Apache Ambari Upgrade
Also available as:
PDF

Post-upgrade Tasks for Ranger with Kerberos

  1. If you have not already done so, you should migrate your audit logs from DB to Solr.

  2. After successfully upgrading, use the procedure in "How to Regenerate Keytabs" to regenerate keytabs. Select the "Only regenerate keytabs for missing hosts and components" check box, confirm the keytab regeneration, then restart all required services.

  3. Log in to the Ranger Admin UI and select Settings > Users/Groups. Select the Users tab, then click Add New User. On the User Detail page, enter the short-name of the principal “ranger.lookup.kerberos.principal” (if that user does not already exist) in the User Name box. For example, if the lookup principal is “rangerlookup/_HOST@${realm}”, enter "rangelookup" as the user name. Enter the other settings shown below, then click Save to create the user. Add the new "rangerlookup" user in Ranger policies and services. You can use Test Connection on the Services pages to chcck the connection.

Additional Steps for Ranger HA with Kerberos

If Ranger HA (High Availability) is set up along with Kerberos, perform the following additional steps:

  1. Use SSH to connect to the KDC server host. Use the kadmin.local command to access the Kerberos CLI, then check the list of principals for each domain where Ranger Admin and the load-balancer are installed.

    kadmin.local
    kadmin.local: list_principals

    For example, if Ranger Admin is installed on <host1> and <host2>, and the load-balancer is installed on <host3>, the list returned should include the following entries:

    HTTP/ <host3>@EXAMPLE.COM
    HTTP/ <host2>@EXAMPLE.COM
    HTTP/ <host1>@EXAMPLE.COM

    If the HTTP principal for any of these hosts is not listed, use the following command to add the principal:

    kadmin.local: addprinc -randkey HTTP/<host3>@EXAMPLE.COM
    [Note]Note

    This step will need to be performed each time the Spnego keytab is regenerated.

  2. Use the following kadmin.local commands to add the HTTP Principal of each of the Ranger Admin and load-balancer nodes to the Spnego keytab file:

    kadmin.local: ktadd -norandkey -kt /etc/security/keytabs/spnego.service.keytab HTTP/ <host3>@EXAMPLE.COM
    kadmin.local: ktadd -norandkey -kt /etc/security/keytabs/spnego.service.keytab HTTP/ <host2>@EXAMPLE.COM
    kadmin.local: ktadd -norandkey -kt /etc/security/keytabs/spnego.service.keytab HTTP/ <host1>@EXAMPLE.COM

    Use the exit command to exit ktadmin.local.

  3. Run the following command to check the Spnego keytab file:

    klist -kt /etc/security/keytabs/spnego.service.keytab

    The output should include the principals of all of the nodes on which Ranger Admin and the load-balancer are installed. For example:

    Keytab name: FILE:/etc/security/keytabs/spnego.service.keytab
    KVNO Timestamp     	Principal
    ---- ----------------- --------------------------------------------------------
       1 07/22/16 06:27:31 HTTP/ <host3>@EXAMPLE.COM
       1 07/22/16 06:27:31 HTTP/ <host3>@EXAMPLE.COM
       1 07/22/16 06:27:31 HTTP/ <host3>@EXAMPLE.COM
       1 07/22/16 06:27:31 HTTP/ <host3>@EXAMPLE.COM
       1 07/22/16 06:27:31 HTTP/ <host3>@EXAMPLE.COM
       1 07/22/16 08:37:23 HTTP/ <host2>@EXAMPLE.COM
       1 07/22/16 08:37:23 HTTP/ <host2>@EXAMPLE.COM
       1 07/22/16 08:37:23 HTTP/ <host2>@EXAMPLE.COM
       1 07/22/16 08:37:23 HTTP/ <host2>@EXAMPLE.COM
       1 07/22/16 08:37:23 HTTP/ <host2>@EXAMPLE.COM
       1 07/22/16 08:37:23 HTTP/ <host2>@EXAMPLE.COM
       1 07/22/16 08:37:35 HTTP/ <host1>@EXAMPLE.COM
       1 07/22/16 08:37:36 HTTP/ <host1>@EXAMPLE.COM
       1 07/22/16 08:37:36 HTTP/ <host1>@EXAMPLE.COM
       1 07/22/16 08:37:36 HTTP/ <host1>@EXAMPLE.COM
       1 07/22/16 08:37:36 HTTP/ <host1>@EXAMPLE.COM
       1 07/22/16 08:37:36 HTTP/ <host1>@EXAMPLE.COM
  4. Use scp to copy the Spnego keytab file to every node in the cluster on which Ranger Admin and the load-balancer are installed. Verify that the /etc/security/keytabs/spnego.service.keytab file is present on all Ranger Admin and load-balancer hosts.

  5. On the Ambari dashboard, select Ranger > Configs > Advanced, then select Advanced ranger-admin-site. Set the value of the ranger.spnego.kerberos.principal property to *.

  6. Click Save to save the configuration, then restart Ranger Admin.