(Optional) To configure Ranger using the Setup GUI, complete the following steps.
Enable Ranger from the Additional components tab, and specify its authentication method.
Click the Ranger Policy Admin tab in the middle of the HDP Setup Form.
Enter host information, credentials for the database that stores policies, Admin user credentials, and Audit user credentials.
Table 2.6. Ranger configuration property information
| Configuration Property Name | Description | Example Value | Mandatory/Optional/Conditional |
|---|---|---|---|
| Ranger host | Hostname of the host where Ranger-Admin and Ranger-UserSync services will be installed | WIN-Q0EOPEACTR1 | Mandatory |
| Ranger external URL | URL used for Ranger | localhost:6080 | Optional |
| Ranger admin DB host | MySQL server instance for use by the Ranger Admin database host. (MySQL should be up and running at installation time.) | localhost | Mandatory |
| Ranger admin DB port | Port number for Ranger-Admin database server | 3306 | Mandatory |
| Ranger admin DB name | Ranger-Admin policy database name | ranger (default) | Mandatory |
| Ranger admin DB username | Ranger-Admin policy database username | rangeradmin (default) | Mandatory |
| Ranger admin DB password | Password for the Ranger admin DB user | RangerAdminPassW0Rd | Mandatory |
| Copy admin settings to audit | Use admin settings for audit database | Selected | |
| Ranger audit DB host | Host for Ranger Audit database. (MySQL should be up and running at installation time). This can be the same as the Ranger host, or you can specify a different server. | localhost | Mandatory |
| Ranger audit DB name | Ranger audit database name. This can be a different database in the same database server mentioned above. | ranger_audit (default) | Mandatory |
| Ranger audit DB port | Port number where Ranger-Admin runs audit service | 3306 | Mandatory |
| Ranger audit DB ROOT password | Database password for the Ranger audit DB username (required for audit database creation) | RangerAuditPassW0Rd | Mandatory |
| Ranger audit DB username | Database user that performs all audit logging operations from Ranger plugins | rangerlogger (default) | Mandatory |
| Ranger audit DB password | Database password for the Ranger audit DB username | RangerAuditPassW0Rd | Mandatory |
| Ranger LDAP AD domain | Active Directory Domain Name used for AD login | rangrad.net | Mandatory if authentication method is AD |
| Ranger LDAP AD URL | Active Directory LDAP URL for authentication of users | ldap://ad.rangerad.net:389 | Mandatory if authentication method is AD |
Click the Ranger Plugins tab in the middle of the HDP Setup Form.
Complete the following fields. These allow communication between Ranger-Admin and each plugin.
Table 2.7. Ranger-Admin and plugin communication configuration information
| Configuration Property Name | Description | Example Value | Mandatory/Optional/Conditional |
|---|---|---|---|
| Ranger Policy Admin URL | URL used within policy admin tool when a link to its own page is generated in the policy admin tool website | localhost:6080 | Optional |
| Knox agents: Ranger knox repository | The repository name used in Policy Admin Tool for defining policies for Knox | knoxdev | Mandatory if using Ranger on Knox |
| HDFS agents: Ranger HDFS repository | The repository name used in Policy Admin Tool for defining policies for HDFS | hadoopdev | Mandatory if using Ranger on HDFS |
| Storm agents: Ranger storm repository | The repository name used in Policy Admin Tool for defining policies for Storm | stormdev | Mandatory if using Ranger on Storm |
| Hive agents: Ranger hive repository | The repository name used in Policy Admin Tool for defining policies for Hive | hivedev | Mandatory if using Ranger on Hive |
| HBase agents: Ranger hbase repository | The repository name used in Policy Admin Tool for defining policies for HBase | hbasedev | Mandatory if using Ranger on HBase |
Click the User/Group Sync Process tab in the middle of the HDP Setup Form.
Complete the following fields.
Add the Ranger-Admin host URL to Ranger User/Group Sync; this enables communication between Ranger-Admin and the User-Sync service.
Set appropriate values for the other parameters based on sync source:
If users will be synchronized from an LDAP server, supply LDAP server credentials and all properties associated with synchronizing users and groups from the LDAP server.
If users will be synchronized with an Active Directory, supply Active Directory credentials and all properties associated with synchronizing users and groups via Active Directory.
Table 2.8. Ranger LDAP configuration information
| Configuration Property Name | Description | Example Value | Mandatory/Optional/Conditional |
|---|---|---|---|
| Ranger host | Hostname of the host where Ranger-Admin and Ranger-UserSync services will be installed | WIN-Q0EOPEACTR1 | Mandatory |
| Ranger sync interval | Specifies the interval (in minutes) between synchronization cycles. Note: the second sync cycle will NOT start until the first sync cycle is complete. | 5 | Mandatory |
| Ranger sync LDAP search base | Search base for users | ou=users, dc=hadoop, dc=apache, dc=org | Mandatory |
| Ranger sync LDAP URL | LDAP URL for synchronizing users | ldap://ldap.example.com:389 | Mandatory |
| Ranger sync LDAP bind DN | LDAP bind DN used to connect to LDAP and query for users and groups. This must be a user with admin privileges to search the directory for users/groups. | cn=admin,ou=users, dc=hadoop,dc=apache, dc=org | Mandatory |
| Ranger sync LDAP bind password | Password for the LDAP bind DN | LdapAdminPassW0Rd | Mandatory |
| Ranger sync LDAP user search scope | Scope for user search | base, one, and sub are supported values | Mandatory |
| Ranger sync LDAP user object class | Object class to identify user entries | person (default) | Mandatory |
| Ranger sync LDAP user search filter | Additional filter constraining the users selected for syncing | [objectcategory=person] | Optional |
| Ranger sync LDAP user name attribute | Attribute from user entry that will be treated as username | cn (default) | Mandatory |
| Ranger sync LDAP user group name attribute | Attribute from user entry whose values will be treated as group values to be pushed into the Policy Manager database. | One or more attribute names separated by commas, such as: memberof,ismemberof | Mandatory |
| Ranger sync LDAP username case conversion | Convert all usernames to lowercase or uppercase | none: no conversion; keep as-is in SYNC_SOURCE. lower: (default) convert to lowercase when saving usernames to the Ranger database. upper: convert to uppercase when saving usernames to the Ranger db. | Mandatory |
| Ranger sync LDAP group name case conversion | Convert all groupnames to lowercase or uppercase | (same as username case conversion) | Mandatory |
After specifying Ranger-UserSync properties, make sure that the following properties are defined on other tabs:
On the Additional Components tab, set the Ranger authentication method to LDAP, Active Directory, or None, based on your synchronization source.
On the Ranger Policy Admin tab, make sure that you have specified Authentication Properties.
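A pre-flight check for the values entered on the User/Group Sync Process tab, as an added example that is not part of the original guide or of Ranger itself: it flags the documentation's example passwords, an unencrypted LDAP URL, malformed DN components, and values outside the supported sets. The dictionary layout keyed by the field labels, and the names `check_sync_settings`, `bad_dn` and `SAMPLE`, are assumptions made for this example.

```python
import re
from urllib.parse import urlparse
# Example passwords printed in the tables above; they must not reach a real cluster.
DOCUMENTED_PASSWORDS = {"RangerAdminPassW0Rd", "RangerAuditPassW0Rd", "LdapAdminPassW0Rd"}
SCOPES = {"base", "one", "sub"}
CASE_CONVERSIONS = {"none", "lower", "upper"}
# Simplified DN component check: attribute=value, no escaped commas.
RDN = re.compile(r"^\s*[A-Za-z][A-Za-z0-9-]*\s*=\s*[^=,]+$")

def bad_dn(dn):
    return [part.strip() for part in dn.split(",") if not RDN.match(part)]

def check_sync_settings(cfg):
    """Return findings for a dict keyed by the Table 2.8 field labels (assumed layout)."""
    findings = []
    for label, value in cfg.items():
        if "password" in label.lower() and value in DOCUMENTED_PASSWORDS:
            findings.append(f"{label}: documentation example password in use")
    url = urlparse(cfg.get("Ranger sync LDAP URL", ""))
    if url.scheme not in ("ldap", "ldaps") or not url.hostname:
        findings.append("Ranger sync LDAP URL: not an ldap:// or ldaps:// URL")
    elif url.scheme == "ldap":
        findings.append("Ranger sync LDAP URL: ldap:// is unencrypted unless StartTLS is used")
    for label in ("Ranger sync LDAP bind DN", "Ranger sync LDAP search base"):
        for part in bad_dn(cfg.get(label, "")):
            findings.append(f"{label}: malformed component {part!r}")
    if cfg.get("Ranger sync LDAP user search scope") not in SCOPES:
        findings.append("Ranger sync LDAP user search scope: must be base, one or sub")
    for label in ("Ranger sync LDAP username case conversion",
                  "Ranger sync LDAP group name case conversion"):
        if cfg.get(label, "lower") not in CASE_CONVERSIONS:
            findings.append(f"{label}: must be none, lower or upper")
    interval = str(cfg.get("Ranger sync interval", ""))
    if not interval.isdecimal() or int(interval) < 1:
        findings.append("Ranger sync interval: must be a whole number of minutes")
    return findings

# Constructed sample: field labels from Table 2.8, values made up to trip the checks.
SAMPLE = {
    "Ranger sync interval": "5",
    "Ranger sync LDAP search base": "ou=users,dc=hadoop,dc=apache,dc=org",
    "Ranger sync LDAP URL": "ldap://ldap.example.com:389",
    "Ranger sync LDAP bind DN": "cn=admin,ou=users,dc=hadoop,dc=apache,dc-org",
    "Ranger sync LDAP bind password": "LdapAdminPassW0Rd",
    "Ranger sync LDAP user search scope": "subtree",
}

if __name__ == "__main__":
    print("\n".join(check_sync_settings(SAMPLE)))
```

Run it against the values you intend to enter before submitting the form; an empty result means none of these checks fired.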