Release Notes

Workaround for BUG-64033

Description of Problem: Tags are not synchronized from any source in an SSL environment or when Ranger Admin is SSL-enabled (BUG-64033).

Error Message: The Tagsync process does not start, and the following error is logged in /var/log/ranger/tagsync/tagsync.log:

10 Aug 2016 07:25:08  INFO TagSynchronizer [main] - 177
        at org.apache.hadoop.conf.Configuration.getProps(Configuration.java:2418)
        at org.apache.hadoop.conf.Configuration.get(Configuration.java:981)
        at org.apache.ranger.plugin.util.RangerRESTClient.init(RangerRESTClient.java:246)
        at org.apache.ranger.plugin.util.RangerRESTClient.<init>(RangerRESTClient.java:116)
        at org.apache.ranger.tagsync.sink.tagadmin.TagAdminRESTSink.initialize(TagAdminRESTSink.java:97)
        at org.apache.ranger.tagsync.process.TagSynchronizer.initializeTagSink(TagSynchronizer.java:202)
        at org.apache.ranger.tagsync.process.TagSynchronizer.initialize(TagSynchronizer.java:104)
        at org.apache.ranger.tagsync.process.TagSynchronizer.main(TagSynchronizer.java:60)
10 Aug 2016 07:25:10 ERROR TagSynchronizer [main] - 207 Failed to initialize TAG sink. Error details:
java.lang.RuntimeException: com.sun.org.apache.xerces.internal.impl.io.MalformedByteSequenceException: Invalid byte 1 of 1-byte UTF-8 sequence.
        at org.apache.hadoop.conf.Configuration.loadResource(Configuration.java:2673)
        at org.apache.hadoop.conf.Configuration.loadResources(Configuration.java:2536)
        at org.apache.hadoop.conf.Configuration.getProps(Configuration.java:2418)
        at org.apache.hadoop.conf.Configuration.get(Configuration.java:981)
        at org.apache.ranger.plugin.util.RangerRESTClient.init(RangerRESTClient.java:246)
        at org.apache.ranger.plugin.util.RangerRESTClient.<init>(RangerRESTClient.java:116)
        at org.apache.ranger.tagsync.sink.tagadmin.TagAdminRESTSink.initialize(TagAdminRESTSink.java:97)
        at org.apache.ranger.tagsync.process.TagSynchronizer.initializeTagSink(TagSynchronizer.java:202)
        at org.apache.ranger.tagsync.process.TagSynchronizer.initialize(TagSynchronizer.java:104)
        at org.apache.ranger.tagsync.process.TagSynchronizer.main(TagSynchronizer.java:60)
Caused by: com.sun.org.apache.xerces.internal.impl.io.MalformedByteSequenceException: Invalid byte 1 of 1-byte UTF-8 sequence.
        at com.sun.org.apache.xerces.internal.impl.io.UTF8Reader.invalidByte(UTF8Reader.java:687)
        at com.sun.org.apache.xerces.internal.impl.io.UTF8Reader.read(UTF8Reader.java:557)
        at com.sun.org.apache.xerces.internal.impl.XMLEntityScanner.load(XMLEntityScanner.java:1753)
        at com.sun.org.apache.xerces.internal.impl.XMLEntityScanner.arrangeCapacity(XMLEntityScanner.java:1629)
        at com.sun.org.apache.xerces.internal.impl.XMLEntityScanner.skipString(XMLEntityScanner.java:1667)
        at com.sun.org.apache.xerces.internal.impl.XMLVersionDetector.determineDocVersion(XMLVersionDetector.java:196)
        at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:812)
        at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:777)
        at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
        at com.sun.org.apache.xerces.internal.parsers.DOMParser.parse(DOMParser.java:243)
        at com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderImpl.parse(DocumentBuilderImpl.java:347)
        at javax.xml.parsers.DocumentBuilder.parse(DocumentBuilder.java:121)
        at org.apache.hadoop.conf.Configuration.parse(Configuration.java:2514)
        at org.apache.hadoop.conf.Configuration.loadResource(Configuration.java:2587)

Workaround:

  1. Create the file ranger-policymgr-ssl.xml under /usr/hdp/current/ranger-tagsync/conf/ with the following content:

    <configuration>
        <property>
          <name>xasecure.policymgr.clientssl.keystore</name>
          <value>/etc/security/serverKeys/ranger-tagsync-keystore.jks</value>
        </property>
        
        <property>
          <name>xasecure.policymgr.clientssl.keystore.credential.file</name>
          <value>jceks://file/etc/ranger/tagsync/cred.jceks</value>
        </property>
        
        <property>
          <name>xasecure.policymgr.clientssl.keystore.password</name>
          <value>myKeyFilePassword</value>
        </property>
    
        <property>
          <name>xasecure.policymgr.clientssl.truststore</name>
          <value>/etc/security/serverKeys/ranger-tagsync-mytruststore.jks</value>
        </property>
        
        <property>
          <name>xasecure.policymgr.clientssl.truststore.credential.file</name>
          <value>jceks://file/etc/ranger/tagsync/cred.jceks</value>
        </property>
        
        <property>
          <name>xasecure.policymgr.clientssl.truststore.password</name>
          <value>changeit</value>
        </property>
     
    </configuration>

  2. Create the following directories if they do not exist:

    1. /etc/ranger/tagsync/

    2. /etc/security/serverKeys/

  3. Create ranger-tagsync-keystore.jks:

    Note

    This is just provided as an example. How you implement this step depends on your deployment.

    1. keytool -genkey -keyalg RSA -alias rangerTagsync -keystore /etc/security/serverKeys/ranger-tagsync-keystore.jks -storepass myKeyFilePassword -validity 360 -keysize 2048

    2. chmod 640 /etc/security/serverKeys/ranger-tagsync-keystore.jks

    3. chown ranger:ranger /etc/security/serverKeys/ranger-tagsync-keystore.jks [1]

  4. Create truststore ranger-tagsync-mytruststore.jks:

    Note

    This is just provided as an example. How you implement this step depends on your deployment.

    1. Export the certificate from ranger-admin-keystore.jks to ranger-admin-trust.cer by running the following command on the ranger-admin host [2]:

      keytool -export -keystore /etc/ranger/admin/conf/ranger-admin-keystore.jks -alias rangeradmin -file ranger-admin-trust.cer

    2. Import ranger-admin-trust.cer into ranger-tagsync-mytruststore.jks.

      keytool -import -file ranger-admin-trust.cer -alias rangeradmintrust -keystore /etc/security/serverKeys/ranger-tagsync-mytruststore.jks -storepass changeit

    3. chmod 640 /etc/security/serverKeys/ranger-tagsync-mytruststore.jks

    4. chown ranger:ranger /etc/security/serverKeys/ranger-tagsync-mytruststore.jks [1]

  5. Create cred.jceks:

    1. java -cp "/usr/hdp/current/ranger-tagsync/lib/*" org.apache.ranger.credentialapi.buildks create sslKeyStore -value myKeyFilePassword -provider jceks://file/etc/ranger/tagsync/cred.jceks

    2. java -cp "/usr/hdp/current/ranger-tagsync/lib/*" org.apache.ranger.credentialapi.buildks create sslTrustStore -value changeit -provider jceks://file/etc/ranger/tagsync/cred.jceks

    3. chmod 640 /etc/ranger/tagsync/cred.jceks

    4. chown ranger:ranger /etc/ranger/tagsync/cred.jceks [1]

  6. From Ambari:

    1. In Ranger config -> Advanced -> Advanced ranger-tagsync-site, update the ranger.tagsync.dest.ranger.ssl.config.filename property value to /usr/hdp/current/ranger-tagsync/conf/ranger-policymgr-ssl.xml

    2. Restart Ranger Tagsync.

Note:

  1. Give ownership of the .jks and .jceks files to the Ranger Tagsync process user.

  2. You will need to copy ranger-admin-trust.cer to the ranger-tagsync host if ranger-admin and ranger-tagsync are not running on the same host.
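
A preflight check for steps 1 to 5 of the workaround, to run before restarting Ranger Tagsync: it confirms that ranger-policymgr-ssl.xml parses as UTF-8 XML and that every keystore, truststore and credential file it names exists with mode 640 and the expected owner. This is an added example, not part of the original release notes or of Ranger; the function names and the `owner` and `root_dir` parameters are assumptions made for illustration.

```python
import os
import pwd
import xml.etree.ElementTree as ET
from pathlib import Path

PREFIX = "xasecure.policymgr.clientssl."
FILE_KEYS = ("keystore", "keystore.credential.file", "truststore", "truststore.credential.file")

def owner_name(uid):
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:  # uid without a passwd entry
        return str(uid)

def load_properties(conf_path):
    raw = Path(conf_path).read_bytes()
    raw.decode("utf-8")  # reject non-UTF-8 bytes before the XML parser sees them
    return {p.findtext("name", "").strip(): p.findtext("value", "").strip()
            for p in ET.fromstring(raw).iter("property")}

def check_workaround(conf_path, owner="ranger", root_dir="/"):
    """Return a list of problems; an empty list means steps 1-5 look complete.
    root_dir (hypothetical) lets the check run against a staged copy of the tree."""
    try:
        props = load_properties(conf_path)
    except (OSError, UnicodeDecodeError, ET.ParseError) as exc:
        return [f"{conf_path}: not readable as UTF-8 XML ({exc})"]
    problems, paths = [], set()
    for key in FILE_KEYS:
        value = props.get(PREFIX + key, "")
        if value:
            # jceks://file/etc/... names the local file /etc/...
            paths.add(os.path.join(root_dir, value.replace("jceks://file", "", 1).lstrip("/")))
        else:
            problems.append(f"missing property {PREFIX}{key}")
    for path in sorted(paths):
        if not os.path.exists(path):
            problems.append(f"{path}: does not exist")
            continue
        st = os.stat(path)
        mode = st.st_mode & 0o777  # permission bits only
        if mode != 0o640:
            problems.append(f"{path}: mode {mode:o}, expected 640")
        if owner_name(st.st_uid) != owner:
            problems.append(f"{path}: owner {owner_name(st.st_uid)}, expected {owner}")
    return problems

if __name__ == "__main__":
    print("\n".join(check_workaround("/usr/hdp/current/ranger-tagsync/conf/ranger-policymgr-ssl.xml")) or "OK")
```

Run it as root or as the Tagsync process user so that the files under /etc/security/serverKeys/ and /etc/ranger/tagsync/ are visible to the check.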