Details
- Task
- Status: Open
- Major
- Resolution: Unresolved
- 2.0.0
- None
- None
Description
Hi Team,
I am working on creating an open-source KAFKA/RANGER/AMBARI cluster. Everything has been set up, but I am facing an error during RANGER_AD sync. Ranger admin and Ranger usersync are getting started via Ambari, however they are failing with the errors below. I am at a point where I am not able to find where the issue is; any help will be appreciated.
Below is the error snap.
Note: this is a sample user taken from LDAP.
13 Dec 2022 18:19:42 INFO UnixAuthenticationService [main] - Starting User Sync Service!
13 Dec 2022 18:19:43 INFO AbstractMapper [UnixUserSyncThread] - Initializing for ranger.usersync.mapping.username.regex
13 Dec 2022 18:19:43 INFO AbstractMapper [UnixUserSyncThread] - Initializing for ranger.usersync.mapping.groupname.regex
13 Dec 2022 18:19:43 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder created
13 Dec 2022 18:19:43 INFO UserGroupSyncConfig [UnixUserSyncThread] - Sleep Time Between Cycle can not be lower than [3600000] millisec. resetting to min value.
13 Dec 2022 18:19:43 INFO UserGroupSync [UnixUserSyncThread] - initializing sink: org.apache.ranger.ldapusersync.process.LdapPolicyMgrUserGroupBuilder
13 Dec 2022 18:19:44 DEBUG Tracer [UnixUserSyncThread] - sampler.classes = ; loaded no samplers
13 Dec 2022 18:19:44 DEBUG Tracer [UnixUserSyncThread] - span.receiver.classes = ; loaded no span receivers
13 Dec 2022 18:19:45 INFO AbstractMapper [UnixUserSyncThread] - Initializing for ranger.usersync.mapping.username.regex
13 Dec 2022 18:19:45 INFO AbstractMapper [UnixUserSyncThread] - Initializing for ranger.usersync.mapping.groupname.regex
13 Dec 2022 18:19:45 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder created
13 Dec 2022 18:19:45 INFO UserGroupSync [UnixUserSyncThread] - initializing source: org.apache.ranger.ldapusersync.process.LdapDeltaUserGroupBuilder
13 Dec 2022 18:19:45 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder initialization started
13 Dec 2022 18:19:46 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder initialization completed with -- ldapUrl: ldap://ldap-aws-us-east.mstarext.com:389, ldapBindDn: CN=aws_hadoop_prd_ad_user,OU=Service Accounts,OU=Hadoop,OU=CORESVC_Core Services,OU=Servers and Services,DC=mstarext,DC=com, ldapBindPassword: ***** , ldapAuthenticationMechanism: simple, searchBase: DC=mstarext,DC=com, userSearchBase: [dc=mstarext,dc=com], userSearchScope: 2, userObjectClass: user, userSearchFilter: (&(objectClass=person)(objectClass=user)), extendedUserSearchFilter: null, userNameAttribute: sAMAccountName, userSearchAttributes: [uSNChanged, sAMAccountName, modifytimestamp], userGroupNameAttributeSet: null, pagedResultsEnabled: true, pagedResultsSize: 500, groupSearchEnabled: true, groupSearchBase: [DC=mstarext,DC=com], groupSearchScope: 2, groupObjectClass: group, groupSearchFilter: (objectClass=group), extendedGroupSearchFilter: (&null(|(member={0})(member={1}))), extendedAllGroupsSearchFilter: null, groupMemberAttributeName: member, groupNameAttribute: sAMAccountName, groupSearchAttributes: [uSNChanged, sAMAccountName, member, modifytimestamp], groupUserMapSyncEnabled: true, groupSearchFirstEnabled: false, userSearchEnabled: false, ldapReferral: follow
13 Dec 2022 18:19:46 INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink
13 Dec 2022 18:19:46 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder updateSink started
13 Dec 2022 18:19:46 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - Performing user search first
13 Dec 2022 18:19:46 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - extendedUserSearchFilter = (&(objectclass=user)(|(uSNChanged>=0)(modifyTimestamp>=19700101120000Z))(&(objectClass=person)(objectClass=user)))
13 Dec 2022 18:19:46 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - uSNChangedVal = 77639505and currentDeltaSyncTime = 77639505
13 Dec 2022 18:19:46 DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - INFO: addPMAccount(MSPRDDCAWSE02$)
13 Dec 2022 18:19:46 DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - ==> LdapPolicyMgrUserGroupBuilder.getMUser()
13 Dec 2022 18:19:46 DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - ==> LdapPolicyMgrUserGroupBuilder.cookieBasedUploadEntity()
13 Dec 2022 18:19:46 DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - ==> LdapPolicyMgrUserGroupBuilder.tryUploadEntityInfoWithCred()
13 Dec 2022 18:19:47 DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - USER GROUP MAPPING{"loginId":"MSPRDDCAWSE02$","firstName":"MSPRDDCAWSE02$","lastName":"MSPRDDCAWSE02$","userRoleList":[null]}
13 Dec 2022 18:19:47 INFO UnixAuthenticationService [main] - Enabling Unix Auth Service!
13 Dec 2022 18:19:48 INFO UnixAuthenticationService [main] - Disabling Protocol: [TLSv1.3]
13 Dec 2022 18:19:48 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.2]
13 Dec 2022 18:19:48 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.1]
13 Dec 2022 18:19:48 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1]
13 Dec 2022 18:19:48 INFO UnixAuthenticationService [main] - Enabling Protocol: [SSLv2Hello]
13 Dec 2022 18:19:58 DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - <== LdapPolicyMgrUserGroupBuilder.tryUploadEntityInfoWithCred()
13 Dec 2022 18:19:58 DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - <== LdapPolicyMgrUserGroupBuilder.cookieBasedUploadEntity()
13 Dec 2022 18:19:58 DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - RESPONSE[<!doctype html><html lang="en"><head><title>HTTP Status 403 – Forbidden</title><style type="text/css">H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}</style></head><body><h1>HTTP Status 403 – Forbidden</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Message</b> GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)</p><p><b>Description</b> The server understood the request but refuses to authorize it.</p><hr class="line" /><h3>Apache Tomcat/7.0.94</h3></body></html>]
13 Dec 2022 18:19:58 ERROR LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - Failed to add User : com.google.gson.JsonSyntaxException: java.lang.IllegalStateException: Expected BEGIN_OBJECT but was STRING at line 1 column 1
    at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory$Adapter.read(ReflectiveTypeAdapterFactory.java:176)
    at com.google.gson.Gson.fromJson(Gson.java:803)
    at com.google.gson.Gson.fromJson(Gson.java:768)
    at com.google.gson.Gson.fromJson(Gson.java:717)
    at com.google.gson.Gson.fromJson(Gson.java:689)
    at org.apache.ranger.ldapusersync.process.LdapPolicyMgrUserGroupBuilder.getMUser(LdapPolicyMgrUserGroupBuilder.java:844)
    at org.apache.ranger.ldapusersync.process.LdapPolicyMgrUserGroupBuilder.access$600(LdapPolicyMgrUserGroupBuilder.java:71)
    at org.apache.ranger.ldapusersync.process.LdapPolicyMgrUserGroupBuilder$7.run(LdapPolicyMgrUserGroupBuilder.java:808)
    at org.apache.ranger.ldapusersync.process.LdapPolicyMgrUserGroupBuilder$7.run(LdapPolicyMgrUserGroupBuilder.java:804)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:360)
    at org.apache.ranger.ldapusersync.process.LdapPolicyMgrUserGroupBuilder.addMUser(LdapPolicyMgrUserGroupBuilder.java:804)
    at org.apache.ranger.ldapusersync.process.LdapPolicyMgrUserGroupBuilder.addOrUpdateUser(LdapPolicyMgrUserGroupBuilder.java:292)
    at org.apache.ranger.ldapusersync.process.LdapDeltaUserGroupBuilder.getUsers(LdapDeltaUserGroupBuilder.java:525)
    at org.apache.ranger.ldapusersync.process.LdapDeltaUserGroupBuilder.updateSink(LdapDeltaUserGroupBuilder.java:335)
    at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
    at java.lang.Thread.run(Thread.java:750)
Caused by: java.lang.IllegalStateException: Expected BEGIN_OBJECT but was STRING at line 1 column 1
    at com.google.gson.stream.JsonReader.beginObject(JsonReader.java:374)
    at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory$Adapter.read(ReflectiveTypeAdapterFactory.java:165)
    ... 16 more
13 Dec 2022 18:19:58 ERROR LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - Failed to add portal user
13 Dec 2022 18:19:58 ERROR LdapDeltaUserGroupBuilder [UnixUserSyncThread] - sink.addOrUpdateUser failed with exception: Failed to add portal user, for user: MSPRDDCAWSE02$
13 Dec 2022 18:19:58 DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - ==> LdapPolicyMgrUserGroupBuilder.addUserGroupInfo MSPRDDCAWSE02$ and groups
13 Dec 2022 18:19:58 DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - INFO: addPMXAUser(MSPRDDCAWSE02$)
13 Dec 2022 18:19:58 DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - ==> LdapPolicyMgrUserGroupBuilder.getUsergroupInfo(UserGroupInfo ret)
13 Dec 2022 18:19:58 DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - USER GROUP MAPPING{"xuserInfo":{"name":"MSPRDDCAWSE02$","description":"MSPRDDCAWSE02$ - add from Unix box","groupNameList":[],"userRoleList":[]},"xgroupInfo":[]}
13 Dec 2022 18:19:58 DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - ==> LdapPolicyMgrUserGroupBuilder.cookieBasedUploadEntity()
13 Dec 2022 18:19:58 DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - ==> LdapPolicyMgrUserGroupBuilder.tryUploadEntityInfoWithCred()
13 Dec 2022 18:19:58 DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - USER GROUP MAPPING{"xuserInfo":{"name":"MSPRDDCAWSE02$","description":"MSPRDDCAWSE02$ - add from Unix box","groupNameList":[],"userRoleList":[]},"xgroupInfo":[]}
13 Dec 2022 18:19:58 DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - <== LdapPolicyMgrUserGroupBuilder.tryUploadEntityInfoWithCred()
13 Dec 2022 18:19:58 DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - <== LdapPolicyMgrUserGroupBuilder.cookieBasedUploadEntity()
13 Dec 2022 18:19:58 DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - RESPONSE: [<!doctype html><html lang="en"><head><title>HTTP Status 403 – Forbidden</title><style type="text/css">H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}</style></head><body><h1>HTTP Status 403 – Forbidden</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Message</b> GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)</p><p><b>Description</b> The server understood the request but refuses to authorize it.</p><hr class="line" /><h3>Apache Tomcat/7.0.94</h3></body></html>]
13 Dec 2022 18:19:58 ERROR LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - Failed to add User Group Info : com.google.gson.JsonSyntaxException: java.lang.IllegalStateException: Expected BEGIN_OBJECT but was STRING at line 1 column 1
    at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory$Adapter.read(ReflectiveTypeAdapterFactory.java:176)
    at com.google.gson.Gson.fromJson(Gson.java:803)
    at com.google.gson.Gson.fromJson(Gson.java:768)
    at com.google.gson.Gson.fromJson(Gson.java:717)
    at com.google.gson.Gson.fromJson(Gson.java:689)
    at org.apache.ranger.ldapusersync.process.LdapPolicyMgrUserGroupBuilder.getUsergroupInfo(LdapPolicyMgrUserGroupBuilder.java:424)
    at org.apache.ranger.ldapusersync.process.LdapPolicyMgrUserGroupBuilder.access$200(LdapPolicyMgrUserGroupBuilder.java:71)
    at org.apache.ranger.ldapusersync.process.LdapPolicyMgrUserGroupBuilder$2.run(LdapPolicyMgrUserGroupBuilder.java:337)
    at org.apache.ranger.ldapusersync.process.LdapPolicyMgrUserGroupBuilder$2.run(LdapPolicyMgrUserGroupBuilder.java:333)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:360)
    at org.apache.ranger.ldapusersync.process.LdapPolicyMgrUserGroupBuilder.addUserGroupInfo(LdapPolicyMgrUserGroupBuilder.java:333)
    at org.apache.ranger.ldapusersync.process.LdapPolicyMgrUserGroupBuilder.addOrUpdateUser(LdapPolicyMgrUserGroupBuilder.java:178)
    at org.apache.ranger.ldapusersync.process.LdapDeltaUserGroupBuilder.getUsers(LdapDeltaUserGroupBuilder.java:557)
    at org.apache.ranger.ldapusersync.process.LdapDeltaUserGroupBuilder.updateSink(LdapDeltaUserGroupBuilder.java:335)
    at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
    at java.lang.Thread.run(Thread.java:750)
Caused by: java.lang.IllegalStateException: Expected BEGIN_OBJECT but was STRING at line 1 column 1
    at com.google.gson.stream.JsonReader.beginObject(JsonReader.java:374)
    at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory$Adapter.read(ReflectiveTypeAdapterFactory.java:165)
    ... 16 more
13 Dec 2022 18:19:58 ERROR LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - Failed to add addorUpdate user group info
13 Dec 2022 18:19:58 ERROR LdapDeltaUserGroupBuilder [UnixUserSyncThread] - sink.addOrUpdateUserGroups failed with exception: Failed to add addorUpdate user group info, for user: MSPRDDCAWSE02$ and groups: []
13 Dec 2022 18:19:58 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - Updating user count: 1, userName: MSPRDDCAWSE02$
13 Dec 2022 18:19:58 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - uSNChangedVal = 78055074and currentDeltaSyncTime = 78055074
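A triage sketch for the log above, added here as an example and not part of the original report or of Ranger's code: it pairs each `JsonSyntaxException` error with the HTTP status and server message from the `RESPONSE` entry logged just before it, so the rejected request behind the parse error is reported directly. The sample log is constructed from trimmed lines of the report; `triage` and the other names are hypothetical.

```python
import re
from html import unescape

TS = r"\d{1,2} [A-Z][a-z]{2} \d{4} \d{2}:\d{2}:\d{2}"
# One entry = timestamp, level, logger, [thread], then text up to the next timestamp.
ENTRY = re.compile(
    rf"(?P<ts>{TS}) (?P<level>[A-Z]+) +(?P<logger>\S+) \[(?P<thread>[^\]]+)\] - "
    rf"(?P<msg>.*?)(?=\s*{TS} [A-Z]+ |\s*\Z)", re.S)
STATUS = re.compile(r"<title>HTTP Status (\d{3})")
MESSAGE = re.compile(r"<b>Message</b>\s*(.*?)</p>", re.S)

# Constructed sample: trimmed entries from the report, run together as on the page.
SAMPLE_LOG = (
    "13 Dec 2022 18:19:58 DEBUG LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - "
    "RESPONSE[<!doctype html><html><head><title>HTTP Status 403 - Forbidden</title>"
    "</head><body><p><b>Message</b> GSSException: No valid credentials provided</p>"
    "</body></html>] "
    "13 Dec 2022 18:19:58 ERROR LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - "
    "Failed to add User : com.google.gson.JsonSyntaxException: "
    "java.lang.IllegalStateException: Expected BEGIN_OBJECT but was STRING "
    "at line 1 column 1 "
    "13 Dec 2022 18:19:58 ERROR LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - "
    "Failed to add portal user"
)

def triage(text):
    """Pair each JSON parse error with the HTTP response logged just before it."""
    findings, last_response = [], None
    for m in ENTRY.finditer(text):
        msg = m["msg"]
        if msg.startswith("RESPONSE"):
            status, reason = STATUS.search(msg), MESSAGE.search(msg)
            last_response = (
                int(status.group(1)) if status else None,
                unescape(reason.group(1)).strip() if reason else None)
        elif (m["level"] == "ERROR" and "JsonSyntaxException" in msg
              and last_response):
            findings.append({"time": m["ts"],
                             "symptom": msg.split(" : ")[0],
                             "http_status": last_response[0],
                             "server_message": last_response[1]})
            last_response = None  # one response explains one parse error
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```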