Using the Ranger Key Management Service
Ranger KMS can be accessed at the Ranger admin URL,
http://<hostname>:6080
. Note, however, that the login user for Ranger
KMS is different than that for Ranger. Logging on as the Ranger KMS admin user leads to a
different set of screens.
Role Separation
By default, Ranger admin uses a different admin user
(keyadmin
) to manage access policies and keys for Ranger KMS.
The person accessing Ranger KMS via the keyadmin
user should be a
different person than the administrator who works with regular Ranger access policies. This
approach separates encryption work (encryption keys and policies) from Hadoop cluster
management and access policy management.
Accessing the Ranger KMS Web UI
To access Ranger KMS, log in as user keyadmin
, password
keyadmin
.
Important | |
---|---|
Change the password after you log in. |
After logging in, you will see the Service Manager screen. To view or edit Ranger KMS repository properties, click on the edit button next to the repository name:
You will see a list of service details and config properties for the repository:
Listing and Creating Keys
To list existing keys:
Choose the Encryption tab at the top of the Ranger Web UI screen.
Select the Ranger KMS service from the drop-down list.
To create a new key:
Click on "Add New Key".
Add a valid key name.
Select the cipher name. Ranger supports AES/CTR/NoPadding as the cipher suite.
Specify the key length, 128 or 256 bits.
Add other attributes as needed, and then save the key.
Rolling Over an Existing Key
Rolling over (or "rotating") a key retains the same key name, but the key will have a different version. This operation re-encrypts existing file keys, but does not re-encrypt the actual file. Keys can be rolled over at any time.
After a key is rotated in Ranger KMS, new files will have the file key encrypted by the new master key for the encryption zone.
To rotate a key, click the edit button next to the key name in the list of keys, as shown in the following screenshot:
Edit the key information, and then press Save.
When asked to confirm the rollover, click "OK":
Deleting a Key
Warning | |
---|---|
Deleting a key associated with an existing encryption zone will result in data loss. |
To delete an existing key:
Choose the Encryption tab at the top of the Ranger Web UI screen.
Select Ranger KMS service from the drop-down list.
Click on the delete symbol next to the key.
You will see a confirmation popup window; confirm or cancel.