Hadoop Security Guide
Also available as:
loading table of contents...

Ranger KMS Properties

This chapter describes configuration properties for the Ranger Key Management Service (KMS).

Table 6.1. Properties in Advanced dbks-site Menu (dbks-site.xml)

Property NameDefault ValueDescription
ranger.ks.masterkey.credential.aliasranger.ks.masterkey.passwordCredential alias used for masterkey.
ranger.ks.jpa.jdbc.userrangerkmsDatabase username used for operation.
ranger.ks.jpa.jdbc.urljdbc:log4jdbc:mysql://localhost:3306/rangerkmsJDBC connection URL for database.
ranger.ks.jpa.jdbc.password_ (default it’s encrypted)Database user's password.
ranger.ks.jpa.jdbc.drivernet.sf.log4jdbc.DriverSpyDriver used for database.
ranger.ks.jpa.jdbc.dialectorg.eclipse.persistence.platform. database.MySQLPlatformDialect used for database.
ranger.ks.jpa.jdbc.credential. provider.path/etc/ranger/kms/rangerkms.jceksCredential provider path.
ranger.ks.jpa.jdbc.credential.aliasranger.ks.jdbc.passwordCredential alias used for password.
ranger.ks.jdbc.sqlconnectorjar/usr/share/java/mysql-connector-java.jarDriver jar used for database.
ranger.db.encrypt.key.password_ (Default; it’s encrypted)Password used for encrypting the Master Key.
hadoop.kms.blacklist.DECRYPT_EEKhdfsBlacklist for decrypt EncryptedKey CryptoExtension operations. This can have multiple user IDs in a comma separated list. e.g stormuser,yarn,hdfs.

Table 6.2. Properties in Advanced kms-env

Property NameDefault ValueDescription
Kms UserkmsRanger KMS process will be started using this user.
Kms GroupkmsRanger KMS process will be started using this group.
LD library path LD library path (basically used when the db flavor is SQLA). Example: /opt/sqlanywhere17/lib64
kms_port9292Port used by Ranger KMS.
kms_log_dir/var/log/ranger/kmsDirectory where the Ranger KMS log will be generated.

Table 6.3. Properties in Advanced kms-properties (install.properties)

Property NameDefault ValueDescription
db_userrangerkmsDatabase username used for the operation.
db_root_user Database root username. Default is blank. Specify the root user.
db_root_password Database root user’s password. Default is blank. Specify the root user password.
db_password Database user’s password for the operation. Default is blank. Specify the Ranger KMS database password.
db_namerangerkmsDatabase name for Ranger KMS.
db_host<FQDN of instance where the Ranger KMS is installed>Hostname where the database is installed. Note: Check the hostname for DB and change it accordingly.
SQL_CONNECTOR_JAR/usr/share/java/mysql-connector.jarLocation of DB client library.
REPOSITORY_CONFIG_USERNAMEkeyadminUser used in default repo for Ranger KMS.
REPOSITORY_CONFIG_PASSWORDkeyadminPassword for user used in default repo for Ranger KMS.
KMS_MASTER_KEY_PASSWD Password used for encrypting the Master Key. Default value is blank. Set the master key to any string.
DB_FLAVORMYSQLDatabase flavor used for Ranger KMS. Supported values: MYSQL, SQLA, ORACLE, POSTGRES, MSSQL

Table 6.4. Properties in Advanced kms-site (kms-site.xml)

Property NameDefault ValueDescription
hadoop.security.keystore. JavaKeyStoreProvider.passwordnoneIf using the JavaKeyStoreProvide, the password for the keystore file.
hadoop.kms.security. authorization.managerorg.apache.ranger. authorization.kms. authorizer.RangerKmsAuthorizerRanger KMS security authorizer.
hadoop.kms.key.provider.uridbks://http@localhost:9292/kmsURI of the backing KeyProvider for the KMS.
hadoop.kms.current.key. cache.timeout.ms30000Expiry time for the KMS current key cache, in milliseconds. This affects getCurrentKey operations.
hadoop.kms.cache.timeout.ms600000Expiry time for the KMS key version and key metadata cache, in milliseconds. This affects getKeyVersion and getMetadata.

Whether the KMS will act as a cache for the backing KeyProvider. When the cache is enabled, operations like getKeyVersion, getMetadata, and getCurrentKey will sometimes return cached data without consulting the backing KeyProvider. Cached values are flushed when keys are deleted or modified.

Note: This setting is beneficial if Single KMS and single mode are used. If this is set to true when multiple KMSs are used, or when the key operations are from different modes (Ranger UI, CURL, or hadoop command), it might cause inconsistency.

hadoop.kms.authentication.typesimpleAuthentication type for the Ranger KMS. Can be either “simple” or “kerberos”.
hadoop.kms.authentication.signer. secret.provider.zookeeper.path/hadoop-kms/hadoop-auth-signature-secretThe ZooKeeper ZNode path where the Ranger KMS instances will store and retrieve the secret from.
hadoop.kms.authentication. signer.secret.provider. zookeeper.kerberos.principalkms/#HOSTNAME#The Kerberos service principal used to connect to ZooKeeper
hadoop.kms.authentication. signer.secret.provider. zookeeper.kerberos.keytab/etc/hadoop/conf/kms.keytabThe absolute path for the Kerberos keytab with the credentials to connect to ZooKeeper.
hadoop.kms.authentication. signer.secret.provider. zookeeper.connection.string#HOSTNAME#:#PORT#,...

The ZooKeeper connection string, a list of hostnames and port comma separated. For example:

<FQDN for first instance>:2181,<FQDN for second instance>:2181

hadoop.kms.authentication. signer.secret.provider. zookeeper.auth.typekerberosZooKeeper authentication type: 'none' or 'sasl' (Kerberos)
hadoop.kms.authentication. signer. secret.providerrandomIndicates how the secret to sign authentication cookies will be stored. Options are 'random' (default), 'string', and zookeeper'. If you have multiple Ranger KMS instances, specify 'zookeeper'.
hadoop.kms.authentication. kerberos.principalHTTP/localhostThe Kerberos principal to use for the HTTP endpoint. The principal must start with 'HTTP/' as per the Kerberos HTTP SPNEGO specification.
hadoop.kms.authentication. kerberos.name.rulesDEFAULTRules used to resolve Kerberos principal names.
hadoop.kms.authentication. kerberos.keytab${user.home}/kms.keytabPath to the keytab with credentials for the configured Kerberos principal.
hadoop.kms.audit. aggregation.window.ms10000Specified in ms. Duplicate audit log events within this aggregation window are quashed to reduce log traffic. A single message for aggregated events is printed at the end of the window, along with a count of the number of aggregated events.

Table 6.5. Properties in Advanced ranger-kms-audit (ranger-kms-audit.xml)

Property NameDefault ValueDescription
Audit provider summary enabled Enable audit provider summary.
xasecure.audit.is.enabledtrueEnable audit.
xasecure.audit.destination. solr.zookeepersnoneSpecify solr zookeeper string.

Specify solr URL.

Note: In Ambari this value is populated from the Ranger Admin by default.

xasecure.audit.destination. solr.batch.filespool.dir/var/log/ranger/kms/audit/solr/spoolDirectory for solr audit spool.
Audit to SOLR Enable audit to solr.

HDFS directory to write audit.

Note: Make sure the service user has required permissions.

xasecure.audit.destination. hdfs.batch.filespool.dir/var/log/ranger/kms/audit/hdfs/spoolDirectory for HDFS audit spool.
Audit to HDFS Enable hdfs audit.

xa audit db user

Note: In Ambari this value is populated from the Ranger Admin by default.

xasecure.audit.destination. db.passwordencrypted (it’s in encrypted format)

xa audit db user password

Note: In Ambari this value is populated from the Ranger Admin by default.


Database JDBC URL for xa audit.

Note: In Ambari the value for this is populated from the Ranger Admin by default.

xasecure.audit.destination. db.jdbc.driver{{jdbc_driver}}

Database JDBC driver.

Note: In Ambari this value is populated from the Ranger Admin by default.

xasecure.audit.destination. db.batch.filespool.dir/var/log/ranger/kms/audit/db/spoolDirectory for database audit spool.
Audit to DB Enable audit to database.
xasecure.audit.credential.provider.filejceks://file{{credential_file}}Credential provider file.

Table 6.6. Properties in Advanced ranger-kms-policymgr-ssl

Property NameDefault ValueDescription
xasecure.policymgr.clientssl. truststore.passwordchangeitPassword for the truststore.
xasecure.policymgr.clientssl. truststore/usr/hdp/current/ranger-kms/conf/ranger-plugin-truststore.jksjks file for truststore
xasecure.policymgr.clientssl. keystore.passwordmyKeyFilePasswordPassword for keystore.
xasecure.policymgr.clientssl. keystore.credential.filejceks://file{{credential_file}}Java keystore credential file.
xasecure.policymgr.clientssl. keystore/usr/hdp/current/ranger-kms/conf/ranger-plugin-keystore.jksJava keystore file.
xasecure.policymgr.clientssl. truststore.credential.filejceks://file{{credential_file}}Java truststore file.

Table 6.7. Properties in Advanced ranger-kms-security

Property NameDefault ValueDescription
ranger.plugin.kms.service.name<default name for Ranger KMS Repo>Name of the Ranger service containing policies for the KMS instance. Note: In Ambari the default value is <clusterName>_kms.
ranger.plugin.kms.policy.source.implorg.apache.ranger.admin.client. RangerAdminRESTClientClass to reterive policies from the source.
ranger.plugin.kms.policy.rest.url{{policymgr_mgr_url}}URL for Ranger Admin.
ranger.plugin.kms.policy.rest. ssl.config.file/etc/ranger/kms/conf/ranger-policymgr-ssl.xmlPath to the file containing SSL details for contacting the Ranger Admin.
ranger.plugin.kms.policy. pollIntervalMs30000Time interval to poll for changes in policies.
ranger.plugin.kms.policy.cache.dir/etc/ranger/{{repo_name}}/policycacheDirectory where Ranger policies are cached after successful retrieval from the source.