[Step4]Ranger HDFS Repository 创建失败修复
# Ranger HDFS Repository 创建失败排查与修复(FreeIPA 用户缺失导致 statusCode=1)
需要 ttr-release 版本 >= 2.2.3
Ambari 3.0.0 + Free IPA 统一认证体系 本文示例环境:Kylin V10 SP3 x86,Realm = TEST.COM
# 一、问题现象:HDFS Repository 一直创建失败
Ranger Admin 侧通过 Ambari 创建 HDFS Repository 时,过程会反复重试,最终仍失败。
# 1、Ambari 执行日志特征
日志中可以看到:
- 先
kinit获取票据 - 再以
hdfs用户发起对 Ranger Admin 的 API 请求 - POST 创建 service 后返回
{"statusCode":1} - Ambari 记录
Repository creation failed
2026-02-15 12:55:39,152 - checked_call['/usr/bin/kinit -c /var/lib/ambari-agent/tmp/curl_krb_cache/ranger_admin_calls_hdfs_cc_cbd47cd075950af990c63883e4ddb5cd4902f83306c17ea850c00099 -kt /etc/security/keytabs/nn.service.keytab nn/dev1.test.com@TEST.COM > /dev/null'] {'user': 'hdfs'}
2026-02-15 12:55:39,369 - checked_call returned (0, '')
2026-02-15 12:55:39,371 - call['ambari-sudo.sh su hdfs -l -s /bin/bash -c 'curl --location-trusted -k --negotiate -u : -b /var/lib/ambari-agent/tmp/cookies/235a889c-252b-42c6-a9d8-33b4e5596b3b -c /var/lib/ambari-agent/tmp/cookies/235a889c-252b-42c6-a9d8-33b4e5596b3b -w '"'"'%{http_code}'"'"' http://dev2.test.com:6080/login.jsp --connect-timeout 10 --max-time 12 -o /dev/null 1>/tmp/tmp0p1lgo3a 2>/tmp/tmp76c2yzia''] {'quiet': False, 'env': {'KRB5CCNAME': '/var/lib/ambari-agent/tmp/curl_krb_cache/ranger_admin_calls_hdfs_cc_cbd47cd075950af990c63883e4ddb5cd4902f83306c17ea850c00099'}}
2026-02-15 12:55:39,648 - call returned (0, '')
2026-02-15 12:55:39,649 - get_user_call_output returned (0, '200', ' % Total % Received % Xferd Average Speed Time Time Time Current\n Dload Upload Total Spent Left Speed\n\r 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0\r100 4283 100 4283 0 0 298k 0 --:--:-- --:--:-- --:--:-- 321k')
2026-02-15 12:55:39,650 - call['/usr/bin/klist -s /var/lib/ambari-agent/tmp/curl_krb_cache/ranger_admin_calls_hdfs_cc_cbd47cd075950af990c63883e4ddb5cd4902f83306c17ea850c00099'] {'user': 'hdfs'}
2026-02-15 12:55:39,852 - call returned (0, '')
2026-02-15 12:55:39,854 - call['ambari-sudo.sh su hdfs -l -s /bin/bash -c 'curl --location-trusted -k --negotiate -u : -b /var/lib/ambari-agent/tmp/cookies/6535ef25-b7c2-4346-9ff3-af576d88ec22 -c /var/lib/ambari-agent/tmp/cookies/6535ef25-b7c2-4346-9ff3-af576d88ec22 '"'"'http://dev2.test.com:6080/service/public/v2/api/service?serviceName=abc_hadoop&serviceType=hdfs&isEnabled=true'"'"' --connect-timeout 10 --max-time 12 -X GET 1>/tmp/tmpxitx036o 2>/tmp/tmphf3vwjz5''] {'quiet': False, 'env': {'KRB5CCNAME': '/var/lib/ambari-agent/tmp/curl_krb_cache/ranger_admin_calls_hdfs_cc_cbd47cd075950af990c63883e4ddb5cd4902f83306c17ea850c00099'}}
2026-02-15 12:55:40,143 - call returned (0, '')
2026-02-15 12:55:40,144 - get_user_call_output returned (0, '{"statusCode":403,"msgDesc":"User is not allowed to access the API"}', ' % Total % Received % Xferd Average Speed Time Time Time Current\n Dload Upload Total Spent Left Speed\n\r 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0\r100 68 0 68 0 0 809 0 --:--:-- --:--:-- --:--:-- 819')
2026-02-15 12:55:40,146 - Will retry 4 time(s), caught exception: Error in call for getting Ranger service:
Extra data: line 1 column 13 - line 1 column 67 (char 12 - 66). Sleeping for 8 sec(s)
2026-02-15 12:55:48,155 - checked_call['/usr/bin/kinit -c /var/lib/ambari-agent/tmp/curl_krb_cache/ranger_admin_calls_hdfs_cc_cbd47cd075950af990c63883e4ddb5cd4902f83306c17ea850c00099 -kt /etc/security/keytabs/nn.service.keytab nn/dev1.test.com@TEST.COM > /dev/null'] {'user': 'hdfs'}
2026-02-15 12:55:48,362 - checked_call returned (0, '')
2026-02-15 12:55:48,364 - call['ambari-sudo.sh su hdfs -l -s /bin/bash -c 'curl --location-trusted -k --negotiate -u : -b /var/lib/ambari-agent/tmp/cookies/843c6133-d353-4860-94de-aefd42250e5e -c /var/lib/ambari-agent/tmp/cookies/843c6133-d353-4860-94de-aefd42250e5e '"'"'http://dev2.test.com:6080/service/public/v2/api/service?serviceName=abc_hadoop&serviceType=hdfs&isEnabled=true'"'"' --connect-timeout 10 --max-time 12 -X GET 1>/tmp/tmpzhwqaocg 2>/tmp/tmpskpumdz7''] {'quiet': False, 'env': {'KRB5CCNAME': '/var/lib/ambari-agent/tmp/curl_krb_cache/ranger_admin_calls_hdfs_cc_cbd47cd075950af990c63883e4ddb5cd4902f83306c17ea850c00099'}}
2026-02-15 12:55:48,603 - call returned (0, '')
2026-02-15 12:55:48,604 - get_user_call_output returned (0, '[]', ' % Total % Received % Xferd Average Speed Time Time Time Current\n Dload Upload Total Spent Left Speed\n\r 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0\r100 2 0 2 0 0 64 0 --:--:-- --:--:-- --:--:-- 64')
2026-02-15 12:55:48,605 - call['/usr/bin/klist -s /var/lib/ambari-agent/tmp/curl_krb_cache/ranger_admin_calls_hdfs_cc_cbd47cd075950af990c63883e4ddb5cd4902f83306c17ea850c00099'] {'user': 'hdfs'}
2026-02-15 12:55:48,798 - call returned (0, '')
2026-02-15 12:55:48,799 - call['ambari-sudo.sh su hdfs -l -s /bin/bash -c 'curl --location-trusted -k --negotiate -u : -b /var/lib/ambari-agent/tmp/cookies/b5601506-41fe-4d09-94da-0725f86c4101 -c /var/lib/ambari-agent/tmp/cookies/b5601506-41fe-4d09-94da-0725f86c4101 http://dev2.test.com:6080/service/public/v2/api/service --connect-timeout 10 --max-time 12 -H '"'"'Content-Type: application/json'"'"' -X POST -d '"'"'{"isEnabled": "true", "configs": {"username": "hdfs", "password": "hadoop", "hadoop.security.authentication": "kerberos", "hadoop.security.authorization": true, "fs.default.name": "hdfs://dev1.test.com:8020", "hadoop.security.auth_to_local": "RULE:[1:$1@$0](ambari-qa-abc@TEST.COM)s/.*/ambari-qa/\nRULE:[1:$1@$0](hdfs-abc@TEST.COM)s/.*/hdfs/\nRULE:[1:$1@$0](rangerlookup-abc@TEST.COM)s/.*/ranger/\nRULE:[1:$1@$0](.*@TEST.COM)s/@.*//\nRULE:[2:$1@$0](dn@TEST.COM)s/.*/hdfs/\nRULE:[2:$1@$0](nn@TEST.COM)s/.*/hdfs/\nRULE:[2:$1@$0](rangeradmin@TEST.COM)s/.*/ranger/\nRULE:[2:$1@$0](rangertagsync@TEST.COM)s/.*/rangertagsync/\nRULE:[2:$1@$0](rangerusersync@TEST.COM)s/.*/rangerusersync/\nDEFAULT", "hadoop.rpc.protection": "authentication", "commonNameForCertificate": "", "dfs.datanode.kerberos.principal": "dn/dev1.test.com@TEST.COM", "dfs.namenode.kerberos.principal": "nn/dev1.test.com@TEST.COM", "dfs.secondary.namenode.kerberos.principal": "nn/dev1.test.com@TEST.COM", "policy.download.auth.users": "hdfs", "tag.download.auth.users": "hdfs", "ambari.service.check.user": "ambari-qa"}, "description": "hdfs repo", "name": "abc_hadoop", "type": "hdfs"}'"'"' 1>/tmp/tmpe1vtamqs 2>/tmp/tmp31v8cju9''] {'quiet': False, 'env': {'KRB5CCNAME': '/var/lib/ambari-agent/tmp/curl_krb_cache/ranger_admin_calls_hdfs_cc_cbd47cd075950af990c63883e4ddb5cd4902f83306c17ea850c00099'}}
2026-02-15 12:55:49,125 - call returned (0, '')
2026-02-15 12:55:49,126 - get_user_call_output returned (0, '{"statusCode":1}', ' % Total % Received % Xferd Average Speed Time Time Time Current\n Dload Upload Total Spent Left Speed\n\r 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0\r100 1166 0 16 100 1150 141 10176 --:--:-- --:--:-- --:--:-- 10318')
2026-02-15 12:55:49,127 - Repository creation failed
2026-02-15 12:56:19,158 - checked_call['/usr/bin/kinit -c /var/lib/ambari-agent/tmp/curl_krb_cache/ranger_admin_calls_hdfs_cc_cbd47cd075950af990c63883e4ddb5cd4902f83306c17ea850c00099 -kt /etc/security/keytabs/nn.service.keytab nn/dev1.test.com@TEST.COM > /dev/null'] {'user': 'hdfs'}
2026-02-15 12:56:19,381 - checked_call returned (0, '')
2026-02-15 12:56:19,382 - call['ambari-sudo.sh su hdfs -l -s /bin/bash -c 'curl --location-trusted -k --negotiate -u : -b /var/lib/ambari-agent/tmp/cookies/76eaee30-fad6-42ae-a472-7ea02e9633f3 -c /var/lib/ambari-agent/tmp/cookies/76eaee30-fad6-42ae-a472-7ea02e9633f3 '"'"'http://dev2.test.com:6080/service/public/v2/api/service?serviceName=abc_hadoop&serviceType=hdfs&isEnabled=true'"'"' --connect-timeout 10 --max-time 12 -X GET 1>/tmp/tmpkdtls12l 2>/tmp/tmp3qr6am_a''] {'quiet': False, 'env': {'KRB5CCNAME': '/var/lib/ambari-agent/tmp/curl_krb_cache/ranger_admin_calls_hdfs_cc_cbd47cd075950af990c63883e4ddb5cd4902f83306c17ea850c00099'}}
2026-02-15 12:56:19,630 - call returned (0, '')
2026-02-15 12:56:19,630 - get_user_call_output returned (0, '[]', ' % Total % Received % Xferd Average Speed Time Time Time Current\n Dload Upload Total Spent Left Speed\n\r 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0\r100 2 0 2 0 0 68 0 --:--:-- --:--:-- --:--:-- 68')
2026-02-15 12:56:19,631 - call['/usr/bin/klist -s /var/lib/ambari-agent/tmp/curl_krb_cache/ranger_admin_calls_hdfs_cc_cbd47cd075950af990c63883e4ddb5cd4902f83306c17ea850c00099'] {'user': 'hdfs'}
2026-02-15 12:56:19,836 - call returned (0, '')
2026-02-15 12:56:19,837 - call['ambari-sudo.sh su hdfs -l -s /bin/bash -c 'curl --location-trusted -k --negotiate -u : -b /var/lib/ambari-agent/tmp/cookies/a6d96467-ad28-4a5c-ba85-5df94cf822a4 -c /var/lib/ambari-agent/tmp/cookies/a6d96467-ad28-4a5c-ba85-5df94cf822a4 http://dev2.test.com:6080/service/public/v2/api/service --connect-timeout 10 --max-time 12 -H '"'"'Content-Type: application/json'"'"' -X POST -d '"'"'{"isEnabled": "true", "configs": {"username": "hdfs", "password": "hadoop", "hadoop.security.authentication": "kerberos", "hadoop.security.authorization": true, "fs.default.name": "hdfs://dev1.test.com:8020", "hadoop.security.auth_to_local": "RULE:[1:$1@$0](ambari-qa-abc@TEST.COM)s/.*/ambari-qa/\nRULE:[1:$1@$0](hdfs-abc@TEST.COM)s/.*/hdfs/\nRULE:[1:$1@$0](rangerlookup-abc@TEST.COM)s/.*/ranger/\nRULE:[1:$1@$0](.*@TEST.COM)s/@.*//\nRULE:[2:$1@$0](dn@TEST.COM)s/.*/hdfs/\nRULE:[2:$1@$0](nn@TEST.COM)s/.*/hdfs/\nRULE:[2:$1@$0](rangeradmin@TEST.COM)s/.*/ranger/\nRULE:[2:$1@$0](rangertagsync@TEST.COM)s/.*/rangertagsync/\nRULE:[2:$1@$0](rangerusersync@TEST.COM)s/.*/rangerusersync/\nDEFAULT", "hadoop.rpc.protection": "authentication", "commonNameForCertificate": "", "dfs.datanode.kerberos.principal": "dn/dev1.test.com@TEST.COM", "dfs.namenode.kerberos.principal": "nn/dev1.test.com@TEST.COM", "dfs.secondary.namenode.kerberos.principal": "nn/dev1.test.com@TEST.COM", "policy.download.auth.users": "hdfs", "tag.download.auth.users": "hdfs", "ambari.service.check.user": "ambari-qa"}, "description": "hdfs repo", "name": "abc_hadoop", "type": "hdfs"}'"'"' 1>/tmp/tmp886hmvv5 2>/tmp/tmpfpqq1hh_''] {'quiet': False, 'env': {'KRB5CCNAME': '/var/lib/ambari-agent/tmp/curl_krb_cache/ranger_admin_calls_hdfs_cc_cbd47cd075950af990c63883e4ddb5cd4902f83306c17ea850c00099'}}
2026-02-15 12:56:20,183 - call returned (0, '')
2026-02-15 12:56:20,183 - get_user_call_output returned (0, '{"statusCode":1}', ' % Total % Received % Xferd Average Speed Time Time Time Current\n Dload Upload Total Spent Left Speed\n\r 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0\r100 1166 0 16 100 1150 125 9055 --:--:-- --:--:-- --:--:-- 9181')
2026-02-15 12:56:20,184 - Repository creation failed
2026-02-15 12:56:50,215 - checked_call['/usr/bin/kinit -c /var/lib/ambari-agent/tmp/curl_krb_cache/ranger_admin_calls_hdfs_cc_cbd47cd075950af990c63883e4ddb5cd4902f83306c17ea850c00099 -kt /etc/security/keytabs/nn.service.keytab nn/dev1.test.com@TEST.COM > /dev/null'] {'user': 'hdfs'}
2026-02-15 12:56:50,427 - checked_call returned (0, '')
2026-02-15 12:56:50,428 - call['ambari-sudo.sh su hdfs -l -s /bin/bash -c 'curl --location-trusted -k --negotiate -u : -b /var/lib/ambari-agent/tmp/cookies/59a5734b-89aa-4a75-a2d2-3d18251735ee -c /var/lib/ambari-agent/tmp/cookies/59a5734b-89aa-4a75-a2d2-3d18251735ee '"'"'http://dev2.test.com:6080/service/public/v2/api/service?serviceName=abc_hadoop&serviceType=hdfs&isEnabled=true'"'"' --connect-timeout 10 --max-time 12 -X GET 1>/tmp/tmp_wdwrkk7 2>/tmp/tmpkc_jnn3i''] {'quiet': False, 'env': {'KRB5CCNAME': '/var/lib/ambari-agent/tmp/curl_krb_cache/ranger_admin_calls_hdfs_cc_cbd47cd075950af990c63883e4ddb5cd4902f83306c17ea850c00099'}}
2026-02-15 12:56:50,654 - call returned (0, '')
2026-02-15 12:56:50,655 - get_user_call_output returned (0, '[]', ' % Total % Received % Xferd Average Speed Time Time Time Current\n Dload Upload Total Spent Left Speed\n\r 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0\r100 2 0 2 0 0 60 0 --:--:-- --:--:-- --:--:-- 62')
2026-02-15 12:56:50,656 - call['/usr/bin/klist -s /var/lib/ambari-agent/tmp/curl_krb_cache/ranger_admin_calls_hdfs_cc_cbd47cd075950af990c63883e4ddb5cd4902f83306c17ea850c00099'] {'user': 'hdfs'}
2026-02-15 12:56:50,846 - call returned (0, '')
2026-02-15 12:56:50,847 - call['ambari-sudo.sh su hdfs -l -s /bin/bash -c 'curl --location-trusted -k --negotiate -u : -b /var/lib/ambari-agent/tmp/cookies/5a955daf-c04c-4f27-9c13-8a4be135fa8d -c /var/lib/ambari-agent/tmp/cookies/5a955daf-c04c-4f27-9c13-8a4be135fa8d http://dev2.test.com:6080/service/public/v2/api/service --connect-timeout 10 --max-time 12 -H '"'"'Content-Type: application/json'"'"' -X POST -d '"'"'{"isEnabled": "true", "configs": {"username": "hdfs", "password": "hadoop", "hadoop.security.authentication": "kerberos", "hadoop.security.authorization": true, "fs.default.name": "hdfs://dev1.test.com:8020", "hadoop.security.auth_to_local": "RULE:[1:$1@$0](ambari-qa-abc@TEST.COM)s/.*/ambari-qa/\nRULE:[1:$1@$0](hdfs-abc@TEST.COM)s/.*/hdfs/\nRULE:[1:$1@$0](rangerlookup-abc@TEST.COM)s/.*/ranger/\nRULE:[1:$1@$0](.*@TEST.COM)s/@.*//\nRULE:[2:$1@$0](dn@TEST.COM)s/.*/hdfs/\nRULE:[2:$1@$0](nn@TEST.COM)s/.*/hdfs/\nRULE:[2:$1@$0](rangeradmin@TEST.COM)s/.*/ranger/\nRULE:[2:$1@$0](rangertagsync@TEST.COM)s/.*/rangertagsync/\nRULE:[2:$1@$0](rangerusersync@TEST.COM)s/.*/rangerusersync/\nDEFAULT", "hadoop.rpc.protection": "authentication", "commonNameForCertificate": "", "dfs.datanode.kerberos.principal": "dn/dev1.test.com@TEST.COM", "dfs.namenode.kerberos.principal": "nn/dev1.test.com@TEST.COM", "dfs.secondary.namenode.kerberos.principal": "nn/dev1.test.com@TEST.COM", "policy.download.auth.users": "hdfs", "tag.download.auth.users": "hdfs", "ambari.service.check.user": "ambari-qa"}, "description": "hdfs repo", "name": "abc_hadoop", "type": "hdfs"}'"'"' 1>/tmp/tmp_c56684b 2>/tmp/tmpr0oinrpg''] {'quiet': False, 'env': {'KRB5CCNAME': '/var/lib/ambari-agent/tmp/curl_krb_cache/ranger_admin_calls_hdfs_cc_cbd47cd075950af990c63883e4ddb5cd4902f83306c17ea850c00099'}}
2026-02-15 12:56:51,135 - call returned (0, '')
2026-02-15 12:56:51,135 - get_user_call_output returned (0, '{"statusCode":1}', ' % Total % Received % Xferd Average Speed Time Time Time Current\n Dload Upload Total Spent Left Speed\n\r 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0\r100 1166 0 16 100 1150 192 13855 --:--:-- --:--:-- --:--:-- 14048')
2026-02-15 12:56:51,136 - Repository creation failed
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
关键点
返回 {"statusCode":1} 并不等价于“Ranger 服务不可用”,它更多表示 Ranger 业务层拒绝/异常,需要回看 Ranger Admin 日志。
# 二、抓住关键请求:还原 Ambari 实际调用的 curl
排查这类问题,建议先把 Ambari 打出来的 call 还原为可执行命令。
# 1、定位关键 POST
观察日志中这段调用:
2026-02-15 12:56:50,847 - call['ambari-sudo.sh su hdfs ... -X POST -d '{"isEnabled": "true", ... }'']
...
get_user_call_output returned (0, '{"statusCode":1}', ...)
1
2
3
2
3
# 2、格式化为可执行命令
KRB5CCNAME=/var/lib/ambari-agent/tmp/curl_krb_cache/ranger_admin_calls_hdfs_cc_cbd47cd075950af990c63883e4ddb5cd4902f83306c17ea850c00099 \
ambari-sudo.sh su hdfs -l -s /bin/bash -c '
curl --location-trusted -k --negotiate -u : \
-b /var/lib/ambari-agent/tmp/cookies/5a955daf-c04c-4f27-9c13-8a4be135fa8d \
-c /var/lib/ambari-agent/tmp/cookies/5a955daf-c04c-4f27-9c13-8a4be135fa8d \
http://dev2.test.com:6080/service/public/v2/api/service \
--connect-timeout 10 --max-time 12 \
-H "Content-Type: application/json" \
-X POST \
-d "{"
"\"isEnabled\": \"true\","
"\"configs\": {"
"\"username\": \"hdfs\","
"\"password\": \"hadoop\","
"\"hadoop.security.authentication\": \"kerberos\","
"\"hadoop.security.authorization\": true,"
"\"fs.default.name\": \"hdfs://dev1.test.com:8020\","
"\"hadoop.security.auth_to_local\": \""
"RULE:[1:\$1@\$0](ambari-qa-abc@TEST.COM)s/.*/ambari-qa/\\n"
"RULE:[1:\$1@\$0](hdfs-abc@TEST.COM)s/.*/hdfs/\\n"
"RULE:[1:\$1@\$0](rangerlookup-abc@TEST.COM)s/.*/ranger/\\n"
"RULE:[1:\$1@\$0](.*@TEST.COM)s/@.*//\\n"
"RULE:[2:\$1@\$0](dn@TEST.COM)s/.*/hdfs/\\n"
"RULE:[2:\$1@\$0](nn@TEST.COM)s/.*/hdfs/\\n"
"RULE:[2:\$1@\$0](rangeradmin@TEST.COM)s/.*/ranger/\\n"
"RULE:[2:\$1@\$0](rangertagsync@TEST.COM)s/.*/rangertagsync/\\n"
"RULE:[2:\$1@\$0](rangerusersync@TEST.COM)s/.*/rangerusersync/\\n"
"DEFAULT"
"\","
"\"hadoop.rpc.protection\": \"authentication\","
"\"commonNameForCertificate\": \"\","
"\"dfs.datanode.kerberos.principal\": \"dn/dev1.test.com@TEST.COM\","
"\"dfs.namenode.kerberos.principal\": \"nn/dev1.test.com@TEST.COM\","
"\"dfs.secondary.namenode.kerberos.principal\": \"nn/dev1.test.com@TEST.COM\","
"\"policy.download.auth.users\": \"hdfs\","
"\"tag.download.auth.users\": \"hdfs\","
"\"ambari.service.check.user\": \"ambari-qa\""
"},"
"\"description\": \"hdfs repo\","
"\"name\": \"abc_hadoop\","
"\"type\": \"hdfs\""
"}" \
1>/tmp/tmp_c56684b \
2>/tmp/tmpr0oinrpg
'
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
执行后,返回值仍为:
{"statusCode":1}
1
提示
到这里,已经可以确认:不是 Ambari 重试逻辑问题,而是 Ranger Admin 侧处理这次请求时出现业务异常。
# 三、回看 Ranger Admin 日志:登录会话创建失败
继续沿着时间点(12:56 ~ 13:10)回看 Ranger Admin 日志,发现核心异常发生在 Session 处理阶段。
# 1、典型错误特征
2026-02-15 13:09:47,762 [http-nio-6080-exec-10] WARN [XUserMgr.java:1755] XUserMgr.searchXUsers: unexpected searchCriteriaParam:name
2026-02-15 13:09:48,655 [http-nio-6080-exec-3] ERROR [SessionMgr.java:128] Error getting user for loginId=hdfs
java.lang.Exception: null
at org.apache.ranger.biz.SessionMgr.processSuccessLogin(SessionMgr.java:128)
at org.apache.ranger.biz.SessionMgr$$FastClassBySpringCGLIB$$d758ade0.invoke(<generated>)
at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218)
at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:793)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:763)
at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:123)
at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:388)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:119)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:763)
at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:708)
at org.apache.ranger.biz.SessionMgr$$EnhancerBySpringCGLIB$$1ef7a18a.processSuccessLogin(<generated>)
at org.apache.ranger.security.web.filter.RangerSecurityContextFormationFilter.doFilter(RangerSecurityContextFormationFilter.java:124)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:115)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:81)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:122)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:116)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:126)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:81)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
这里有两个重要信息:
| 关键字段 | 含义 |
|---|---|
loginId=hdfs | Ranger 尝试用 hdfs 建立登录会话 |
Error getting user | Ranger 在用户表/目录中找不到该用户或无法解析 |
根因指向
Ranger Admin 在处理 API 请求时需要建立会话(或校验用户),但对应用户(如 hdfs/ambari-qa)在 FreeIPA 目录侧不完整,导致会话创建失败,最终返回 statusCode=1。
# 五、闭环验证:创建成功 + 页面正常
用户补齐后,重新触发创建流程,可以观察到:
- Ambari 创建成功日志出现
- Ranger Admin 日志不再报
Error getting user for loginId=... - Ranger 页面 HDFS repo 可见
# 1、Ambari 创建成功日志
# 2、Ranger Admin 日志恢复正常
# 3、Ranger 页面验证成功
- 03
- Ranger Admin 证书快速导入脚本02-15