Installing Ranger Plug-ins
The following sections describe how to install Ranger plugins.
Installing the Ranger HDFS Plug-in
The Ranger HDFS plugin helps to centralize HDFS authorization policies.
This section describes how to create an HDFS repository and install the HDFS plug-in.
Install the HDFS Plug-in
Create an HDFS repository in the Ranger Policy Manager. To do this, complete the HDFS Create Repository screen, as described in the "HDFS Repository Configuration" section of the Apache Ranger User Guide.
Make a note of the name you gave to this repository; you will need to use it again during HDFS plug-in setup.
At all servers where NameNode is installed, install the HDFS plug-in by following the steps listed below:
Go to the home directory of the HDFS plug-in:
/usr/hdp/<version>/ranger-hdfs-plugin
Edit the following HDFS-related properties in the install.properties file:
Table 13.3. HDFS-Related Properties to Edit in the install.properties File
Configuration Property Name
Default/Example Value
Required?
Policy Admin Tool
POLICY_MGR-URL URL for policy admin
http://policymanager.xasecure.net:6080
Y
REPOSITORY_NAME The repository name used in Policy Admin Tool for defining policies
hadoopdev
Y
Audit Database
SQL_CONNECTOR_JAR Path to SQL connector JAR. DB driver location for Mysql, If Oracle db is used, copy the oracle jdbc driver to file, /usr/share/java/ojdbc6.jar ** In Windows, only MySQL is supported.
/usr/share/java/mysql-connector-java.jar (default0
Y
XAAUDIT.DB.IS_ENABLEDEnable or disable database audit logging.
Note: If this property is set to FALSE, Ranger will not store audit logs in the audit DB, and audit logs will not be visible in the Ranger UI. If you would like to access audit logs from the UI, set this value to TRUE.
FALSE (default), TRUE
Y
XAAUDIT.DB.FLAVOUR Specifies the type of database used for audit logging (MYSQL,ORACLE)
MYSQL (default)
Y
XAAUDIT.DB.HOSTNAME Hostname of the audit database server
localhost
Y
XAAUDIT.DB.DATABASE_NAME Audit database name
ranger_audit
Y
XAAUDIT.DB.USER_NAME Username used for performing audit log inserts (should be same username used in the ranger-admin installation process)
rangerlogger
Y
XAAUDIT.DB.PASSWORD database password associated with the above database user - for db audit logging
rangerlogger
Y
HDFS Audit
XAAUDIT.HDFS.IS_ENABLED Flag to enable/disable hdfs audit logging.If the hdfs audit logging is turned off, it will not log any access control to hdfs
Y
XAAUDIT.HDFS.DESTINATION _DIRECTORY HDFS directory where the audit log will be stored
hdfs://__REPLACE__NAME_NODE_HOST:8020/ (format) hdfs://namenode.mycompany.com:8020/ranger/audit/%app-type%/%time:yyyyMMdd%
Y
XAAUDIT.HDFS.LOCAL_BUFFER _DIRECTORY Local directory where the audit log will be saved for intermediate storage
hdfs://__REPLACE__NAME_NODE_HOST:8020/ (format) /var/log/%app-type%/audit
Y
XAAUDIT.HDFS.LOCAL_ARCHIVE _DIRECTORY Local directory where the audit log will be archived after it is moved to hdfs
__REPLACE__LOG_DIR%app-type%/audit/archive (format) /var/log/%app-type%/audit/archive
Y
XAAUDIT.HDFS.DESTINATION_FILE hdfs audit file name (format)
%hostname%-audit.log (default)
Y
XAAUDIT.HDFS.DESTINATION _FLUSH_INTERVAL_SECONDS hdfs audit log file writes are flushed to HDFS at regular flush interval
900
Y
XAAUDIT.HDFS.DESTINATION _ROLLOVER_INTERVAL_SECONDS hdfs audit log file is rotated to write to a new file at a rollover interval specified here
86400
Y
XAAUDIT.HDFS.DESTINATION _OPEN_RETRY_INTERVAL_SECONDS hdfs audit log open() call is failed, it will be re-tried at this interval
60
Y
XAAUDIT.HDFS.LOCAL_BUFFER _FILE Local filename used to store in audit log (format)
%time:yyyyMMdd-HHmm.ss%.log (default)
Y
XAAUDIT.HDFS.LOCAL_BUFFER _FLUSH_INTERVAL_SECONDS Local audit log file writes are flushed to filesystem at regular flush interval
60
Y
XAAUDIT.HDFS.LOCAL_BUFFER _ROLLOVER_INTERVAL_SECONDS Local audit log file is rotated to write to a new file at a rollover interval specified here
600
Y
XAAUDIT.HDFS.LOCAL_ARCHIVE _MAX_FILE_COUNT The maximum number of local audit log files will be kept in the archive directory
10
Y
SSL Information (https connectivity to Policy Admin Tool)
SSL_KEYSTORE_FILE_PATH Java Keystore Path where SSL key for the plugin is stored. Is used only if SSL is enabled between Policy Admin Tool and Plugin; If SSL is not Enabled, leave the default value as it is - do not set as EMPTY if SSL not used
/etc/hadoop/conf/ranger-plugin-keystore.jks (default)
Only if SSL is enabled
SSL_KEYSTORE_PASSWORD Password associated with SSL Keystore. Is used only if SSL is enabled between Policy Admin Tool and Plugin; If SSL is not Enabled, leave the default value as it is - do not set as EMPTY if SSL not used
none (default)
Only if SSL is enabled
SSL_TRUSTSTORE_FILE_PATH Java Keystore Path where the trusted certificates are stored for verifying SSL connection to Policy Admin Tool. Is used only if SSL is enabled between Policy Admin Tool and Plugin; If SSL is not Enabled, leave the default value as it is - do not set as EMPTY if SSL not used
/etc/hadoop/conf/ranger-plugin-truststore.jks (default)
Only if SSL is enabled
SSL_TRUSTSTORE_PASSWORD Password associated with Truststore file. Is used only if SSL is enabled between Policy Admin Tool and Plugin; If SSL is not Enabled, leave the default value as it is - do not set as EMPTY if SSL not used
none (default)
Only if SSL is enabled
To enable the HDFS plug-in, run the following commands:
cd /usr/hdp/<version>/ranger-hdfs-plugin
./enable-hdfs-plugin.sh
To confirm that installation and configuration are complete, go to the Audit Tab of the Ranger Admin Console and check Agents. You should see HDFS listed there.
Installing the Ranger HBase Plug-in
The Ranger HBase Plug-in integrates with HBase to enforce authorization policies.
This section describes how to install the HBase plug-in:
Create an HBase repository
Install the HBase plug-in and configure related HBase properties
Enable the HBase plug-in
Restart HBase
Install the HBase Plug-in
Create an HBase repository in the Ranger Policy Manager. To do this, complete the HBase Create Repository screen, as described in the "HBase Repository Configuration" section of the Apache Ranger User Guide.
Make a note of the name you gave to this repository; you will use it again during HBase plug-in setup.
At all servers where the HBase Master and RegionServers are installed, install and configure the HBase plug-in, as follows:
Go to the home directory of the HBase plug-in:
/usr/hdp/<version>/ranger-hbase-plugin
Edit the following HBase-related properties in the install.properties file:
Table 13.4. HBase Properties to Edit in the install.properties File
Configuration Property Name
Default/Example Value
Required?
Policy Admin Tool
POLICY_MGR-URL URL for policy admin
http://policymanager.xasecure.net:6080
Y
REPOSITORY_NAME The repository name used in Policy Admin Tool for defining policies
hbasedev
Y
Audit Database
SQL_CONNECTOR_JAR Path to SQL connector JAR. DB driver location for Mysql, If Oracle db is used, copy the oracle jdbc driver to file, /usr/share/java/ojdbc6.jar ** In Windows, only MySQL is supported.
/usr/share/java/mysql-connector-java.jar (default)
Y
XAAUDIT.DB.IS_ENABLEDEnable or disable database audit logging.
Note: If this property is set to FALSE, Ranger will not store audit logs in the audit DB, and audit logs will not be visible in the Ranger UI. If you would like to access audit logs from the UI, set this value to TRUE.
FALSE (default)
Y
XAAUDIT.DB.FLAVOUR Specifies the type of database used for audit logging (MYSQL,ORACLE)
MYSQL (default)
Y
XAAUDIT.DB.HOSTNAME Hostname of the audit database server
localhost
Y
XAAUDIT.DB.DATABASE_NAME Audit database name
ranger_audit
Y
XAAUDIT.DB.USER_NAME Username used for performing audit log inserts (should be same username used in the ranger-admin installation process)
rangerlogger
Y
XAAUDIT.DB.PASSWORD Database password associated with the above database user - for db audit logging
rangerlogger
Y
HDFS Audit
XAAUDIT.HDFS.IS_ENABLED Flag to enable/disable hdfs audit logging.If the hdfs audit logging is turned off, it will not log any access control to hdfs
TRUE
Y
XAAUDIT.HDFS.DESTINATION _DIRECTORY HDFS directory where the audit log will be stored
hdfs://__REPLACE__NAME_NODE_HOST:8020/ranger/audit/%app-type%/%time:yyyyMMdd% (format) hdfs://namenode.mycompany.com:8020/ranger/audit/%app-type%/%time:yyyyMMdd%
Y
XAAUDIT.HDFS.LOCAL _BUFFER_DIRECTORY Local directory where the audit log will be saved for intermediate storage
__REPLACE__LOG_DIR/%app-type%/audit (format) /var/tmp/%app-type%/audit
Y
XAAUDIT.HDFS.LOCAL _ARCHIVE_DIRECTORY Local directory where the audit log will be archived after it is moved to hdfs
__REPLACE__LOG_DIR/%app-type%/audit/archive (format) /var/tmp/%app-type%/audit/archive
Y
XAAUDIT.HDFS.DESTINATION_FILE HDFS audit file name (format)
%hostname%-audit.log (default)
Y
XAAUDIT.HDFS.DESTINATION _FLUSH_INTERVAL_SECONDS HDFS audit log file writes are flushed to HDFS at regular flush interval
900
Y
XAAUDIT.HDFS.DESTINATION _ROLLOVER_INTERVAL_SECONDS HDFS audit log file is rotated to write to a new file at a rollover interval specified here
86400
Y
XAAUDIT.HDFS.DESTINATION _OPEN_RETRY_INTERVAL_SECONDS If HDSF audit log open() call fails, it will be re-tried at this interval
60
Y
XAAUDIT.HDFS.LOCAL _BUFFER_FILE Local filename used to store in audit log (format)
%time:yyyyMMdd-HHmm.ss%.log (default)
Y
XAAUDIT.HDFS.LOCAL_BUFFER _FLUSH_INTERVAL_SECONDS Interval that local audit log file writes are flushed to filesystem
60
Y
XAAUDIT.HDFS.LOCAL_BUFFER _ROLLOVER_INTERVAL_SECONDS Interval that local audit log file is rolled over (rotated to write to a new file)
600
Y
XAAUDIT.HDFS.LOCAL_ARCHIVE _MAX_FILE_COUNT The maximum number of local audit log files will be kept in the archive directory
10
Y
SSL_KEYSTORE_FILE_PATH Java Keystore Path where SSL key for the plugin is stored. Used only if SSL is enabled between Policy Admin Tool and Plugin. If SSL is not enabled, leave the default value as it is (should not be set as EMPTY).
/etc/hbase/conf/ranger-plugin-keystore.jks (default)
Y, if SSL is enabled
SSL_KEYSTORE_PASSWORD Password associated with SSL Keystore. Used only if SSL is enabled between Policy Admin Tool and Plugin. If SSL is not Enabled, leave the default value as it is (should not be set as EMPTY).
myKeyFilePassword (default)
Y, if SSL is enabled
SSL_TRUSTSTORE_FILE_PATH Java Keystore Path where the trusted certificates are stored for verifying SSL connection to Policy Admin Tool. Used only if SSL is enabled between Policy Admin Tool and Plugin. If SSL is not enabled, leave the default value as it is (should not be set as EMPTY).
/etc/hbase/conf/ranger-plugin-truststore.jks (default)
Y, if SSL is enabled
SSL_TRUSTSTORE_PASSWORD Password associated with Truststore file. Used only if SSL is enabled between Policy Admin Tool and Plugin. If SSL is not Enabled, leave the default value as it is (should not be set as EMPTY).
changeit (default)
Y, if SSL is enabled
HBase GRANT/REVOKE Commands
UPDATE_XAPOLICIES_ON_GRANT_RE VOKE Provide ability for XAAgent to update the policies based on the GRANT/REVOKE commands from the HBase client
TRUE (default)
Y
To enable the HBase plug-in, enter the following commands:
cd /usr/hdp/<version>l/ranger-hbase-plugin
./enable-hbase-plugin.sh
Restart HBase.
To confirm that installation and configuration are complete, go to the Audit Tab of the Ranger Admin Console and check Agents. You should see HBase listed there.
Installing the Ranger Hive Plug-in
The Ranger Hive plugin integrates with Hive to enforce authorization policies.
Note | |
---|---|
The Ranger plugin for HIve only needs to be set up for HiveServer2. For Hive clients, it is recommended that you protect data using HDFS policies in Ranger. Do not install or set up Ranger plugins on individual Hive client machines. |
This section describes how to install the Ranger Hive plug-in:
Create a Hive repository
Install the Hive plug-in and configure related Hive properties
Enable the Hive plug-in
Restart Hive
Install the Hive Plug-in
Create a Hive repository. To create the Hive repository, complete the Hive Create Repository screen as described in the "Hive Repository Configuration" section of the Apache Ranger User Guide.
Make a note of the name you gave to this repository; you will need to use it again during Hive plug-in setup.
At the server where HiveServer2 is installed, install the Hive plug-in:
Go to the home directory of the Hive plug-in:
cd /usr/hdp/<version>/ranger-hive-plugin
Edit the following Hive-related properties in the install.properties file:
Table 13.5. Hive-Related Properties to Edit in the install.properties File
Configuration Property Name
Default/Example Value
Required?
Policy Admin Tool
POLICY_MGR-URL URL for policy admin
http://policymanager.xasecure.net:6080
Y
REPOSITORY_NAME The repository name used in Policy Admin Tool for defining policies
hivedev
Y
Audit Database
SQL_CONNECTOR_JAR Path to SQL connector JAR. DB driver location for Mysql, If Oracle db is used, copy the oracle jdbc driver to file, /usr/share/java/ojdbc6.jar ** Windows supports only MySQL
/usr/share/java/mysql-connector-java.jar (default)
Y
XAAUDIT.DB.IS_ENABLED Enable or disable database audit logging.
Note: If this property is set to FALSE, Ranger will not store audit logs in the audit DB, and audit logs will not be visible in the Ranger UI. If you would like to access audit logs from the UI, set this value to TRUE.
FALSE (default) TRUE
Y
XAAUDIT.DB.FLAVOUR pecifies the type of database used for audit logging (MYSQL,ORACLE)
MYSQL (default)
Y
XAAUDIT.DB.HOSTNAME Hostname of the audit database server
localhost
Y
XAAUDIT.DB.DATABASE_NAME Audit database name
ranger_audit
Y
XAAUDIT.DB.USER_NAME Username used for performing audit log inserts (should be same username used in the ranger-admin installation process)
rangerlogger
Y
XAAUDIT.DB.PASSWORD database password associated with the above database user - for db audit logging
rangerlogger
Y
HDFS Audit
XAAUDIT.HDFS.IS_ENABLED Flag to enable/disable hdfs audit logging.If the hdfs audit logging is turned off, it will not log any access control to hdfs
Y
XAAUDIT.HDFS.DESTINATION _DIRECTORY HDFS directory where the audit log will be stored
hdfs://__REPLACE__NAME_NODE_HOST:8020/ranger/audit/%app-type%/%time:yyyyMMdd% (format) hdfs://namenode.mycompany.com:8020/ranger/audit/%app-type%/%time:yyyyMMdd%
Y
XAAUDIT.HDFS.LOCAL_BUFFER _DIRECTORY Local directory where the audit log will be saved for intermediate storage
__REPLACE__LOG_DIR/%app-type%/audit (format) /var/tmp/%app-type%/audit
Y
XAAUDIT.HDFS.LOCAL_ARCHIVE _DIRECTORY Local directory where the audit log will be archived after it is moved to hdfs
__REPLACE__LOG_DIR/%app-type%/audit (format) /var/tmp/%app-type%/audit/archive
Y
XAAUDIT.HDFS.DESTINATION_FILE hdfs audit file name (format)
%hostname%-audit.log (default)
Y
XAAUDIT.HDFS.DESTINATION _FLUSH_INTERVAL_SECONDS hdfs audit log file writes are flushed to HDFS at regular flush interval
900
Y
XAAUDIT.HDFS.DESTINATION _ROLLOVER_INTERVAL_SECONDS hdfs audit log file is rotated to write to a new file at a rollover interval specified here
86400
Y
XAAUDIT.HDFS.DESTINATION _OPEN_RETRY_INTERVAL_SECONDS hdfs audit log open() call is failed, it will be re-tried at this interval
60
Y
XAAUDIT.HDFS.LOCAL_BUFFER _FILE Local filename used to store in audit log (format)
%time:yyyyMMdd-HHmm.ss%.log (default)
Y
XAAUDIT.HDFS.LOCAL_BUFFER _FLUSH_INTERVAL_SECONDS Local audit log file writes are flushed to filesystem at regular flush interval
60
Y
XAAUDIT.HDFS.LOCAL_BUFFER _ROLLOVER_INTERVAL_SECONDS Local audit log file is rotated to write to a new file at a rollover interval specified here
600
Y
XAAUDIT.HDFS.LOCAL_ARCHIVE _MAX_FILE_COUNT The maximum number of local audit log files will be kept in the archive directory
10
Y
SSL Information (https connectivity to Policy Admin Tool)
SSL_KEYSTORE_FILE_PATH Java Keystore Path where SSL key for the plugin is stored. Is used only if SSL is enabled between Policy Admin Tool and Plugin; If SSL is not Enabled, leave the default value as it is - do not set as EMPTY if SSL not used
/etc/hive/conf/ranger-plugin-keystore.jks (default)
If SSL is enabled
SSL_KEYSTORE_PASSWORD Password associated with SSL Keystore. Is used only if SSL is enabled between Policy Admin Tool and Plugin; If SSL is not Enabled, leave the default value as it is - do not set as EMPTY if SSL not used
none (default)
If SSL is enabled
SSL_TRUSTSTORE_FILE_PATH Java Keystore Path where the trusted certificates are stored for verifying SSL connection to Policy Admin Tool. Is used only if SSL is enabled between Policy Admin Tool and Plugin; If SSL is not Enabled, leave the default value as it is - do not set as EMPTY if SSL not used
/etc/hive/conf/ranger-plugin-truststore.jks (default)
If SSL is enabled
SSL_TRUSTSTORE_PASSWORD Password associated with Truststore file. Is used only if SSL is enabled between Policy Admin Tool and Plugin; If SSL is not Enabled, leave the default value as it is - do not set as EMPTY if SSL not used
none (default)
If SSL is enabled
Hive GRANT/REVOKE Command Handling
UPDATE_XAPOLICIES_ON_GRANT _REVOKE Provide ability for XAAgent to update the policies based on the grant/revoke commands from the Hive beeline client
TRUE (default)
Y
To enable the Hive plug-in, enter the following commands:
cd /usr/hdp/<version>/ranger-hive-plugin
./enable-hive-plugin.sh
Restart Hive.
To confirm that installation and configuration are complete, go to the Audit Tab of the Ranger Admin Console and check Agents. You should see Hive listed there.
Installing the Ranger Knox Plug-in
The Ranger Knox plugin integrates with Knox to enforce authorization policies.
This section describes how to install the Knox plug-in:
Create a Knox repository
Install the Knox plug-in and configure related Hive properties
Enable the Knox plug-in
Restart Knox
Instructions assume that Knox has already been installed, as described in "Installing Knox."
Install the Knox Plug-in
Create a Knox repository. To do this, complete the Knox Create Repository screen as described in the "Knox Repository Configuration" section of the Apache Ranger User Guide.
Set the URL to https://knox_host:8443/gateway/admin/api/v1/topologies, where knox_host is the full-qualified name of your Knox host machine.
Make a note of the name you gave to this repository; you will need to use it again during Knox plug-in setup.
At all servers where Knox Gateway is installed, install the Knox plug-in:
Go to the home directory of the Knox plug-in:
/usr/hdp/<version>/ranger-knox-plugin
Edit the following Knox-related properties in the install.properties file:
Table 13.6. Knox-Related Properties to Edit in the install.properties File
Configuration Property Name
Default/Example Value
Mandatory?
Policy Admin Tool
POLICY_MGR-URL URL for policy admin
http://policymanager.xasecure.net:6080
Y
REPOSITORY_NAME The repository name used in Policy Admin Tool for defining policies
knoxdev
Y
Knox Component Installation
KNOX_HOME Home directory where Knox software is installed
/usr/hdp/current/knox
Y
Audit Database
SQL_CONNECTOR_JAR Path to SQL connector JAR. DB driver location for Mysql, If Oracle db is used, copy the oracle jdbc driver to file, /usr/share/java/ojdbc6.jar ** Only Mysql is supported in Windows.
/usr/share/java/mysql-connector-java.jar
Y
XAAUDIT.DB.IS_ENABLEDEnable or disable database audit logging.
Note: If this property is set to FALSE, Ranger will not store audit logs in the audit DB, and audit logs will not be visible in the Ranger UI. If you would like to access audit logs from the UI, set this value to TRUE.
true
Y
XAAUDIT.DB.FLAVOUR Specifies the type of database used for audit logging (MYSQL,ORACLE)
MYSQL
Y
XAAUDIT.DB.HOSTNAME Hostname of the audit database server
localhost
Y
XAAUDIT.DB.DATABASE_NAME Audit database name
ranger_audit
Y
XAAUDIT.DB.USER_NAME Username used for performing audit log inserts (should be same username used in the ranger-admin installation process)
rangerlogger
Y
XAAUDIT.DB.PASSWORD database password associated with the above database user - for db audit logging
rangerlogger
Y
HDFS Audit
XAAUDIT.HDFS.IS_ENABLED Flag to enable/disable hdfs audit logging.If the hdfs audit logging is turned off, it will not log any access control to hdfs
Y
XAAUDIT.HDFS.DESTINATION _DIRECTORY HDFS directory where the audit log will be stored
hdfs://namenode.mycompany.com:8020/ranger/audit/%app-type%/%time:yyyyMMdd%
Y
XAAUDIT.HDFS.LOCAL_BUFFER _DIRECTORY Local directory where the audit log will be saved for intermediate storage
/var/tmp/%app-type%/audit
Y
XAAUDIT.HDFS.LOCAL_ARCHIVE _DIRECTORY Local directory where the audit log will be archived after it is moved to hdfs
/var/tmp/%app-type%/audit/archive
Y
XAAUDIT.HDFS.DESTINATION_FILE hdfs audit file name (format)
%hostname%-audit.log
Y
XAAUDIT.HDFS.DESTINATION _FLUSH_INTERVAL_SECONDS hdfs audit log file writes are flushed to HDFS at regular flush interval
900
Y
XAAUDIT.HDFS.DESTINATION _ROLLOVER_INTERVAL_SECONDS hdfs audit log file is rotated to write to a new file at a rollover interval specified here
86400
Y
XAAUDIT.HDFS.DESTINATION _OPEN_RETRY_INTERVAL_SECONDS hdfs audit log open() call is failed, it will be re-tried at this interval
60
Y
XAAUDIT.HDFS.LOCAL_BUFFER _FILE Local filename used to store in audit log (format)
%time:yyyyMMdd-HHmm.ss%.log
Y
XAAUDIT.HDFS.LOCAL_BUFFER _FLUSH_INTERVAL_SECONDS Local audit log file writes are flushed to filesystem at regular flush interval
60
Y
XAAUDIT.HDFS.LOCAL_BUFFER _ROLLOVER_INTERVAL_SECONDS Local audit log file is rotated to write to a new file at a rollover interval specified here
600
Y
XAAUDIT.HDFS.LOCAL_ARCHIVE _MAX_FILE_COUNT The maximum number of local audit log files will be kept in the archive directory
10
Y
SSL (https connectivity to Policy Admin Tool)
SSL_KEYSTORE_FILE_PATH Java Keystore Path where SSL key for the plugin is stored. Is used only if SSL is enabled between Policy Admin Tool and Plugin; If SSL is not Enabled, leave the default value as it is - do not set as EMPTY if SSL not used
/etc/knox/conf/ranger-plugin-keystore.jks
If SSL is enabled
SSL_KEYSTORE_PASSWORD Password associated with SSL Keystore. Is used only if SSL is enabled between Policy Admin Tool and Plugin; If SSL is not Enabled, leave the default value as it is - do not set as EMPTY if SSL not used
myKeyFilePassword
If SSL is enabled
SSL_TRUSTSTORE_FILE_PATH Java Keystore Path where the trusted certificates are stored for verifying SSL connection to Policy Admin Tool. Is used only if SSL is enabled between Policy Admin Tool and Plugin; If SSL is not Enabled, leave the default value as it is - do not set as EMPTY if SSL not used
/etc/knox/conf/ranger-plugin-truststore.jks
If SSL is enabled
SSL_TRUSTSTORE_PASSWORD Password associated with Truststore file. Is used only if SSL is enabled between Policy Admin Tool and Plugin; If SSL is not Enabled, leave the default value as it is - do not set as EMPTY if SSL not used
changeit
If SSL is enabled
To enable the Knox plug-in, enter the following commands:
cd /usr/hdp/<version>/ranger-knox-plugin
./enable-knox-plugin.sh
Restart the Knox Gateway.
To confirm that installation and configuration are complete, go to the Audit Tab of the Ranger Admin Console and check Agents. You should see Knox listed there.
Installing the Ranger Storm Plug-in
The Ranger Storm plugin integrates with Storm to enforce authorization policies.
This section describes how to perform the following administrative tasks: It assumes that Storm has already been installed, as described in "Installing and Configuring Apache Storm" in this guide.
Create a Storm repository
Install the Storm plug-in and configure related Storm properties
Enable the Storm plug-in
Restart Storm
These steps assume that Storm has already been installed, as described in Installing and Configuring Apache Storm.
Install the Storm Plug-in
Create a Storm repository, as described in the "Storm Repository Configuration" section of the Apache Ranger User Guide.
Make a note of the name you gave to this repository; you will need to use it again during Storm plug-in setup.
On the Nimbus server, install the Storm plug-in:
Go to the home directory of the Storm plug-in:
/usr/hdp/<version>/ranger-storm-plugin
Edit the following Storm-related properties in the install.properties file:
Table 13.7. Storm-Related Properties to Edit in the install.properties File
Configuration Property Name
Default/Example Value
Mandatory?
Policy Admin Tool
POLICY_MGR-URL URL for policy admin
http://policymanager.xasecure.net:6080
Y
REPOSITORY_NAME The repository name used in Policy Admin Tool for defining policies
stormdev
Y
Audit Database
SQL_CONNECTOR_JAR Path to SQL connector JAR. DB driver location for Mysql, If Oracle db is used, copy the oracle jdbc driver to file, /usr/share/java/ojdbc6.jar ** Only Mysql is supported in Windows.
/usr/share/java/mysql-connector-java.jar (default)
Y
XAAUDIT.DB.IS_ENABLEDEnable or disable database audit logging.
Note: If this property is set to FALSE, Ranger will not store audit logs in the audit DB, and audit logs will not be visible in the Ranger UI. If you would like to access audit logs from the UI, set this value to TRUE.
false (default) true
Y
XAAUDIT.DB.FLAVOUR Specifies the type of database used for audit logging (MYSQL,ORACLE)
MYSQL (defalt)
Y
XAAUDIT.DB.HOSTNAME Hostname of the audit database server
localhost
Y
XAAUDIT.DB.DATABASE_NAME Audit database name
ranger_audit
Y
XAAUDIT.DB.USER_NAME Username used for performing audit log inserts (should be same username used in the ranger-admin installation process)
rangerlogger
Y
XAAUDIT.DB.PASSWORD database password associated with the above database user - for db audit logging
rangerlogger
Y
HDFS Audit
XAAUDIT.HDFS.IS_ENABLED Flag to enable/disable hdfs audit logging.If the hdfs audit logging is turned off, it will not log any access control to hdfs
false
Y
XAAUDIT.HDFS.DESTINATION _DIRECTORY HDFS directory where the audit log will be stored
hdfs://__REPLACE__NAME_NODE_HOST:8020/ranger/audit/%app-type%/%te:yyyyMMdd% (format) hdfs://namenode.mycompany.com:8020/ranger/audit/%app-type%/%time:yyyyMMdd%
Y
XAAUDIT.HDFS.LOCAL_BUFFER _DIRECTORY Local directory where the audit log will be saved for intermediate storage
__REPLACE__LOG_DIR/%app-type%/audit (format) /var/log/%app-type%/audit
Y
XAAUDIT.HDFS.LOCAL_ARCHIVE _DIRECTORY Local directory where the audit log will be archived after it is moved to hdfs
__REPLACE__LOG_DIR/%app-type%/audit/archive (format) /var/log/%app-type%/audit/archive
Y
XAAUDIT.HDFS.DESTINATION_FILE hdfs audit file name (format)
%hostname%-audit.log (default)
Y
XAAUDIT.HDFS.DESTINATION _FLUSH_INTERVAL_SECONDS hdfs audit log file writes are flushed to HDFS at regular flush interval
900 (default)
Y
XAAUDIT.HDFS.DESTINATION _ROLLOVER_INTERVAL_SECONDS hdfs audit log file is rotated to write to a new file at a rollover interval specified here
86400 (default)
Y
XAAUDIT.HDFS.DESTINATION _OPEN_RETRY_INTERVAL_SECONDS hdfs audit log open() call is failed, it will be re-tried at this interval
60 (default)
Y
XAAUDIT.HDFS.LOCAL_BUFFER _FILE Local filename used to store in audit log (format)
%time:yyyyMMdd-HHmm.ss%.log (default)
Y
XAAUDIT.HDFS.LOCAL_BUFFER _FLUSH_INTERVAL_SECONDS Local audit log file writes are flushed to filesystem at regular flush interval
60 (default)
Y
XAAUDIT.HDFS.LOCAL_BUFFER _ROLLOVER_INTERVAL_SECONDS Local audit log file is rotated to write to a new file at a rollover interval specified here
600 (default)
Y
XAAUDIT.HDFS.LOCAL_ARCHIVE _MAX_FILE_COUNT The maximum number of local audit log files will be kept in the archive directory
10 (default)
Y
SSL Information (https connectivity to policy Admin Tool)
SSL_KEYSTORE_FILE_PATH Java Keystore Path where SSL key for the plugin is stored. Is used only if SSL is enabled between Policy Admin Tool and Plugin; If SSL is not Enabled, leave the default value as it is - do not set as EMPTY if SSL not used
/etc/storm/conf/ranger-plugin-keystore.jks (default)
If SSL is enabled
SSL_KEYSTORE_PASSWORD Password associated with SSL Keystore. Is used only if SSL is enabled between Policy Admin Tool and Plugin; If SSL is not Enabled, leave the default value as it is - do not set as EMPTY if SSL not used
myKeyFilePassword (default)
If SSL is enabled
SSL_TRUSTSTORE_FILE_PATH Java Keystore Path where the trusted certificates are stored for verifying SSL connection to Policy Admin Tool. Is used only if SSL is enabled between Policy Admin Tool and Plugin; If SSL is not Enabled, leave the default value as it is - do not set as EMPTY if SSL not used
/etc/storm/conf/ranger-plugin-truststore.jks (default)
If SSL is enabled
SSL_TRUSTSTORE_PASSWORD Password associated with Truststore file. Is used only if SSL is enabled between Policy Admin Tool and Plugin; If SSL is not Enabled, leave the default value as it is - do not set as EMPTY if SSL not used
changeit (default)
If SSL is enabled
Enable the Storm plug-in by entering the following commands:
cd /usr/hdp/<version>/ranger-storm-plugin
./enable-storm-plugin.sh
Restart Storm.
To confirm that installation and configuration are complete, go to the Audit Tab of the Ranger Admin Console and check Agents. You should see Storm listed there.