5. Set Ranger Properties

(Optional) To configure Ranger using the Setup GUI, complete the following steps.

  1. Enable Ranger from the Additional components tab, and specify its authentication method.

  2. Click the Ranger Policy Admin tab in the middle of the HDP Setup Form.

  3. Enter host information, credentials for the database that stores policies, Admin user credentials, and Audit user credentials.

     

    Table 2.6. Ranger configuration property information

    | Configuration Property Name | Description | Example Value | Mandatory/Optional/Conditional |
    |---|---|---|---|
    | Ranger host | Hostname of the host where Ranger-Admin and Ranger-UserSync services will be installed | WIN-Q0EOPEACTR1 | Mandatory |
    | Ranger external URL | URL used for Ranger | localhost:6080 | Optional |
    | Ranger admin DB host | MySQL server instance for use by the Ranger Admin database host. (MySQL should be up and running at installation time.) | localhost | Mandatory |
    | Ranger admin DB port | Port number for Ranger-Admin database server | 3306 | Mandatory |
    | Ranger admin DB name | Ranger-Admin policy database name | ranger (default) | Mandatory |
    | Ranger admin DB username | Ranger-Admin policy database username | rangeradmin (default) | Mandatory |
    | Ranger admin DB password | Password for the Ranger admin DB user | RangerAdminPassW0Rd | Mandatory |
    | Copy admin settings to audit | Use admin settings for audit database | Selected | |
    | Ranger audit DB host | Host for Ranger Audit database. (MySQL should be up and running at installation time). This can be the same as the Ranger host, or you can specify a different server. | localhost | Mandatory |
    | Ranger audit DB name | Ranger audit database name. This can be a different database in the same database server mentioned above. | ranger_audit (default) | Mandatory |
    | Ranger audit DB port | Port number where Ranger-Admin runs audit service | 3306 | Mandatory |
    | Ranger audit DB ROOT password | Database password for the Ranger audit DB username (required for audit database creation) | RangerAuditPassW0Rd | Mandatory |
    | Ranger audit DB username | Database user that performs all audit logging operations from Ranger plugins | rangerlogger (default) | Mandatory |
    | Ranger audit DB password | Database password for the Ranger audit DB username | RangerAuditPassW0Rd | Mandatory |
    | Ranger LDAP AD domain | Active Directory Domain Name used for AD login | rangrad.net | Mandatory if authentication method is AD |
    | Ranger LDAP AD URL | Active Directory LDAP URL for authentication of users | ldap://ad.rangerad.net:389 | Mandatory if authentication method is AD |


  4. Click the Ranger Plugins tab in the middle of the HDP Setup Form.

  5. Complete the following fields. These allow communication between Ranger-Admin and each plugin.

     

    Table 2.7. Ranger-Admin and plugin communication configuration information

    | Configuration Property Name | Description | Example Value | Mandatory/Optional/Conditional |
    |---|---|---|---|
    | Ranger Policy Admin URL | URL used within policy admin tool when a link to its own page is generated in the policy admin tool website | localhost:6080 | Optional |
    | Knox agents: Ranger knox repository | The repository name used in Policy Admin Tool for defining policies for Knox | knoxdev | Mandatory if using Ranger on Knox |
    | HDFS agents: Ranger HDFS repository | The repository name used in Policy Admin Tool for defining policies for HDFS | hadoopdev | Mandatory if using Ranger on HDFS |
    | Storm agents: Ranger storm repository | The repository name used in Policy Admin Tool for defining policies for Storm | stormdev | Mandatory if using Ranger on Storm |
    | Hive agents: Ranger hive repository | The repository name used in Policy Admin Tool for defining policies for Hive | hivedev | Mandatory if using Ranger on Hive |
    | HBase agents: Ranger hbase repository | The repository name used in Policy Admin Tool for defining policies for HBase | hbasedev | Mandatory if using Ranger on HBase |


  6. Click the User/Group Sync Process tab in the middle of the HDP Setup Form.

  7. Complete the following fields.

    1. Add the Ranger-Admin host URL to Ranger User/Group Sync; this enables communication between Ranger-Admin and the User-Sync service.

    2. Set appropriate values for the other parameters based on sync source:

      • If users will be synchronized from an LDAP server, supply LDAP server credentials and all properties associated with synchronizing users and groups from the LDAP server.

      • If users will be synchronized with an Active Directory, supply Active Directory credentials and all properties associated with synchronizing users and groups via Active Directory.

     

    Table 2.8. Ranger LDAP configuration information

    | Configuration Property Name | Description | Example Value | Mandatory/Optional/Conditional |
    |---|---|---|---|
    | Ranger host | Hostname of the host where Ranger-Admin and Ranger-UserSync services will be installed | WIN-Q0EOPEACTR1 | Mandatory |
    | Ranger sync interval | Specifies the interval (in minutes) between synchronization cycles. Note: the second sync cycle will NOT start until the first sync cycle is complete. | 5 | Mandatory |
    | Ranger sync LDAP search base | Search base for users | ou=users, dc=hadoop, dc=apache, dc=org | Mandatory |
    | Ranger sync LDAP URL | LDAP URL for synchronizing users | ldap://ldap.example.com:389 | Mandatory |
    | Ranger sync LDAP bind DN | LDAP bind DN used to connect to LDAP and query for users and groups. This must be a user with admin privileges to search the directory for users/groups. | cn=admin,ou=users, dc=hadoop,dc=apache, dc=org | Mandatory |
    | Ranger sync LDAP bind password | Password for the LDAP bind DN | LdapAdminPassW0Rd | Mandatory |
    | Ranger sync LDAP user search scope | Scope for user search | base, one, and sub are supported values | Mandatory |
    | Ranger sync LDAP user object class | Object class to identify user entries | person (default) | Mandatory |
    | Ranger sync LDAP user search filter | Additional filter constraining the users selected for syncing | [objectcategory=person] | Optional |
    | Ranger sync LDAP user name attribute | Attribute from user entry that will be treated as username | cn (default) | Mandatory |
    | Ranger sync LDAP user group name attribute | Attribute from user entry whose values will be treated as group values to be pushed into the Policy Manager database. | One or more attribute names separated by commas, such as: memberof,ismemberof | Mandatory |
    | Ranger sync LDAP username case conversion | Convert all usernames to lowercase or uppercase | none: no conversion; keep as-is in SYNC_SOURCE. lower: (default) convert to lowercase when saving usernames to the Ranger database. upper: convert to uppercase when saving usernames to the Ranger db. | Mandatory |
    | Ranger sync LDAP group name case conversion | Convert all groupnames to lowercase or uppercase | (same as username case conversion) | Mandatory |


  8. After specifying Ranger-UserSync properties, make sure that the following properties are defined on other tabs:

    • On the Additional Components tab, set the Ranger authentication method to LDAP, Active Directory, or None, based on your synchronization source.

    • On the Ranger Policy Admin tab, make sure that you have specified Authentication Properties.
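
As an added example (not part of the original guide or of Ranger itself), this Python check reviews the User/Group Sync values from Table 2.8 before they are entered in the form: DN syntax, the allowed scope and case-conversion values, an LDAP URL without TLS, and documentation example passwords left in place. The dictionary keys are the GUI field names from the table; `check_usersync`, `dn_problem` and `SAMPLE` are hypothetical names.

```python
import re
from urllib.parse import urlparse

# Example passwords printed in this guide's tables; they must never reach a real cluster.
DOC_EXAMPLE_PASSWORDS = {"RangerAdminPassW0Rd", "RangerAuditPassW0Rd", "LdapAdminPassW0Rd"}
RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")  # one DN component: attribute=value

def dn_problem(dn):
    """Return the first malformed component of a DN, or None if every component parses."""
    parts = [p.strip() for p in re.split(r"(?<!\\),", dn)]  # split on unescaped commas
    return next((p for p in parts if not RDN.match(p)), None)

def check_usersync(s):
    """Return a list of (field, problem) tuples for a dict keyed by GUI field name."""
    out = []
    if not re.fullmatch(r"[1-9][0-9]*", str(s.get("Ranger sync interval", ""))):
        out.append(("Ranger sync interval", "must be a whole number of minutes >= 1"))
    url = urlparse(s.get("Ranger sync LDAP URL", ""))
    if url.scheme not in ("ldap", "ldaps") or not url.hostname:
        out.append(("Ranger sync LDAP URL", "expected ldap://host:port or ldaps://host:port"))
    elif url.scheme == "ldap":
        out.append(("Ranger sync LDAP URL", "ldap:// without StartTLS sends the bind password in clear text"))
    for field in ("Ranger sync LDAP search base", "Ranger sync LDAP bind DN"):
        bad = dn_problem(s.get(field, ""))
        if bad is not None:
            out.append((field, "malformed DN component: %r" % bad))
    if s.get("Ranger sync LDAP user search scope") not in ("base", "one", "sub"):
        out.append(("Ranger sync LDAP user search scope", "must be base, one or sub"))
    for field in ("Ranger sync LDAP username case conversion", "Ranger sync LDAP group name case conversion"):
        if s.get(field, "lower") not in ("none", "lower", "upper"):  # lower is the documented default
            out.append((field, "must be none, lower or upper"))
    if s.get("Ranger sync LDAP bind password") in DOC_EXAMPLE_PASSWORDS:
        out.append(("Ranger sync LDAP bind password", "documentation example password still in use"))
    return out

SAMPLE = {  # constructed input: the guide's example values, with a malformed last DN component
    "Ranger sync interval": "5",
    "Ranger sync LDAP URL": "ldap://ldap.example.com:389",
    "Ranger sync LDAP search base": "ou=users, dc=hadoop, dc=apache, dc=org",
    "Ranger sync LDAP bind DN": "cn=admin,ou=users,dc=hadoop,dc=apache,dc-org",
    "Ranger sync LDAP bind password": "LdapAdminPassW0Rd",
    "Ranger sync LDAP user search scope": "sub",
    "Ranger sync LDAP username case conversion": "lower",
    "Ranger sync LDAP group name case conversion": "lower",
}

if __name__ == "__main__":
    print(*check_usersync(SAMPLE), sep="\n")
```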

