[ 
https://issues.apache.org/jira/browse/RANGER-2751?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17053397#comment-17053397
 ] 

Pradeep Agrawal commented on RANGER-2751:
-----------------------------------------

You can try either of the two approaches here:

1) Import the Ranger Admin cert into the JDK cacert of the Presto plugin machine.

or

2) Try to create a trust store and import the Ranger Admin certificate into that 
trust store at the plugin end. You might have to use the below two properties and 
make sure it's reflected in ranger-*ssl*.site.xml when you enable the Presto 
plugin:

SSL_TRUSTSTORE_FILE_PATH=/etc/hadoop/conf/ranger-plugin-truststore.jks
SSL_TRUSTSTORE_PASSWORD=none

 

 

> SSL enabled Apache Ranger (2.1.0) not working with SSL enabled Presto 
> (Prestosql 310) - Policy synch up not happening 
> ----------------------------------------------------------------------------------------------------------------------
>
>                 Key: RANGER-2751
>                 URL: https://issues.apache.org/jira/browse/RANGER-2751
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>    Affects Versions: 2.1.0
>            Reporter: sajai
>            Priority: Major
>             Fix For: 2.1.0
>
>
> *Facing the below error when trying to integrate Apache Ranger with Prestosql 
> (310 version).*
> *Both Ranger and Presto are working independently, but the Presto policies 
> from Ranger are not downloading/refreshing. Couldn't find the policies 
> downloaded in Ranger web UI in Audits/Plugin tab. Also, if we remove SSL from 
> Ranger side it starts working fine. Issue is only when SSL is enabled in 
> Ranger, then Presto is not working with Ranger.*
> 2020-03-04T07:50:59.600-0600 ERROR Thread-91 
> org.apache.ranger.plugin.util.PolicyRefresher 
> PolicyRefresher(serviceName=presto-catalogs-dev): failed to refresh policies. 
> Will continue to use last known version of policies (-1)
> java.lang.IllegalArgumentException: TrustManager is not specified
> *ranger-2.1.0-SNAPSHOT-admin/install.properties:-*
> db_root_user=root
> db_root_password=Sqlpwd@123
> db_host=localhost
> db_name=ranger
> db_user=rangeradmin
> db_password=Rangerpwd@123
> rangerAdmin_password=Rangerpwd@123
> rangerTagsync_password=Rangerpwd@123
> rangerUsersync_password=Rangerpwd@123
> keyadmin_password=Rangerpwd@123
> policymgr_external_url=https://hostname_ranger:6182
> policymgr_http_enabled=false
> policymgr_https_keystore_file=/opt/iss_cert/clientcert.jks
> policymgr_https_keystore_keyalias=kkkk
> policymgr_https_keystore_password=31b17532aeb4fb5ba3af2bae850567
> unix_user=ranger
> unix_user_pwd=Rangerpwd@123
> unix_group=ranger
> #LDAP|ACTIVE_DIRECTORY|UNIX|NONE
> authentication_method=LDAP
> xa_ldap_url=ldaps://hostname_ldapserver:636
> xa_ldap_userDNpattern=uid=\{0},OU=xxx,DC=xx,DC=cccc,DC=COM
> xa_ldap_groupSearchBase=DC=xxx,DC=ccc,DC=COM
> xa_ldap_groupSearchFilter=(member=cn=\{0},OU=xxx,DC=xx,DC=cccc,DC=COM)
> xa_ldap_groupRoleAttribute=cn
> xa_ldap_base_dn=DC=xx,DC=cccc,DC=COM
> xa_ldap_bind_dn=CN=XXX,OU=XX,DC=xx,DC=cccc,DC=COM
> xa_ldap_bind_password=uBLRxxxxxxxxzVJK
> xa_ldap_referral=follow
> xa_ldap_userSearchFilter=(uid=\{0})
> *With the above values, able to start Ranger with SSL and LDAP enabled and 
> also able to log in successfully with both unix admin credentials and also with 
> LDAP credentials.*
>  
> *ranger-2.1.0-SNAPSHOT-presto-plugin/install.properties:-*
> POLICY_MGR_URL=https:/hostname_ranger:6182
> REPOSITORY_NAME=presto-catalogs-dev
> *# You do not need use SSL between agent and security admin tool, please 
> leave these sample value as it is.*
> SSL_KEYSTORE_FILE_PATH=/etc/hadoop/conf/ranger-plugin-keystore.jks
> SSL_KEYSTORE_PASSWORD=none
> SSL_TRUSTSTORE_FILE_PATH=/etc/hadoop/conf/ranger-plugin-truststore.jks
> SSL_TRUSTSTORE_PASSWORD=none
> *keep blank if component user is default*
> CUSTOM_USER=
> *keep blank if component group is default*
> CUSTOM_GROUP=
>  
> *presto-server-310/etc/config.properties:-*
> coordinator=true
> node-scheduler.include-coordinator=true
> http-server.http.enabled=false
> node.internal-address-source=FQDN
> node.internal-address=hostname_presto
> internal-communication.https.required=true
> internal-communication.https.keystore.path=/opt/iss_cert/clientcert.jks
> internal-communication.https.keystore.key=31b17532aeb4fb5ba3af2bae850567
> discovery-server.enabled=true
> discovery.uri=https://hostname_presto:8443
> http-server.authentication.type=PASSWORD,CERTIFICATE
> http-server.https.enabled=true
> http-server.https.port=8443
> http-server.https.keystore.path=/opt/iss_cert/clientcert.jks
> http-server.https.keystore.key=31b17532aeb4fb5ba3af2bae850567



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
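
A preflight for the second approach in the comment above, added here as an example (it is not code from the Ranger project or from the commenter): it reads the plugin's install.properties, checks that an HTTPS POLICY_MGR_URL is well formed and that SSL_TRUSTSTORE_FILE_PATH points at a readable file, and wraps the standard keytool import. The function names and the `ranger-admin` alias are assumptions made for this example.

```shell
#!/bin/sh
# Added example: plugin-side truststore preflight (function names are hypothetical).

# Read one key from a Java-style properties file (last assignment wins).
prop() { sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1; }

# Print one finding per line; return 0 only if the trust settings look usable.
check_plugin_props() {
  local file="$1" url ts rc=0
  url=$(prop "$file" POLICY_MGR_URL)
  ts=$(prop "$file" SSL_TRUSTSTORE_FILE_PATH)
  case $url in
    https://?*) ;;   # TLS in use: the truststore checks below apply
    http://?*)  echo "INFO: POLICY_MGR_URL is plain HTTP, no truststore involved"
                return 0 ;;
    *)          echo "FAIL: POLICY_MGR_URL '$url' is not a well-formed http(s) URL"
                rc=1 ;;
  esac
  if [ -z "$ts" ]; then
    echo "FAIL: SSL_TRUSTSTORE_FILE_PATH is empty"; rc=1
  elif [ ! -r "$ts" ]; then
    echo "FAIL: truststore $ts is missing or unreadable"; rc=1
  fi
  return $rc
}

# Approach 2: import the Ranger Admin certificate into a dedicated truststore,
# then list the entry to confirm the store opens with the given password.
# Args: certificate file, truststore path, store password.
# The alias "ranger-admin" is an assumed name. Note that -storepass on the
# command line is visible in the process list while keytool runs.
import_admin_cert() {
  keytool -importcert -noprompt -alias ranger-admin \
    -file "$1" -keystore "$2" -storepass "$3" &&
  keytool -list -alias ranger-admin -keystore "$2" -storepass "$3"
}
```

Run `check_plugin_props` against the plugin's install.properties before enabling the plugin; the truststore password passed to `import_admin_cert` must match SSL_TRUSTSTORE_PASSWORD.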
