Ajay created RANGER-4022:
----------------------------
Summary: Facing Ranger AD sync issue
Key: RANGER-4022
URL: https://issues.apache.org/jira/browse/RANGER-4022
Project: Ranger
Issue Type: Task
Components: usersync
Reporter: Ajay
Hi Team,
I am working on creating Open_source KAFKA/RANGER/AMBARI cluster , however
everything has been setup but facing error while RANGER_AD sync. So Ranger
admin and Ranger usersync are getting started via Ambari however with below
errors it is getting failed. I am at a point where i am not able to find where
the issue is at , any help will be appreciate able.
Below is the error snap.
Note:- this is a sample user taken from Ldap
{code:java}
13 Dec 2022 18:19:42 INFO UnixAuthenticationService [main] - Starting User
Sync Service!
13 Dec 2022 18:19:43 INFO AbstractMapper [UnixUserSyncThread] - Initializing
for ranger.usersync.mapping.username.regex
13 Dec 2022 18:19:43 INFO AbstractMapper [UnixUserSyncThread] - Initializing
for ranger.usersync.mapping.groupname.regex
13 Dec 2022 18:19:43 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] -
LdapDeltaUserGroupBuilder created
13 Dec 2022 18:19:43 INFO UserGroupSyncConfig [UnixUserSyncThread] - Sleep
Time Between Cycle can not be lower than [3600000] millisec. resetting to min
value.
13 Dec 2022 18:19:43 INFO UserGroupSync [UnixUserSyncThread] - initializing
sink: org.apache.ranger.ldapusersync.process.LdapPolicyMgrUserGroupBuilder
13 Dec 2022 18:19:44 DEBUG Tracer [UnixUserSyncThread] - sampler.classes = ;
loaded no samplers
13 Dec 2022 18:19:44 DEBUG Tracer [UnixUserSyncThread] - span.receiver.classes
= ; loaded no span receivers
13 Dec 2022 18:19:45 INFO AbstractMapper [UnixUserSyncThread] - Initializing
for ranger.usersync.mapping.username.regex
13 Dec 2022 18:19:45 INFO AbstractMapper [UnixUserSyncThread] - Initializing
for ranger.usersync.mapping.groupname.regex
13 Dec 2022 18:19:45 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] -
LdapDeltaUserGroupBuilder created
13 Dec 2022 18:19:45 INFO UserGroupSync [UnixUserSyncThread] - initializing
source: org.apache.ranger.ldapusersync.process.LdapDeltaUserGroupBuilder
13 Dec 2022 18:19:45 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] -
LdapDeltaUserGroupBuilder initialization started
13 Dec 2022 18:19:46 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] -
LdapDeltaUserGroupBuilder initialization completed with -- ldapUrl:
ldap://ldap-aws-us-east.mstarext.com:389, ldapBindDn:
CN=aws_hadoop_prd_ad_user,OU=Service Accounts,OU=Hadoop,OU=CORESVC_Core
Services,OU=Servers and Services,DC=mstarext,DC=com, ldapBindPassword: ***** ,
ldapAuthenticationMechanism: simple, searchBase: DC=mstarext,DC=com,
userSearchBase: [dc=mstarext,dc=com], userSearchScope: 2, userObjectClass:
user, userSearchFilter: (&(objectClass=person)(objectClass=user)),
extendedUserSearchFilter: null, userNameAttribute: sAMAccountName,
userSearchAttributes: [uSNChanged, sAMAccountName, modifytimestamp],
userGroupNameAttributeSet: null, pagedResultsEnabled: true, pagedResultsSize:
500, groupSearchEnabled: true, groupSearchBase: [DC=mstarext,DC=com],
groupSearchScope: 2, groupObjectClass: group, groupSearchFilter:
(objectClass=group), extendedGroupSearchFilter:
(&null(|(member={0})(member={1}))), extendedAllGroupsSearchFilter: null,
groupMemberAttributeName: member, groupNameAttribute: sAMAccountName,
groupSearchAttributes: [uSNChanged, sAMAccountName, member, modifytimestamp],
groupUserMapSyncEnabled: true, groupSearchFirstEnabled: false,
userSearchEnabled: false, ldapReferral: follow
13 Dec 2022 18:19:46 INFO UserGroupSync [UnixUserSyncThread] - Begin: initial
load of user/group from source==>sink
13 Dec 2022 18:19:46 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] -
LdapDeltaUserGroupBuilder updateSink started
13 Dec 2022 18:19:46 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] -
Performing user search first
13 Dec 2022 18:19:46 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] -
extendedUserSearchFilter =
(&(objectclass=user)(|(uSNChanged>=0)(modifyTimestamp>=19700101120000Z))(&(objectClass=person)(objectClass=user)))
13 Dec 2022 18:19:46 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] -
uSNChangedVal = 77639505and currentDeltaSyncTime = 77639505
13 Dec 2022 18:19:46 DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] -
INFO: addPMAccount(MSPRDDCAWSE02$)
13 Dec 2022 18:19:46 DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] -
==> LdapPolicyMgrUserGroupBuilder.getMUser()
13 Dec 2022 18:19:46 DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] -
==> LdapPolicyMgrUserGroupBuilder.cookieBasedUploadEntity()
13 Dec 2022 18:19:46 DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] -
==> LdapPolicyMgrUserGroupBuilder.tryUploadEntityInfoWithCred()
13 Dec 2022 18:19:47 DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] -
USER GROUP
MAPPING{"loginId":"MSPRDDCAWSE02$","firstName":"MSPRDDCAWSE02$","lastName":"MSPRDDCAWSE02$","userRoleList":[null]}
13 Dec 2022 18:19:47 INFO UnixAuthenticationService [main] - Enabling Unix
Auth Service!
13 Dec 2022 18:19:48 INFO UnixAuthenticationService [main] - Disabling
Protocol: [TLSv1.3]
13 Dec 2022 18:19:48 INFO UnixAuthenticationService [main] - Enabling
Protocol: [TLSv1.2]
13 Dec 2022 18:19:48 INFO UnixAuthenticationService [main] - Enabling
Protocol: [TLSv1.1]
13 Dec 2022 18:19:48 INFO UnixAuthenticationService [main] - Enabling
Protocol: [TLSv1]
13 Dec 2022 18:19:48 INFO UnixAuthenticationService [main] - Enabling
Protocol: [SSLv2Hello]
13 Dec 2022 18:19:58 DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] -
<== LdapPolicyMgrUserGroupBuilder.tryUploadEntityInfoWithCred()
13 Dec 2022 18:19:58 DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] -
<== LdapPolicyMgrUserGroupBuilder.cookieBasedUploadEntity()
13 Dec 2022 18:19:58 DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] -
RESPONSE[<!doctype html><html lang="en"><head><title>HTTP Status 403 –
Forbidden</title><style type="text/css">H1
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
H2
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}
H3
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;}
B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P
{font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A
{color : black;}A.name {color : black;}HR {color :
#525D76;}</style></head><body><h1>HTTP Status 403 – Forbidden</h1><hr
class="line" /><p><b>Type</b> Status Report</p><p><b>Message</b> GSSException:
No valid credentials provided (Mechanism level: Failed to find any Kerberos
credentails)</p><p><b>Description</b> The server understood the request but
refuses to authorize it.</p><hr class="line" /><h3>Apache
Tomcat/7.0.94</h3></body></html>]
13 Dec 2022 18:19:58 ERROR LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] -
Failed to add User :
com.google.gson.JsonSyntaxException: java.lang.IllegalStateException: Expected
BEGIN_OBJECT but was STRING at line 1 column 1
at
com.google.gson.internal.bind.ReflectiveTypeAdapterFactory$Adapter.read(ReflectiveTypeAdapterFactory.java:176)
at com.google.gson.Gson.fromJson(Gson.java:803)
at com.google.gson.Gson.fromJson(Gson.java:768)
at com.google.gson.Gson.fromJson(Gson.java:717)
at com.google.gson.Gson.fromJson(Gson.java:689)
at
org.apache.ranger.ldapusersync.process.LdapPolicyMgrUserGroupBuilder.getMUser(LdapPolicyMgrUserGroupBuilder.java:844)
at
org.apache.ranger.ldapusersync.process.LdapPolicyMgrUserGroupBuilder.access$600(LdapPolicyMgrUserGroupBuilder.java:71)
at
org.apache.ranger.ldapusersync.process.LdapPolicyMgrUserGroupBuilder$7.run(LdapPolicyMgrUserGroupBuilder.java:808)
at
org.apache.ranger.ldapusersync.process.LdapPolicyMgrUserGroupBuilder$7.run(LdapPolicyMgrUserGroupBuilder.java:804)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:360)
at
org.apache.ranger.ldapusersync.process.LdapPolicyMgrUserGroupBuilder.addMUser(LdapPolicyMgrUserGroupBuilder.java:804)
at
org.apache.ranger.ldapusersync.process.LdapPolicyMgrUserGroupBuilder.addOrUpdateUser(LdapPolicyMgrUserGroupBuilder.java:292)
at
org.apache.ranger.ldapusersync.process.LdapDeltaUserGroupBuilder.getUsers(LdapDeltaUserGroupBuilder.java:525)
at
org.apache.ranger.ldapusersync.process.LdapDeltaUserGroupBuilder.updateSink(LdapDeltaUserGroupBuilder.java:335)
at
org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
at java.lang.Thread.run(Thread.java:750)
Caused by: java.lang.IllegalStateException: Expected BEGIN_OBJECT but was
STRING at line 1 column 1
at com.google.gson.stream.JsonReader.beginObject(JsonReader.java:374)
at
com.google.gson.internal.bind.ReflectiveTypeAdapterFactory$Adapter.read(ReflectiveTypeAdapterFactory.java:165)
... 16 more
13 Dec 2022 18:19:58 ERROR LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] -
Failed to add portal user
13 Dec 2022 18:19:58 ERROR LdapDeltaUserGroupBuilder [UnixUserSyncThread] -
sink.addOrUpdateUser failed with exception: Failed to add portal user, for
user: MSPRDDCAWSE02$
13 Dec 2022 18:19:58 DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] -
==> LdapPolicyMgrUserGroupBuilder.addUserGroupInfo MSPRDDCAWSE02$ and groups
13 Dec 2022 18:19:58 DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] -
INFO: addPMXAUser(MSPRDDCAWSE02$)
13 Dec 2022 18:19:58 DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] -
==> LdapPolicyMgrUserGroupBuilder.getUsergroupInfo(UserGroupInfo ret)
13 Dec 2022 18:19:58 DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] -
USER GROUP
MAPPING{"xuserInfo":{"name":"MSPRDDCAWSE02$","description":"MSPRDDCAWSE02$ -
add from Unix box","groupNameList":[],"userRoleList":[]},"xgroupInfo":[]}
13 Dec 2022 18:19:58 DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] -
==> LdapPolicyMgrUserGroupBuilder.cookieBasedUploadEntity()
13 Dec 2022 18:19:58 DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] -
==> LdapPolicyMgrUserGroupBuilder.tryUploadEntityInfoWithCred()
13 Dec 2022 18:19:58 DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] -
USER GROUP
MAPPING{"xuserInfo":{"name":"MSPRDDCAWSE02$","description":"MSPRDDCAWSE02$ -
add from Unix box","groupNameList":[],"userRoleList":[]},"xgroupInfo":[]}
13 Dec 2022 18:19:58 DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] -
<== LdapPolicyMgrUserGroupBuilder.tryUploadEntityInfoWithCred()
13 Dec 2022 18:19:58 DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] -
<== LdapPolicyMgrUserGroupBuilder.cookieBasedUploadEntity()
13 Dec 2022 18:19:58 DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] -
RESPONSE: [<!doctype html><html lang="en"><head><title>HTTP Status 403 –
Forbidden</title><style type="text/css">H1
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
H2
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}
H3
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;}
B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P
{font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A
{color : black;}A.name {color : black;}HR {color :
#525D76;}</style></head><body><h1>HTTP Status 403 – Forbidden</h1><hr
class="line" /><p><b>Type</b> Status Report</p><p><b>Message</b> GSSException:
No valid credentials provided (Mechanism level: Failed to find any Kerberos
credentails)</p><p><b>Description</b> The server understood the request but
refuses to authorize it.</p><hr class="line" /><h3>Apache
Tomcat/7.0.94</h3></body></html>]
13 Dec 2022 18:19:58 ERROR LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] -
Failed to add User Group Info :
com.google.gson.JsonSyntaxException: java.lang.IllegalStateException: Expected
BEGIN_OBJECT but was STRING at line 1 column 1
at
com.google.gson.internal.bind.ReflectiveTypeAdapterFactory$Adapter.read(ReflectiveTypeAdapterFactory.java:176)
at com.google.gson.Gson.fromJson(Gson.java:803)
at com.google.gson.Gson.fromJson(Gson.java:768)
at com.google.gson.Gson.fromJson(Gson.java:717)
at com.google.gson.Gson.fromJson(Gson.java:689)
at
org.apache.ranger.ldapusersync.process.LdapPolicyMgrUserGroupBuilder.getUsergroupInfo(LdapPolicyMgrUserGroupBuilder.java:424)
at
org.apache.ranger.ldapusersync.process.LdapPolicyMgrUserGroupBuilder.access$200(LdapPolicyMgrUserGroupBuilder.java:71)
at
org.apache.ranger.ldapusersync.process.LdapPolicyMgrUserGroupBuilder$2.run(LdapPolicyMgrUserGroupBuilder.java:337)
at
org.apache.ranger.ldapusersync.process.LdapPolicyMgrUserGroupBuilder$2.run(LdapPolicyMgrUserGroupBuilder.java:333)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:360)
at
org.apache.ranger.ldapusersync.process.LdapPolicyMgrUserGroupBuilder.addUserGroupInfo(LdapPolicyMgrUserGroupBuilder.java:333)
at
org.apache.ranger.ldapusersync.process.LdapPolicyMgrUserGroupBuilder.addOrUpdateUser(LdapPolicyMgrUserGroupBuilder.java:178)
at
org.apache.ranger.ldapusersync.process.LdapDeltaUserGroupBuilder.getUsers(LdapDeltaUserGroupBuilder.java:557)
at
org.apache.ranger.ldapusersync.process.LdapDeltaUserGroupBuilder.updateSink(LdapDeltaUserGroupBuilder.java:335)
at
org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
at java.lang.Thread.run(Thread.java:750)
Caused by: java.lang.IllegalStateException: Expected BEGIN_OBJECT but was
STRING at line 1 column 1
at com.google.gson.stream.JsonReader.beginObject(JsonReader.java:374)
at
com.google.gson.internal.bind.ReflectiveTypeAdapterFactory$Adapter.read(ReflectiveTypeAdapterFactory.java:165)
... 16 more
13 Dec 2022 18:19:58 ERROR LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] -
Failed to add addorUpdate user group info
13 Dec 2022 18:19:58 ERROR LdapDeltaUserGroupBuilder [UnixUserSyncThread] -
sink.addOrUpdateUserGroups failed with exception: Failed to add addorUpdate
user group info, for user: MSPRDDCAWSE02$ and groups: []
13 Dec 2022 18:19:58 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] -
Updating user count: 1, userName: MSPRDDCAWSE02$
13 Dec 2022 18:19:58 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] -
uSNChangedVal = 78055074and currentDeltaSyncTime = 78055074
{code}
**
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
