[ranger-plugins-common-0.7.0.jar:0.7.0]
>>     at org.apache.ranger.admin.client.RangerAdminRESTClient$3.run(RangerAdminRESTClient.java:107) ~[ranger-plugins-common-0.7.0.jar:0.7.0]
>>     at org.apache.ranger.admin.client.RangerAdminRESTClient$3.run(RangerAdminRESTClient.java:105) ~[ranger-plugins-common-0.7.0.jar:0.7.0]
>>     at java.security.AccessController.doPrivileged(Native Method) ~[na:1.8.0_112]
>>     at javax.security.auth.Subject.doAs(Subject.java:360) ~[na:1.8.0_112]
>>     at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1849) ~[hadoop-common-2.7.3.2.6.4.0-91.jar:na]
>>     at org.apache.ranger.admin.client.RangerAdminRESTClient.getServicePoliciesIfUpdated(RangerAdminRESTClient.java:114) ~[ranger-plugins-common-0.7.0.jar:0.7.0]
>>     at org.apache.ranger.plugin.util.PolicyRefresher.loadPolicyfromPolicyAdmin(PolicyRefresher.java:258) [ranger-plugins-common-0.7.0.jar:0.7.0]
>>     at org.apache.ranger.plugin.util.PolicyRefresher.loadPolicy(PolicyRefresher.java:202) [ranger-plugins-common-0.7.0.jar:0.7.0]
>>     at org.apache.ranger.plugin.util.PolicyRefresher.startRefresher(PolicyRefresher.java:149) [ranger-plugins-common-0.7.0.jar:0.7.0]
>>     at org.apache.ranger.plugin.service.RangerBasePlugin.init(RangerBasePlugin.java:142) [ranger-plugins-common-0.7.0.jar:0.7.0]
>>     at com.company.myService.security.authorization.ranger.binding.RangerAuthorizer.initialize(RangerAuthorizer.java:90) [1521768838074-0/:na]
>>     at com.company.myService.security.authorization.AuthorizerInstantiator.createAndInitializeAuthorizerInstance(AuthorizerInstantiator.java:172) [na:na]
>>     at com.company.myService.security.authorization.AuthorizerInstantiator.get(AuthorizerInstantiator.java:141) [na:na]
>>     at com.company.myService.security.authorization.DelegatingPrivilegeManager.<init>(DelegatingPrivilegeManager.java:41) [na:na]
>>     ....
>>     ....
>>     at java.lang.Thread.run(Thread.java:745) [na:1.8.0_112]
>>
>> From the log, we see that the RangerRESTClient fails to be built because SSLContext is null. Looking into the code of these Ranger classes, we suspect this is because the TrustManager list being returned from here is null:
>> https://github.com/apache/ranger/blob/4370b6b135ca5288bf25bd6f7a353b9699821099/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java#L308
>>
>> To the best of our understanding all our configuration looks good. We also checked that we are picking up the ranger-myService-policymgr-ssl.xml correctly. We were able to load it from the classloader and print it. Following is our configuration:
>>
>> <?xml version="1.0"?>
>> <?xml-stylesheet href="configuration.xsl"?>
>> <configuration xmlns:xi="http://www.w3.org/2001/XInclude">
>>   <property>
>>     <name>xasecure.policymgr.clientssl.keystore</name>
>>     <value>/usr/local/ranger-myService-conf/ranger-plugin-keystore.jks</value>
>>     <description>Java Keystore files</description>
>>   </property>
>>   <property>
>>     <name>xasecure.policymgr.clientssl.keystore.password</name>
>>     <value>myKeyFilePassword</value>
>>     <description>password for keystore</description>
>>   </property>
>>   <property>
>>     <name>xasecure.policymgr.clientssl.truststore</name>
>>     <value>/usr/local/ranger-myService-conf/ranger-plugin-truststore.jks</value>
>>     <description>java truststore file</description>
>>   </property>
>>   <property>
>>     <name>xasecure.policymgr.clientssl.truststore.password</name>
>>     <value>changeit</value>
>>     <description>java truststore password</description>
>>   </property>
>>   <property>
>>     <name>xasecure.policymgr.clientssl.keystore.credential.file</name>
>>     <value>jceks://file/etc/ranger/admin/rangeradmin.jceks</value>
>>     <description>java keystore credential file</description>
>>   </property>
>>   <property>
>>     <name>xasecure.policymgr.clientssl.truststore.credential.file</name>
>>     <value>jceks://file/etc/ranger/admin/rangeradmin.jceks</value>
>>     <description>java truststore credential file</description>
>>   </property>
>> </configuration>
>>
>> Can you please help us in figuring out what we are missing or doing incorrectly?
>>
>> Thanks,
>> Rohit Sinha
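The steps the stack trace above fails on (truststore to TrustManager, keystore to KeyManager, then SSLContext) can be exercised outside the plugin so that a bad path, a wrong password or an empty truststore fails with its own message rather than the bare "SSLContext must not be null". This is an added diagnostic, not Ranger's code or the reporter's; it assumes JKS store types and that the key password equals the keystore password, takes the four values from the command line, and does not read the jceks credential files named in the configuration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

// Added diagnostic (not Ranger code). Assumes JKS stores; the jceks
// credential files from the plugin configuration are not consulted.
public class PluginSslCheck {

    static KeyStore loadJks(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {   // FileNotFoundException: wrong path
            ks.load(in, password.toCharArray());             // IOException: wrong password or corrupt file
        }
        return ks;
    }

    static TrustManager[] trustManagers(String path, String password) throws Exception {
        KeyStore ts = loadJks(path, password);
        if (ts.size() == 0)   // a loadable but empty truststore trusts nothing
            throw new IllegalStateException("truststore " + path + " has no entries");
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        return tmf.getTrustManagers();
    }

    static KeyManager[] keyManagers(String path, String password) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadJks(path, password), password.toCharArray());  // assumption: key password == store password
        return kmf.getKeyManagers();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: PluginSslCheck <keystore.jks> <keystorePwd> <truststore.jks> <truststorePwd>");
            System.exit(2);
        }
        TrustManager[] tms = trustManagers(args[2], args[3]);
        System.out.println("truststore OK: " + tms.length + " TrustManager(s)");
        KeyManager[] kms = keyManagers(args[0], args[1]);
        System.out.println("keystore OK: " + kms.length + " KeyManager(s)");
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, tms, new SecureRandom());   // the object HTTPSProperties requires to be non-null
        System.out.println("SSLContext OK: " + ctx.getProtocol());
    }
}
```

Run it on the same host and with the same JVM the plugin uses, passing the paths and passwords from ranger-myService-policymgr-ssl.xml, so that file permissions and the JVM's keystore support are the ones the plugin actually sees.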