Ranger KMS Administration Guide

Configure HDFS Encryption to use Ranger KMS Access

At this point, Ranger KMS should be installed and running. If you plan to use Ranger KMS for HDFS data-at-rest encryption, complete the following steps:

  1. Create a link to /etc/hadoop/conf/core-site.xml under /etc/ranger/kms/conf:

    sudo ln -s /etc/hadoop/conf/core-site.xml /etc/ranger/kms/conf/core-site.xml

  2. Configure HDFS to access Ranger KMS.

    1. In the left panel of the Ambari main menu, choose HDFS.

    2. Choose the Configs tab at the top of the page, and then choose the Advanced tab partway down the page.

    3. Specify the provider path (the URL where the Ranger KMS server is running) in the following two properties, if the path is not already specified:

      • In "Advanced core-site", specify hadoop.security.key.provider.path

      • In "Advanced hdfs-site", specify dfs.encryption.key.provider.uri

      In the provider path, <kmshost> is the host where Ranger KMS is installed. The provider path should have the following format:

      kms://http@<kmshost>:9292/kms

  3. Under Custom core-site.xml, set the value of the hadoop.proxyuser.kms.groups property to * or to the service user. A value of * allows the kms user to impersonate members of any group.

  4. Restart the Ranger KMS service and the HDFS service.
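
The following check for the properties set in steps 2 and 3 is an added example, not part of the original guide or of Ranger. It parses core-site.xml and hdfs-site.xml content and reports missing, malformed or mismatched provider paths, the plaintext `http` transport, and a wildcard proxyuser group. The function names, finding labels and the sample host `kms01.example.com` are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Single-host provider path format from step 2: kms://http@<kmshost>:9292/kms
KMS_URI = re.compile(r"^kms://(https?)@([A-Za-z0-9.-]+):(\d+)/kms$")

def props(xml_text):
    """Return {name: value} from a Hadoop *-site.xml document."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name", "").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}

def audit(core_xml, hdfs_xml):
    """Check the properties set in steps 2 and 3; return a list of findings."""
    core, hdfs = props(core_xml), props(hdfs_xml)
    findings = []
    core_uri = core.get("hadoop.security.key.provider.path", "")
    hdfs_uri = hdfs.get("dfs.encryption.key.provider.uri", "")
    for name, uri in (("hadoop.security.key.provider.path", core_uri),
                      ("dfs.encryption.key.provider.uri", hdfs_uri)):
        m = KMS_URI.match(uri)
        if not uri:
            findings.append(f"MISSING {name}")
        elif not m:
            findings.append(f"BAD_FORMAT {name}={uri}")
        elif m.group(1) == "http":  # keys travel to HDFS clients without TLS
            findings.append(f"PLAINTEXT_TRANSPORT {name}={uri}")
    if core_uri and hdfs_uri and core_uri != hdfs_uri:
        findings.append("MISMATCH core-site and hdfs-site name different KMS URIs")
    groups = core.get("hadoop.proxyuser.kms.groups")
    if groups is None:
        findings.append("MISSING hadoop.proxyuser.kms.groups")
    elif groups == "*":
        findings.append("WILDCARD hadoop.proxyuser.kms.groups=* (any group)")
    return findings

# Constructed sample input; kms01.example.com is a placeholder host.
CORE = """<configuration>
  <property><name>hadoop.security.key.provider.path</name>
    <value>kms://http@kms01.example.com:9292/kms</value></property>
  <property><name>hadoop.proxyuser.kms.groups</name><value>*</value></property>
</configuration>"""
HDFS = """<configuration>
  <property><name>dfs.encryption.key.provider.uri</name>
    <value>kms://http@kms01.example.com:9292</value></property>
</configuration>"""

if __name__ == "__main__":
    print("\n".join(audit(CORE, HDFS)))
```

To run it against a live node, pass the contents of /etc/hadoop/conf/core-site.xml and the cluster's hdfs-site.xml to `audit()` instead of the constructed samples.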