5. Set Ranger Properties

(Optional) To configure Ranger using the Setup GUI, complete the following steps.

  1. Enable Ranger from the Additional components tab.

  2. Click the Ranger Policy Admin tab in the middle of the HDP Setup Form.

  3. Enter host information, credentials for the database that stores policies, Admin user credentials, and Audit user credentials.

     

    Table 2.6. Ranger Policy Admin screen values

    | Configuration Property Name | Description | Example Value | Mandatory/Optional/Conditional |
    |---|---|---|---|
    | Ranger host | Host name of the host where Ranger-Admin and Ranger-UserSync services will be installed | WIN-Q0EOPEACTR1 | Mandatory |
    | Ranger external URL | URL used for Ranger | http://localhost:6080 | Mandatory |
    | Ranger admin DB host | MySQL server instance for use by the Ranger Admin database host. (MySQL should be up and running at installation time.) | localhost | Mandatory |
    | Ranger admin DB port | Port number for Ranger-Admin database server | 3306 | Mandatory |
    | Ranger admin DB ROOT password | Database password for the Ranger admin DB user name | RangerAdminPassW0rd | Mandatory |
    | Ranger admin DB name | Ranger-Admin policy database name | ranger (default) | Mandatory |
    | Ranger admin DB user name | Ranger-Admin policy database user name | rangeradmin (default) | Mandatory |
    | Ranger admin DB password | Password for the Ranger admin DB user | RangerAdminPassW0Rd | Mandatory |
    | Copy admin settings to audit | Use admin settings for audit database | Selected | |
    | Ranger audit DB host | Host for Ranger Audit database. (MySQL should be up and running at installation time.) This can be the same as the Ranger host, or you can specify a different server. | localhost | Mandatory |
    | Ranger audit DB name | Ranger audit database name. This can be a different database in the same database server mentioned above. | ranger_audit (default) | Mandatory |
    | Ranger audit DB port | Port number where Ranger-Admin runs audit service | 3306 | Mandatory |
    | Ranger audit DB ROOT password | Database password for the Ranger audit DB user name (required for audit database creation) | RangerAuditPassW0Rd | Mandatory |
    | Ranger audit DB user name | Database user that performs all audit logging operations from Ranger plugins | rangerlogger (default) | Mandatory |
    | Ranger audit DB password | Database password for the Ranger audit DB user name | RangerAuditPassW0Rd | Mandatory |


  4. Click the Ranger Plugins tab in the middle of the HDP Setup Form.

  5. Complete the following fields. These allow communication between Ranger-Admin and each plugin.

     

    Table 2.7. Ranger Plugins screen values

    | Configuration Property Name | Description | Example Value | Mandatory/Optional/Conditional |
    |---|---|---|---|
    | Ranger Policy Admin URL | URL used within policy admin tool when a link to its own page is generated in the policy admin tool website | http://localhost:6080 | Mandatory |
    | Knox agents: Ranger Knox repository | The repository name used in Policy Admin Tool for defining policies for Knox | knoxdev | Mandatory if using Ranger on Knox |
    | HDFS agents: Ranger HDFS repository | The repository name used in Policy Admin Tool for defining policies for HDFS | hadoopdev | Mandatory if using Ranger on HDFS |
    | Storm agents: Ranger storm repository | The repository name used in Policy Admin Tool for defining policies for Storm | stormdev | Mandatory if using Ranger on Storm |
    | Hive agents: Ranger hive repository | The repository name used in Policy Admin Tool for defining policies for Hive | hivedev | Mandatory if using Ranger on Hive |
    | HBase agents: Ranger hbase repository | The repository name used in Policy Admin Tool for defining policies for HBase | hbasedev | Mandatory if using Ranger on HBase |


  6. Click the User/Group Sync Process tab in the middle of the HDP Setup Form.

  7. Complete the following fields.

    1. Add the Ranger-Admin host URL to Ranger User/Group Sync; this enables communication between Ranger-Admin and the User-Sync service.

    2. Set appropriate values for the other parameters based on sync source:

      • If users will be synchronized from an LDAP server, supply LDAP server credentials and all properties associated with synchronizing users and groups from the LDAP server.

      • If users will be synchronized with an Active Directory, supply Active Directory credentials and all properties associated with synchronizing users and groups via Active Directory.

     

    Table 2.8. User/Group Sync Process screen field values

    | Configuration Property Name | Description | Example Value | Mandatory/Optional/Conditional |
    |---|---|---|---|
    | Ranger host | Host name of the host where Ranger-Admin and Ranger-UserSync services will be installed | WIN-Q0EOPEACTR1 | Mandatory |
    | Ranger sync interval | Specifies the interval (in minutes) between synchronization cycles. Note: the second sync cycle will NOT start until the first sync cycle is complete. | 5 | Mandatory |
    | Ranger sync LDAP search base | Search base for users | ou=users, dc=hadoop, dc=apache, dc=org | Mandatory |
    | Ranger sync LDAP URL | LDAP URL for synchronizing users | ldap://ldap.example.com:389 | Mandatory |
    | Ranger sync LDAP bind DN | LDAP bind DN used to connect to LDAP and query for users and groups. This must be a user with admin privileges to search the directory for users/groups. | cn=admin,ou=users, dc=hadoop,dc=apache, dc=org | Mandatory |
    | Ranger sync LDAP bind password | Password for the LDAP bind DN | LdapAdminPassW0Rd | Mandatory |
    | Ranger sync LDAP user search scope | Scope for user search | base, one, and sub are supported values | Mandatory |
    | Ranger sync LDAP user object class | Object class to identify user entries | person (default) | Mandatory |
    | Ranger sync LDAP user search filter | Additional filter constraining the users selected for syncing | [objectcategory=person] | Optional |
    | Ranger sync LDAP user name attribute | Attribute from user entry that will be treated as user name | cn (default) | Mandatory |
    | Ranger sync LDAP user group name attribute | Attribute from user entry whose values will be treated as group values to be pushed into the Policy Manager database. | One or more attribute names separated by commas, such as: memberof,ismemberof | Mandatory |
    | Ranger sync LDAP user name case conversion | Convert all user names to lowercase or uppercase | none: no conversion; keep as-is in SYNC_SOURCE. lower: (default) convert to lowercase when saving user names to the Ranger database. upper: convert to uppercase when saving user names to the Ranger db. | Mandatory |
    | Ranger sync LDAP group name case conversion | Convert all group names to lowercase or uppercase | (same as user name case conversion) | Mandatory |


  8. After specifying Ranger-UserSync properties, make sure that the following properties are defined on other tabs:

    • On the Additional Components tab, set the Ranger authentication method to LDAP, Active Directory, or None, based on your synchronization source.

    • On the Ranger Policy Admin tab, make sure that you have specified Authentication Properties.

  9. Click the Ranger Authentication tab in the middle of the HDP Setup Form.

  10. Specify whether you want to use LDAP or Active Directory Ranger authentication and complete the fields pertaining to your choice.

     

    Table 2.9. Ranger Authentication screen field values for LDAP authentication

    | Configuration Property Name | Description | Example Value | Mandatory/Optional/Conditional |
    |---|---|---|---|
    | Ranger LDAP URL | Specifies the LDAP Server URL | ldap://10.129.86.185:10389 | Mandatory |
    | Ranger LDAP user DN pattern | The user distinguished name (DN) pattern is expanded when a user is logging in. For example, if the user ldapadmin attempts to log in, the LDAP Server attempts to bind against the DN uid=ldapadmin,ou=users,dc=example,dc=com, and uses the password user ldapadmin provides. | cn={0},ou=users,o=example | Mandatory |
    | Ranger LDAP group search base | Defines the part of the directory under which you want group searches to be performed. | o=example | Mandatory |
    | Ranger LDAP group search filter | Defines the filter you want to use to search for group membership. The default is uniqueMember={0}, corresponding to the groupOfUniqueNames LDAP class. For Ranger authentication, the substituted parameter is the full, distinguished name of the user. You can use parameter {0} if you want to filter on the login name. | (member=cn={0},ou=users,o=example) | Mandatory |
    | Ranger LDAP group role attribute | Specifies the attribute that contains the name of the authority defined by the group entry. | cn | Mandatory |
    | Ranger LDAP base dn | Specifies the DN of the starting point for your directory server searches. | o=example | Mandatory |
    | Ranger LDAP bind dn | Specifies the full DN, including the common name (CN), of the LDAP user account that has privileges to search for users. | cn=admin,ou=users,o=freestone | Mandatory |
    | Ranger LDAP bind password | Specifies the password for the account that can search for users. | RangerLDAPBindPassW0rd | Mandatory |
    | Ranger LDAP referral | Defines search result processing behavior. Possible values are follow, ignore, and throw. | follow | Mandatory |


     

    Table 2.10. Ranger Authentication screen field values for Active Directory authentication

    | Configuration Property Name | Description | Example Value | Mandatory/Optional/Conditional |
    |---|---|---|---|
    | Ranger LDAP AD domain | LDAP Server domain name using a prefix.suffix format. | example.com | Mandatory |
    | Ranger LDAP AD URL | Specifies the LDAP Server URL. | ldap://10.129.86.200:389 | Mandatory |
    | Ranger LDAP AD base dn | Specifies the distinguished name (DN) of the starting point for directory server searches. | dc=example,dc=local | Mandatory |
    | Ranger LDAP AD bind dn | Specifies the full DN, including common name (CN), of an Active Directory user account that has privileges to search for users. This user account must have at least domain user privileges. | cn=Administrator,cn=Users,dc=example,dc=local | Mandatory |
    | Ranger LDAP AD bind password | Specifies the password for the account that can search for users. | Ranger_LDAP_AD_Bind_PassW0rd | Mandatory |
    | Ranger LDAP AD referral | Defines search result processing behavior. Possible values are follow, ignore, and throw. | follow | Mandatory |
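
The sketch below shows how the `{0}` placeholder in the Ranger LDAP user DN pattern and group search filter expands, and why the substituted value must be escaped for each context. It is an added example, not Ranger code: the helper names are hypothetical, the login names are constructed, and the escaping follows RFC 4514 (DN values) and RFC 4515 (filter values).

```python
# Added illustration, not Ranger code. Helper names are hypothetical.
# RFC 4514: characters that must be backslash-escaped in a DN attribute value.
DN_SPECIAL = set('"+,;<>\\')
# RFC 4515: characters that must be hex-escaped in a search filter value.
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_dn_value(value: str) -> str:
    """Escape a string for use as a single attribute value inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in DN_SPECIAL or (i == 0 and ch in " #") or (i == last and ch == " "):
            # Unescaped, a comma would end the cn value and start a new RDN,
            # changing which directory entry the bind targets.
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in a search filter."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def expand_user_dn(pattern: str, login: str) -> str:
    """Substitute the login name for {0} in a user DN pattern."""
    return pattern.replace("{0}", escape_dn_value(login))


def expand_group_filter(template: str, user_dn: str) -> str:
    """Substitute the user's full DN for {0} in a group search filter."""
    body = template.replace("{0}", escape_filter_value(user_dn))
    return body if body.startswith("(") else "(" + body + ")"


if __name__ == "__main__":
    pattern = "cn={0},ou=users,o=example"   # example value from Table 2.9
    group_filter = "uniqueMember={0}"        # default named in Table 2.9
    # Constructed login names; the last two contain DN or filter metacharacters.
    for login in ["ldapadmin", "Brien, Pat", "j.smith (ops)"]:
        dn = expand_user_dn(pattern, login)
        print(f"{login!r}\n  bind DN: {dn}\n  filter:  {expand_group_filter(group_filter, dn)}")
```

Comparing the printed bind DN and filter with what the directory server logs for a test login is a quick way to confirm that the pattern and filter entered on the Ranger Authentication tab resolve to the intended entries.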


