Re: Ranger 2.1 - Usersync 401s after successful initial load

Sailaja Polavarapu Tue, 01 Dec 2020 17:30:26 -0800

Hi Geri,
 I haven't seen this issue in my local setup. From the above logs, I see
that "valid cookie is saved" after first sync, but in the next sync
cycle usersync is using credential login which is strange. In Usersync, for
every request to ranger admin, first try with the saved cookie (which is
the rangeradminsessionid). If it fails, then try with credentials. Can you
provide ranger admin logs to see - 1. why the session is invalid, 2. why
the rangerusersync creds login is failing.


Thanks,
Sailaja.

On Sat, Nov 28, 2020 at 5:45 PM Gergely Lendvai <gergely.lendva...@gmail.com>
wrote:

> Hi!
>
> I am trying to solve this for a while, but with no luck so far. I managed
> to set up the usersync plugin with ldap (and without kerberos) and after
> starting it the initial users are showing up on Ranger, but all the
> upcoming hourly syncs are failing with the following error, which is a bit
> misleading since it is just a warning:
>
> -------------------------------------------------------------------------------------------------------------------------------
> WARN LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - Credentials
> response from ranger is 401.
>
> -------------------------------------------------------------------------------------------------------------------------------
>
> I enabled debug logs to get a clearer picture, but what is odd that at the
> beginning my credentials are still valid and a new ranger cookie will be
> created for the initial sync, but for the next hour something happens. Here
> are the first couple of lines from the initial sync:
>
> -------------------------------------------------------------------------------------------------------------------------------
> INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of
> user/group from source==>sink
> INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] -
> LdapDeltaUserGroupBuilder updateSink started
> INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - Performing user
> search first
> INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] -
> extendedUserSearchFilter =
> (&(objectclass=person)(|(uSNChanged>=0)(modifyTimestamp>=19700101000000Z)))
> INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - uSNChangedVal =
> 5564and currentDeltaSyncTime = 5564
> DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - INFO:
> addPMAccount(awsadmind-906714de98)
> DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - ==>
> LdapPolicyMgrUserGroupBuilder.getMUser()
> DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - ==>
> LdapPolicyMgrUserGroupBuilder.cookieBasedUploadEntity()
> DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - ==>
> LdapPolicyMgrUserGroupBuilder.tryUploadEntityInfoWithCred()
> DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - USER GROUP
> MAPPING{"loginId":"awsadmind-906714de98","firstName":"awsadmind-906714de98","lastName":"awsadmind-906714de98","userRoleList":[null],"otherA
> ttributes":"{}"}
> INFO LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - valid cookie
> saved
>
> -------------------------------------------------------------------------------------------------------------------------------
>
> And these are the logs for an upcoming hour:
>
> -------------------------------------------------------------------------------------------------------------------------------
> INFO UserGroupSync [UnixUserSyncThread] - Begin: update user/group from
> source==>sink
> INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] -
> LdapDeltaUserGroupBuilder updateSink started
> INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - Performing user
> search first
> INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] -
> extendedUserSearchFilter =
> (&(objectclass=person)(|(uSNChanged>=5631)(modifyTimestamp>=19700101000005Z)))
> INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - uSNChangedVal =
> 5564and currentDeltaSyncTime = 5564
> DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - INFO:
> addPMAccount(awsadmind-906714de98)
> DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - ==>
> LdapPolicyMgrUserGroupBuilder.getMUser()
> DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - ==>
> LdapPolicyMgrUserGroupBuilder.cookieBasedUploadEntity()
> DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - ==>
> LdapPolicyMgrUserGroupBuilder.tryUploadEntityInfoWithCred()
> DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - USER GROUP
> MAPPING{"loginId":"awsadmind-906714de98","firstName":"awsadmind-906714de98","lastName":"awsadmind-906714de98","userRoleList":[null],"otherA
> ttributes":"{}"}
> WARN LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - Credentials
> response from ranger is 401.
>
> -------------------------------------------------------------------------------------------------------------------------------
>
> Could you help figure this out? I am happy to share more details if
> necessary.
>
> Thanks,
> Geri
>

Re: Ranger 2.1 - Usersync 401s after successful initial load

Reply via email to