Configure Ranger Admin High Availability with a Load Balancer

For clusters that have multiple users and production availability requirements, you may want to configure Ranger high availability (HA) with a load-balancing proxy server to relay requests to and from Ranger.

Configure an external load balancer to use with Ranger HA.
In Cloudera Manager, select Ranger, then select Actions > Add Role Instances.
On the Add Role Instances page, click Select hosts.
On the selected hosts page, the primary Ranger Admin host is selected by default. Select your configured backup Ranger host (ranger-host2-fqdn). A Ranger Admin (RA) icon appears in the Added Roles column for the selected backup host. Click OK to continue.
The Add Role Instances page is redisplayed with the new backup host. Click Continue.
Review the settings on the Review Changes page, then click Continue.
Update the Ranger Load Balancer Address property (ranger.externalurl) with the load balancer host URL and port, then click Save Changes.

note
Do not use a trailing slash in the the load balancer host URL when updating the Ranger Load Balancer Address property.

Verify the load balancer principal is generated by CM. In Cloudera Manager > Administration > Security > Kerberos credentials, search for the load balancer hostname. You should be able to search the principal in the format : HTTP/<loadbalancer-hostname>@EXAMPLE.COM. If the load balancer principal hostname entry is not available, click Generate Missing Credentials on the same page and then search for the principal. After the load balancer principal is created by CM, restart the Ranger service after staleness.

note

If load balancer principal hostname is not showing even after generating missing credentials, use the following manual steps to create composite keytab.

Manual Steps for creating a composite keytab:
1. If Kerberos is configured on your cluster, use SSH to connect to the KDC server host.
   Use the kadmin.local command to access the Kerberos CLI, then check the list of principals
   for each domain where Ranger Admin and the load-balancer are installed.

   Note: This step assumes you are using an MIT KDC (and kadmin.local). This step will be different if you are using AD or IPA.
 
   kadmin.local
   kadmin.local: list_principals

   For example, if Ranger Admin is installed on <host1> and <host2>, and the load-balancer is installed on <host3>,
   the list returned should include the following entries:
    HTTP/ <host3>@EXAMPLE.COM
    HTTP/ <host2>@EXAMPLE.COM
    HTTP/ <host1>@EXAMPLE.COM
   
   If the HTTP principal for any of these hosts is not listed, use the following command to add the principal:
   kadmin.local: addprinc -randkey HTTP/<host3>@EXAMPLE.COM

   Note: This step will need to be performed each time the Spnego keytab is regenerated.

2. If Kerberos is configured on your cluster, complete the following steps to create a composite keytab:
   Note: These steps assume you are using an MIT KDC (and kadmin.local).
         These steps will be different if you are using AD or IPA.
 
   a. SSH into the Ranger Admin host, then create a keytabs directory.
      mkdir /etc/security/keytabs/

   b. Copy the ranger.keytab from the current running process.
      cp /var/run/cloudera-scm-agent/process/<current-ranger-process>/ranger.keytab /etc/security/keytabs/ranger.ha.keytab
      
   c. Run the following command to invoke kadmin.local.
      kadmin.local

   d. Run the following command to add the SPNEGO principal entry on the load balancer node.
      ktadd -norandkey -kt /etc/security/keytabs/ranger.ha.keytab HTTP/load-balancer-host@EXAMPLE.COM

      Note: As shown above, the domain portion of the URL must be in capital letters.
            You can use list_principals * to view a list of all of the principals. 

   e. Run the following command to add the SPNEGO principal entry on the node where the first Ranger Admin is installed.
      ktadd -norandkey -kt /etc/security/keytabs/ranger.ha.keytab HTTP/ranger-admin-host1@EXAMPLE.COM

   f. Run the following command to add the SPNEGO principal entry on the node where the second Ranger Admin is installed.
      ktadd -norandkey -kt /etc/security/keytabs/ranger.ha.keytab HTTP/ranger-admin-host2@EXAMPLE.COM

   g. Run the following command to exit kadmin.local.
      exit

   h. Run the following command to verify that the /etc/security/keytabs/ranger.ha.keytab file has entries for all required
      SPNEGO principals.
      klist -kt /etc/security/keytabs/ranger.ha.keytab

   i. On the backup (ranger-admin-host2) Ranger Admin node, run the following command to create a keytabs folder.
      mkdir /etc/security/keytabs/

   j. Copy the ranger.ha.keytab file from the primary Ranger Admin node (ranger-admin-host1) to the backup (ranger-admin-host2) Ranger Admin node.
      scp /etc/security/keytabs/ranger.ha.keytab root@ranger-host2-fqdn:/etc/security/keytabs/ranger.ha.keytab

   k. Run the following commands on all of the Ranger Admin nodes.
      chmod 440 /etc/security/keytabs/ranger.ha.keytab
      chown ranger:hadoop /etc/security/keytabs/ranger.ha.keytab

3. Update the following ranger-admin-site.xml configuration settings using the Safety Valve.
   ranger.spnego.kerberos.keytab=/etc/security/keytabs/ranger.ha.keytab
   ranger.spnego.kerberos.principal=*

Restart all other cluster services that require a restart, then click Finish.
Use a browser to check the load-balancer host URL (with port). You should see the Ranger Admin page.