Configuring custom Kerberos principal for Ranger

Use the steps given here to configure a custom Kerberos principal for Ranger.

  • Ranger

    Ranger creates all plugin services and related policies with default service user names. If you customize the principal names using Cloudera Manager for any service, you must manually update all the policies and plugin service configs to use the customized principal names.

    If your Ranger RMS service uses a custom principal name (for example, rangerrmsfoo0), you must configure HMS to use rangerrmsfoo0 as a super user. To do so:

    Add the following property using the HMS configuration page in Cloudera Manager > > Hive Service Advanced Configuration Snippet (Safety Valve) for core-site.xml:
    hadoop.proxyuser.rangerrmsfoo0.hosts=*

    Update the existing Hive Metastore Access Control and Ranger RMS Proxy User Hosts property (which is meant for the default principal name, rangerrms) from * to no_host_ .

    After updating all the properties above, use Cloudera Manager to Restart Stale Services.

    You can add auth-to-local rules using Cloudera Manager > HDFS > Configuration > Additional Rules to Map Kerberos Principals to Short Names.

  • Configuring Ranger Admin role with custom principals for a template-based install.
    If you use a template to set up a cluster with customized principals, you must configure the Ranger Admin role by adding properties and values in roleConfigGroups.
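To confirm the HMS proxy-user steps above after the restart, the following added example (not Cloudera's own code) parses a core-site.xml and reports whether the custom principal has a proxy-user hosts entry and whether the default rangerrms entry is still left at *. It assumes the Hive Metastore Access Control and Ranger RMS Proxy User Hosts property is rendered as hadoop.proxyuser.rangerrms.hosts, following the key shown for the custom name; the function names and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DEFAULT_USER = "rangerrms"  # default Ranger RMS principal name, per the page

# Constructed sample: custom entry added, default entry not yet changed from *.
SAMPLE_CORE_SITE = """<configuration>
  <property><name>hadoop.proxyuser.rangerrmsfoo0.hosts</name><value>*</value></property>
  <property><name>hadoop.proxyuser.rangerrms.hosts</name><value>*</value></property>
</configuration>"""


def proxyuser_hosts(core_site_xml):
    """Return {short_name: value} for every hadoop.proxyuser.<name>.hosts property."""
    prefix, suffix = "hadoop.proxyuser.", ".hosts"
    hosts = {}
    for prop in ET.fromstring(core_site_xml).iter("property"):
        name = (prop.findtext("name") or "").strip()
        value = (prop.findtext("value") or "").strip()
        if name.startswith(prefix) and name.endswith(suffix):
            hosts[name[len(prefix):-len(suffix)]] = value
    return hosts


def check_rms_proxyuser(core_site_xml, custom_user):
    """Return a list of problems; an empty list means both steps were applied."""
    hosts = proxyuser_hosts(core_site_xml)
    problems = []
    # Step 1: the custom principal needs its own proxy-user hosts entry.
    if not hosts.get(custom_user):
        problems.append(f"hadoop.proxyuser.{custom_user}.hosts is not set")
    # Step 2: the entry for the unused default principal must no longer be *.
    if custom_user != DEFAULT_USER and hosts.get(DEFAULT_USER) == "*":
        problems.append(
            f"hadoop.proxyuser.{DEFAULT_USER}.hosts is still * "
            "for the unused default principal"
        )
    return problems


if __name__ == "__main__":
    for line in check_rms_proxyuser(SAMPLE_CORE_SITE, "rangerrmsfoo0") or ["OK"]:
        print(line)
```

Run it against the core-site.xml that the HMS role actually loads, passing your own custom principal name in place of rangerrmsfoo0.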