Security
Also available as:
PDF
loading table of contents...

Install Multiple Ranger KMS

Multiple services can be set up for high availability of Ranger KMS. HDFS interacts with the active process.

Prerequisite: an instance with more than one node.

To install Ranger KMS on multiple nodes:

  1. First install Ranger KMS on a single node (see Installing the Ranger Key Management Service).

  2. Next, add the Ranger KMS service to another node.

    In the Ambari Web UI for the additional node, go to Ranger KMS service → Summary → Service Actions → Add Ranger KMS server.

  3. After adding Ranger KMS server, Ambari will show a pop-up message.

  4. Press OK. Ambari will modify two HDFS properties, hadoop.security.key.provider.path and dfs.encryption.key.provider.uri.

  5. Restart the HDFS service:

  6. For the Ranger KMS service, go to the Advanced kms-site list and change the following property values:

    hadoop.kms.cache.enable=false

    hadoop.kms.cache.timeout.ms=0

    hadoop.kms.current.key.cache.timeout.ms=0

    hadoop.kms.authentication.signer.secret.provider=zookeeper

    hadoop.kms.authentication.signer.secret.provider.zookeeper.connection.string={internal ip of first node}:2181,{internal ip of second node}:2181, ...

    hadoop.kms.authentication.signer.secret.provider.zookeeper.auth.type=none

  7. Save your configuration changes and restart the Ranger KMS service.

Next, check connectivity from Ranger admin for the newly-added Ranger KMS server:

  1. Go to the Ranger UI: http://<gateway>:6080

  2. Login with your keyadmin user ID and password (the defaults are keyadmin, keyadmin; these should be changed as soon as possible after installation). The default repository will be added under Ranger KMS service.

  3. Under Config properties of the Ranger KMS URL, add the newly added Ranger KMS server FQDN. For example:

    Previous Ranger KMS URL = kms://http@<internal host name>:9292/kms

    New Ranger KMS URL = kms://http@<internal host name1>;<internal host name2>;...:9292/kms

  4. Run a test connection for the service. You should see a ‘connected successfully’ message.

  5. Choose the Audit > Plugin tab.

  6. Check whether plugins are communicating. The UI should display HTTP Response Code = 200 for the respective plugin.