Hadoop Security Guide

Configuring Ranger Plugins

This section shows how to configure the Ranger HDFS plugin for SSL. You can use the same procedure for other Ranger components.

  1. Use the following CLI command to stop the NameNode.

    su -l hdfs -c "/usr/hdp/current/hadoop-client/sbin/hadoop-daemon.sh stop namenode"
  2. Open the HDFS install.properties file in a text editor.

    vi /usr/hdp/<version>/ranger-hdfs-plugin/install.properties
  3. Update install.properties as follows:

    • POLICY_MGR_URL -- Set this value in the format: https://<hostname of policy manager>:<https port>

    • SSL_KEYSTORE_FILE_PATH -- The path to the location of the Public CA issued keystore file.

    • SSL_KEYSTORE_PASSWORD -- The keystore password.

    • SSL_TRUSTSTORE_FILE_PATH -- The truststore file path.

    • SSL_TRUSTSTORE_PASSWORD -- The truststore password.

    Save the changes to the install.properties file.

  4. Use the following command to see if JAVA_HOME is available.

    echo $JAVA_HOME
  5. If JAVA_HOME is not available, use the following command to set JAVA_HOME (note that Ranger requires Java 1.7).

    export JAVA_HOME=<path for java 1.7>
  6. Run the following commands to switch to the HDFS plugin install directory and run the install agent to update the plugin with the new configuration settings.

    cd /usr/hdp/<version>/ranger-hdfs-plugin/
  7. Log into the Ranger Policy Manager UI as the admin user. Click the Edit button of your repository (in this case, hadoopdev) and provide the CN name of the keystore as the value for Common Name For Certificate, then save your changes.

  8. Use the following command to start the NameNode.

    su -l hdfs -c "/usr/hdp/current/hadoop-client/sbin/hadoop-daemon.sh start namenode"
  9. In the Policy Manager UI, select Audit > Plugins. You should see an entry for your repo name with HTTP Response Code 200.
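
A pre-flight check for the values edited in step 3, meant to be run before the install agent in step 6. This is an added example, not part of the original guide or of Ranger; the function names `prop` and `check_ranger_ssl_props` are hypothetical, and the script takes the path to install.properties as its only argument.

```bash
#!/usr/bin/env bash
# Added example (not from the guide): validate the SSL keys set in step 3.
# prop and check_ranger_ssl_props are hypothetical helper names.

# Print the value of key $2 in properties file $1 (last assignment wins).
prop() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | sed 's/[[:space:]]*$//'
}

# Return 0 if every check passes, 1 otherwise; print one line per finding.
check_ranger_ssl_props() {
  local file="$1" rc=0 key val url
  [ -r "$file" ] || { echo "FAIL cannot read $file"; return 1; }

  # Loose shape check: https scheme, a host, a colon, a port starting with a digit.
  url=$(prop "$file" POLICY_MGR_URL)
  case $url in
    https://?*:[0-9]*) echo "OK   POLICY_MGR_URL uses https with an explicit port" ;;
    http://*) echo "FAIL POLICY_MGR_URL is plain http: $url"; rc=1 ;;
    *) echo "FAIL POLICY_MGR_URL is not https://<host>:<port>: '$url'"; rc=1 ;;
  esac

  for key in SSL_KEYSTORE_FILE_PATH SSL_TRUSTSTORE_FILE_PATH; do
    val=$(prop "$file" "$key")
    if [ -n "$val" ] && [ -r "$val" ]; then echo "OK   $key is readable"
    else echo "FAIL $key is missing or unreadable: '$val'"; rc=1; fi
  done

  for key in SSL_KEYSTORE_PASSWORD SSL_TRUSTSTORE_PASSWORD; do
    # Report presence only; the password itself is never echoed.
    if [ -n "$(prop "$file" "$key")" ]; then echo "OK   $key is set"
    else echo "FAIL $key is empty"; rc=1; fi
  done

  # The edited file contains both store passwords, so flag group/other access.
  case $(ls -ld "$file" | cut -c5-10) in
    ------) echo "OK   $file is owner-only" ;;
    *) echo "WARN $file is accessible to group or other users" ;;
  esac
  return $rc
}

# Usage: ./check-ssl-props.sh /usr/hdp/<version>/ranger-hdfs-plugin/install.properties
if [ $# -gt 0 ]; then check_ranger_ssl_props "$1"; fi
```

A `WARN` line does not change the exit status; only `FAIL` findings make the function return 1.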