Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Is there anyway to enable ssl between the ranger plugin agents on trino and audit store (opensearch)? #24592

Closed
BaoICTHustK67 opened this issue Dec 30, 2024 · 3 comments

Comments

@BaoICTHustK67
Copy link

The ranger-admin connect to the audit store source was fine, it created index for logs. But the agent on trino cannot send the audit logs to the audit store . Here is the error log

2024-12-30T02:52:17.727Z	INFO	org.apache.ranger.audit.queue.AuditBatchQueue1	stdout	ERROR - Error sending message to OpenSearchjavax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
See https://opensearch.org/docs/latest/clients/java-rest-high-level/ for troubleshooting.
	at org.opensearch.client.RestClient.extractAndWrapCause(RestClient.java:948)
	at org.opensearch.client.RestClient.performRequest(RestClient.java:333)
	at org.opensearch.client.RestClient.performRequest(RestClient.java:321)
	at org.opensearch.client.transport.rest_client.RestClientTransport.performRequest(RestClientTransport.java:147)
	at org.opensearch.client.opensearch.OpenSearchClient.bulk(OpenSearchClient.java:219)
	at org.apache.ranger.audit.destination.OpenSearchAuditDestination.log(OpenSearchAuditDestination.java:188)
	at org.apache.ranger.audit.queue.AuditBatchQueue.runLogAudit(AuditBatchQueue.java:303)
	at org.apache.ranger.audit.queue.AuditBatchQueue.run(AuditBatchQueue.java:220)
	at java.base/java.lang.Thread.run(Thread.java:1570)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:130)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:378)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:316)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1326)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1203)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1146)
	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:393)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:476)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1274)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1260)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:714)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1205)
	at org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:288)
	at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:356)
	at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:541)
	at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:120)
	at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162)
	at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337)
	at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
	at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
	at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
	at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:591)
	... 1 common frames omitted
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:388)
	at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:271)
	at java.base/sun.security.validator.Validator.validate(Validator.java:256)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:284)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1304)
	... 19 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:148)
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:129)
	at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
	at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:383)
	... 24 common frames omitted

i have insert the valid cert to trino cacerts file and set the ranger-policymgr-ssl.xml as below but it still not working


  ranger-trino-policymgr-ssl.xml: |
    <?xml version="1.0"?>
    <?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
    <configuration xmlns:xi="http://www.w3.org/2001/XInclude">
      <!-- properties used for 2-way SSL between the Trino plugin and Apache Ranger server -->
      <property>
        <name>xasecure.policymgr.clientssl.keystore</name>
        <value></value>
        <description>Path to keystore file. Only required for two-way SSL. This property should not be included for one-way SSL</description>
      </property>

      <property>
        <name>xasecure.policymgr.clientssl.keystore.type</name>
        <value>jks</value>
        <description>Type of keystore. Default: jks</description>
      </property>

      <property>
        <name>xasecure.policymgr.clientssl.keystore.credential.file</name>
        <value></value>
        <description>Path to credential file for the keystore; the credential should be in alias sslKeyStore. Only required for two-way SSL. This property should not be included for one-way SSL</description>
      </property>

      <property>
        <name>xasecure.policymgr.clientssl.truststore</name>
        <value>/usr/lib/jvm/temurin/jdk-22.0.1+8/lib/security/cacerts</value>
        <description>Path to truststore file</description>
      </property>

      <property>
        <name>xasecure.policymgr.clientssl.truststore.type</name>
        <value>jks</value>
        <description>Type of truststore. Default: jks</description>
      </property>
@lozbrown
Copy link
Contributor

lozbrown commented Jan 2, 2025

i think you will need to initialize a creds file, the default pass to the trustore should be changeit

java -cp /usr/lib/trino/plugin/apache-ranger/io.trino.hadoop_hadoop-apache-3.3.5-3.jar org.apache.hadoop.security.alias.CredentialShell create sslTrustStore -value changeit -provider jceks:///etc/trino/ranger_creds.jceks

@viethqb
Copy link

viethqb commented Jan 7, 2025

You need to edit ranger's org.apache.ranger_ranger-plugins-audit-2.5.0.jar library, add OpenSearchAuditDestination class. I also have the same problem you can refer to this way: https://github.com/viethqb/trino-ranger-access-control-poc/

@BaoICTHustK67
Copy link
Author

You need to edit ranger's org.apache.ranger_ranger-plugins-audit-2.5.0.jar library, add OpenSearchAuditDestination class. I also have the same problem you can refer to this way: https://github.com/viethqb/trino-ranger-access-control-poc/

I have refer to your way and see that it worked so well!! Thank you very much for your help, i really appriciate that 💯

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

No branches or pull requests

3 participants