[ 
https://issues.apache.org/jira/browse/RANGER-3206?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Dineshkumar Yadav updated RANGER-3206:
--------------------------------------
    Description: 
During the upgrade, Ranger admin may fail when applying the Java patch to
change all admin passwords if the
hadoop.security.credstore.java-keystore-provider.password-file property is set
in core-site.

This option uses a “side file” that has its location configured in the 
hadoop.security.credstore.java-keystore-provider.password-file configuration 
property to communicate the password that should be used when interrogating all 
of the keystores that are configured in the 
hadoop.security.credential.provider.path configuration property.

Repro steps:

1. vi core-site.xml (under the Ranger conf path /etc/ranger/admin/conf in HDP,
or add from the CM UI in the HDFS service-wide config)
<property>
<name>hadoop.security.credstore.java-keystore-provider.password-file</name>
<value>secure/password</value>
</property>
2. Run db_setup.py to change the admin password
3. /usr/bin/python db_setup.py -changepassword -pair <userid> <current_pass> <new_pass>
This will give the exception java.io.IOException: Password file does not exist


Solution: Enhanced db_setup.py to read the environment value set in
ranger-admin-env*.sh

This fix requires the manual steps below before upgrade.
1. ssh to ranger admin host
2. cd /etc/ranger/admin/conf/
3. vi ranger-admin-env-credstore.sh
4. add "export HADOOP_CREDSTORE_PASSWORD=none" in the 
"ranger-admin-env-credstore.sh" file
5. chown ranger:ranger ranger-admin-env-credstore.sh
6. chmod 755 ranger-admin-env-credstore.sh


  was:
During the upgrade, Ranger admin may fail when applying the Java patch to
change all admin passwords if the
hadoop.security.credstore.java-keystore-provider.password-file property is set
in core-site.

This option uses a “side file” that has its location configured in the 
hadoop.security.credstore.java-keystore-provider.password-file configuration 
property to communicate the password that should be used when interrogating all 
of the keystores that are configured in the 
hadoop.security.credential.provider.path configuration property.

Solution: Enhanced db_setup.py to read the environment value set in
ranger-admin-env*.sh

This fix requires the manual steps below before upgrade.
1. ssh to ranger admin host
2. cd /etc/ranger/admin/conf/
3. vi ranger-admin-env-credstore.sh
4. add "export HADOOP_CREDSTORE_PASSWORD=none" in the 
"ranger-admin-env-credstore.sh" file
5. chown ranger:ranger ranger-admin-env-credstore.sh
6. chmod 755 ranger-admin-env-credstore.sh



> Enhance db_setup.py to allow reading env variables set in ranger-admin-env 
> scripts
> ----------------------------------------------------------------------------------
>
>                 Key: RANGER-3206
>                 URL: https://issues.apache.org/jira/browse/RANGER-3206
>             Project: Ranger
>          Issue Type: Improvement
>          Components: Ranger
>            Reporter: Dineshkumar Yadav
>            Assignee: Dineshkumar Yadav
>            Priority: Major
>
> During the upgrade, Ranger admin may fail when applying the Java patch to
> change all admin passwords if the
> hadoop.security.credstore.java-keystore-provider.password-file property is
> set in core-site.
> This option uses a “side file” that has its location configured in the 
> hadoop.security.credstore.java-keystore-provider.password-file configuration 
> property to communicate the password that should be used when interrogating 
> all of the keystores that are configured in the 
> hadoop.security.credential.provider.path configuration property.
> Repro steps:
> 1. vi core-site.xml (under the Ranger conf path /etc/ranger/admin/conf in HDP,
> or add from the CM UI in the HDFS service-wide config)
> <property>
> <name>hadoop.security.credstore.java-keystore-provider.password-file</name>
> <value>secure/password</value>
> </property>
> 2. Run db_setup.py to change the admin password
> 3. /usr/bin/python db_setup.py -changepassword -pair <userid> <current_pass> <new_pass>
> This will give the exception java.io.IOException: Password file does not exist
> Solution: Enhanced db_setup.py to read the environment value set in
> ranger-admin-env*.sh
> This fix requires the manual steps below before upgrade.
> 1. ssh to ranger admin host
> 2. cd /etc/ranger/admin/conf/
> 3. vi ranger-admin-env-credstore.sh
> 4. add "export HADOOP_CREDSTORE_PASSWORD=none" in the 
> "ranger-admin-env-credstore.sh" file
> 5. chown ranger:ranger ranger-admin-env-credstore.sh
> 6. chmod 755 ranger-admin-env-credstore.sh



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
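
The following pre-upgrade check is an added example, not part of the Jira message or of Ranger's db_setup.py. It takes the text of core-site.xml and of ranger-admin-env-credstore.sh and reports whether a host has the password-file property set without the HADOOP_CREDSTORE_PASSWORD export listed in the manual steps; the function names and the sample inputs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

PW_FILE_PROP = "hadoop.security.credstore.java-keystore-provider.password-file"
ENV_VAR = "HADOOP_CREDSTORE_PASSWORD"


def password_file_setting(core_site_xml):
    """Return the configured side-file value from core-site.xml text, or None."""
    root = ET.fromstring(core_site_xml)
    for prop in root.iter("property"):
        if (prop.findtext("name") or "").strip() == PW_FILE_PROP:
            return (prop.findtext("value") or "").strip() or None
    return None


def exported_vars(env_script):
    """Collect `export NAME=value` assignments from a shell env script."""
    found = {}
    for line in env_script.splitlines():
        # Commented-out lines start with '#', so they never match here.
        m = re.match(r"\s*export\s+([A-Za-z_]\w*)=(.*)$", line)
        if m:
            found[m.group(1)] = m.group(2).strip().strip("\"'")
    return found


def precheck(core_site_xml, env_script):
    """Classify a host before upgrade: 'ok', 'workaround-present' or 'at-risk'."""
    if password_file_setting(core_site_xml) is None:
        return "ok"  # property not set, the reported failure does not apply
    if ENV_VAR in exported_vars(env_script or ""):
        return "workaround-present"
    return "at-risk"  # property set, but the export from the manual steps is missing


# Constructed sample inputs (not taken from a real cluster).
CORE_SITE = """<configuration>
  <property>
    <name>hadoop.security.credstore.java-keystore-provider.password-file</name>
    <value>secure/password</value>
  </property>
</configuration>"""
ENV_SCRIPT = "# constructed sample\nexport HADOOP_CREDSTORE_PASSWORD=none\n"

if __name__ == "__main__":
    print(precheck(CORE_SITE, ""))
    print(precheck(CORE_SITE, ENV_SCRIPT))
```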
