Installing Ranger RMS

Ranger Resource Mapping Server (RMS) enables automatic translation of access policies from Hive to HDFS.

Legacy CDH users used Hive policies in Apache Sentry that automatically linked Hive permissions with HDFS ACLs. This was especially convenient for external table data used by Spark or Hive.

Previously, Ranger only supported managing Hive and HDFS policies separately. Ranger RMS (Resource Mapping Server) allows you to authorize access to HDFS directories and files using policies defined for Hive tables. RMS is the service that enables Hive-HDFS ACL Sync.

Ranger RMS requires:

A CDP Private Cloud Base 7.1.4+ cluster with Apache Ranger, Hive, and HDFS.
Identify a host for Ranger RMS.

On the cluster home page, click the More Options (ellipsis) icon, then click Add Service.
Select Ranger RMS, then click Continue.
On the Assign Roles page, click Continue.

On the Review Changes page, add the following Ranger database configuration properties, then click Continue.


Property	Description
Database Type ranger_rms_database_type	The type of database used by Ranger.
Database Name ranger_rms_database_name	The name of the Ranger database.
Database Host ranger_rms_database_host	The host name of the Ranger database.
Database User ranger-rms.jpa.jdbc.user	The Ranger database user name.
Database User Password ranger-rms.jpa.jdbc.password	The Ranger database user password.
Database Port ranger_rms_database_port	The Ranger database port. Note that the database port should be changed to match the port used by the Ranger database type.

If you would like to track managed tables, select the Enable Mapping Hive Managed Tables checkbox.

On the Command Details page, select run options, then click Continue.
On the Summary page, click Finish.

important
Do not start the Ranger RMS service before completing the following additional configuration steps.
In Cloudera Manager > Hive Service > Configuration verify that the Hive Metastore Access Control and Ranger RMS Proxy User Hosts property, hadoop.proxyuser.rangerrms.hosts is set to *.

note
rangerrms user is given superuser privilege only for HiveMetaStore service, so rangerrms can access metadata information without an explicit Ranger policy allowing it necessary permissions. However, Hive operations such as drop database must be authorized in the hive-server2 by Ranger policies. You must create an appropriate Ranger policy which grants the user executing this command the required permission to do so.
On the Service Manager page, click the Edit icon for the Hadoop SQL service, then verify that hdfs has been added to the tag.download.auth.users and policy.download.auth.users configurations.

In Cloudera Manager, select HDFS > Configuration, then use the Search box to search for Advanced Configuration Snippet (Safety Valve) for ranger-hdfs-security.xml. Use the Add (+) icons to add the following properties, then click Save Changes.


Name	Value
ranger.plugin.hdfs.chained.services	cm_hive
ranger.plugin.hdfs.chained.services.cm_hive.impl	org.apache.ranger.chainedplugin.hdfs.hive.RangerHdfsHiveChainedPlugin

Click the HDFS Restart icon.
On the Stale Configurations page, click Restart Stale Services.
On the Restart Stale Services page, select the Re-deploy client configuration checkbox, then click Restart Now.
A progress indicator page appears while the services are being restarted. When the services have restarted, click Finish.