Hi all!

As I was working on the subject with a colleague of mine, he found out the
handshake exception in UserSync logs that comes every minute is actually
linked to Ambari metrics, which just check that UserSync is alive but do
not perform a complete handshake before returning.

I will file a JIRA later about this issue.

Regards,


Loïc

Loïc CHANEL
Engineering student at TELECOM Nancy
Trainee at Worldline - Villeurbanne

2015-06-12 14:54 GMT+02:00 Loïc Chanel <[email protected]>:

> Dilli,
>
> Sorry for answering this late, but yes, that is actually exactly what I
> want to do, and no matter what its configuration is, Ranger UserSync keeps
> returning the same error I talked about in my first email.
>
> As I know this handshake exception is often linked to certificate issues,
> I triple-checked that LDAP certificates are in the certificates trusted by
> Java, but it seems that the error persists.
> Do you have an idea about where it might come from?
>
> Thanks,
>
>
> Loïc
>
> Loïc CHANEL
> Engineering student at TELECOM Nancy
> Trainee at Worldline - Villeurbanne
>
> 2015-06-09 21:36 GMT+02:00 Dilli Arumugam <[email protected]>:
>
>>  Assuming your users are in LDAP, what you need to do is:
>> Make sure Ranger UserSync and NameNode LDAP group mapping provider point
>> to the same LDAP.
>>
>>  Please see the following for some help.
>> http://hortonworks.com/blog/hadoop-groupmapping-ldap-integration/
>>
>>  Thanks
>> Dilli
>>
>>   From: Loïc Chanel <[email protected]>
>> Reply-To: "[email protected]" <
>> [email protected]>
>> Date: Tuesday, June 9, 2015 8:29 AM
>> To: "[email protected]" <[email protected]>
>> Subject: Re: Issues with UserSync
>>
>>      Hi Dilli,
>>
>>  First of all, thanks for answering so fast.
>>
>>  Actually, I would like to have some synchronization between RangerAdmin
>> UI and NameNode users, in order to manage Users and authorizations directly
>> from RangerAdmin UI.
>>
>>  Is it possible somehow via Ranger UserSync?
>>
>>  Thanks,
>>
>>
>>  Loïc
>>
>>    Loïc CHANEL
>> Engineering student at TELECOM Nancy
>> Trainee at Worldline - Villeurbanne
>>
>> 2015-06-09 17:18 GMT+02:00 Dilli Arumugam <[email protected]>:
>>
>>>  Please note that user/group mapping that you see in RangerAdmin UI is
>>> only used for policy definition time.
>>> At policy enforcement time, user group membership is computed by
>>> NameNode based on group mapping provider defined in NameNode.
>>>
>>>  You can check what NameNode sees as groups that a user belongs to by
>>> issuing command
>>>
>>>   hdfs groups sam
>>>
>>>  Sam is sample username here.
>>> You would use your username in its place.
>>> Thanks
>>> Dilli
>>>
>>>   From: Loïc Chanel <[email protected]>
>>> Reply-To: "[email protected]" <
>>> [email protected]>
>>> Date: Tuesday, June 9, 2015 7:39 AM
>>> To: "[email protected]" <[email protected]
>>> >
>>> Subject: Issues with UserSync
>>>
>>>      Hi All,
>>>
>>>  As I am using Ranger with Unix authentication to manage the security of
>>> HDFS on my cluster, I could not help but notice that even if I add users to
>>> groups in the Ranger console, Ranger cannot find to which groups they
>>> belong, and therefore does not authorize them to perform actions they should
>>> be able to do.
>>>
>>>  As I thought this issue came from UserSync, I noticed that in its logs
>>> the following exception is printed every minute:
>>>
>>> ERROR PasswordValidator [Thread-22] - Response [FAILED: unable to validate due to error javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake] for user: null
>>> javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
>>>         at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
>>>         at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
>>>         at sun.security.ssl.SSLSocketImpl.readDataRecord(Unknown Source)
>>>         at sun.security.ssl.AppInputStream.read(Unknown Source)
>>>         at sun.nio.cs.StreamDecoder.readBytes(Unknown Source)
>>>         at sun.nio.cs.StreamDecoder.implRead(Unknown Source)
>>>         at sun.nio.cs.StreamDecoder.read(Unknown Source)
>>>         at java.io.InputStreamReader.read(Unknown Source)
>>>         at java.io.BufferedReader.fill(Unknown Source)
>>>         at java.io.BufferedReader.readLine(Unknown Source)
>>>         at java.io.BufferedReader.readLine(Unknown Source)
>>>         at com.xasecure.authentication.PasswordValidator.run(PasswordValidator.java:58)
>>>         at java.lang.Thread.run(Unknown Source)
>>> Caused by: java.io.EOFException: SSL peer shut down incorrectly
>>>         at sun.security.ssl.InputRecord.read(Unknown Source)
>>>         ... 13 more
>>>
>>>  As this is usually the sign of a missing certificate problem, I
>>> ensured the certificate corresponding to Unix authentication (<host>:5151)
>>> is in the Java truststore and restarted the NameNode and Ranger, but nothing
>>> changed.
>>>
>>>  When looking a little bit more into RangerAdmin and RangerUserSync
>>> logs, it seems that RangerAdmin is the source of the problem, closing the
>>> connection before handshake is fully established, but I have no idea about
>>> how to correct it.
>>>
>>>  Did someone encounter this error too? Did I miss something?
>>>
>>>  Thanks in advance for your help,
>>>
>>>
>>> Loïc
>>>
>>>       Loïc CHANEL
>>> Engineering student at TELECOM Nancy
>>> Trainee at Worldline - Villeurbanne
>>>
>>
>>
>
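
Added example (not part of the original thread, and not Ranger or Ambari code): a log triage sketch that separates the evenly spaced "Remote host closed connection during handshake" entries described above, which are consistent with a liveness check that disconnects before handshaking, from handshake failures that deserve a look. The timestamp prefix, the certificate_unknown line and the names triage/parse are assumptions made for the illustration; only the PasswordValidator message text comes from the thread.

```python
import re
from datetime import datetime
from statistics import median

# Message layout quoted in the thread; the leading timestamp is an assumed prefix.
MSG = ("{ts} ERROR PasswordValidator [Thread-22] - Response [FAILED: unable to validate "
       "due to error javax.net.ssl.SSLHandshakeException: {reason}] for user: null")
CLOSED = "Remote host closed connection during handshake"

# Constructed sample: five evenly spaced disconnects plus one real trust failure.
SAMPLE_LOG = "\n".join(MSG.format(ts=t, reason=r) for t, r in [
    ("2015-06-12 14:50:03", CLOSED),
    ("2015-06-12 14:51:03", CLOSED),
    ("2015-06-12 14:51:40", "Received fatal alert: certificate_unknown"),
    ("2015-06-12 14:52:04", CLOSED),
    ("2015-06-12 14:53:03", CLOSED),
    ("2015-06-12 14:54:03", CLOSED),
])

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) ERROR PasswordValidator .*"
    r"SSLHandshakeException: (?P<reason>[^\]]+)\] for user: (?P<user>\S+)$")

def parse(log):
    """Return (timestamp, reason, user) for every handshake failure line."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["reason"], m["user"]))
    return events

def triage(log, jitter_s=5.0, min_events=4):
    """Treat early disconnects as probe noise only if they arrive on a fixed period."""
    events = parse(log)
    closed = [e for e in events if e[1] == CLOSED and e[2] == "null"]
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(closed, closed[1:])]
    period = median(gaps) if gaps else None
    periodic = (len(closed) >= min_events
                and all(abs(g - period) <= jitter_s for g in gaps))
    probe_like = closed if periodic else []
    # Everything that is not part of the periodic train stays on the review list.
    review = [(ts, reason) for ts, reason, user in events
              if (ts, reason, user) not in probe_like]
    return {"probe_period_s": period if periodic else None,
            "probe_like": len(probe_like), "review": review}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A periodic train only suggests a monitoring probe; matching its period and source address against the monitoring agent's check interval confirms it.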
