Hadoop Security Guide

Configuring Ranger Plugins

The following steps describe how to configure the Ranger HDFS plugin for SSL with a self-signed certificate in a non-Ambari cluster. You can use the same procedure for other Ranger components.

  1. Use the following CLI command to stop the NameNode.

    su -l hdfs -c "/usr/hdp/current/hadoop-client/sbin/hadoop-daemon.sh stop namenode"
  2. Use the following commands to change to the Ranger HDFS plugin configuration directory and create a self-signed certificate.

    cd /etc/hadoop/conf
    keytool -genkey -keyalg RSA -alias rangerHdfsAgent -keystore ranger-plugin-keystore.jks -storepass myKeyFilePassword -validity 360 -keysize 2048
    chown hdfs:hdfs ranger-plugin-keystore.jks
    chmod 400 ranger-plugin-keystore.jks
  3. When prompted, provide an identifiable string as the value for the "What is your first and last name?" question, then provide answers to the subsequent questions to create the keystore. When prompted for a key password, press the Enter key (the key password then matches the keystore password).

    Important note: Where multiple servers talk to Ranger Admin to download policies for the same service/repository (for example, the HBase Master and Region servers, or multiple NameNodes or Hive servers in an HA environment), use the repository name or a common string across all of those nodes (such as HbasePlugin or HdfsPlugin) as the first and last name. Note this value; you must enter the same value in the Common Name For Certificate field on the edit repository page in the Policy Manager UI.

  4. Use the following CLI commands to create a truststore for the agent and add the Admin public key as a trusted entry. When prompted for a password, press the Enter key.

    cd /etc/hadoop/conf
    keytool -export -keystore /etc/ranger/admin/conf/ranger-admin-keystore.jks -alias rangeradmin -file ranger-admin-trust.cer
    keytool -import -file ranger-admin-trust.cer -alias rangeradmintrust -keystore ranger-plugin-truststore.jks -storepass changeit
    chown hdfs:hdfs ranger-plugin-truststore.jks
    chmod 400 ranger-plugin-truststore.jks
  5. Open the HDFS install.properties file in a text editor.

    vi /usr/hdp/<version>/ranger-hdfs-plugin/install.properties
  6. Update install.properties as follows:

    • POLICY_MGR_URL -- Set this value in the format: https://<hostname of policy manager>:<https port>

    • SSL_KEYSTORE_FILE_PATH -- The path to the location of the keystore file.

    • SSL_KEYSTORE_PASSWORD -- The keystore password.

    • SSL_TRUSTSTORE_FILE_PATH -- The truststore file path.

    • SSL_TRUSTSTORE_PASSWORD -- The truststore password.

    Save the changes to the install.properties file.

  7. Use the following command to see if JAVA_HOME is available.

    echo $JAVA_HOME
  8. If JAVA_HOME is not available, use the following command to set JAVA_HOME (note that Ranger requires Java 1.7).

    export JAVA_HOME=<path for java 1.7>
  9. Run the following commands to switch to the HDFS plugin install directory and run the install agent to update the plugin with the new configuration settings.

    cd /usr/hdp/<version>/ranger-hdfs-plugin/
  10. Use the following command to stop Ranger Admin.

    ranger-admin stop
  11. Use the following commands to add the agent's self-signed cert to the Admin's trustedCACerts.

    cd /etc/ranger/admin/conf
    keytool -export -keystore /etc/hadoop/conf/ranger-plugin-keystore.jks -alias rangerHdfsAgent -file ranger-hdfsAgent-trust.cer -storepass myKeyFilePassword
    keytool -import -file ranger-hdfsAgent-trust.cer -alias rangerHdfsAgentTrust -keystore <Truststore file used by Ranger Admin - can be the JDK cacerts> -storepass changeit
  12. Use the following command to start Ranger Admin.

    ranger-admin start
  13. Log into the Ranger Policy Manager UI as the admin user. Click the Edit button of your repository (in this case, hadoopdev) and provide the CN name of the keystore as the value for Common Name For Certificate, then save your changes.

  14. Use the following command to start the NameNode.

    su -l hdfs -c "/usr/hdp/current/hadoop-client/sbin/hadoop-daemon.sh start namenode"
  15. In the Policy Manager UI, select Audit > Plugins. You should see an entry for your repo name with HTTP Response Code 200.
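As an added example (not part of the Hortonworks guide or the Ranger project), the following Python script applies the step 6 edits to a constructed copy of install.properties and then runs the pre-flight checks a practitioner would want before running the plugin install script in step 9: all five SSL keys are set, POLICY_MGR_URL uses https with an explicit port, and both store files exist with the owner-only mode that the chmod 400 commands in steps 2 and 4 set. The hostname, the port 6182 (assumed here as Ranger Admin's default HTTPS port), the sample file contents and the placeholder store files are all constructed for the example.

```python
import os
import re
import stat
import tempfile
from urllib.parse import urlsplit

# The five install.properties keys step 6 of the procedure tells you to set.
SSL_KEYS = (
    "POLICY_MGR_URL",
    "SSL_KEYSTORE_FILE_PATH",
    "SSL_KEYSTORE_PASSWORD",
    "SSL_TRUSTSTORE_FILE_PATH",
    "SSL_TRUSTSTORE_PASSWORD",
)

# Constructed sample of a plugin install.properties before the SSL edit (not a real HDP file).
SAMPLE_INSTALL_PROPERTIES = """\
# constructed sample, plain-HTTP Policy Manager URL
POLICY_MGR_URL=http://ranger-admin.example.internal:6080
REPOSITORY_NAME=hadoopdev
SSL_KEYSTORE_FILE_PATH=/etc/hadoop/conf/ranger-plugin-keystore.jks
SSL_KEYSTORE_PASSWORD=none
SSL_TRUSTSTORE_FILE_PATH=/etc/hadoop/conf/ranger-plugin-truststore.jks
SSL_TRUSTSTORE_PASSWORD=none
"""

_KEY_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=")


def parse_properties(text):
    """Parse KEY=VALUE lines into a dict; blank lines and # comments are skipped."""
    props = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        key, sep, value = stripped.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def update_properties(text, updates):
    """Rewrite each key in updates in place (append it if absent); leave every other line alone."""
    seen, out = set(), []
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m and m.group(1) in updates:
            out.append(f"{m.group(1)}={updates[m.group(1)]}")
            seen.add(m.group(1))
        else:
            out.append(line)
    out.extend(f"{k}={v}" for k, v in updates.items() if k not in seen)
    return "\n".join(out) + "\n"


def check_ssl_settings(props, check_files=True):
    """Return a list of problems with the SSL section; an empty list means it passes.
    Checks: all five keys present and non-empty, POLICY_MGR_URL is https://<host>:<port>, and
    (if check_files) both store files exist and are readable only by their owner (mode 0400)."""
    problems = [f"{key} is missing or empty" for key in SSL_KEYS if not props.get(key)]

    parts = urlsplit(props.get("POLICY_MGR_URL", ""))
    try:
        host, port = parts.hostname, parts.port
    except ValueError:  # non-numeric port
        host, port = None, None
    if parts.scheme != "https":
        problems.append("POLICY_MGR_URL must use https://")
    if not host or port is None:
        problems.append("POLICY_MGR_URL must be https://<host>:<port>")

    if check_files:
        for key in ("SSL_KEYSTORE_FILE_PATH", "SSL_TRUSTSTORE_FILE_PATH"):
            path = props.get(key)
            if not path:
                continue
            if not os.path.isfile(path):
                problems.append(f"{key}: {path} does not exist")
                continue
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & 0o077:  # group or other can read the secret material
                problems.append(f"{key}: {path} has mode {mode:04o}; expected 0400")
    return problems


def demo():
    """Apply the step 6 edits to the sample in a temp directory and return the check result."""
    with tempfile.TemporaryDirectory() as conf:
        stores = {}
        for name in ("ranger-plugin-keystore.jks", "ranger-plugin-truststore.jks"):
            path = os.path.join(conf, name)
            with open(path, "wb") as fh:
                fh.write(b"placeholder, not a real JKS")  # constructed stand-in for keytool output
            os.chmod(path, 0o400)  # same mode the procedure's chmod 400 applies
            stores[name] = path
        updated = update_properties(SAMPLE_INSTALL_PROPERTIES, {
            "POLICY_MGR_URL": "https://ranger-admin.example.internal:6182",  # assumed host and port
            "SSL_KEYSTORE_FILE_PATH": stores["ranger-plugin-keystore.jks"],
            "SSL_KEYSTORE_PASSWORD": "myKeyFilePassword",
            "SSL_TRUSTSTORE_FILE_PATH": stores["ranger-plugin-truststore.jks"],
            "SSL_TRUSTSTORE_PASSWORD": "changeit",
        })
        return check_ssl_settings(parse_properties(updated))


if __name__ == "__main__":
    print(demo() or "install.properties SSL section passes all checks")
```

Run check_ssl_settings on the real /usr/hdp/<version>/ranger-hdfs-plugin/install.properties before step 9; any non-empty result is a reason not to run the install script yet, since the plugin would otherwise start with a plain-HTTP Policy Manager URL or a store file other users can read.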