Customizing Kerberos principals

How to configure custom service principals in Cloudera Manager.

  • Ensure you use different Kerberos principals for different services to make it easier to track the HDFS directories being accessed by each service.
  • If you are using ShellBasedUnixGroupsMapping to obtain user-group mappings, ensure you have the UNIX accounts for the principals present on all hosts of the cluster.
  • Ranger

    Ranger creates all plugin services and related policies with default service user names. If you customize the principal names using Cloudera Manager for any service, you must manually update all the policies and plugin service configs to use the customized principal names.

    If your Knox service uses a custom service principal (for example, knoxfoo0), you must update the Ranger Knox proxy properties in the ranger-admin-site.xml safety valve:
    <property>
         <name>ranger.proxyuser.knoxfoo0.users</name>
         <value>*</value>
    </property>
    <property>
         <name>ranger.proxyuser.knoxfoo0.groups</name>
         <value>*</value>
    </property>
    <property>
         <name>ranger.proxyuser.knoxfoo0.hosts</name>
         <value>*</value>
    </property>

    The existing Ranger Knox Proxy properties shown on the Cloudera Manager UI in Ranger are meant for the default service principal, knox. You must update them with the following values:

    ranger_proxyuser_knox_hosts = _no_host_
    ranger_proxyuser_knox_groups = _no_group_
    ranger_proxyuser_knox_users = _no_user_

    If the Ranger KMS or Ranger KMS with KTS service is used in an environment in which custom Kerberos principals are configured, perform the following steps:
    1. In Cloudera Manager, go to Clusters > Ranger KMS > Configuration.
    2. Enter kms-site.xml in Search to find Advanced Configuration Snippet (Safety Valve) for conf/kms-site.xml.
    3. In Advanced Configuration Snippet (Safety Valve) for conf/kms-site.xml add the following configuration properties:
      • hadoop.kms.proxyuser.<custom-principal-name>.groups
      • hadoop.kms.proxyuser.<custom-principal-name>.hosts

        with a * value for the custom Kerberos principal names of the following services:

      • Hue
      • HDFS
      • HttpFS
      • Zeppelin
      • Livy
      • YARN
      • MapRed
      • Hive
      • Oozie
    4. Enter Proxy User in Search to find Proxy User Groups and Proxy User Hosts.
    5. Set a _no_group_ or _no_host_ value, respectively, for each of the existing Proxy User Groups and Proxy User Hosts properties for the default Kerberos principal names of the services mentioned above.
    6. Click Save Changes.
    7. Restart the Ranger KMS or Ranger KMS with KTS service.

    If your Ranger RMS service uses a custom principal name (for example, rangerrmsfoo0), you must configure HMS to use rangerrmsfoo0 as a super user. To do so:

    Add the following property using the HMS configuration page in Cloudera Manager, under Hive Service Advanced Configuration Snippet (Safety Valve) for core-site.xml:
    hadoop.proxyuser.rangerrmsfoo0.hosts=*

    Update the existing Hive Metastore Access Control and Ranger RMS Proxy User Hosts property (which is meant for the default principal name, rangerrms) from * to _no_host_.

    After updating all the properties above, use Cloudera Manager to Restart Stale Services.

    You can add auth-to-local rules using Cloudera Manager > HDFS > Configuration > Additional Rules to Map Kerberos Principals to Short Names.

  • Configuring Ranger Admin role with custom principals for a template-based install.
    If you use a template to set up a cluster with customized principals, you must configure the Ranger Admin role by adding properties and values in roleConfigGroups.
    1. Update the existing Ranger Knox proxy configs for the default knox principal.
      {
        "name": "ranger_proxyuser_knox_users",
        "value": "_no_user_"
      },
      {
        "name": "ranger_proxyuser_knox_groups",
        "value": "_no_group_"
      },
      {
        "name": "ranger_proxyuser_knox_hosts",
        "value": "_no_host_"
      }
    2. Update conf/ranger-admin-site.xml_role_safety_valve so that the Ranger Knox proxy configs are overridden for the custom knox principal name, for example knoxfoo0.
      {
        "name":  "conf/ranger-admin-site.xml_role_safety_valve",
        "value": "<property>
                    <name>ranger.proxyuser.knoxfoo0.users</name>
                    <value>*</value>
                  </property>
                  <property>
                    <name>ranger.proxyuser.knoxfoo0.groups</name>
                    <value>*</value>
                  </property>
                  <property>
                    <name>ranger.proxyuser.knoxfoo0.hosts</name>
                    <value>*</value>
                  </property>"
      }
    3. Add ranger.plugins.<service>.serviceuser config overrides in conf/ranger-admin-site.xml_role_safety_valve so that each Ranger plugin-supported service uses its custom principal name.
      For example, if the HDFS service uses the hdfsfoo0 principal, the config is ranger.plugins.hdfs.serviceuser=hdfsfoo0. This lets Ranger Admin create its default policies for the custom principal names.
      {
        "name":  "conf/ranger-admin-site.xml_role_safety_valve",
        "value": "<property>
                    <name>ranger.plugins.hdfs.serviceuser</name>
                    <value>hdfsfoo0</value>
                  </property>
                  <property>
                    <name>ranger.plugins.hive.serviceuser</name>
                    <value>hivefoo0</value>
                  </property>
                  <property>
                    <name>ranger.plugins.hbase.serviceuser</name>
                    <value>hbasefoo0</value>
                  </property>
                  <property>
                    <name>ranger.plugins.yarn.serviceuser</name>
                    <value>yarnfoo0</value>
                  </property>
                  <property>
                    <name>ranger.plugins.knox.serviceuser</name>
                    <value>knoxfoo0</value>
                  </property>
                  <property>
                    <name>ranger.plugins.kafka.serviceuser</name>
                    <value>kafkafoo0</value>
                  </property>
                  <property>
                    <name>ranger.plugins.atlas.serviceuser</name>
                    <value>atlas</value>
                  </property>
                  <property>
                    <name>ranger.plugins.impala.serviceuser</name>
                    <value>impalafoo0</value>
                  </property>
                  <property>
                    <name>ranger.plugins.cruise_control.serviceuser</name>
                    <value>cruisecontrolfoo0</value>
                  </property>
                  <property>
                    <name>ranger.plugins.schemaregistry.serviceuser</name>
                    <value>schemaregistryfoo0</value>
                  </property>
                  <property>
                    <name>ranger.plugins.streams_messaging_manager.serviceuser</name>
                    <value>streamsmsgmgrfoo0</value>
                  </property>
                  <property>
                    <name>ranger.plugins.streams_replication_manager.serviceuser</name>
                    <value>streamsrepmgrfoo0</value>
                  </property>
                  <property>
                    <name>ranger.plugins.solr.serviceuser</name>
                    <value>solrfoo0</value>
                  </property>"
      }
    4. If installing the RANGER_KMS service, you must add the configurations that specify the custom principal names of the HDFS, HBase, and Hive services into conf/ranger-admin-site.xml_role_safety_valve. This lets Ranger Admin create the default policies for these service principal names for the Ranger KMS service (cm_kms).
      {
        "name":  "conf/ranger-admin-site.xml_role_safety_valve",
        "value": "<property>
                    <name>ranger.kms.service.user.hdfs</name>
                    <value>hdfsfoo0</value>
                  </property>
                  <property>
                    <name>ranger.kms.service.user.hive</name>
                    <value>hivefoo0</value>
                  </property>
                  <property>
                    <name>ranger.kms.service.user.hbase</name>
                    <value>hbasefoo0</value>
                  </property>"
      }
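    As an added example (not Cloudera's code and not part of this page), the following Python helper generates, from one service-to-principal mapping, the ranger-admin-site.xml and kms-site.xml safety-valve properties described in the Ranger section above and the roleConfigGroups entries from the template-based steps. It assumes the three safety-valve fragments from steps 2 to 4 are merged into a single JSON-escaped value, and the mapping and principal names are constructed.

```python
import json
import xml.etree.ElementTree as ET

# Constructed mapping: Ranger plugin service -> custom principal (atlas keeps its default).
CUSTOM_PRINCIPALS = {"hdfs": "hdfsfoo0", "hive": "hivefoo0", "hbase": "hbasefoo0",
                     "knox": "knoxfoo0", "atlas": "atlas"}

# Built-in Ranger Admin knox proxy settings that must be neutralised once knox is custom.
DEFAULT_KNOX_OVERRIDES = {"ranger_proxyuser_knox_users": "_no_user_",
                          "ranger_proxyuser_knox_groups": "_no_group_",
                          "ranger_proxyuser_knox_hosts": "_no_host_"}


def ranger_admin_properties(custom, kms=False):
    """(name, value) pairs for the conf/ranger-admin-site.xml safety valve."""
    props = []
    knox = custom.get("knox")
    if knox and knox != "knox":  # proxy entries are only needed for a non-default knox principal
        props += [(f"ranger.proxyuser.{knox}.{s}", "*") for s in ("users", "groups", "hosts")]
    props += [(f"ranger.plugins.{svc}.serviceuser", p) for svc, p in custom.items()]
    if kms:  # Ranger KMS default policies are created for these three service users
        props += [(f"ranger.kms.service.user.{svc}", custom[svc])
                  for svc in ("hdfs", "hive", "hbase") if svc in custom]
    return props


def kms_site_properties(principals):
    """hadoop.kms.proxyuser.<principal>.{groups,hosts}=* pairs for the kms-site.xml safety valve."""
    return [(f"hadoop.kms.proxyuser.{p}.{s}", "*")
            for p in principals for s in ("groups", "hosts")]


def to_safety_valve_xml(props):
    """Serialise pairs as the <property> fragments a Cloudera Manager safety valve expects."""
    parts = []
    for name, value in props:
        prop = ET.Element("property")
        ET.SubElement(prop, "name").text = name
        ET.SubElement(prop, "value").text = value
        parts.append(ET.tostring(prop, encoding="unicode"))
    return "\n".join(parts)


def role_config_entries(custom, kms=False):
    """roleConfigGroups entries as valid JSON; the XML fragments go into ONE escaped string value."""
    entries = [{"name": k, "value": v} for k, v in DEFAULT_KNOX_OVERRIDES.items()]
    entries.append({"name": "conf/ranger-admin-site.xml_role_safety_valve",
                    "value": to_safety_valve_xml(ranger_admin_properties(custom, kms))})
    return json.dumps(entries, indent=2)


if __name__ == "__main__":
    print(role_config_entries(CUSTOM_PRINCIPALS, kms=True))
```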