[ https://issues.apache.org/jira/browse/RANGER-2853?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
gaozhan ding updated RANGER-2853: --------------------------------- Description: We use ranger with kerberos. When enable ranger-kms for hdfs encryption, we got an error from ranger admin web ui. On the premise that all configurations have been completed, I can not list keys in ranger admin, errors are as follows: Unauthenticated : Please check the permission in the policy for the user. {panel:title=logs in ranger admin:} XXXX-XX-XX 13:09:39,164 [http-bio-6182-exec-10] INFO org.apache.ranger.common.RESTErrorUtil (RESTErrorUtil.java:63) - Request failed. loginId=keyadmin, logMessage=Unauthenticated : Please check the permission in the policy for the user javax.ws.rs.WebApplicationException at org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:56) at org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:325) at org.apache.ranger.rest.XKeyREST.handleError(XKeyREST.java:215) at org.apache.ranger.rest.XKeyREST.searchKeys(XKeyREST.java:87) at org.apache.ranger.rest.XKeyREST$$FastClassBySpringCGLIB$$c5260d52.invoke(<generated>) ...... {panel} I studied the problem and found that this problem have nothing to do with authentication, it is an exception caused by NPE. I try print that exception: {panel:title=NPE} XXXX-XX-XX 07:16:42,615 [http-bio-6182-exec-2] ERROR org.apache.ranger.biz.KmsKeyMgr (KmsKeyMgr.java:176) - test_for_ranger: java.lang.NullPointerException at org.apache.hadoop.security.authentication.util.KerberosName.getShortName(KerberosName.java:395) at org.apache.hadoop.security.User.<init>(User.java:48) at org.apache.hadoop.security.SecureClientLogin.loginUserFromKeytab(SecureClientLogin.java:66) at org.apache.ranger.biz.KmsKeyMgr.getSubjectForKerberos(KmsKeyMgr.java:574) at org.apache.ranger.biz.KmsKeyMgr.searchKeys(KmsKeyMgr.java:152) at org.apache.ranger.rest.XKeyREST.searchKeys(XKeyREST.java:85) at org.apache.ranger.rest.XKeyREST$$FastClassBySpringCGLIB$$c5260d52.invoke(<generated>) at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204) at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:736) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157) at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:69) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179) at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:99) at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:282) at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179) at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:671) at org.apache.ranger.rest.XKeyREST$$EnhancerBySpringCGLIB$$5010f39f.searchKeys(<generated>) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60) at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185) at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75) at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302) at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147) at com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:108) at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147) at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84) at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1542) at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1473) at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1419) at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1409) ...... {panel} The following patch solves this problem !image.png! was: We use ranger with kerberos. When enable ranger-kms for hdfs encryption, we got an error from ranger admin web ui. On the premise that all configurations have been completed, I can not list keys in ranger admin, errors are as follows: Unauthenticated : Please check the permission in the policy for the user. {panel:title=logs in ranger admin:} XXXX-XX-XX 13:09:39,164 [http-bio-6182-exec-10] INFO org.apache.ranger.common.RESTErrorUtil (RESTErrorUtil.java:63) - Request failed. loginId=keyadmin, logMessage=Unauthenticated : Please check the permission in the policy for the user javax.ws.rs.WebApplicationException at org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:56) at org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:325) at org.apache.ranger.rest.XKeyREST.handleError(XKeyREST.java:215) at org.apache.ranger.rest.XKeyREST.searchKeys(XKeyREST.java:87) at org.apache.ranger.rest.XKeyREST$$FastClassBySpringCGLIB$$c5260d52.invoke(<generated>) ...... {panel} I studied the problem and found that this problem have nothing to do with authentication, it is an exception caused by NPE. I try print that exception: {panel:title=NPE} XXXX-XX-XX 07:16:42,615 [http-bio-6182-exec-2] ERROR org.apache.ranger.biz.KmsKeyMgr (KmsKeyMgr.java:176) - test_for_ranger: java.lang.NullPointerException at org.apache.hadoop.security.authentication.util.KerberosName.getShortName(KerberosName.java:395) at org.apache.hadoop.security.User.<init>(User.java:48) at org.apache.hadoop.security.SecureClientLogin.loginUserFromKeytab(SecureClientLogin.java:66) at org.apache.ranger.biz.KmsKeyMgr.getSubjectForKerberos(KmsKeyMgr.java:574) at org.apache.ranger.biz.KmsKeyMgr.searchKeys(KmsKeyMgr.java:152) at org.apache.ranger.rest.XKeyREST.searchKeys(XKeyREST.java:85) at org.apache.ranger.rest.XKeyREST$$FastClassBySpringCGLIB$$c5260d52.invoke(<generated>) at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204) at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:736) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157) at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:69) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179) at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:99) at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:282) at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179) at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:671) at org.apache.ranger.rest.XKeyREST$$EnhancerBySpringCGLIB$$5010f39f.searchKeys(<generated>) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60) at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185) at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75) at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302) at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147) at com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:108) at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147) at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84) at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1542) at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1473) at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1419) at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1409) ...... {panel} !image.png! > "Unauthenticated : Please check the permission in the policy for the user": > An NPE in ranger admin when enable kms. > ------------------------------------------------------------------------------------------------------------------- > > Key: RANGER-2853 > URL: https://issues.apache.org/jira/browse/RANGER-2853 > Project: Ranger > Issue Type: Bug > Components: admin > Affects Versions: 1.2.0 > Reporter: gaozhan ding > Priority: Major > Attachments: > 0001-RANGER-2853-fix-NPE-error-in-ranger-admin-when-enabl.patch, image.png > > > We use ranger with kerberos. When enable ranger-kms for hdfs encryption, we > got an error from ranger admin web ui. On the premise that all configurations > have been completed, I can not list keys in ranger admin, errors are as > follows: Unauthenticated : Please check the permission in the policy for the > user. > {panel:title=logs in ranger admin:} > XXXX-XX-XX 13:09:39,164 [http-bio-6182-exec-10] INFO > org.apache.ranger.common.RESTErrorUtil (RESTErrorUtil.java:63) - Request > failed. loginId=keyadmin, logMessage=Unauthenticated : Please check the > permission in the policy for the user > javax.ws.rs.WebApplicationException > at > org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:56) > at > org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:325) > at org.apache.ranger.rest.XKeyREST.handleError(XKeyREST.java:215) > at org.apache.ranger.rest.XKeyREST.searchKeys(XKeyREST.java:87) > at > org.apache.ranger.rest.XKeyREST$$FastClassBySpringCGLIB$$c5260d52.invoke(<generated>) > ...... > {panel} > I studied the problem and found that this problem have nothing to do with > authentication, it is an exception caused by NPE. I try print that exception: > {panel:title=NPE} > XXXX-XX-XX 07:16:42,615 [http-bio-6182-exec-2] ERROR > org.apache.ranger.biz.KmsKeyMgr (KmsKeyMgr.java:176) - test_for_ranger: > java.lang.NullPointerException > at > org.apache.hadoop.security.authentication.util.KerberosName.getShortName(KerberosName.java:395) > at org.apache.hadoop.security.User.<init>(User.java:48) > at > org.apache.hadoop.security.SecureClientLogin.loginUserFromKeytab(SecureClientLogin.java:66) > at org.apache.ranger.biz.KmsKeyMgr.getSubjectForKerberos(KmsKeyMgr.java:574) > at org.apache.ranger.biz.KmsKeyMgr.searchKeys(KmsKeyMgr.java:152) > at org.apache.ranger.rest.XKeyREST.searchKeys(XKeyREST.java:85) > at > org.apache.ranger.rest.XKeyREST$$FastClassBySpringCGLIB$$c5260d52.invoke(<generated>) > at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204) > at > org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:736) > at > org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157) > at > org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:69) > at > org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179) > at > org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:99) > at > org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:282) > at > org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96) > at > org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179) > at > org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:671) > at > org.apache.ranger.rest.XKeyREST$$EnhancerBySpringCGLIB$$5010f39f.searchKeys(<generated>) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > at > com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60) > at > com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185) > at > com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75) > at > com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302) > at > com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147) > at > com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:108) > at > com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147) > at > com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84) > at > com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1542) > at > com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1473) > at > com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1419) > at > com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1409) > ...... > {panel} > > The following patch solves this problem > > > !image.png! -- This message was sent by Atlassian Jira (v8.3.4#803005)