Installing Ranger RMS

Ranger Resource Mapping Server (RMS) enables automatic translation of access policies from Hive to HDFS.

Legacy CDH users used Hive policies in Apache Sentry that automatically linked Hive permissions with HDFS ACLs. This was especially convenient for external table data used by Spark or Hive.

Previously, Ranger only supported managing Hive and HDFS policies separately. Ranger RMS (Resource Mapping Server) allows you to authorize access to HDFS directories and files using policies defined for Hive tables. RMS is the service that enables Hive-HDFS ACL Sync.

Ranger RMS requires:
  • A CDP Private Cloud Base 7.1.4+ cluster with Apache Ranger, Hive, and HDFS.
  • Identify a host for Ranger RMS.
  1. On the cluster home page, click the More Options (ellipsis) icon, then click Add Service.
  2. Select Ranger RMS, then click Continue.
  3. On the Assign Roles page, click Continue.
  4. On the Review Changes page, add the following Ranger database configuration properties, then click Continue.
    Property Description

    Database Type

    ranger_rms_database_type

    The type of database used by Ranger.

    Database Name

    ranger_rms_database_name

    The name of the Ranger database.

    Database Host

    ranger_rms_database_host

    The host name of the Ranger database. If a non-default port is assigned, use host:port notation.

    Database User

    ranger-rms.jpa.jdbc.user

    The Ranger database user name.

    Database User Password

    ranger-rms.jpa.jdbc.password
    The Ranger database user password.

    Database Port

    ranger_rms_database_port
    The Ranger database port. Note that the database port should be changed to match the port used by the Ranger database type.

    If you would like to track managed tables, select the Enable Mapping Hive Managed Tables checkbox.

  5. On the Command Details page, select run options, then click Continue.
  6. On the Summary page, click Finish.
  7. Configure the rangerrms user as a super-user in the Hive Metastore (HMS) to allow access to HMS metadata.

    Add the hadoop.proxyuser.<RMSUSER>.hosts configuration in the HMS generated core-site.xml file when the RANGER_RMS_SERVER role is present.

  8. On the Service Manager page, click the Edit icon for the Hadoop SQL service, then verify that hdfs has been added to the tag.download.auth.users and policy.download.auth.users configurations.
  9. In Cloudera Manager, select HDFS > Configuration, then use the Search box to search for Advanced Configuration Snippet (Safety Valve) for ranger-hdfs-security.xml. Use the Add (+) icons to add the following properties, then click Save Changes.
    Name Value
    ranger.plugin.hdfs.chained.services cm_hive
    ranger.plugin.hdfs.chained.services.cm_hive.impl org.apache.ranger.chainedplugin.hdfs.hive.RangerHdfsHiveChainedPlugin
  10. Click the HDFS Restart icon.
  11. On the Stale Configurations page, click Restart Stale Services.
  12. On the Restart Stale Services page, select the Re-deploy client configuration checkbox, then click Restart Now.
  13. A progress indicator page appears while the services are being restarted. When the services have restarted, click Finish.