Use a Kerberos Principal for the Ranger KMS Repository
In Ranger, all access policies are configured within a repository for each service. For more information, refer to the Ranger User Guide.
To manage access policies for Ranger KMS, Ranger needs a repository for the Ranger KMS service. Ambari creates this repository automatically, using the repository config user and password that you provide.
The repository config user must also exist as a principal in Kerberos with a password. Use the following steps to use a Kerberos principal for the Ranger KMS repository.
Create the system user keyadmin, which should be synced in the User tab in Ranger Admin.
Create the principal keyadmin@EXAMPLE.COM with the password keyadmin:
kadmin.local -q 'addprinc -pw keyadmin keyadmin'
On the Add Service wizard Customize Services page, set the required values (marked in red).
Under ranger-kms-properties, set the principal and password in the REPOSITORY_CONFIG_USERNAME and REPOSITORY_CONFIG_PASSWORD fields.
To check logs, select Audit to DB under Advanced ranger-kms-audit.
Click Next to continue with the Ranger KMS Add Service wizard.
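The following is an added example, not part of the original guide: a shell check to run on the KDC host after creating the principal and before entering it in REPOSITORY_CONFIG_USERNAME, confirming that the principal exists and that its password obtains a ticket. The function names and the sample kadmin output are constructed for illustration; the realm EXAMPLE.COM is the one used on this page.

```bash
#!/usr/bin/env bash
# Added example: verify the Ranger KMS repository principal on the KDC host.
# Function names are hypothetical; sample output below is constructed.

REALM="EXAMPLE.COM"   # realm used on this page

# Expand a bare repository config user to a full principal name.
full_principal() {
  case "$1" in
    *@*) printf '%s\n' "$1" ;;
    *)   printf '%s@%s\n' "$1" "$REALM" ;;
  esac
}

# Read the output of `kadmin.local -q "getprinc <user>"` on stdin and succeed
# only if the KDC returned a record for exactly the expected principal.
principal_in_getprinc_output() {
  grep -Fqx "Principal: $(full_principal "$1")"
}

# Live check against the local KDC database (run as root, like kadmin.local).
verify_principal() {
  kadmin.local -q "getprinc $1" 2>&1 | principal_in_getprinc_output "$1"
}

# Confirm the password by requesting a TGT into a throwaway credential cache.
# kinit prompts for the password, so it never appears in argv or shell history.
verify_password() (
  cc="$(mktemp)" || exit 1
  trap 'rm -f "$cc"' EXIT
  KRB5CCNAME="FILE:$cc" kinit "$(full_principal "$1")"
)

# Constructed samples of getprinc output for an existing and a missing principal.
SAMPLE_FOUND='Authenticating as principal root/admin@EXAMPLE.COM with password.
Principal: keyadmin@EXAMPLE.COM
Expiration date: [never]'
SAMPLE_MISSING='get_principal: Principal does not exist while retrieving "keyadmin@EXAMPLE.COM".'

# Typical use on the KDC host:
#   verify_principal keyadmin && verify_password keyadmin
```

If either function fails, correct the principal or password in Kerberos before continuing, since Ambari creates the repository with whatever values are entered in the wizard.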