Configuring custom Kerberos principal for Ranger

Use the steps given here to configure a custom Kerberos principal for Ranger.

Ranger
Ranger creates all plugin services and related policies with default service user names. If you customize the principal names using Cloudera Manager for any service, you must manually update all the policies and plugin service configs to use the customized principal names.

note
If using Ranger KMS / Ranger KMS KTS service in a custom principal environment, you must update the Hadoop KMS Blacklist Decrypt EEK property to have custom hdfs principal value in Ranger KMS / Ranger KTS service.

If your Ranger RMS service uses a custom principal name (for example - rangerrmsfoo0), you must configure HMS to use rangerrmsfoo0 as a super user. To do so,
Add the following property using the HMS configuration page in Cloudera Manager > > Hive Service Advanced Configuration Snippet (Safety Valve) for core-site.xml:
```
hadoop.proxyuser.rangerrmsfoo0.hosts=*
```
Update the existing Hive Metastore Access Control and Ranger RMS Proxy User Hosts property (which is meant for default principal name - rangerrms) from * to no_host_ .
After updating all the properties above, use Cloudera Manager to Restart Stale Services.

note
If you manage the auth-to-local rules, use auth-to-local rule mapping to map custom principals to default service user names.

important
Default audit filter is configured in serviceDef with default service user. Audit filter is created at the time of service creation with default service user. Audit filter contains service user across components and not just restricted to a service for which it is been created. Hence you must update custom service user while using the Custom Kerberos Principal cluster.

You can add auth-to-local rules, using Cloudera Manager > HDFS > Configuration > Additional Rules to Map Kerberos Principals to Short Names.
note
You must configure Ranger Admin to add Audit Filters:
If you set up custom service principals for a cluster, you must

Update the ranger.accesslogs.exclude.users.list property to use the custom principal names and then restart Ranger Admin.

Manually update the required users in the audit-filters in each plugin service config.
in order to ensure accurate audit logging.
Configuring Ranger Admin role with custom principals for a template-based install.
If you use a template to set up a cluster with customized principals, you must configure the Ranger Admin role, by adding properties and values in roleConfigGroups.