Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Is there anyway to enable ssl between the ranger plugin agents on trino and audit store (opensearch)? #24592

Open
BaoICTHustK67 opened this issue Dec 30, 2024 · 1 comment
Open

Is there anyway to enable ssl between the ranger plugin agents on trino and audit store (opensearch)? #24592

BaoICTHustK67 opened this issue Dec 30, 2024 · 1 comment

Comments

@BaoICTHustK67
Copy link

The ranger-admin connect to the audit store source was fine, it created index for logs. But the agent on trino cannot send the audit logs to the audit store . Here is the error log

2024-12-30T02:52:17.727Z	INFO	org.apache.ranger.audit.queue.AuditBatchQueue1	stdout	ERROR - Error sending message to OpenSearchjavax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
See https://opensearch.org/docs/latest/clients/java-rest-high-level/ for troubleshooting.
	at org.opensearch.client.RestClient.extractAndWrapCause(RestClient.java:948)
	at org.opensearch.client.RestClient.performRequest(RestClient.java:333)
	at org.opensearch.client.RestClient.performRequest(RestClient.java:321)
	at org.opensearch.client.transport.rest_client.RestClientTransport.performRequest(RestClientTransport.java:147)
	at org.opensearch.client.opensearch.OpenSearchClient.bulk(OpenSearchClient.java:219)
	at org.apache.ranger.audit.destination.OpenSearchAuditDestination.log(OpenSearchAuditDestination.java:188)
	at org.apache.ranger.audit.queue.AuditBatchQueue.runLogAudit(AuditBatchQueue.java:303)
	at org.apache.ranger.audit.queue.AuditBatchQueue.run(AuditBatchQueue.java:220)
	at java.base/java.lang.Thread.run(Thread.java:1570)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:130)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:378)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:316)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1326)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1203)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1146)
	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:393)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:476)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1274)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1260)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:714)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1205)
	at org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:288)
	at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:356)
	at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:541)
	at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:120)
	at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162)
	at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337)
	at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
	at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
	at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
	at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:591)
	... 1 common frames omitted
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:388)
	at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:271)
	at java.base/sun.security.validator.Validator.validate(Validator.java:256)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:284)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1304)
	... 19 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:148)
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:129)
	at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
	at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:383)
	... 24 common frames omitted

i have insert the valid cert to trino cacerts file and set the ranger-policymgr-ssl.xml as below but it still not working


  ranger-trino-policymgr-ssl.xml: |
    <?xml version="1.0"?>
    <?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
    <configuration xmlns:xi="http://www.w3.org/2001/XInclude">
      <!-- properties used for 2-way SSL between the Trino plugin and Apache Ranger server -->
      <property>
        <name>xasecure.policymgr.clientssl.keystore</name>
        <value></value>
        <description>Path to keystore file. Only required for two-way SSL. This property should not be included for one-way SSL</description>
      </property>

      <property>
        <name>xasecure.policymgr.clientssl.keystore.type</name>
        <value>jks</value>
        <description>Type of keystore. Default: jks</description>
      </property>

      <property>
        <name>xasecure.policymgr.clientssl.keystore.credential.file</name>
        <value></value>
        <description>Path to credential file for the keystore; the credential should be in alias sslKeyStore. Only required for two-way SSL. This property should not be included for one-way SSL</description>
      </property>

      <property>
        <name>xasecure.policymgr.clientssl.truststore</name>
        <value>/usr/lib/jvm/temurin/jdk-22.0.1+8/lib/security/cacerts</value>
        <description>Path to truststore file</description>
      </property>

      <property>
        <name>xasecure.policymgr.clientssl.truststore.type</name>
        <value>jks</value>
        <description>Type of truststore. Default: jks</description>
      </property>
@lozbrown
Copy link
Contributor

lozbrown commented Jan 2, 2025

i think you will need to initialize a creds file, the default pass to the trustore should be changeit

java -cp /usr/lib/trino/plugin/apache-ranger/io.trino.hadoop_hadoop-apache-3.3.5-3.jar org.apache.hadoop.security.alias.CredentialShell create sslTrustStore -value changeit -provider jceks:///etc/trino/ranger_creds.jceks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@lozbrown @BaoICTHustK67