ranger-user mailing list archives

From Sailaja Polavarapu <spolavar...@hortonworks.com>
Subject Re: Cannot log in the Ranger Admin UI
Date Fri, 13 May 2016 15:03:11 GMT
Hi Lune,
Some of the answers as per my understanding:
>>Q1 - Do you have any idea what could be my problem ?
 From the code (security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java),
my understanding is that ranger admin first tries to authenticate with the configured
authentication method (LDAP/AD/UNIX). If none of these are successful, it falls back to db
authentication. In case of system users like rangerusersync, admin, etc., we have these
users in ranger db and eventually should succeed. In this case we still see the “Bad Credentials”
error message in the logs.

>>Q2 - Is usersync used when a user tries to log in the Ranger Admin UI ?
 No. usersync syncs the users from the configured sync source periodically and updates ranger
admin. As part of updates to ranger admin, user sync user (rangerusersync) has to go through
the authentication process as well.

>>In Ambari UI, in the User info tab, in the User Configs sub-tab, the "Group User map
Sync" is enabled. What is the usage of this property ?
 For 2.3.2, this flag is used for computing group membership of the user. From 2.3.4 onwards,
this flag is not used in the backend (https://issues.apache.org/jira/browse/RANGER-767).

>> So first thing first, where do I have to enter the password for this user rangerusersync
in the ranger configuration ?
For rangerusersync user, we first check if “ranger.usersync.policymgr.username”, “ranger.usersync.policymgr.password”
and “ranger.usersync.policymgr.alias” are configured. If not, we use the default values
for username and password (ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java).
If you haven’t changed the default password for rangerusersync user, these properties are
not needed.

Thanks,
Sailaja.


From: Lune Silver <lunescar.ranger@gmail.com>
Reply-To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
Date: Friday, May 13, 2016 at 6:39 AM
To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
Subject: Re: Cannot log in the Ranger Admin UI

Sorry there is a typo in my last sentence. I wanted to write :

So first thing first, where do I have to enter the password for this user rangerusersync in
the ranger configuration ?

BR.

Lune


On Fri, May 13, 2016 at 3:37 PM, Lune Silver <lunescar.ranger@gmail.com> wrote:
Hello guys.

Sorry, I had only a few elements before.

Now I increased the log level to debug and I see the following error in xa_portal.log:
I saw that there was first an error with the user rangerusersync which was missing in my LDAP.
So I created it and I set up a password for it.
The password works fine when I try to perform an ldap_search on the LDAP by using the user
rangerusersync.


But in the logs, here is what I can see
###
2016-05-13 15:30:07,582 [http-bio-6182-exec-2] DEBUG org.springframework.security.ldap.authentication.BindAuthenticator
(BindAuthenticator.java:152) - Failed to bind as uid=rangerusersync,cn=users,cn=accounts,dc=<myrealm>:
org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - Invalid Credentials];
nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
2016-05-13 15:30:07,582 [http-bio-6182-exec-2] DEBUG org.apache.ranger.security.handler.RangerAuthenticationProvider
(RangerAuthenticationProvider.java:238) - LDAP Authentication Failed:
org.springframework.security.authentication.BadCredentialsException: Bad credentials
        at org.springframework.security.ldap.authentication.BindAuthenticator.authenticate(BindAuthenticator.java:95)
        at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:178)
        at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:61)
        at org.apache.ranger.security.handler.RangerAuthenticationProvider.getLdapAuthentication(RangerAuthenticationProvider.java:231)
        at org.apache.ranger.security.handler.RangerAuthenticationProvider.authenticate(RangerAuthenticationProvider.java:91)
        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
        at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:168)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:183)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)
###

So first thing first, when do I have to enter the password for this user rangerusersync in
the ranger configuration ?

BR.

Lune.

On Fri, May 13, 2016 at 12:11 PM, Don Bosco Durai <bosco@apache.org> wrote:
Sailaja, would you know what is going on here?

Thanks

Bosco


From: Lune Silver <lunescar.ranger@gmail.com>
Reply-To: <user@ranger.incubator.apache.org>
Date: Thursday, May 12, 2016 at 3:39 AM
To: <user@ranger.incubator.apache.org>
Subject: Re: Cannot log in the Ranger Admin UI

As a note, I have :
- User Sync enabled
- In Ambari UI, in the User info tab, in the User Configs sub-tab, the "Group User map Sync"
is enabled. What is the usage of this property ?
- In Ambari UI, in the User info tab, in the Group Configs sub-tab, Group Sync is enabled.

BR.

Lune.

On Thu, May 12, 2016 at 12:33 PM, Lune Silver <lunescar.ranger@gmail.com> wrote:
Hello everyone !

I am using HDP 2.3.2 with Ambari 2.2.1.
I installed Ranger Admin and Ranger Usersync with SSL.
They are both green in Ambari UI and there is no error in the logs of both components.

The thing is, when I try to log in the Ranger Admin UI, I always have the following error:
###
2016-05-12 12:14:57,165 [http-bio-6182-exec-8] INFO  org.apache.ranger.security.listener.SpringEventListener
(SpringEventListener.java:87) - Login Unsuccessful:admin | Ip Address:< IP FROM WHERE I
TRY TO CONNECT>| Bad Credentials
###

I'm using an LDAP for the user/group management.

I performed a test with :
- admin, the admin user normally locally defined in Ranger. I got the Bad Credentials error.
- admin, an admin user that I already have in the LDAP, I got the Bad Credentials error
- amb_ranger_admin, the user created in ranger admin in order to allow ambari to create repositories
(if I understood well), and I got the Bad Credentials error
- a user lambda in the LDAP, I got the Bad Credentials error

In the "Advanced" tab in Ambari, I have the following configuration :
- Authentication method : LDAP
- LDAP Settings
-- ranger.ldap.base.dn : dc=<myrealm>
-- Bind user : {{ranger_ug_ldap_bind_dn}} : uid=<myuser>,cn=users,cn=accounts,dc=<myrealm>
-- Bind User Password : the password of the bind user (I checked and this password is right)
-- ranger.ldap.group.roleattribute : cn (the attribute to retrieve group, right ?)
-- ranger.ldap.referral : ignore (because I have only one ldap)
-- LDAP URL : {{ranger_ug_ldap_url}} : ldap://<MY LDAP HOST>:389
-- ranger.ldap.user.dnpattern : uid={0},cn=users,cn=accounts,dc=<myrealm>
-- User Search Filter = {{ranger_ug_ldap_user_searchfilter}} : empty (I kept a space character)

Q1 - Do you have any idea what could be my problem ?
Q2 - Is usersync used when a user tries to log in the Ranger Admin UI ?

BR.

Lune.
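
A triage sketch for the xa_portal.log lines quoted in this thread, added here as an example and not part of the original messages or of Ranger's code: it pairs each `Login Unsuccessful` event with the LDAP bind failure logged on the same request thread and checks the rejected DN against `ranger.ldap.user.dnpattern`. The sample log is constructed (one entry per line, placeholder realm `dc=example` and IP `192.0.2.10`), and `triage` is a hypothetical helper name.

```python
import re

# Constructed sample, modelled on the xa_portal.log lines quoted in the thread.
# Realm (dc=example) and client IP (192.0.2.10) are placeholders.
SAMPLE_LOG = """\
2016-05-13 15:30:07,582 [http-bio-6182-exec-2] DEBUG org.springframework.security.ldap.authentication.BindAuthenticator (BindAuthenticator.java:152) - Failed to bind as uid=rangerusersync,cn=users,cn=accounts,dc=example: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
2016-05-13 15:30:07,582 [http-bio-6182-exec-2] DEBUG org.apache.ranger.security.handler.RangerAuthenticationProvider (RangerAuthenticationProvider.java:238) - LDAP Authentication Failed:
2016-05-13 15:30:07,590 [http-bio-6182-exec-2] INFO  org.apache.ranger.security.listener.SpringEventListener (SpringEventListener.java:87) - Login Unsuccessful:rangerusersync | Ip Address:192.0.2.10| Bad Credentials
2016-05-13 15:31:12,101 [http-bio-6182-exec-8] INFO  org.apache.ranger.security.listener.SpringEventListener (SpringEventListener.java:87) - Login Unsuccessful:admin | Ip Address:192.0.2.10| Bad Credentials
"""
# Same shape as the ranger.ldap.user.dnpattern value shown in the thread.
DN_PATTERN = "uid={0},cn=users,cn=accounts,dc=example"

LINE = re.compile(r"^\S+ \S+ \[(?P<thread>[^\]]+)\] +\w+ +\S+ \(\S+\) - (?P<msg>.*)$")
BIND_FAIL = re.compile(r"Failed to bind as (?P<dn>.+?): .*?LDAP: error code (?P<code>\d+)")
LOGIN_FAIL = re.compile(r"Login Unsuccessful:(?P<user>[^|]+?) *\| *Ip Address:(?P<ip>[^|]*)\|")


def triage(log_text, dn_pattern=DN_PATTERN):
    """Pair each failed login with the LDAP bind failure seen on the same thread."""
    pending = {}    # thread name -> (bind DN, LDAP result code) of last bind failure
    findings = []
    for raw in log_text.splitlines():
        entry = LINE.match(raw)
        if not entry:
            continue  # stack-trace frames and other continuation lines
        thread, msg = entry["thread"], entry["msg"]
        bind = BIND_FAIL.search(msg)
        login = LOGIN_FAIL.search(msg)
        if bind:
            pending[thread] = (bind["dn"], int(bind["code"]))
        elif login:
            user = login["user"].strip()
            dn, code = pending.pop(thread, (None, None))
            findings.append({
                "user": user,
                "ip": login["ip"].strip(),
                "ldap_bind_dn": dn,
                "ldap_code": code,
                # str.format approximates the {0} substitution for simple user
                # names; True means the rejected DN is the one the pattern yields.
                "dn_matches_pattern": (dn == dn_pattern.format(user)) if dn else None,
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A finding with `ldap_code` 49 and `dn_matches_pattern` true means the directory rejected the password for exactly the DN the pattern produces. A finding with no bind DN means no bind failure was logged for that attempt, for example because DEBUG logging was off.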


