Install the Ranger Policy Manager
Make sure the HDP 2.6.0 resource-based service is added to your site's list of available repositories.
If it has not yet been added, add it now by performing the following steps:
For RHEL6/CentOS6/Oracle Linux 6:
wget -nv http://public-repo-1.hortonworks.com/HDP/centos6/2.x/GA/2.6.0.0/hdp.repo -O /etc/yum.repos.d/hdp.repo
For Ubuntu 12/14:
apt-get update
wget http://public-repo-1.hortonworks.com/HDP/ubuntu12/2.x/GA/2.6.0.0/hdp.list -O /etc/apt/sources.list.d/hdp.list
For Debian:
apt-get update
wget http://public-repo-1.hortonworks.com/HDP/debian<version>/2.x/GA/2.6.0.0/hdp.list -O /etc/apt/sources.list.d/hdp.list
Find the Ranger Policy Admin software:
For RHEL/CentOS/Oracle Linux:
yum search ranger
For Ubuntu 12/14, Debian:
aptitude search ranger
Install the Ranger Policy Admin software:
For RHEL/CentOS/Oracle Linux:
yum install ranger-admin
For Ubuntu 12/14, Debian:
apt-get install <package_name>
In the Ranger Policy Administration installation directory, update the install.properties file:
Go to the installation directory:
cd /usr/hdp/<version>/ranger-admin/
Edit the following install.properties entries:
Table 5.1. install.properties Entries
| Configuration Property | Description | Default/Example Value | Required? |
|---|---|---|---|
| Ranger Policy Database | | | |
| DB_FLAVOR | Specifies the type of database used (MYSQL, ORACLE, POSTGRES, MSSQL) | MYSQL (default) | Y |
| SQL_CONNECTOR_JAR | Path to the SQL connector jar of the DB flavor selected. The value should be the absolute path including the jar name. | /usr/share/java/mysql-connector-java.jar (default); /usr/share/java/postgresql.jar; /usr/share/java/sqljdbc4.jar; /usr/share/java/ojdbc6.jar | Y |
| db_root_user | Database username that has privileges for creating database schemas and users | root (default) | Y |
| db_root_password | Database password for the "db_root_user" | rootPassW0Rd | Y |
| db_host | Hostname of the Ranger policy database server | localhost | Y |
| db_name | Ranger Policy database name | ranger (default) | Y |
| db_user | Database username used for performing all policy management operations from the Policy Admin Tool | rangeradmin (default) | Y |
| db_password | Database password for the "db_user" | RangerAdminPassW0Rd | Y |
| Ranger Audit | | | |
| audit_solr_urls | | http://<solr_host>:8886/solr/ranger_audits | Y |
| audit_solr_user | | | Y |
| audit_solr_password | | | Y |
| audit_solr_zookeepers | | | Only required if SolrCloud is used. |
| Policy Admin Tool Config | | | |
| policymgr_external_url | URL used within the Policy Admin Tool when a link to its own page is generated in the Policy Admin Tool website | http://localhost:6080 (default); http://myexternalhost.xasecure.net:6080 | N |
| policymgr_http_enabled | Enables/disables the HTTP protocol for downloading policies by Ranger plug-ins | true (default) | Y |
| unix_user | UNIX user who runs the Policy Admin Tool process | ranger (default) | Y |
| unix_group | UNIX group associated with the UNIX user who runs the Policy Admin Tool process | ranger (default) | Y |
| Policy Admin Tool Authentication | | | |
| authentication_method | Authentication method used to log in to the Policy Admin Tool. NONE: only users created within the Policy Admin Tool may log in. UNIX: allows UNIX userid authentication using the UNIX authentication service (see below). LDAP: allows corporate LDAP authentication (see below). ACTIVE_DIRECTORY: allows authentication using an Active Directory. | none (default) | Y |
| UNIX Authentication Service | | | |
| remoteLoginEnabled | Flag to enable/disable remote login via UNIX authentication mode | true (default) | Y, if UNIX authentication_method is selected |
| authServiceHostName | Server name (or IP address) where the ranger-usersync module is running (along with the UNIX Authentication Service) | localhost (default); myunixhost.domain.com | Y, if UNIX authentication_method is selected |
| authServicePort | Port number where the ranger-usersync module is running the UNIX Authentication Service | 5151 (default) | Y, if UNIX authentication_method is selected |
| LDAP Authentication | | | |
| xa_ldap_url | URL for the LDAP service | ldap://<ldapServer>:389 | Y, if LDAP authentication_method is selected |
| xa_ldap_userDNpattern | LDAP DN pattern used to uniquely locate the login user | uid={0},ou=users,dc=xasecure,dc=net | Y, if LDAP authentication_method is selected |
| xa_ldap_groupSearchBase | LDAP base node location to get all groups associated with the login user | ou=groups,dc=xasecure,dc=net | Y, if LDAP authentication_method is selected |
| xa_ldap_groupSearchFilter | LDAP search filter used to retrieve groups for the login user | (member=uid={0},ou=users, dc=xasecure,dc=net) | Y, if LDAP authentication_method is selected |
| xa_ldap_groupRoleAttribute | Attribute used to retrieve the group names from the group search filters | cn | Y, if LDAP authentication_method is selected |
| Active Directory Authentication | | | |
| xa_ldap_ad_domain | Active Directory domain name used for AD login | xasecure.net | Y, if ACTIVE_DIRECTORY authentication_method is selected |
| xa_ldap_ad_url | Active Directory LDAP URL for authentication of the user | ldap://ad.xasecure.net:389 | Y, if ACTIVE_DIRECTORY authentication_method is selected |
If you are using an SSL-enabled MySQL database for Ranger, add the following properties to install.properties:
db_ssl_enabled=false
db_ssl_required=false
db_ssl_verifyServerCertificate=false
javax_net_ssl_keyStore=
javax_net_ssl_keyStorePassword=
javax_net_ssl_trustStore=
javax_net_ssl_trustStorePassword=
If Ranger Admin is SSL-enabled, add the following Ranger Admin SSL properties to the install.properties file. These properties secure the Ranger SSL password in the jceks file.
policymgr_https_keystore_file=<SSL keystore file path used to configure Ranger in SSL>
policymgr_https_keystore_keyalias=rangeradmin
policymgr_https_keystore_password=<SSL password used to create keystore>
If the Unix-Auth and User-Sync service is SSL-enabled, add the following Ranger Unix-Auth SSL properties to the install.properties file:
ranger_unixauth_keystore=keystore.jks
ranger_unixauth_keystore_password=password
ranger_unixauth_truststore=cacerts
ranger_unixauth_truststore_password=changeit
The RANGER_PID_DIR_PATH property introduces a custom PID path for the Ranger Admin Process. To configure this property to start and stop the Ranger Admin service, add the following property to install.properties. The default value is /var/run/ranger.
RANGER_PID_DIR_PATH=/var/run/ranger
Check the JAVA_HOME environment variable. If it has not yet been set, enter:
export JAVA_HOME=<path of installed jdk version folder>
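A pre-flight check for the install.properties entries in Table 5.1, as an added example that is not part of the original page or of the Ranger distribution: it reports required properties that are empty for the selected authentication_method and flags the table's example passwords left in place. The function names, the finding labels and the sample file contents are assumptions made for this example.

```sh
# Added example: pre-flight check of install.properties (not shipped with Ranger).
# prop FILE KEY: print the value of KEY (last assignment wins; empty if absent).
prop() {
    sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 |
        sed 's/[[:space:]]*$//'
}
# check_install_properties FILE: print one finding per line; return 1 if any.
check_install_properties() {
    f=$1; findings=0
    # Properties Table 5.1 marks "Y" unconditionally.
    required="DB_FLAVOR SQL_CONNECTOR_JAR db_root_user db_root_password db_host
        db_name db_user db_password audit_solr_urls audit_solr_user
        audit_solr_password policymgr_http_enabled unix_user unix_group
        authentication_method"
    # Properties required only for the selected authentication_method.
    case $(prop "$f" authentication_method | tr '[:lower:]' '[:upper:]') in
        UNIX) required="$required remoteLoginEnabled authServiceHostName authServicePort" ;;
        LDAP) required="$required xa_ldap_url xa_ldap_userDNpattern
            xa_ldap_groupSearchBase xa_ldap_groupSearchFilter xa_ldap_groupRoleAttribute" ;;
        ACTIVE_DIRECTORY) required="$required xa_ldap_ad_domain xa_ldap_ad_url" ;;
    esac
    for key in $required; do
        [ -n "$(prop "$f" "$key")" ] || { echo "MISSING $key"; findings=$((findings + 1)); }
    done
    # The table's example passwords must not be carried into a real install.
    for key in db_root_password db_password; do
        case $(prop "$f" "$key") in
            rootPassW0Rd|RangerAdminPassW0Rd)
                echo "EXAMPLE_PASSWORD $key"; findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}
# Constructed, deliberately incomplete sample file for the demonstration run.
write_sample() {
    cat > "$1" <<'EOF'
DB_FLAVOR=MYSQL
SQL_CONNECTOR_JAR=/usr/share/java/mysql-connector-java.jar
db_root_user=root
db_root_password=rootPassW0Rd
db_host=localhost
db_name=ranger
authentication_method=LDAP
xa_ldap_url=ldap://ldap.example.test:389
EOF
}
sample=$(mktemp); write_sample "$sample"
check_install_properties "$sample" || echo "resolve the findings above before setup"
rm -f "$sample"
```

Point check_install_properties at /usr/hdp/<version>/ranger-admin/install.properties after editing it; a zero exit status means every property the table requires for the chosen authentication method has a value.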