Additional Steps for Apache Ranger

After installing Cloudera Manager and adding a cluster, there are additional steps required to complete the installation of Apache Ranger.

Enable Plugins

The Ranger plugins for HDFS and Solr may not be enabled by default. Ranger plugins enable Cloudera Manager stack components – such as HDFS and Solr – to connect to Ranger and access its authorization and audit services. Verify that the HDFS and Solr plugins are enabled after you install and start the Ranger service.
  1. To enable the HDFS plugin:
    1. Log in to Cloudera Manager.
    2. Go to the HDFS Service status page.
    3. Click the Configuration tab.
    4. Search for the Enable Ranger Authorization configuration property.
    5. If the Enable Ranger Authorization property is not selected, select it and save the changes.
    6. Go to the Ranger Service status page and click Actions > Setup Ranger Plugin Service.
    7. Restart the HDFS service.
  2. To enable the Ranger Solr plugin:
    1. Log in to Cloudera Manager.
    2. Go to the Solr Service status page.
    3. Click the Configuration tab.
    4. Search for the Enable Ranger Authorization configuration property.
    5. If the Enable Ranger Authorization property is not selected, select it and save the changes.
    6. Restart the Solr service.

Add Solr WebUI Users

Add the username of each user who should have access to the Solr Web UI to the Ranger policy for Solr. The user should have full access privileges.

Update the Time-to-live configuration for Ranger Audits

  1. Download the Ranger audits configurations to your SolrServer or Solr gateway host, by running the following command on the host:
    solrctl instancedir --get ranger_audits /tmp/ranger_audits
    
  2. Open the following file in a text editor:
    /tmp/ranger_audits/conf/solrconfig.xml
  3. Edit the TTL section in this file to change the value of the following parameter to the appropriate value (the default value is 90 days):
    <str name="fieldName">ttl</str>
    <str name="value">+90DAYS</str>
  4. Upload the new configuration by running the following command on the host:
    solrctl instancedir --update ranger_audits /tmp/ranger_audits
    If this command fails, obtain and kinit the Solr credentials, and then re-run the command.
  5. Using the Solr credentials, reload the ranger_audits collection so that it picks up the modified configuration, by running the following command:
    solrctl collection --reload ranger_audits

Verify Ranger Configurations

    • Verify that the username of each user who should have access to the Solr Web UI has been added to the Ranger policy for Solr. The user should have full access privileges.
    • Verify that the Time-to-live value is set appropriately by examining this file on the SolrServer or Solr gateway host:
      1. Download the configuration:
        solrctl instancedir --get ranger_audits /tmp/ranger_audits
        
      2. Open the /tmp/ranger_audits/conf/solrconfig.xml file and examine the ttl parameter (identified by: <str name="fieldName">ttl</str>).
      3. If you need to change the value, edit the file and then reload the configuration by running the following command:
        solrctl collection --reload ranger_audits
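
The TTL check above can be scripted so that audit retention is compared against a required minimum instead of being read by eye. This is an added example, not Cloudera's own tooling: the function names, the sample XML wrapper elements, and the 28-day/365-day lower bounds used for MONTH and YEAR are assumptions, and only single-term values such as +90DAYS are handled.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: only the two <str> lines come from this page; the wrappers are assumed.
SAMPLE_SOLRCONFIG = """<config>
  <updateRequestProcessorChain name="audit-chain">
    <processor class="solr.DefaultValueUpdateProcessorFactory">
      <str name="fieldName">ttl</str>
      <str name="value">+90DAYS</str>
    </processor>
  </updateRequestProcessorChain>
</config>"""

# Lower bounds in days per Solr date-math unit, so retention is never overstated.
UNIT_DAYS = {"HOUR": 1 / 24, "DAY": 1, "MONTH": 28, "YEAR": 365}
TTL_RE = re.compile(r"^\+(\d+)(HOUR|DAY|MONTH|YEAR)S?$")


def ttl_to_days(expr):
    """Convert a single-term Solr date-math TTL such as '+90DAYS' to days."""
    m = TTL_RE.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported TTL expression: {expr!r}")
    return int(m.group(1)) * UNIT_DAYS[m.group(2)]


def find_ttl(xml_text, field_name="ttl"):
    """Return the <str name="value"> text paired with fieldName == field_name."""
    root = ET.fromstring(xml_text)
    for parent in root.iter():
        names = [c for c in parent.findall("str") if c.get("name") == "fieldName"]
        if any((c.text or "").strip() == field_name for c in names):
            value = parent.find("str[@name='value']")
            if value is None or not (value.text or "").strip():
                raise ValueError(f"{field_name} has no value element")
            return value.text.strip()
    raise LookupError(f"no fieldName {field_name!r} in config")


def check_retention(xml_text, min_days, field_name="ttl"):
    """Return (ok, days): ok is True when the TTL keeps audits >= min_days."""
    days = ttl_to_days(find_ttl(xml_text, field_name))
    return days >= min_days, days


if __name__ == "__main__":
    # On a real host, read /tmp/ranger_audits/conf/solrconfig.xml instead.
    print(check_retention(SAMPLE_SOLRCONFIG, min_days=90))
```

If the field name in your downloaded solrconfig.xml differs from the one shown on this page, pass it as field_name.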