Installing Apache Ranger KMS

Install Ranger KMS using Ambari (Kerberized Cluster)

To install Ranger KMS on a Kerberized cluster, complete the following steps.

  1. Go to the Ambari Web UI, http://<gateway-URL>:8080.
  2. From the Ambari dashboard, go to the Actions menu. Choose Add Service.
  3. On the next screen, check the box next to Ranger KMS.
  4. Then, choose Next.
  5. (Optional) In Assign Masters, if you wish to override the default host setting, specify the Ranger KMS host address.

  6. In Customize Services, set required values (marked in red). Review other configuration settings, and determine whether you'd like to change any of the default values. (For more information about these properties, see “Ranger KMS Properties”.)
    1. Provide the required settings, marked in red.

      If you do not wish to provide system Database Administrator (DBA) account details to the Ambari Ranger installer, you can use the Python script to create Ranger DB database users without exposing DBA account information to the Ambari Ranger installer. For more information, see “Set up Database Users Without Sharing DBA Credentials”.

    2. Confirm that the following properties are present in Custom kms-site. If they are not, add values for them in the "Custom kms-site" section. These properties allow the specified system users (hive, oozie, and others) to proxy on behalf of other users when communicating with Ranger KMS. This lets individual services (such as Hive) use their own keytabs while still accessing Ranger KMS as the end user, so that the access policies associated with the end user apply.
      • hadoop.kms.proxyuser.hive.users
      • hadoop.kms.proxyuser.oozie.users
      • hadoop.kms.proxyuser.HTTP.users
      • hadoop.kms.proxyuser.ambari.users
      • hadoop.kms.proxyuser.yarn.users
      • hadoop.kms.proxyuser.hive.hosts
      • hadoop.kms.proxyuser.oozie.hosts
      • hadoop.kms.proxyuser.HTTP.hosts
      • hadoop.kms.proxyuser.ambari.hosts
      • hadoop.kms.proxyuser.yarn.hosts
    3. Add the following properties to the "Custom kms-site" section of the configuration. These properties use the REPOSITORY_CONFIG_USERNAME specified in the first step in this section.

      If you are using an account other than keyadmin to access Ranger KMS, replace “keyadmin” with the configured user for the Ranger KMS repository in Ranger admin:

      • hadoop.kms.proxyuser.keyadmin.groups=*
      • hadoop.kms.proxyuser.keyadmin.hosts=*
      • hadoop.kms.proxyuser.keyadmin.users=*
    4. Confirm the settings of the following values in the "Advanced kms-site" group:
      • hadoop.kms.authentication.type=kerberos
      • hadoop.kms.authentication.kerberos.keytab=/etc/security/keytabs/spnego.service.keytab
      • hadoop.kms.authentication.kerberos.principal=*
  7. Then, choose Next.
  8. Review the default values on the Configure Identities screen. Determine whether you'd like to change any of the default values. Then, choose Next.
  9. In Review, make sure the configuration values are correct. Ranger KMS will be listed under Services.
  10. Then, choose Deploy.
  11. Monitor the progress of installing, starting, and testing the service. When the service installs and starts successfully, choose Next.
  12. The Summary screen displays the results. Choose Complete.
  13. Restart the Ranger and Ranger KMS services.
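
One way to check the kms-site settings from step 6 once they are applied, as an added example (not part of the original documentation or of Ambari or Ranger tooling): it parses kms-site XML in the standard Hadoop `<configuration>` format and reports missing properties, authentication values that differ from step 6.4, and proxyuser entries set to `*`. The function names, the `repo_user` parameter and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SERVICES = ["hive", "oozie", "HTTP", "ambari", "yarn"]
# Step 6.2: every listed service user needs a .users and a .hosts entry.
PROXY_KEYS = [f"hadoop.kms.proxyuser.{s}.{k}"
              for k in ("users", "hosts") for s in SERVICES]
# Step 6.4: values expected in the "Advanced kms-site" group.
EXPECTED = {
    "hadoop.kms.authentication.type": "kerberos",
    "hadoop.kms.authentication.kerberos.keytab":
        "/etc/security/keytabs/spnego.service.keytab",
    "hadoop.kms.authentication.kerberos.principal": "*",
}

def parse_site(xml_text):
    """Return {name: value} from Hadoop-style <configuration> XML."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit_kms_site(xml_text, repo_user="keyadmin"):
    """Return (missing, mismatched, wildcards) for the step 6 settings."""
    props = parse_site(xml_text)
    # Step 6.3: proxyuser entries for the Ranger KMS repository user.
    repo_keys = [f"hadoop.kms.proxyuser.{repo_user}.{k}"
                 for k in ("groups", "hosts", "users")]
    required = PROXY_KEYS + repo_keys
    missing = [k for k in required + list(EXPECTED) if k not in props]
    mismatched = {k: props[k] for k, v in EXPECTED.items()
                  if k in props and props[k] != v}
    # "*" lets the proxy user act for any user, group or host: list for review.
    wildcards = [k for k in required if props.get(k) == "*"]
    return missing, mismatched, wildcards

# Constructed sample: an incomplete kms-site with non-Kerberos authentication.
SAMPLE = """<configuration>
  <property><name>hadoop.kms.authentication.type</name><value>simple</value></property>
  <property><name>hadoop.kms.authentication.kerberos.principal</name><value>*</value></property>
  <property><name>hadoop.kms.proxyuser.hive.users</name><value>*</value></property>
  <property><name>hadoop.kms.proxyuser.hive.hosts</name><value>kms-client1.example.com</value></property>
  <property><name>hadoop.kms.proxyuser.keyadmin.users</name><value>*</value></property>
</configuration>"""

if __name__ == "__main__":
    for label, result in zip(("missing", "mismatched", "wildcards"), audit_kms_site(SAMPLE)):
        print(label, result)
```

Pass a different `repo_user` when the Ranger KMS repository is configured with an account other than keyadmin, as described in step 6.3.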