Configure Ranger Admin High Availability with a Load Balancer

For clusters that have multiple users and production availability requirements, you may want to configure Ranger high availability (HA) with a load-balancing proxy server to relay requests to and from Ranger.

Configure an external load balancer to use with Ranger HA.
In Cloudera Manager, select Ranger, then select Actions > Add Role Instances.
On the Add Role Instances page, click Select hosts.
On the selected hosts page, the primary Ranger Admin host is selected by default. Select your configured backup Ranger host (ranger-host2-fqdn). A Ranger Admin (RA) icon appears in the Added Roles column for the selected backup host. Click OK to continue.
The Add Role Instances page is redisplayed with the new backup host. Click Continue.
Review the settings on the Review Changes page, then click Continue.
Update the Ranger Load Balancer Address property (ranger.externalurl) with the load balancer host URL and port, then click Save Changes.

note
Do not use a trailing slash in the the load balancer host URL when updating the Ranger Load Balancer Address property.
If Kerberos is configured on your cluster, use SSH to connect to the KDC server host. Use the kadmin.local command to access the Kerberos CLI, then check the list of principals for each domain where Ranger Admin and the load-balancer are installed.
note
This step assumes you are using an MIT KDC (and kadmin.local). This step will be different if you are using AD or IPA.
```
kadmin.local
kadmin.local: list_principals
```
For example, if Ranger Admin is installed on <host1> and <host2>, and the load-balancer is installed on <host3>, the list returned should include the following entries:
```
HTTP/ <host3>@EXAMPLE.COM
HTTP/ <host2>@EXAMPLE.COM
HTTP/ <host1>@EXAMPLE.COM
```
If the HTTP principal for any of these hosts is not listed, use the following command to add the principal:
```
kadmin.local: addprinc -randkey HTTP/<host3>@EXAMPLE.COM
```
note

This step will need to be performed each time the Spnego keytab is regenerated.
If Kerberos is configured on your cluster, complete the following steps to create a composite keytab.

note
These steps assume you are using an MIT KDC (and kadmin.local). These steps will be different if you are using AD or IPA.
1. SSH into the Ranger Admin host, then create a keytabs directory.
```
mkdir /etc/security/keytabs/
```
2. Copy the ranger.keytab from the current running process.
```
cp /var/run/cloudera-scm-agent/process/<current-ranger-process>/ranger.keytab /etc/security/keytabs/ranger.ha.keytab
```
3. Run the following command to invoke kadmin.local.
```
kadmin.local
```
4. Run the following command to add the SPNEGO principal entry on the load balancer node.
```
ktadd -norandkey -kt /etc/security/keytabs/ranger.ha.keytab HTTP/load-balancer-host@EXAMPLE.COM
```
  note
  
  As shown above, the domain portion of the URL must be in capital letters. You can use list_principals * to view a list of all of the principals.
5. Run the following command to add the SPNEGO principal entry on the node where the first Ranger Admin is installed.
```
ktadd -norandkey -kt /etc/security/keytabs/ranger.ha.keytab HTTP/ranger-admin-host1@EXAMPLE.COM
```
6. Run the following command to add the SPNEGO principal entry on the node where the second Ranger Admin is installed.
```
ktadd -norandkey -kt /etc/security/keytabs/ranger.ha.keytab HTTP/ranger-admin-host2@EXAMPLE.COM
```
7. Run the following command to exit kadmin.local.
```
exit
```
8. Run the following command to verify that the /etc/security/keytabs/ranger.ha.keytab file has entries for all of the required SPNEGO principals.
```
klist -kt /etc/security/keytabs/ranger.ha.keytab
```
9. On the backup (ranger-admin-host2) Ranger Admin node, run the following command to create a keytabs folder.
```
mkdir /etc/security/keytabs/
```
10. Copy the ranger.ha.keytab file from the primary Ranger Admin node (ranger-admin-host1) to the backup (ranger-admin-host2) Ranger Admin node.
```
scp /etc/security/keytabs/ranger.ha.keytab root@ranger-host2-fqdn:/etc/security/keytabs/ranger.ha.keytab
```
11. Run the following commands on all of the Ranger Admin nodes.
```
chmod 440 /etc/security/keytabs/ranger.ha.keytab
chown ranger:hadoop /etc/security/keytabs/ranger.ha.keytab
```

Update the following ranger-admin-site.xml configuration settings using the Safety Valve.

ranger.spnego.kerberos.keytab=/etc/security/keytabs/ranger.ha.keytab
ranger.spnego.kerberos.principal=*

Restart all cluster services that require a restart, then click Finish.
Use a browser to check the load-balancer host URL (with port). You should see the Ranger Admin page.