[ https://issues.apache.org/jira/browse/RANGER-2853?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

gaozhan ding updated RANGER-2853:
---------------------------------
    Description: 
We use Ranger with Kerberos. When enabling ranger-kms for HDFS encryption, we
got an error from the Ranger admin web UI. On the premise that all
configurations have been completed, I cannot list keys in Ranger admin. The
error is as follows:
Unauthenticated : Please check the permission in the policy for the user.
{panel:title=logs in ranger admin:}
XXXX-XX-XX 13:09:39,164 [http-bio-6182-exec-10] INFO org.apache.ranger.common.RESTErrorUtil (RESTErrorUtil.java:63) - Request failed. loginId=keyadmin, logMessage=Unauthenticated : Please check the permission in the policy for the user
 javax.ws.rs.WebApplicationException
 at org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:56)
 at org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:325)
 at org.apache.ranger.rest.XKeyREST.handleError(XKeyREST.java:215)
 at org.apache.ranger.rest.XKeyREST.searchKeys(XKeyREST.java:87)
 at org.apache.ranger.rest.XKeyREST$$FastClassBySpringCGLIB$$c5260d52.invoke(<generated>)
 ......
{panel}
I studied the problem and found that this problem has nothing to do with
authentication; it is an exception caused by an NPE. I tried printing that
exception:
{panel:title=NPE}
XXXX-XX-XX 07:16:42,615 [http-bio-6182-exec-2] ERROR org.apache.ranger.biz.KmsKeyMgr (KmsKeyMgr.java:176) - test_for_ranger:
 java.lang.NullPointerException
 at org.apache.hadoop.security.authentication.util.KerberosName.getShortName(KerberosName.java:395)
 at org.apache.hadoop.security.User.<init>(User.java:48)
 at org.apache.hadoop.security.SecureClientLogin.loginUserFromKeytab(SecureClientLogin.java:66)
 at org.apache.ranger.biz.KmsKeyMgr.getSubjectForKerberos(KmsKeyMgr.java:574)
 at org.apache.ranger.biz.KmsKeyMgr.searchKeys(KmsKeyMgr.java:152)
 at org.apache.ranger.rest.XKeyREST.searchKeys(XKeyREST.java:85)
 at org.apache.ranger.rest.XKeyREST$$FastClassBySpringCGLIB$$c5260d52.invoke(<generated>)
 at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
 at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:736)
 at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
 at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:69)
 at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
 at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:99)
 at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:282)
 at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96)
 at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
 at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:671)
 at org.apache.ranger.rest.XKeyREST$$EnhancerBySpringCGLIB$$5010f39f.searchKeys(<generated>)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 at java.lang.reflect.Method.invoke(Method.java:498)
 at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
 at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185)
 at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
 at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302)
 at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
 at com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:108)
 at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
 at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
 at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1542)
 at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1473)
 at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1419)
 at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1409)
 ......
{panel}
 

Here is the reason for the NPE exception:
{code:java}
private Subject getSubjectForKerberos(String provider) throws Exception {
    String userName = getKMSUserName(provider);
    String password = getKMSPassword(provider);
    String nameRules = PropertiesUtil.getProperty(NAME_RULES);
    // Here KerberosName.rules is set to DEFAULT or nameRules.
    if (StringUtils.isEmpty(nameRules)) {
        KerberosName.setRules("DEFAULT");
    } else {
        KerberosName.setRules(nameRules);
    }
    Subject sub = new Subject();
    String rangerPrincipal = SecureClientLogin.getPrincipal(
            PropertiesUtil.getProperty(ADMIN_USER_PRINCIPAL),
            PropertiesUtil.getProperty(HOST_NAME));
    if (checkKerberos()) {
        if (SecureClientLogin.isKerberosCredentialExists(rangerPrincipal,
                PropertiesUtil.getProperty(ADMIN_USER_KEYTAB))) {
            // In loginUserFromKeytab(), KerberosName.rules is set once again,
            // depending on the value of nameRules. This means that if nameRules
            // is null, KerberosName.rules is set to null, which leads to the NPE.
            sub = SecureClientLogin.loginUserFromKeytab(rangerPrincipal,
                    PropertiesUtil.getProperty(ADMIN_USER_KEYTAB), nameRules);
        } else {
            sub = SecureClientLogin.loginUserWithPassword(userName, password);
        }
    } else {
        sub = SecureClientLogin.login(userName);
    }
    return sub;
}
{code}
The following patch solves this problem.

 

 

!image.png!


> "Unauthenticated : Please check the permission in the policy for the user": 
> An NPE in ranger admin when enable kms.
> -------------------------------------------------------------------------------------------------------------------
>
>                 Key: RANGER-2853
>                 URL: https://issues.apache.org/jira/browse/RANGER-2853
>             Project: Ranger
>          Issue Type: Bug
>          Components: admin
>    Affects Versions: 1.2.0
>            Reporter: gaozhan ding
>            Priority: Major
>         Attachments: 
> 0001-RANGER-2853-fix-NPE-error-in-ranger-admin-when-enabl.patch, image.png
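
The failure mode described in this report, reduced to a self-contained model. This is an added example, not Ranger or Hadoop code and not the attached patch. `rules`, `getShortName`, `loginFromKeytab`, `buggyLogin`, `guardedLogin` and `searchKeys` are hypothetical stand-ins that follow the report's description; the guard shown is one possible approach, assumed for illustration.

```java
import java.util.function.Supplier;

public class NameRulesNpeDemo {
    // Stand-in for the process-wide rules held by KerberosName (simplified model).
    static String rules;

    // Stand-in for getShortName(): dereferences the static rules.
    static String getShortName(String principal) {
        if (rules.equals("DEFAULT")) {            // NPE here when rules == null
            return principal.substring(0, principal.indexOf('@')).split("/")[0];
        }
        throw new UnsupportedOperationException("custom rules not modelled");
    }

    // Stand-in for loginUserFromKeytab(): re-sets the rules from its argument.
    static String loginFromKeytab(String principal, String nameRules) {
        rules = nameRules;                        // overwrites the caller's earlier choice
        return getShortName(principal);
    }

    static boolean isEmpty(String s) { return s == null || s.isEmpty(); }

    // Behaviour described in the report: default applied, then the raw value passed on.
    static String buggyLogin(String principal, String configuredRules) {
        rules = isEmpty(configuredRules) ? "DEFAULT" : configuredRules;
        return loginFromKeytab(principal, configuredRules);
    }

    // Guarded variant (assumption): resolve once, pass the resolved value everywhere.
    static String guardedLogin(String principal, String configuredRules) {
        String effective = isEmpty(configuredRules) ? "DEFAULT" : configuredRules;
        rules = effective;
        return loginFromKeytab(principal, effective);
    }

    // Models the REST layer: a broad catch reports every failure with the same
    // message, so the exception class is appended to keep the root cause visible.
    static String searchKeys(Supplier<String> login) {
        try {
            return "keys listed as " + login.get();
        } catch (Exception e) {
            return "Unauthenticated : Please check the permission in the policy for the user"
                    + " [root cause: " + e.getClass().getSimpleName() + "]";
        }
    }

    public static void main(String[] args) {
        String principal = "rangeradmin/host.example.com@EXAMPLE.COM"; // constructed sample
        System.out.println(searchKeys(() -> buggyLogin(principal, null)));
        System.out.println(searchKeys(() -> guardedLogin(principal, null)));
    }
}
```

Running it with an unset name-rules value shows the first call failing with the misleading authentication message and the second succeeding, which is the distinction an operator needs when triaging this error in the admin log.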


