Security Reference

Configure the Ranger HDFS Plugin for SSL

How to configure Ranger plugins for SSL in a non-Ambari Ranger installation that uses public CA certificates.

This section shows how to configure the non-Ambari Ranger HDFS plugin for SSL. You can use the same procedure for other Ranger components.

  1. Stop the NameNode: su -l hdfs -c "/usr/hdp/current/hadoop-client/sbin/hadoop-daemon.sh stop namenode".
  2. Open the HDFS install.properties file in a text editor: vi /usr/hdp/<version>/ranger-hdfs-plugin/install.properties.
  3. Update install.properties as follows:
    • POLICY_MGR_URL -- Set this value in the format: https://<hostname of policy manager>:<https port>
    • SSL_KEYSTORE_FILE_PATH -- The path to the keystore file issued by the public CA.
    • SSL_KEYSTORE_PASSWORD -- The keystore password.
    • SSL_TRUSTSTORE_FILE_PATH -- The truststore file path.
    • SSL_TRUSTSTORE_PASSWORD -- The truststore password.
  4. See if JAVA_HOME is available: echo $JAVA_HOME.
  5. If JAVA_HOME is not available, use the following command to set JAVA_HOME (note that Ranger requires Java 1.8): export JAVA_HOME=<path for java 1.8>.
  6. Run the following commands to switch to the HDFS plugin install directory and run the install agent to update the plugin with the new configuration settings.
    cd /usr/hdp/<version>/ranger-hdfs-plugin/
    ./enable-hdfs-plugin.sh
  7. Log in to the Ranger Policy Manager UI as the admin user. Click the Edit button of your repository (in this case, hadoopdev) and provide the CN (Common Name) of the keystore certificate as the value for Common Name For Certificate, then save your changes.
  8. Start the NameNode: su -l hdfs -c "/usr/hdp/current/hadoop-client/sbin/hadoop-daemon.sh start namenode".
  9. In the Policy Manager UI, select Audit > Plugins. You should see an entry for your repo name with HTTP Response Code 200.
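
The values entered in step 3 can be checked before step 6 runs enable-hdfs-plugin.sh. The script below is an added example, not part of the original page or of Ranger; the function names prop and check_ranger_ssl_props are hypothetical, and it assumes install.properties uses plain KEY=value lines.

```sh
#!/bin/sh
# Added example (not Ranger code): pre-flight check of the install.properties
# values from step 3. Function names are hypothetical.

# prop FILE KEY: print the value assigned to KEY (last assignment wins).
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# check_ranger_ssl_props FILE: print one line per problem; the exit status is
# the number of problems found (0 means ready for enable-hdfs-plugin.sh).
check_ranger_ssl_props() {
    f=$1
    problems=0
    fail() { echo "FAIL: $*"; problems=$((problems + 1)); }
    [ -r "$f" ] || { echo "FAIL: cannot read $f"; return 1; }

    # The file stores both store passwords in clear text.
    case $(ls -ld "$f" | cut -c8-10) in
        ---) ;;
        *) fail "$f is accessible to other users (chmod 600)" ;;
    esac

    # The plugin must reach the Policy Manager over TLS: https://<host>:<port>
    url=$(prop "$f" POLICY_MGR_URL)
    case ${url%/} in
        https://*:*[0-9]) ;;
        http://*) fail "POLICY_MGR_URL uses http, not https" ;;
        *) fail "POLICY_MGR_URL is not https://<hostname>:<https port>" ;;
    esac

    for key in SSL_KEYSTORE_FILE_PATH SSL_TRUSTSTORE_FILE_PATH; do
        path=$(prop "$f" "$key")
        [ -n "$path" ] && [ -r "$path" ] || fail "$key: '$path' missing or unreadable"
    done
    for key in SSL_KEYSTORE_PASSWORD SSL_TRUSTSTORE_PASSWORD; do
        [ -n "$(prop "$f" "$key")" ] || fail "$key is empty"
    done
    return "$problems"
}

# Run the check when a properties file is given as the first argument.
if [ $# -gt 0 ]; then check_ranger_ssl_props "$1"; fi
```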