Configuring Ranger Plugins
The following steps describe how to configure the Ranger HDFS plugin for SSL with a self-signed certificate in a non-Ambari cluster. You can use the same procedure for other Ranger components.
Use the following CLI command to stop the NameNode.
su -l hdfs -c "/usr/hdp/current/hadoop-client/sbin/hadoop-daemon.sh stop namenode"
Use the following commands to change to the Ranger HDFS plugin directory and create a self-signed certificate.
cd /etc/hadoop/conf
keytool -genkey -keyalg RSA -alias rangerHdfsAgent -keystore ranger-plugin-keystore.jks -storepass myKeyFilePassword -validity 360 -keysize 2048
chown hdfs:hdfs ranger-plugin-keystore.jks
chmod 400 ranger-plugin-keystore.jks
When prompted, provide an identifiable string as the value for the "What is your first and last name?" question, then provide answers to the subsequent questions to create the keystore. When prompted for a password, press the Enter key.
Note: In the case where multiple servers talk to Ranger Admin to download policies for the same service/repository (e.g. HBase Master and Region servers, multiple NameNodes, or Hive servers in an HA environment), be sure to use the repo name or a common string across all of the nodes (such as HbasePlugin, HdfsPlugin, etc.). Note this value and enter the same value in the Common Name For Certificate field on the edit repository page in the Policy Manager UI.
Use the following CLI commands to create a truststore for the agent and add the Admin public key as a trusted entry. When prompted for a password, press the Enter key.
cd /etc/hadoop/conf
keytool -export -keystore /etc/ranger/admin/conf/ranger-admin-keystore.jks -alias rangeradmin -file ranger-admin-trust.cer
keytool -import -file ranger-admin-trust.cer -alias rangeradmintrust -keystore ranger-plugin-truststore.jks -storepass changeit
chown hdfs:hdfs ranger-plugin-truststore.jks
chmod 400 ranger-plugin-truststore.jks
Open the HDFS install.properties file in a text editor.
vi /usr/hdp/<version>/ranger-hdfs-plugin/install.properties
Update install.properties as follows:
POLICY_MGR_URL -- Set this value in the format: https://<hostname of policy manager>:<https port>
SSL_KEYSTORE_FILE_PATH -- The path to the location of the keystore file.
SSL_KEYSTORE_PASSWORD -- The keystore password.
SSL_TRUSTSTORE_FILE_PATH -- The truststore file path.
SSL_TRUSTSTORE_PASSWORD -- The truststore password.
Save the changes to the install.properties file.
Use the following command to see if JAVA_HOME is available.
echo $JAVA_HOME
If JAVA_HOME is not available, use the following command to set JAVA_HOME (note that Ranger requires Java 1.8).
export JAVA_HOME=<path for java 1.8>
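The values set in install.properties can be checked before the install agent runs. The following script is an added example, not part of the original documentation or of Ranger; the function names prop and check_ranger_ssl_props are hypothetical. It assumes the key=value layout of install.properties and checks that POLICY_MGR_URL uses https with an explicit port, that the four SSL properties are set, and that the keystore and truststore files exist with the 400 permissions applied earlier.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check of the SSL settings in a Ranger plugin
# install.properties. Function names and messages are hypothetical.

# Print the value of property $1 from file $2 (last assignment wins).
prop() {
  sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1 | tr -d '\r'
}

# Print one line per problem found; return 0 if clean, 1 otherwise.
check_ranger_ssl_props() {
  local file="$1"
  local problems=0 key val url mode
  url=$(prop POLICY_MGR_URL "$file")
  # Required format: https://<hostname of policy manager>:<https port>
  if ! printf '%s\n' "$url" | grep -Eq '^https://[^/:]+:[0-9]+/?$'; then
    echo "POLICY_MGR_URL is not https://<host>:<port>: '$url'"; problems=1
  fi
  for key in SSL_KEYSTORE_PASSWORD SSL_TRUSTSTORE_PASSWORD; do
    [ -n "$(prop "$key" "$file")" ] || { echo "$key is empty"; problems=1; }
  done
  for key in SSL_KEYSTORE_FILE_PATH SSL_TRUSTSTORE_FILE_PATH; do
    val=$(prop "$key" "$file")
    if [ -z "$val" ]; then
      echo "$key is empty"; problems=1
    elif [ ! -f "$val" ]; then
      echo "$key points to a missing file: $val"; problems=1
    else
      # chmod 400 should leave the store readable by its owner only.
      mode=$(ls -ld "$val" | cut -c1-10)
      [ "$mode" = "-r--------" ] || {
        echo "$val has mode $mode, expected -r--------"; problems=1; }
    fi
  done
  return "$problems"
}

# Check the file named on the command line, if one was given.
if [ "$#" -gt 0 ]; then check_ranger_ssl_props "$1"; fi
```

Run it with the path to install.properties as the only argument; no output and exit status 0 mean every check passed.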
Run the following commands to switch to the HDFS plugin install directory and run the install agent to update the plugin with the new configuration settings.
cd /usr/hdp/<version>/ranger-hdfs-plugin/
./enable-hdfs-plugin.sh
Use the following command to stop Ranger Admin.
ranger-admin stop
Use the following commands to add the agent's self-signed cert to the Admin's trustedCACerts.
cd /etc/ranger/admin/conf
keytool -export -keystore /etc/hadoop/conf/ranger-plugin-keystore.jks -alias rangerHdfsAgent -file ranger-hdfsAgent-trust.cer -storepass myKeyFilePassword
keytool -import -file ranger-hdfsAgent-trust.cer -alias rangerHdfsAgentTrust -keystore <Truststore file used by Ranger Admin - can be the JDK cacerts> -storepass changeit
Use the following command to start Ranger Admin.
ranger-admin start
Log into the Ranger Policy Manager UI as the admin user. Click the Edit button of your repository (in this case, hadoopdev) and provide the CN name of the keystore as the value for Common Name For Certificate, then save your changes.
Use the following command to start the NameNode.
su -l hdfs -c "/usr/hdp/current/hadoop-client/sbin/hadoop-daemon.sh start namenode"
In the Policy Manager UI, select Audit > Plugins. You should see an entry for your repo name with HTTP Response Code 200.