Command Line Installation
Also available as:
PDF
loading table of contents...

Install the Ranger Policy Manager

  1. Make sure the HDP 2.6.0 resource-based service is added to your site's list of available repositories.

    If it has not yet been added, add it now by performing the following steps:

    • For RHEL6/Centos6/Oracle LINUX 6:

      wget -nv http://public-repo-1.hortonworks.com/HDP/centos6/2.x/GA/2.6.0.0/hdp.repo -O /etc/yum.repos.d/hdp.repo
    • For Ubuntu 12/14:

      apt-get update wget http://public-repo-1.hortonworks.com/HDP/ubuntu12/2.x/GA/2.6.0.0/hdp.list -O /etc/apt/sources.list.d/hdp.list
    • For Debian:

      apt-get update wget http://public-repo-1.hortonworks.com/HDP/debian<version>/2.x/GA/2.6.0.0/hdp.list -O /etc/apt/sources.list.d/hdp.list
  2. Find the Ranger Policy Admin software:

    1. For RHEL/Centos/Oracle LINUX:

      yum search ranger

    2. For Ubuntu 12/14, Debian:

      aptitude search ranger
  3. Install the Ranger Policy Admin software:

    yum install ranger-admin
  4. apt-get install <package_name>

    In the Ranger Policy Administration installation directory, update the install.properties file:

    • Go to the installation directory:

      cd /usr/hdp/<version>/ranger-admin/
    • Edit the following install.properties entries:

      Table 5.1. install.properties Entries

      Configuration Property

      Default/Example Value

      Required?

      Ranger Policy Database

      DB_FLAVOR Specifies the type of database used (MYSQL,ORACLE,POSTGRES,MSSQL)

      MYSQL (default)

      Y

      SQL_CONNECTOR_JAR Path to SQL connector jar of the DB Flavor selected. The value should be the absolute path including the jar name.

      /usr/share/java/mysql-connector-java.jar (default)

      /usr/share/java/postgresql.jar

      /usr/share/java/sqljdbc4.jar

      /usr/share/java/ojdbc6.jar

      Y

      db_root_user database username who has privileges for creating database schemas and users

      root (default)

      Y

      db_root_password database password for the "db_root_user"

      rootPassW0Rd

      Y

      db_host Hostname of the Ranger policy database server

      localhost

      Y

      db_name Ranger Policy database name

      ranger (default)

      Y

      db_user db username used for performing all policy mgmt operation from policy admin tool

      rangeradmin (default)

      Y

      db_password database password for the "db_user"

      RangerAdminPassW0Rd

      Y

      Ranger Audit

      audit_solr_urls

      http://<solr_host>:8886/solr/ranger_audits

      Y
      audit_solr_user Y
      audit_solr_password Y
      audit_solr_zookeepers Only required if SolrCloud is used.

      Policy Admin Tool Config

       

      policymgr_external_url URL used within Policy Admin tool when a link to its own page is generated in the Policy Admin Tool website

      http://localhost:6080 (default) http://myexternalhost.xasecure.net:6080N

      policymgr_http_enabled Enables/disables HTTP protocol for downloading policies by Ranger plug-ins

      true (default)

      Y

      unix_user UNIX user who runs the Policy Admin Tool process

      ranger (default)

      Y

      unix_group UNIX group associated with the UNIX user who runs the Policy Admin Tool process

      ranger (default)

      Y

      Policy Admin Tool Authentication

      authentication_method

      Authentication Method used to log in to the Policy Admin Tool.

      NONE: only users created within the Policy Admin Tool may log in

      UNIX: allows UNIX userid authentication using the UNIX authentication service (see below)

      LDAP: allows Corporate LDAP authentication (see below)

      ACTIVE_DIRECTORY: allows authentication using an Active Directory

      none (default)

      Y

      UNIX Authentication Service

      remoteLoginEnabled Flag to enable/disable remote Login via Unix Authentication Mode

      true (default)

      Y, if UNIX authentication_method is selected

      authServiceHostName Server Name (or ip-addresss) where ranger-usersync module is running (along with Unix Authentication Service)

      localhost (default) myunixhost.domain.com

      Y, if UNIX authentication_method is selected

      authServicePort Port Number where ranger-usersync module is running Unix Authentication Service

      5151 (default)

      Y, if UNIX authentication_method is selected

      LDAP Authentication

      xa_ldap_url URL for the LDAP service

      ldap://<ldapServer>:389

      Y, if LDAP authentication_method is selected

      xa_ldap_userDNpattern LDAP DN Pattern used to uniquely locate the login user

      uid={0},ou=users,dc=xasecure,dc=net

      Y, if LDAP authentication_method is selected

      xa_ldap_groupSearchBase LDAP Base node location to get all groups associated with login user

      ou=groups,dc=xasecure,dc=net

      Y, if LDAP authentication_method is selected

      xa_ldap_groupSearchFilter LDAP search filter used to retrieve groups for the login user

      (member=uid={0},ou=users, dc=xasecure,dc=net)

      Y, if LDAP authentication_method is selected

      xa_ldap_groupRoleAttribute Attribute used to retrieve the group names from the group search filters

      cn

      Y, if LDAP authentication_method is selected

      Active Directory Authentication

      xa_ldap_ad_domain Active Directory Domain Name used for AD login

      xasecure.net

      Y, if ACTIVE_DIRECTORY authentication_method is selected

      xa_ldap_ad_url Active Directory LDAP URL for authentication of user

      ldap://ad.xasecure.net:389

      Y, if ACTIVE_DIRECTORY authentication_method is selected


  5. If you are using an SSL-enabled, MySQL database for Ranger, add the following properties to install.properties:

    db_ssl_enabled=false                                                    
    db_ssl_required=false                                                   
    db_ssl_verifyServerCertificate=false                                    
    javax_net_ssl_keyStore=                                                 
    javax_net_ssl_keyStorePassword=                                         
    javax_net_ssl_trustStore=                                               
    javax_net_ssl_trustStorePassword=
    
  6. If Ranger Admin is SSL-enabled, add the following Ranger Admin SSL properties to the install.properties file. These properties secure the Ranger SSL password in the jceks file.

    policymgr_https_keystore_file=<SSL keystore file path used to configure Ranger in SSL>
    policymgr_https_keystore_keyalias=rangeradmin
    policymgr_https_keystore_password=<SSL password used to create keystore>
    
  7. If Unix-Auth and User-Sync service is SSL-enabled, add the following Ranger Unix-Auth SSL properties to the install.properties file:

    ranger_unixauth_keystore=keystore.jks
    ranger_unixauth_keystore_password=password
    ranger_unixauth_truststore=cacerts
    ranger_unixauth_truststore_password=changeit
    
  8. The RANGER_PID_DIR_PATH property introduces a custom PID path for the Ranger Admin Process. To configure this property to start and stop the Ranger Admin service, add the following property to install.properties. The default value is /var/run/ranger.

    RANGER_PID_DIR_PATH=/var/run/ranger
  9. Check the JAVA_HOME environment variable. If it has not yet been set, enter:

    export JAVA_HOME=<path of installed jdk version folder>