Configure Ranger Admin
How to configure Ranger Admin when setting up non-Ambari Ranger SSL using self-signed certificates.
- Stop Ranger Admin:
    ranger-admin stop
- Change to the Ranger Admin directory and create a self-signed certificate:
    cd /etc/ranger/admin/conf
    keytool -genkey -keyalg RSA -alias rangeradmin -keystore ranger-admin-keystore.jks -storepass xasecure -validity 360 -keysize 2048
    chown ranger:ranger ranger-admin-keystore.jks
    chmod 400 ranger-admin-keystore.jks
- When prompted, provide the host name as the value for the "What is your first and last name?" question, then provide answers to the subsequent questions to create the keystore.
- When prompted for your password, press the Enter key. This will not work for Java keytool version 1.5.
- Open the ranger-admin-site.xml file in a text editor:
    vi /usr/hdp/current/ranger-admin/ews/webapp/WEB-INF/classes/conf/ranger-admin-site.xml
- Update ranger-admin-site.xml as follows:
  - ranger.service.http.port -- Comment out the value for this property.
  - ranger.service.http.enabled -- Set the value of this property to false.
  - ranger.service.https.attrib.ssl.enabled -- Set the value of this property to true.
  - ranger.service.https.port -- Make sure that this port is available, or change the value to an available port number.
  - ranger.https.attrib.keystore.file -- Provide the location of the keystore file created previously: /etc/ranger/admin/conf/ranger-admin-keystore.jks.
  - ranger.service.https.attrib.keystore.pass -- Enter the password for the keystore (in this case, xasecure).
  - ranger.service.https.attrib.keystore.keyalias -- Enter the alias name for the keystore private key (in this case, rangeradmin).
  - ranger.externalurl -- Set the value of this property in the format: https://<hostname of policy manager>:<https port>.
- Add or update the following properties with the values shown below:
    <property>
      <name>ranger.service.https.attrib.clientAuth</name>
      <value>want</value>
    </property>
    <property>
      <name>ranger.service.https.attrib.client.auth</name>
      <value>want</value>
    </property>
    <property>
      <name>ranger.https.attrib.keystore.file</name>
      <value>/etc/ranger/admin/conf/ranger-admin-keystore.jks</value>
    </property>
    <property>
      <name>ranger.service.https.attrib.keystore.file</name>
      <value>/etc/ranger/admin/conf/ranger-admin-keystore.jks</value>
    </property>
- Save the changes to ranger-admin-site.xml, then use the following command to start Ranger Admin:
    ranger-admin start
When you access the Ranger Admin UI over HTTPS on the port specified by the ranger.service.https.port property, the browser should report that it does not trust the site. Click Proceed anyway and you should be able to access the Ranger Admin UI over HTTPS with the self-signed cert you just created.
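
The edited ranger-admin-site.xml can be checked against the settings in the steps above before Ranger Admin is started. The following Python script is an added example, not part of the original documentation: the function name check_ranger_ssl, the host name ranger.example.com and the port 6182 in the sample are constructed for illustration, and the file is assumed to use the <configuration>/<property> layout.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample input; host name and port are illustrative values.
SAMPLE = """<configuration>
<property><name>ranger.service.http.enabled</name><value>false</value></property>
<property><name>ranger.service.https.attrib.ssl.enabled</name><value>true</value></property>
<property><name>ranger.service.https.port</name><value>6182</value></property>
<property><name>ranger.https.attrib.keystore.file</name><value>/etc/ranger/admin/conf/ranger-admin-keystore.jks</value></property>
<property><name>ranger.service.https.attrib.keystore.file</name><value>/etc/ranger/admin/conf/ranger-admin-keystore.jks</value></property>
<property><name>ranger.service.https.attrib.keystore.keyalias</name><value>rangeradmin</value></property>
<property><name>ranger.service.https.attrib.clientAuth</name><value>want</value></property>
<property><name>ranger.service.https.attrib.client.auth</name><value>want</value></property>
<property><name>ranger.externalurl</name><value>https://ranger.example.com:6182</value></property>
</configuration>"""

P = "ranger.service.https."

def check_ranger_ssl(xml_text):
    """Return a list of problems; an empty list means the settings are consistent."""
    props = {}
    for p in ET.fromstring(xml_text).iter("property"):
        props[(p.findtext("name") or "").strip()] = (p.findtext("value") or "").strip()
    problems = []
    expected = {"ranger.service.http.enabled": "false",
                P + "attrib.ssl.enabled": "true",
                P + "attrib.clientAuth": "want",
                P + "attrib.client.auth": "want"}
    for name, want in expected.items():  # a misspelled key shows up as missing
        if props.get(name, "").lower() != want:
            problems.append(f"{name} should be {want}, found {props.get(name)!r}")
    ks = {props.get("ranger.https.attrib.keystore.file"), props.get(P + "attrib.keystore.file")}
    if None in ks or "" in ks or len(ks) != 1:
        problems.append("both keystore.file properties must name the same keystore")
    if not props.get(P + "attrib.keystore.keyalias"):
        problems.append("keystore key alias is not set")
    url = urlparse(props.get("ranger.externalurl", ""))
    try:
        url_port = url.port
    except ValueError:  # non-numeric or out-of-range port in the URL
        url_port = None
    if url.scheme != "https" or str(url_port) != props.get(P + "port"):
        problems.append("ranger.externalurl must be https://<host>:<ranger.service.https.port>")
    return problems

if __name__ == "__main__":
    for line in check_ranger_ssl(SAMPLE) or ["SSL settings are consistent"]:
        print(line)
```

To check a real file, pass its contents to check_ranger_ssl, for example open(path).read() on the ranger-admin-site.xml edited above.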