Security Reference

Configure Ranger Plugins

How to configure Ranger plugins when setting up non-Ambari Ranger SSL using self-signed certificates.

The following steps describe how to configure the Ranger HDFS plugin for SSL with a self-signed certificate in a non-Ambari cluster. You can use the same procedure for other Ranger components.
  1. Stop the NameNode: su -l hdfs -c "/usr/hdp/current/hadoop-client/sbin/ stop namenode".
  2. Change to the Ranger HDFS plugin directory and create a self-signed certificate.
    cd /etc/hadoop/conf
    keytool -genkey -keyalg RSA -alias rangerHdfsAgent -keystore ranger-plugin-keystore.jks -storepass myKeyFilePassword -validity 360 -keysize 2048
    chown hdfs:hdfs ranger-plugin-keystore.jks
    chmod 400 ranger-plugin-keystore.jks
    1. When prompted, provide an identifiable string as the value for the "What is your first and last name?" question, then answer the subsequent questions to create the keystore.
    2. When prompted for a password, press the Enter key.

    Important note: When multiple servers talk to Ranger Admin to download policies for the same service/repository (e.g. HBase Master and Region servers, or multiple NameNodes or Hive servers in an HA environment), be sure to use the repo name or a common string across all of the nodes (such as HbasePlugin, HdfsPlugin, etc.). Note this value and enter the same value in the Common Name For Certificate field on the edit repository page in the Policy Manager UI.

  3. Create a truststore for the agent and add the Admin public key as a trusted entry. When prompted for a password, press the Enter key.
    cd /etc/hadoop/conf
    keytool -export -keystore /etc/ranger/admin/conf/ranger-admin-keystore.jks -alias rangeradmin -file ranger-admin-trust.cer
    keytool -import -file ranger-admin-trust.cer -alias rangeradmintrust -keystore ranger-plugin-truststore.jks -storepass changeit
    chown hdfs:hdfs ranger-plugin-truststore.jks
    chmod 400 ranger-plugin-truststore.jks
  4. Open the HDFS file in a text editor: vi /usr/hdp/<version>/ranger-hdfs-plugin/
  5. Update as follows:
    • POLICY_MGR_URL -- Set this value in the format: https://<hostname of policy manager>:<https port>
    • SSL_KEYSTORE_FILE_PATH -- The path to the location of the keystore file.
    • SSL_KEYSTORE_PASSWORD -- The keystore password.
    • SSL_TRUSTSTORE_FILE_PATH -- The truststore file path.
    • SSL_TRUSTSTORE_PASSWORD -- The truststore password.
  6. See if JAVA_HOME is available: echo $JAVA_HOME.
  7. If JAVA_HOME is not available, use the following command to set JAVA_HOME (note that Ranger requires Java 1.8): export JAVA_HOME=<path for java 1.8>.
  8. Run the following commands to switch to the HDFS plugin install directory and run the install agent to update the plugin with the new configuration settings.
    cd /usr/hdp/<version>/ranger-hdfs-plugin/
  9. Stop Ranger Admin: ranger-admin stop.
  10. Add the agent's self-signed cert to the Admin's trustedCACerts.
    cd /etc/ranger/admin/conf
    keytool -export -keystore /etc/hadoop/conf/ranger-plugin-keystore.jks -alias rangerHdfsAgent -file ranger-hdfsAgent-trust.cer -storepass myKeyFilePassword
    keytool -import -file ranger-hdfsAgent-trust.cer -alias rangerHdfsAgentTrust -keystore <Truststore file used by Ranger Admin - can be the JDK cacerts> -storepass changeit
  11. Start Ranger Admin: ranger-admin start.
  12. Log into the Ranger Policy Manager UI as the admin user. Click the Edit button of your repository (in this case, hadoopdev) and provide the CN name of the keystore as the value for Common Name For Certificate, then save your changes.
  13. Start the NameNode: su -l hdfs -c "/usr/hdp/current/hadoop-client/sbin/ start namenode".
  14. In the Policy Manager UI, select Audit > Plugins. You should see an entry for your repo name with HTTP Response Code 200.
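
The important note in step 2 and the Common Name For Certificate field in step 12 both depend on every plugin node presenting the same CN. The following check is an added example, not part of the original procedure: it reads `keytool -list -v` output and compares the certificate's CN with the expected value. The node labels, sample output and function names are constructed for illustration.

```shell
# Constructed samples of `keytool -list -v` output, one per NameNode in an HA pair.
NN1_OUT='Alias name: rangerhdfsagent
Owner: CN=HdfsPlugin, OU=Hadoop, O=Example, L=City, ST=State, C=US
Issuer: CN=HdfsPlugin, OU=Hadoop, O=Example, L=City, ST=State, C=US'
NN2_OUT='Alias name: rangerhdfsagent
Owner: CN=nn2.example.com, OU=Hadoop, O=Example, L=City, ST=State, C=US
Issuer: CN=nn2.example.com, OU=Hadoop, O=Example, L=City, ST=State, C=US'

# Print the CN from the first "Owner:" line of keytool output read on stdin.
# Assumes the CN itself contains no comma.
owner_cn() {
  sed -n 's/^Owner: //p' | head -n 1 | tr ',' '\n' | sed -n 's/^ *CN=//p' | head -n 1
}

# check_cn WANT LABEL: compare the certificate CN on stdin with WANT.
check_cn() {
  want=$1; label=$2
  got=$(owner_cn)
  if [ "$got" = "$want" ]; then
    echo "OK    $label CN=$got"
  else
    echo "FAIL  $label CN=${got:-<none>} (expected $want)"
    return 1
  fi
}

# Check both constructed samples; the return status is the number of mismatches.
check_samples() {
  expected=$1; bad=0
  printf '%s\n' "$NN1_OUT" | check_cn "$expected" nn1 || bad=$((bad + 1))
  printf '%s\n' "$NN2_OUT" | check_cn "$expected" nn2 || bad=$((bad + 1))
  return "$bad"
}

# On a real node, feed the keystore created in step 2 instead of a sample:
#   keytool -list -v -keystore /etc/hadoop/conf/ranger-plugin-keystore.jks \
#     -alias rangerHdfsAgent -storepass myKeyFilePassword | check_cn HdfsPlugin "$(hostname)"
check_samples HdfsPlugin || echo "$? node(s) have a CN that differs from the repository setting"
```

A node reported as FAIL was given a host-specific name at the "first and last name" prompt and needs its keystore regenerated with the shared string before step 10.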