  1. Ranger
  2. RANGER-2853

"Unauthenticated : Please check the permission in the policy for the user": An NPE in ranger admin when enable kms.


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.2.0
    • Fix Version/s: 2.1.0
    • Component/s: admin
    • Labels:
      None

      Description

      We use Ranger with Kerberos. When enabling ranger-kms for HDFS encryption, we got an error from the Ranger admin web UI. On the premise that all configurations have been completed, I cannot list keys in Ranger admin; the error is as follows: Unauthenticated : Please check the permission in the policy for the user.

      logs in ranger admin:

      XXXX-XX-XX 13:09:39,164 [http-bio-6182-exec-10] INFO org.apache.ranger.common.RESTErrorUtil (RESTErrorUtil.java:63) - Request failed. loginId=keyadmin, logMessage=Unauthenticated : Please check the permission in the policy for the user
      javax.ws.rs.WebApplicationException
      at org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:56)
      at org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:325)
      at org.apache.ranger.rest.XKeyREST.handleError(XKeyREST.java:215)
      at org.apache.ranger.rest.XKeyREST.searchKeys(XKeyREST.java:87)
      at org.apache.ranger.rest.XKeyREST$$FastClassBySpringCGLIB$$c5260d52.invoke(<generated>)

      ......

      I studied the problem and found that this problem has nothing to do with authentication; it is an exception caused by an NPE. I tried printing that exception:

      NPE

      XXXX-XX-XX 07:16:42,615 [http-bio-6182-exec-2] ERROR org.apache.ranger.biz.KmsKeyMgr (KmsKeyMgr.java:176) - test_for_ranger:
      java.lang.NullPointerException
      at org.apache.hadoop.security.authentication.util.KerberosName.getShortName(KerberosName.java:395)
      at org.apache.hadoop.security.User.<init>(User.java:48)
      at org.apache.hadoop.security.SecureClientLogin.loginUserFromKeytab(SecureClientLogin.java:66)
      at org.apache.ranger.biz.KmsKeyMgr.getSubjectForKerberos(KmsKeyMgr.java:574)
      at org.apache.ranger.biz.KmsKeyMgr.searchKeys(KmsKeyMgr.java:152)
      at org.apache.ranger.rest.XKeyREST.searchKeys(XKeyREST.java:85)
      at org.apache.ranger.rest.XKeyREST$$FastClassBySpringCGLIB$$c5260d52.invoke(<generated>)
      at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
      at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:736)
      at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
      at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:69)
      at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
      at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:99)
      at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:282)
      at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96)
      at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
      at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:671)
      at org.apache.ranger.rest.XKeyREST$$EnhancerBySpringCGLIB$$5010f39f.searchKeys(<generated>)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:498)
      at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
      at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185)
      at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
      at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302)
      at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
      at com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:108)
      at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
      at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
      at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1542)
      at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1473)
      at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1419)
      at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1409)

      ......

       

      Here is the reason for the NPE exception:

      private Subject getSubjectForKerberos(String provider) throws Exception {
          String userName = getKMSUserName(provider);
          String password = getKMSPassword(provider);
          String nameRules = PropertiesUtil.getProperty(NAME_RULES);
          // Here KerberosName.rules is set to "DEFAULT" or to nameRules.
          if (StringUtils.isEmpty(nameRules)) {
              KerberosName.setRules("DEFAULT");
          } else {
              KerberosName.setRules(nameRules);
          }
          Subject sub = new Subject();
          String rangerPrincipal = SecureClientLogin.getPrincipal(PropertiesUtil.getProperty(ADMIN_USER_PRINCIPAL), PropertiesUtil.getProperty(HOST_NAME));
          if (checkKerberos()) {
              if (SecureClientLogin.isKerberosCredentialExists(rangerPrincipal, PropertiesUtil.getProperty(ADMIN_USER_KEYTAB))) {
                  // In loginUserFromKeytab(), KerberosName.rules is set once again, depending on the value of nameRules.
                  // This means that if nameRules is null, KerberosName.rules is set to null, which leads to the NPE.
                  sub = SecureClientLogin.loginUserFromKeytab(rangerPrincipal, PropertiesUtil.getProperty(ADMIN_USER_KEYTAB), nameRules);
              } else {
                  sub = SecureClientLogin.loginUserWithPassword(userName, password);
              }
          } else {
              sub = SecureClientLogin.login(userName);
          }
          return sub;
      }
      

      The following patch solves this problem.

       

       

        Attachments

        1. image.png
          43 kB
          gaozhan ding
        2. 0001-RANGER-2853-fix-NPE-error-in-ranger-admin-when-enabl.patch
          1.0 kB
          gaozhan ding
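
The failure mode described in this report, modelled as an added example (it is not the attached patch and not Ranger or Hadoop code): a caller defaults a static setting, a helper overwrites it with null, and the resulting NullPointerException is surfaced as an authentication error. All class and method names are hypothetical stand-ins, and the principal is a constructed sample.

```java
import java.util.function.Supplier;

// Added illustration with stand-in names; not the Ranger or Hadoop sources.
public class NameRulesNpeDemo {
    static String rules; // stand-in for a process-wide setting such as KerberosName.rules

    // Stand-in for short-name resolution: dereferences the static rules.
    static String shortName(String principal) {
        if (rules.equals("DEFAULT")) { // NullPointerException when rules == null
            return principal.split("[/@]")[0];
        }
        throw new IllegalStateException("rules not supported by this demo: " + rules);
    }

    // Stand-in for the login helper, which sets the rules again from its argument.
    static String loginHelper(String principal, String nameRules) {
        rules = nameRules;
        return shortName(principal);
    }

    // Reported flow: the caller defaults the static rules, then passes the raw value on.
    static String loginAsReported(String principal, String nameRules) {
        rules = (nameRules == null || nameRules.isEmpty()) ? "DEFAULT" : nameRules;
        return loginHelper(principal, nameRules);
    }

    // Hardened flow: normalize once and pass the normalized value to the helper.
    static String loginHardened(String principal, String nameRules) {
        String effective = (nameRules == null || nameRules.isEmpty()) ? "DEFAULT" : nameRules;
        return loginHelper(principal, effective);
    }

    // mask=true reports every failure as an authentication problem;
    // mask=false keeps the exception type, so an NPE is not read as a policy issue.
    static String handle(Supplier<String> call, boolean mask) {
        try {
            return "ok: " + call.get();
        } catch (RuntimeException e) {
            return mask ? "Unauthenticated : Please check the permission in the policy for the user" : "Internal error (" + e.getClass().getSimpleName() + ")";
        }
    }

    public static void main(String[] args) {
        String principal = "rangeradmin/host.example.com@EXAMPLE.COM"; // constructed sample
        System.out.println(handle(() -> loginAsReported(principal, null), true));
        System.out.println(handle(() -> loginAsReported(principal, null), false));
        System.out.println(handle(() -> loginHardened(principal, null), false));
    }
}
```

With the name rules unset, the first call prints the misleading "Unauthenticated" message, the second names the NullPointerException, and the third succeeds with the short name `rangeradmin`.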

            People

            • Assignee:
              Unassigned
              Reporter:
              lalapala gaozhan ding