Hi Bosco,

I am getting the same error. I have configured as you mentioned, and I didn't get this log:
javax.net.ssl.trustStore property was applied

*********** While executing the command ps -ef | grep proc_rangeradmin I am getting ***********

root 28444 1 30 18:21 pts/1 00:00:20 java -Dproc_rangeradmin -XX:MaxPermSize=256m -Xmx1024m -Xms1024m -Dcatalina.base=/opt/ranger/ranger-0.4.0-admin/ews -cp /opt/ranger/ranger-0.4.0-admin/ews/webapp/WEB-INF/classes/conf:/opt/ranger/ranger-0.4.0-admin/ews/lib/*:/opt/ranger/ranger-0.4.0-admin/ews/ranger_jaas/*:/opt/ranger/ranger-0.4.0-admin/ews/webapp/WEB-INF/classes/conf/ranger_jaas:/usr/lib/java/jdk1.7.0_45/lib/* com.xasecure.server.tomcat.EmbededServer
hadoop 29011 28994 0 18:22 pts/1 00:00:00 grep proc_rangeradmin

*********** So I edited the ranger-admin-start script as ***********

vi ranger-admin-start
JAVA_OPTS=" ${JAVA_OPTS} -XX:MaxPermSize=256m -Xmx1024m -Xms1024m -Djavax.net.ssl.trustStore=/opt/ranger/ranger-admin/cacerts.withknox"

Hence, when I grepped the Ranger Admin process, I got this:

00:00:21 java -Dproc_rangeradmin -XX:MaxPermSize=256m -Xmx1024m -Xms1024m -Djavax.net.ssl.trustStore=/opt/ranger/ranger-admin/cacerts.withknox -Dcatalina.base=/opt/ranger/ranger-0.4.0-admin/ews -cp /opt/ranger/ranger-0.4.0-admin/ews/webapp/WEB-INF/classes/conf:/opt/ranger/ranger-0.4.0-admin/ews/lib/*:/opt/ranger/ranger-0.4.0-admin/ews/ranger_jaas/*:/opt/ranger/ranger-0.4.0-admin/ews/webapp/WEB-INF/classes/conf/ranger_jaas:/usr/lib/java/jdk1.7.0_45/lib/* com.xasecure.server.tomcat.EmbededServer

But the issue is not solved. I cannot connect to the Knox URL; I am getting the SSL exceptions.

Thank you,
With regards,
Amithsha

On Tue, Dec 23, 2014 at 10:54 AM, Don Bosco Durai <bo...@apache.org> wrote:

> Amithsha, it seems you are using a self-signed certificate. Here are the steps
> to use self-signed certificates. Note the paths for Knox and Ranger conf
> folders might be different for you.
>
>    - cd /var/lib/knox/data/security/keystores/
>    - keytool -exportcert -alias gateway-identity -keystore gateway.jks -file ~/knox.crt
>    - Return on password prompt
>    - cd ~
>    - . /etc/ranger/admin/conf/java_home.sh
>    - cp $JAVA_HOME/jre/lib/security/cacerts cacerts.withknox
>    - keytool -import -trustcacerts -file knox.crt -alias knox -keystore cacerts.withknox
>    - cp cacerts.withknox /etc/ranger/admin/conf
>    - cd /etc/ranger/admin/conf
>    - vi ranger-admin-env-knox_cert.sh
>
> #!/bin/bash
> certs_with_knox=/etc/ranger/admin/conf/cacerts.withknox
> export JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=${certs_with_knox}"
>
>    - chmod a+x ranger-admin-env-knox_cert.sh
>    - service ranger-admin stop
>    - service ranger-admin start
>    - ps -ef | grep proc_rangeradmin (verify that javax.net.ssl.trustStore property was applied)
>    - Configure Knox repo in Ranger UI using URL - https://{ranger-ui-server}:8443/gateway/admin/api/v1/topologies/
>
> Thanks
>
> Bosco
>
> On Dec 20, 2014, at 1:13 AM, Amith sha <amithsh...@gmail.com> wrote:
>
> Hi Bosco,
>
> Now I am almost clear with Ranger except Knox, and have
> configured the Knox URL as
> https://MY_KNOX_IP:8443/gateway/admin/api/v1/topologies
> I got this error:
>
> 2014-12-20 12:52:10,327 [http-bio-6080-exec-29] ERROR com.xasecure.knox.client.KnoxClient (KnoxClient.java:139) - Exception on REST call to KnoxUrl : https://xxxxxxxxxx:8443/gateway/admin/api/v1/topologies.
> com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
>     at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:131)
>     at com.sun.jersey.api.client.filter.HTTPBasicAuthFilter.handle(HTTPBasicAuthFilter.java:81)
>     at com.sun.jersey.api.client.Client.handle(Client.java:616)
>     at com.sun.jersey.api.client.WebResource.handle(WebResource.java:559)
>     at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:72)
>     at com.sun.jersey.api.client.WebResource$Builder.get(WebResource.java:454)
>     at com.xasecure.knox.client.KnoxClient.getTopologyList(KnoxClient.java:86)
>     at com.xasecure.knox.client.KnoxClient$2.call(KnoxClient.java:360)
>     at com.xasecure.knox.client.KnoxClient$2.call(KnoxClient.java:357)
>     at com.xasecure.knox.client.KnoxClient.timedTask(KnoxClient.java:384)
>     at com.xasecure.knox.client.KnoxClient.getKnoxResources(KnoxClient.java:365)
>     at com.xasecure.knox.client.KnoxClient.testConnection(KnoxClient.java:278)
>     at com.xasecure.biz.AssetMgr.testConfig(AssetMgr.java:1657)
>     at com.xasecure.rest.AssetREST.testConfig(AssetREST.java:163)
>     at com.xasecure.rest.AssetREST$$FastClassByCGLIB$$90363ab.invoke(<generated>)
>     at net.sf.cglib.proxy.MethodProxy.invoke(MethodProxy.java:191)
>     at org.springframework.aop.framework.Cglib2AopProxy$CglibMethodInvocation.invokeJoinpoint(Cglib2AopProxy.java:689)
>     at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
>     at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:110)
>     at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
>     at org.springframework.aop.framework.Cglib2AopProxy$DynamicAdvisedInterceptor.intercept(Cglib2AopProxy.java:622)
>     at com.xasecure.rest.AssetREST$$EnhancerByCGLIB$$a483aa9.testConfig(<generated>)
>     at sun.reflect.GeneratedMethodAccessor80.invoke(Unknown Source)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:606)
>     at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:168)
>     at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:70)
>     at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:279)
>     at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:136)
>     at com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:86)
>     at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:136)
>     at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:74)
>     at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1357)
>     at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1289)
>     at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1239)
>     at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1229)
>     at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:420)
>     at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:497)
>     at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:684)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>     at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
>     at com.xasecure.security.web.filter.XASecurityContextFormationFilter.doFilter(XASecurityContextFormationFilter.java:134)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
>     at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:183)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>     at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>     at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
>     at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
>     at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>     at java.lang.Thread.run(Thread.java:744)
> Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
>     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
>     at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
>     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
>     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
>     at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
>     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
>     at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1300)
>     at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:468)
>     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:338)
>     at com.sun.jersey.client.urlconnection.URLConnectionClientHandler._invoke(URLConnectionClientHandler.java:218)
>     at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:129)
>     ... 89 more
> Caused by: java.security.cert.CertificateException: No subject alternative names present
>     at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:142)
>     at sun.security.util.HostnameChecker.match(HostnameChecker.java:91)
>
> **************** I am able to access the URL after confirming the
> certificates in Mozilla Firefox and Chrome ****************
>
> Can you suggest?
>
> Thank you, with regards,
> Amithsha
>
> On Sat, Dec 20, 2014 at 5:42 AM, Don Bosco Durai <bo...@apache.org> wrote:
>
>> Amithsha
>>
>> Still, I have a doubt on creating the DB: while enabling the Hadoop, Hive
>> etc. scripts we need to provide information like DB name and user
>> authentication, where if I am providing separate servers, i.e., Ranger
>> server, Hadoop, Hive etc. At that point do I need to provide DB information
>> for each server (jdbc:localhost) or a common DB (jdbc:RANGER SERVER IP).
>>
>> I am not sure what you mean by create DB while enabling the plugins.
>> The database detail we provide during enabling the component is only used to
>> connect to the DB. The DB and tables are only created during the Ranger Admin
>> setup.
>> From the design perspective, each plugin writes directly to the DB or to
>> HDFS (if set up) with the audit logs. This helps remove the Ranger Admin
>> server as the bottleneck for doing audit logging. The Ranger Admin host
>> information is needed in the plugin, so that the plugin can pull the
>> policies from the Ranger Admin.
>>
>> Regarding your Knox question, you have to set the URL as per your
>> deployment. E.g. https://knox_host:8443/gateway/admin/api/v1/topologies
>> (Replace the knox_host with your fully qualified host name)
>>
>> Thanks
>>
>> Bosco
>>
>> On Dec 19, 2014, at 1:33 AM, Amith sha <amithsh...@gmail.com> wrote:
>>
>> Hi All.
>>
>> Thanks Bosco, Selva and Muthu for your suggestions and feedback towards
>> Ranger, by which I am able to build and work successfully even with
>> lower versions of Hadoop and Hive. Still, I have a doubt on creating the DB:
>> while enabling the Hadoop, Hive etc. scripts we need to provide information
>> like DB name and user authentication, where if I am providing separate
>> servers, i.e., Ranger server, Hadoop, Hive etc. At that point do I need to
>> provide DB information for each server (jdbc:localhost) or a common DB
>> (jdbc:RANGER SERVER IP).
>> And I am requesting you to provide a Knox repo creation example,
>> because I don't know what to provide in the Knox URL.
>>
>> Thanks all
>> With regards
>> Amithsha
>>
>> On Fri, Dec 19, 2014 at 11:22 AM, Don Bosco Durai <bo...@apache.org> wrote:
>>
>>> Hi Muthupandi
>>>
>>> Glad to know it worked for you. Please continue to provide your feedback
>>> and also if you have any suggestions to add new features.
>>>
>>> Thanks
>>>
>>> Bosco
>>>
>>> On Dec 18, 2014, at 3:13 AM, Muthu Pandi <muthu1...@gmail.com> wrote:
>>>
>>> Yes, you are right. I had made a mistake by not configuring the Hive
>>> repository correctly; after configuring the Hive repository and its name,
>>> it uses the Ranger authorization.
>>>
>>> Great work guys, authorization looks simple and effective.
>>>
>>> *Regards*
>>> *Muthupandi.K*
>>>
>>> Think before you print.
>>>
>>> On Wed, Dec 17, 2014 at 2:43 AM, Don Bosco Durai <bo...@apache.org> wrote:
>>>>
>>>> Hi Muthupandi
>>>>
>>>> At a high level, it seems Hive is still using its native
>>>> authorization. Can you check the Audit in Ranger to see whether Ranger is
>>>> auditing it?
>>>>
>>>> Thanks
>>>>
>>>> Bosco
>>>>
>>>> On Dec 15, 2014, at 9:19 PM, Muthu Pandi <muthu1...@gmail.com> wrote:
>>>>
>>>> Hi All
>>>>
>>>> I have configured Ranger on Hadoop 2.6.0 and Hive 0.14 and set
>>>> up users and policies.
>>>>
>>>> When I try to test the scenario using ODBC, I get an exception as:
>>>>
>>>> Driver Version: V1.1.0.0
>>>>
>>>> Running connectivity tests...
>>>>
>>>> Attempting connection
>>>> Failed to establish connection
>>>> SQLSTATE: HY000[Microsoft][HiveODBC] (68) Error returned trying to set default as the initial database: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [ami] does not have [USE] privilege on [default]; Also tried quoting the database name `default` but the query failed with the following error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [ami] does not have [USE] privilege on [default]
>>>>
>>>> TESTS COMPLETED WITH ERROR.
>>>>
>>>> It clearly states that the user doesn't have the privilege for the USE
>>>> command in Hive. While configuring user permissions I am able to see
>>>> different permissions like select, update, create, drop etc., but not USE.
>>>>
>>>> Kindly point me in the direction of what I am missing.
>>>>
>>>> *Regards*
>>>> *Muthupandi.K*
>>>>
>>>> Think before you print.
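
The trace quoted above ends in `HostnameChecker.matchIP` for a URL built from `MY_KNOX_IP`. The following added example (not code from the thread participants or from Ranger or Knox) models that client-side hostname check in shell, showing that a certificate without SAN entries is rejected for an IP URL independently of the trust store, while the same certificate can pass when the URL uses the name in its CN. The function names, host names and addresses are constructed, and the SAN text is assumed to be in the form `openssl x509 -noout -text` prints.

```sh
#!/bin/sh
# Added example (constructed inputs); models sun.security.util.HostnameChecker as
# seen in the trace. SAN text is assumed to be in the form printed by
# `openssl x509 -noout -text`, e.g. "DNS:knox.example.com, IP Address:10.0.0.5".

is_ip_literal() {            # IPv4 dotted quad, or anything with ':' (IPv6)
  case "$1" in *:*) return 0 ;; esac
  printf '%s\n' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
}

san_entries() {              # san_entries <type> <san-text> -> one value per line
  printf '%s\n' "$2" | tr ',' '\n' | sed 's/^ *//' |
    awk -v p="$1:" 'index($0, p) == 1 { print substr($0, length(p) + 1) }'
}

name_matches() {             # name_matches <cert-name> <host>; "*." covers one label
  p=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); h=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  [ "$p" = "$h" ] && return 0
  case "$p" in
    '*.'*) base=${p#\*.}; rest=${h#*.}
           [ "$rest" = "$base" ] && [ "$h" != "$rest" ] ;;
    *) return 1 ;;
  esac
}

# host_check <host-from-url> <certificate CN> <san-text, empty if no SAN extension>
host_check() {
  host=$1 cn=$2 san=$3
  if is_ip_literal "$host"; then
    # IP in the URL: only iPAddress SAN entries count, the CN is never consulted.
    if [ -z "$san" ]; then
      echo "FAIL: No subject alternative names present"; return 1
    fi
    if san_entries "IP Address" "$san" | grep -Fxq -- "$host"; then
      echo "OK: IP SAN matches $host"; return 0
    fi
    echo "FAIL: No subject alternative names matching IP address $host found"; return 1
  fi
  dns=$(san_entries "DNS" "$san")
  if [ -n "$dns" ]; then     # DNS SANs present: the CN is ignored
    while IFS= read -r d; do
      if name_matches "$d" "$host"; then echo "OK: DNS SAN $d matches"; return 0; fi
    done <<EOF
$dns
EOF
    echo "FAIL: No subject alternative DNS name matching $host found"; return 1
  fi
  if name_matches "$cn" "$host"; then echo "OK: CN matches (no DNS SAN)"; return 0; fi
  echo "FAIL: No name matching $host found"; return 1
}

# Constructed cases: CN-only certificate reached by IP, the same certificate
# reached by FQDN, and a certificate that carries an IP SAN.
host_check 10.0.0.5 knox.example.com "" || true
host_check knox.example.com knox.example.com "" || true
host_check 10.0.0.5 knox.example.com "DNS:knox.example.com, IP Address:10.0.0.5" || true
```

The first case reproduces the message in the trace; connecting with the fully qualified host name that matches the certificate, as suggested earlier in the thread, or using a certificate whose SAN lists the address in the URL, corresponds to the second and third cases.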