Installing Ranger RMS

Ranger Resource Mapping Server (RMS) enables automatic translation of access policies from Hive to HDFS.

Legacy CDH users used Hive policies in Apache Sentry that automatically linked Hive permissions with HDFS ACLs. This was especially convenient for external table data used by Spark or Hive.

Previously, Ranger only supported managing Hive and HDFS policies separately. Ranger RMS (Resource Mapping Server) allows you to authorize access to HDFS directories and files using policies defined for Hive tables. RMS is the service that enables Hive-HDFS ACL Sync.

You must have installed:

A CDP Private Cloud Base 7.1.4 or higher version cluster with Apache Ranger, Hive, and HDFS.
Ranger RMS on the host where Hive_Gateway is available.

On the cluster home page, click , then click Add Service.
Select Ranger RMS, then click Continue.
On Assign Roles, click View by Host.
On View by Host, verfiy that the host on which you install Ranger RMS has the required Hive Gateway role assigned, then click Close.

Figure 1. Verifying Hive Gateway role on a host
On Assign Roles, click Continue.
On Review Changes,

note

Ranger RMS uses the same database settings that are used in Ranger.

Ranger RMS should be installed in the same database instance as Ranger.

If Ranger service is using SSL-enabled database, make sure to have the database certificate / keystore / truststore file used by Ranger to connect to the SSL-enabled database present on the node where Ranger RMS is installed.

To track managed tables, select the Enable Mapping Hive Managed Tables option.

note
If you are adding Ranger RMS in a cluster with SSL enabled, the Enable TLS/SSL for Ranger RMS Server option should be selected by default.
On the Command Details page, select run options, then click Continue.
On the Summary page, click Finish.

important
Do not start the Ranger RMS service before completing the following additional configuration steps. Ranger RMS restarts when you restart stale services after completing configuration changes.
In Cloudera Manager > Hive Service > Configuration verify that the Hive Metastore Access Control and Ranger RMS Proxy User Hosts property, hadoop.proxyuser.rangerrms.hosts is set to *.

note
rangerrms user is given superuser privilege only for the HiveMetaStore service, so rangerrms can access metadata information without an explicit Ranger policy allowing it necessary permissions. However, Hive operations such as drop database must be authorized in the hive-server2 by Ranger policies. You must create an appropriate Ranger policy which grants the user executing this command the required permission to do so.
Log in to the Ranger Admin web UI. On the Service Manager page, click Edit for the Hadoop SQL service, then verify that hdfs has been added to the tag.download.auth.users and policy.download.auth.users configurations.
Configure Ranger policies with rangerrms user access before starting RMS and running the first sync from the Hive Metastore (HMS).
For example, you must give the rangerrms ID select access to Hive tables. This is configured under the policy "all - database, table".

Figure 2. Granting RMS user Select access to Hive tables

In Cloudera Manager, select HDFS > Configuration, then search for Advanced Configuration Snippet (Safety Valve) for ranger-hdfs-security.xml. Use the Add (+) icons to add the following properties, then click Save Changes.


Name	Value
ranger.plugin.hdfs.chained.services	cm_hive
ranger.plugin.hdfs.chained.services.cm_hive.impl	org.apache.ranger.chainedplugin.hdfs.hive.RangerHdfsHiveChainedPlugin
ranger.plugin.hdfs.privileged.user.names	admin,dpprofiler,hue,beacon,hive,impala
ranger.plugin.hdfs.service.names	hive,impala

Click HDFS Restart.
On the Stale Configurations page, click Restart Stale Services.
On the Restart Stale Services page, select the Re-deploy client configuration option, then click Restart Now.
Click Finish after the services restart.