Major Description
We use ranger with kerberos. When enable ranger-kms for hdfs encryption, we got an error from ranger admin web ui. On the premise that all configurations have been completed, I can not list keys in ranger admin, errors are as follows: Unauthenticated : Please check the permission in the policy for the user.
XXXX-XX-XX 13:09:39,164 [http-bio-6182-exec-10] INFO org.apache.ranger.common.RESTErrorUtil (RESTErrorUtil.java:63) - Request failed. loginId=keyadmin, logMessage=Unauthenticated : Please check the permission in the policy for the user
javax.ws.rs.WebApplicationException
at org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:56)
at org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:325)
at org.apache.ranger.rest.XKeyREST.handleError(XKeyREST.java:215)
at org.apache.ranger.rest.XKeyREST.searchKeys(XKeyREST.java:87)
at org.apache.ranger.rest.XKeyREST$$FastClassBySpringCGLIB$$c5260d52.invoke(<generated>)
......
I studied the problem and found that this problem have nothing to do with authentication, it is an exception caused by NPE. I try print that exception:
XXXX-XX-XX 07:16:42,615 [http-bio-6182-exec-2] ERROR org.apache.ranger.biz.KmsKeyMgr (KmsKeyMgr.java:176) - test_for_ranger:
java.lang.NullPointerException
at org.apache.hadoop.security.authentication.util.KerberosName.getShortName(KerberosName.java:395)
at org.apache.hadoop.security.User.<init>(User.java:48)
at org.apache.hadoop.security.SecureClientLogin.loginUserFromKeytab(SecureClientLogin.java:66)
at org.apache.ranger.biz.KmsKeyMgr.getSubjectForKerberos(KmsKeyMgr.java:574)
at org.apache.ranger.biz.KmsKeyMgr.searchKeys(KmsKeyMgr.java:152)
at org.apache.ranger.rest.XKeyREST.searchKeys(XKeyREST.java:85)
at org.apache.ranger.rest.XKeyREST$$FastClassBySpringCGLIB$$c5260d52.invoke(<generated>)
at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:736)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:69)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:99)
at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:282)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:671)
at org.apache.ranger.rest.XKeyREST$$EnhancerBySpringCGLIB$$5010f39f.searchKeys(<generated>)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185)
at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302)
at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
at com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:108)
at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1542)
at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1473)
at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1419)
at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1409)
......
Here is the reason for the NPE exception:
private Subject getSubjectForKerberos(String provider) throws Exception{ String userName = getKMSUserName(provider); String password = getKMSPassword(provider); String nameRules = PropertiesUtil.getProperty(NAME_RULES); //here KerberosName.rules was set to DEFAULT or nameRules if (StringUtils.isEmpty(nameRules)) { KerberosName.setRules("DEFAULT"); }else{ KerberosName.setRules(nameRules); } Subject sub = new Subject(); String rangerPrincipal = SecureClientLogin.getPrincipal(PropertiesUtil.getProperty(ADMIN_USER_PRINCIPAL), PropertiesUtil.getProperty(HOST_NAME)); if (checkKerberos()) { if(SecureClientLogin.isKerberosCredentialExists(rangerPrincipal, PropertiesUtil.getProperty(ADMIN_USER_KEYTAB))){ //in function loginUserFromKeytab(),KerberosName.rules will be set once again, which depend on the value of nameRules. This means that if nameRules is null, KerberosName.rules will set to null, which lead to NPE error. sub = SecureClientLogin.loginUserFromKeytab(rangerPrincipal, PropertiesUtil.getProperty(ADMIN_USER_KEYTAB), nameRules); }else{ sub = SecureClientLogin.loginUserWithPassword(userName, password); } } else { sub = SecureClientLogin.login(userName); } return sub; }
The following patch solves this problem.
