Special Requirements for High Availability Environments In a HA environment, primary and secondary NameNodes must be configured as described in the HDP System Administration Guide.
To enable Ranger in the HDFS HA environment, the HDFS plugin must be set up in each NameNode, and then pointed to the same HDFS repository set up in the Security Manager. Any policies created within that HDFS repository are automatically synchronized to the primary and secondary NameNodes through the installed Apache Ranger plugin. That way, if the primary NameNode fails, the secondary namenode takes over and the Ranger plugin at that NameNode begins to enforce the same policies for access control.
When creating the repository, you must include the fs.default.name for the primary
NameNode. If the primary NameNode fails during policy creation, you can then temporarily use
the fs.default.name of the secondary NameNode in the repository details to enable directory
lookup for policy creation.
Primary NameNode failure does not affect the actual policy enforcement. In this setup for HA, access control is enforced during primary NameNode failure, by the Ranger plugs at the secondary NameNodes.
