Configure Ranger Plugins
How to configure Ranger plugins when setting up non-Ambari Ranger SSL using self-signed certificates.
- Stop the NameNode:
su -l hdfs -c "/usr/hdp/current/hadoop-client/sbin/hadoop-daemon.sh stop namenode"
- Change to the Ranger HDFS plugin directory and create a self-signed certificate.
cd /etc/hadoop/conf
keytool -genkey -keyalg RSA -alias rangerHdfsAgent -keystore ranger-plugin-keystore.jks -storepass myKeyFilePassword -validity 360 -keysize 2048
chown hdfs:hdfs ranger-plugin-keystore.jks
chmod 400 ranger-plugin-keystore.jks
- When prompted, provide an identifiable string as the value for the "What is your first and last name?" question, then answer the subsequent questions to create the keystore.
- When prompted for a password, press the Enter key.
Important note: When multiple servers talk to Ranger Admin to download policies for the same service/repository (e.g. HBase Master and Region servers, or multiple NameNodes or Hive servers in an HA environment), be sure to use the repo name or a common string across all of the nodes (such as HbasePlugin, HdfsPlugin, etc.). Note this value and enter the same value in the Common Name For Certificate field on the edit repository page in the Policy Manager UI.
- Create a truststore for the agent and add the Admin public key as a trusted entry. When prompted for a password, press the Enter key.
cd /etc/hadoop/conf
keytool -export -keystore /etc/ranger/admin/conf/ranger-admin-keystore.jks -alias rangeradmin -file ranger-admin-trust.cer
keytool -import -file ranger-admin-trust.cer -alias rangeradmintrust -keystore ranger-plugin-truststore.jks -storepass changeit
chown hdfs:hdfs ranger-plugin-truststore.jks
chmod 400 ranger-plugin-truststore.jks
- Open the HDFS install.properties file in a text editor:
vi /usr/hdp/<version>/ranger-hdfs-plugin/install.properties
- Update install.properties as follows:
  - POLICY_MGR_URL -- Set this value in the format: https://<hostname of policy manager>:<https port>
  - SSL_KEYSTORE_FILE_PATH -- The path to the location of the keystore file.
  - SSL_KEYSTORE_PASSWORD -- The keystore password.
  - SSL_TRUSTSTORE_FILE_PATH -- The truststore file path.
  - SSL_TRUSTSTORE_PASSWORD -- The truststore password.
- See if JAVA_HOME is available:
echo $JAVA_HOME
- If JAVA_HOME is not available, use the following command to set JAVA_HOME (note that Ranger requires Java 1.8):
export JAVA_HOME=<path for java 1.8>
- Run the following commands to switch to the HDFS plugin install directory and run the install agent to update the plugin with the new configuration settings.
cd /usr/hdp/<version>/ranger-hdfs-plugin/
./enable-hdfs-plugin.sh
- Stop Ranger Admin:
ranger-admin stop
- Add the agent's self-signed cert to the Admin's trustedCACerts.
cd /etc/ranger/admin/conf
keytool -export -keystore /etc/hadoop/conf/ranger-plugin-keystore.jks -alias rangerHdfsAgent -file ranger-hdfsAgent-trust.cer -storepass myKeyFilePassword
keytool -import -file ranger-hdfsAgent-trust.cer -alias rangerHdfsAgentTrust -keystore <Truststore file used by Ranger Admin - can be the JDK cacerts> -storepass changeit
- Start Ranger Admin.
ranger-admin start
- Log in to the Ranger Policy Manager UI as the admin user. Click the Edit button of your repository (in this case, hadoopdev) and provide the CN name of the keystore as the value for Common Name For Certificate, then save your changes.
- Start the NameNode.
su -l hdfs -c "/usr/hdp/current/hadoop-client/sbin/hadoop-daemon.sh start namenode"
- In the Policy Manager UI, select Audit > Plugins. You should see an entry for your repo name with HTTP Response Code 200.
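A pre-flight check for the install.properties values set above, intended to be run before enable-hdfs-plugin.sh. This is an added example, not part of the Ranger distribution or the original page; the function names, the host ranger.example.com:6182 and the stand-in store file names are constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of the Ranger distribution).

# Print the value of property $1 from properties file $2 (last one wins).
prop() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1
}

# Pass only if store file $1 exists with the mode that "chmod 400" sets.
store_ok() {
    [ -f "$1" ] || { echo "FAIL: $2 not found: '$1'"; return 1; }
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-r--------" ] || { echo "FAIL: $2 mode is $mode"; return 1; }
}

# Check the five SSL properties; print one line per finding, return 0 if clean.
check_plugin_ssl() {
    props=$1
    bad=0
    [ -r "$props" ] || { echo "FAIL: cannot read $props"; return 1; }
    url=$(prop POLICY_MGR_URL "$props")
    case $url in
        https://?*:[0-9]*) ;;
        *) echo "FAIL: POLICY_MGR_URL is not https://<host>:<port>: '$url'"; bad=1 ;;
    esac
    for kind in KEYSTORE TRUSTSTORE; do
        store_ok "$(prop "SSL_${kind}_FILE_PATH" "$props")" "SSL_${kind}_FILE_PATH" || bad=1
        [ -n "$(prop "SSL_${kind}_PASSWORD" "$props")" ] ||
            { echo "FAIL: SSL_${kind}_PASSWORD is empty"; bad=1; }
    done
    return "$bad"
}

# Constructed sample: write an install.properties and empty stand-in store
# files to a temp dir, using URL $1 and file mode $2; print the file's path.
make_sample() {
    d=$(mktemp -d)
    : > "$d/ks.jks"
    : > "$d/ts.jks"
    chmod "$2" "$d/ks.jks" "$d/ts.jks"
    printf '%s\n' "POLICY_MGR_URL=$1" \
        "SSL_KEYSTORE_FILE_PATH=$d/ks.jks" "SSL_KEYSTORE_PASSWORD=constructed-ks" \
        "SSL_TRUSTSTORE_FILE_PATH=$d/ts.jks" "SSL_TRUSTSTORE_PASSWORD=constructed-ts" \
        > "$d/install.properties"
    echo "$d/install.properties"
}

# Demo on the constructed sample; on a real node pass the plugin's install.properties.
check_plugin_ssl "$(make_sample https://ranger.example.com:6182 400)" && echo "OK"
```

A plain http:// policy manager URL or a store file left group- or world-readable is reported as a FAIL line and makes the function return non-zero.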