Import Key Trustee KMS ACLs to Ranger KMS policies
This topic is intended to provide pre-upgrade checks about auth_to_local rules when importing Key trsutee KMS ACLs to Ranger KMS policies.
The "cm_kms" plugin repository for the Ranger KMS service is not present in the Ranger Admin UI for the "keyadmin" user.The role assigned to the "rangerkms" user is a non-admin role. Non-admin roles are not allowed to create, read, update, delete the policies in cm_kms plugin repository. By default, we set auth_to_local rules to convert rangerkms principal to user name 'keyadmin' and assign KeyAdmin role in ranger.
-
If custom rules are set in the CDH cluster, add the following two rules to HDFS
auth_to_local configuration, prior to upgrade.
- RULE:[2:$1@$0](rangeradmin@SUPPORT.COM)s/(.*)@SUPPORT.COM/ranger/
- RULE:[2:$1@$0](rangerkms@SUPPORT.COM)s/(.*)@SUPPORT.COM/keyadmin/
-
If above rules are not added prior to the upgrade, log in to Ranger Admin UI as
KeyAdmin user, and add KeyAdmin role to 'rangerkms' user. :
- Go to > "rangerkms" > Assign "Key Admin" role.