Amithsha, it seems you are using a self-signed certificate. Here are the steps to 
use self-signed certificates. Note the paths for Knox and Ranger conf folders 
might be different for you.

cd /var/lib/knox/data/security/keystores/
keytool -exportcert -alias gateway-identity -keystore gateway.jks -file ~/knox.crt
Return on password prompt
cd ~
. /etc/ranger/admin/conf/java_home.sh
cp $JAVA_HOME/jre/lib/security/cacerts cacerts.withknox
keytool -import -trustcacerts -file knox.crt -alias knox -keystore cacerts.withknox
cp cacerts.withknox /etc/ranger/admin/conf
cd /etc/ranger/admin/conf
vi ranger-admin-env-knox_cert.sh
#!/bin/bash

# Trust store copy that also contains the Knox gateway certificate
certs_with_knox=/etc/ranger/admin/conf/cacerts.withknox
export JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=${certs_with_knox}"

chmod a+x ranger-admin-env-knox_cert.sh
service ranger-admin stop
service ranger-admin start
ps -ef | grep proc_rangeradmin (verify that javax.net.ssl.trustStore property 
was applied)
Configure Knox repo in Ranger UI using URL - 
https://{ranger-ui-server}:8443/gateway/admin/api/v1/topologies/
Thanks

Bosco
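
Added example, not part of the original message and not Knox or Ranger code: the `No subject alternative names present` exception in the quoted log below is raised by the JDK hostname check (`HostnameChecker.matchIP`), which runs in addition to trust-store validation and, for a URL containing an IP address, accepts only an IP entry in the certificate's subjectAltName, while a DNS name falls back to the subject CN when the certificate has no DNS SAN entries. The script predicts that check from an `openssl x509 -text` dump; the function names, verdict strings and sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Input: text form of the gateway certificate, e.g. from the exported file:
#   openssl x509 -inform der -in ~/knox.crt -noout -text > knox.txt

# SAN entries, one per line, as "DNS:name" or "IP Address:addr".
san_entries() {
    awk '/X509v3 Subject Alternative Name/ {
             getline; gsub(/^[ \t]+/, ""); gsub(/, /, "\n"); print; exit }' "$1"
}

# Subject CN; accepts both "CN=x" and "CN = x" renderings.
subject_cn() {
    sed -n 's|^ *Subject:.*CN *= *\([^,/]*\).*|\1|p' "$1" | head -n 1
}

is_ip() {
    case "$1" in
        *:*) return 0 ;;              # IPv6 literal
        ''|*[!0-9.]*) return 1 ;;     # has a non-digit, non-dot: DNS name
        *) return 0 ;;                # IPv4 literal
    esac
}

# check_host CERT_TEXT HOST: prints a verdict, returns 0 only on a match.
# Exact matches only; wildcard names are not handled here.
check_host() {
    sans=$(san_entries "$1")
    if is_ip "$2"; then               # IP in the URL: only SAN IP entries count
        [ -z "$sans" ] && { echo no-san; return 1; }   # the error in this thread
        printf '%s\n' "$sans" | grep -qxF "IP Address:$2" &&
            { echo match-san-ip; return 0; }
        echo no-ip-san; return 1
    fi
    if printf '%s\n' "$sans" | grep -q '^DNS:'; then   # DNS SANs override the CN
        printf '%s\n' "$sans" | grep -qixF "DNS:$2" &&
            { echo match-san-dns; return 0; }
        echo no-dns-san; return 1
    fi
    [ "$(subject_cn "$1")" = "$2" ] && { echo match-cn; return 0; }
    echo no-cn-match; return 1
}

# Constructed sample dumps (not taken from the thread).
tmp=$(mktemp -d)
printf '%s\n' '        Subject: CN = knox.example.test' > "$tmp/cn_only.txt"
printf '%s\n' '        Subject: CN = knox.example.test' \
    '            X509v3 Subject Alternative Name: ' \
    '                DNS:knox.example.test, IP Address:10.0.0.5' > "$tmp/with_san.txt"

for h in 10.0.0.5 knox.example.test; do
    printf 'cn_only  %s -> %s\n' "$h" "$(check_host "$tmp/cn_only.txt" "$h")"
    printf 'with_san %s -> %s\n' "$h" "$(check_host "$tmp/with_san.txt" "$h")"
done
```

A `no-san` verdict for the host used in the Ranger repository URL means the handshake fails on the hostname check even when the certificate is in the trust store.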

> On Dec 20, 2014, at 1:13 AM, Amith sha <amithsh...@gmail.com> wrote:
> 
> Hi Bosco,
>     
>              Now almost i am clear with Ranger except Knox and have 
> configured Knox url as 
> https://MY_KNOX_IP:8443/gateway/admin/api/v1/topologies 
> <https://my_knox_ip:8443/gateway/admin/api/v1/topologies> i got this Error 
> 
> 2014-12-20 12:52:10,327 [http-bio-6080-exec-29] ERROR 
> com.xasecure.knox.client.KnoxClient (KnoxClient.java:139) - Exception on REST 
> call to KnoxUrl : https://xxxxxxxxxx:8443/gateway/admin/api/v1/topologies 
> <https://xxxxxxxxxx:8443/gateway/admin/api/v1/topologies>.
> com.sun.jersey.api.client.ClientHandlerException: 
> javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: 
> No subject alternative names present
>     at 
> com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:131)
>     at 
> com.sun.jersey.api.client.filter.HTTPBasicAuthFilter.handle(HTTPBasicAuthFilter.java:81)
>     at com.sun.jersey.api.client.Client.handle(Client.java:616)
>     at com.sun.jersey.api.client.WebResource.handle(WebResource.java:559)
>     at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:72)
>     at com.sun.jersey.api.client.WebResource$Builder.get(WebResource.java:454)
>     at com.xasecure.knox.client.KnoxClient.getTopologyList(KnoxClient.java:86)
>     at com.xasecure.knox.client.KnoxClient$2.call(KnoxClient.java:360)
>     at com.xasecure.knox.client.KnoxClient$2.call(KnoxClient.java:357)
>     at com.xasecure.knox.client.KnoxClient.timedTask(KnoxClient.java:384)
>     at 
> com.xasecure.knox.client.KnoxClient.getKnoxResources(KnoxClient.java:365)
>     at com.xasecure.knox.client.KnoxClient.testConnection(KnoxClient.java:278)
>     at com.xasecure.biz.AssetMgr.testConfig(AssetMgr.java:1657)
>     at com.xasecure.rest.AssetREST.testConfig(AssetREST.java:163)
>     at 
> com.xasecure.rest.AssetREST$$FastClassByCGLIB$$90363ab.invoke(<generated>)
>     at net.sf.cglib.proxy.MethodProxy.invoke(MethodProxy.java:191)
>     at 
> org.springframework.aop.framework.Cglib2AopProxy$CglibMethodInvocation.invokeJoinpoint(Cglib2AopProxy.java:689)
>     at 
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
>     at 
> org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:110)
>     at 
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
>     at 
> org.springframework.aop.framework.Cglib2AopProxy$DynamicAdvisedInterceptor.intercept(Cglib2AopProxy.java:622)
>     at 
> com.xasecure.rest.AssetREST$$EnhancerByCGLIB$$a483aa9.testConfig(<generated>)
>     at sun.reflect.GeneratedMethodAccessor80.invoke(Unknown Source)
>     at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:606)
>     at 
> com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:168)
>     at 
> com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:70)
>     at 
> com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:279)
>     at 
> com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:136)
>     at 
> com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:86)
>     at 
> com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:136)
>     at 
> com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:74)
>     at 
> com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1357)
>     at 
> com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1289)
>     at 
> com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1239)
>     at 
> com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1229)
>     at 
> com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:420)
>     at 
> com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:497)
>     at 
> com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:684)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
>     at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
>     at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>     at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>     at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>     at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>     at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
>     at 
> com.xasecure.security.web.filter.XASecurityContextFormationFilter.doFilter(XASecurityContextFormationFilter.java:134)
>     at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at 
> org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
>     at 
> org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
>     at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at 
> org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
>     at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at 
> org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
>     at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at 
> org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
>     at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at 
> org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
>     at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at 
> org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
>     at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at 
> org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
>     at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at 
> org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:183)
>     at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at 
> org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
>     at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at 
> org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>     at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at 
> org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>     at 
> org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>     at 
> org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
>     at 
> org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
>     at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>     at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>     at 
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
>     at 
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>     at 
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
>     at 
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
>     at 
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>     at 
> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
>     at 
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>     at 
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
>     at 
> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
>     at 
> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
>     at 
> org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
>     at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>     at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>     at 
> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>     at java.lang.Thread.run(Thread.java:744)
> Caused by: javax.net.ssl.SSLHandshakeException: 
> java.security.cert.CertificateException: No subject alternative names present
>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
>     at 
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
>     at 
> sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
>     at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
>     at 
> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
>     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
>     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
>     at 
> sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
>     at 
> sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
>     at 
> sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1300)
>     at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:468)
>     at 
> sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:338)
>     at 
> com.sun.jersey.client.urlconnection.URLConnectionClientHandler._invoke(URLConnectionClientHandler.java:218)
>     at 
> com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:129)
>     ... 89 more
> Caused by: java.security.cert.CertificateException: No subject alternative 
> names present
>     at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:142)
>     at sun.security.util.HostnameChecker.match(HostnameChecker.java:91)
> 
> 
> ****************I am able to access the url after confirming the 
> certifications in Mozilla Firefox and chrome **********************
> 
> Can u suggest,
> 
> Thank you with regards 
> Amithsha
> 
> On Sat, Dec 20, 2014 at 5:42 AM, Don Bosco Durai <bo...@apache.org 
> <mailto:bo...@apache.org>> wrote:
> Amithsa
> 
>> Still,I have a doubt on creating DB that while enabling the hadoop,hive etc 
>> scripts we need to provide information like db name and user authentications 
>> where if i am providing separate servers i.e., Ranger server, Hadoop, Hive 
>> etc.At that point i need to provide a db informations for each server 
>> (jdbc:localhost) or a common db (jdbc:RANGER SERVER IP). 
> 
> I am not sure what you mean by create DB while enabling the plugins. The 
> database detail we provide during enabling the component is only used to 
> connect the DB. The DB and tables are only created during the Ranger Admin 
> setup.
> From the design perspective, each plugin writes directly to the DB or to HDFS 
> (if set up) with the audit logs. This helps remove the Ranger Admin server 
> as the bottleneck for doing audit logging. The Ranger Admin host information 
> is needed in the plugin, so that the plugin can pull the policies from the 
> Ranger Admin.
> 
> 
> Regarding your Knox question, you have to set the URL as per your deployment. 
> E.g. https://knox_host:8443/gateway/admin/api/v1/topologies 
> <https://knox_host:8443/gateway/admin/api/v1/topologies> (Replace the 
> knox_host with your fully qualified host name)
> 
> Thanks
> 
> Bosco
> 
> 
>> On Dec 19, 2014, at 1:33 AM, Amith sha <amithsh...@gmail.com 
>> <mailto:amithsh...@gmail.com>> wrote:
>> 
>> Hi All.
>> 
>> Thanks Bosco,Selva and Muthu for your suggestion and feedback towards Ranger 
>> by which i am able to build and work successfully even with Hadoop,Hive 
>> lower Versions .Still,I have a doubt on creating DB that while enabling the 
>> hadoop,hive etc scripts we need to provide information like db name and user 
>> authentications where if i am providing separate servers i.e., Ranger 
>> server, Hadoop, Hive etc.At that point i need to provide a db informations 
>> for each server (jdbc:localhost) or a common db (jdbc:RANGER SERVER IP). 
>> And i am requesting you to provide the Knox Repo creating example. Because 
>> where i dont know what to provide in Knox url 
>> 
>> Thanks all
>> With regards
>> Amithsha
>> 
>> 
>> On Fri, Dec 19, 2014 at 11:22 AM, Don Bosco Durai <bo...@apache.org 
>> <mailto:bo...@apache.org>> wrote:
>> Hi Muthupandi
>> 
>> Glad to know it worked for you. Please continue to provide your feedback and 
>> also if you have any suggestions to add new features.
>> 
>> Thanks
>> 
>> Bosco
>> 
>>> On Dec 18, 2014, at 3:13 AM, Muthu Pandi <muthu1...@gmail.com 
>>> <mailto:muthu1...@gmail.com>> wrote:
>>> 
>>> Yes, you are right, I had made a mistake by not configuring the Hive repository 
>>> correctly; after configuring the Hive repository and its name, it uses the Ranger 
>>> authorization.
>>> 
>>> 
>>> Great work Guys, Authorization look simple and effective.
>>> 
>>> Regards
>>> Muthupandi.K
>>> 
>>>  Think before you print.
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> On Wed, Dec 17, 2014 at 2:43 AM, Don Bosco Durai <bo...@apache.org 
>>> <mailto:bo...@apache.org>> wrote:
>>> Hi Muthupandi
>>> 
>>> At a high level, it seems Hive is still using its native authorization. 
>>> Can you check the Audit in Ranger to see whether Ranger is auditing it?
>>> 
>>> Thanks
>>> 
>>> Bosco
>>> 
>>> 
>>> 
>>>> On Dec 15, 2014, at 9:19 PM, Muthu Pandi <muthu1...@gmail.com 
>>>> <mailto:muthu1...@gmail.com>> wrote:
>>>> 
>>>> Hi All
>>>> 
>>>>         I have configured Ranger on Hadoop 2.6.0 and Hive 0.14 and set up 
>>>> users and policies.
>>>> 
>>>>         When i try to test the scenario using the ODBC i got exception as 
>>>> 
>>>> Driver Version: V1.1.0.0
>>>> 
>>>> Running connectivity tests...
>>>> 
>>>> Attempting connection
>>>> Failed to establish connection
>>>> SQLSTATE: HY000[Microsoft][HiveODBC] (68) Error returned trying to set 
>>>> default as the initial database: Error while compiling statement: FAILED: 
>>>> HiveAccessControlException Permission denied: user [ami] does not have 
>>>> [USE] privilege on [default]; Also tried quoting the database name 
>>>> `default` but the query failed with the following error: Error while 
>>>> compiling statement: FAILED: HiveAccessControlException Permission denied: 
>>>> user [ami] does not have [USE] privilege on [default]
>>>> 
>>>> TESTS COMPLETED WITH ERROR.
>>>> 
>>>> 
>>>> It clearly states that the user doesn't have privilege for the USE command in 
>>>> Hive. While configuring user permissions I am able to see different 
>>>> permissions like select, update, create, drop etc., but not USE.
>>>> 
>>>> Kindly point me in the direction of what I am missing.
>>>> 
>>>> Regards
>>>> Muthupandi.K
>>>> 
>>>>  Think before you print.
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>> 
>> 
>> 
> 
> 
