Cloudera Docs

Import Key Trustee KMS ACLs to Ranger KMS policies

This topic is intended to provide pre-upgrade checks about auth_to_local rules when importing Key trsutee KMS ACLs to Ranger KMS policies.

The "cm_kms" plugin repository for the Ranger KMS service is not present in the Ranger Admin UI for the "keyadmin" user.The role assigned to the "rangerkms" user is a non-admin role. Non-admin roles are not allowed to create, read, update, delete the policies in cm_kms plugin repository. By default, we set auth_to_local rules to convert rangerkms principal to user name 'keyadmin' and assign KeyAdmin role in ranger.

  1. If custom rules are set in the CDH cluster, add the following two rules to HDFS auth_to_local configuration, prior to upgrade.
    1. RULE:[2:$1@$0](rangeradmin@SUPPORT.COM)s/(.*)@SUPPORT.COM/ranger/
    2. RULE:[2:$1@$0](rangerkms@SUPPORT.COM)s/(.*)@SUPPORT.COM/keyadmin/
  2. If above rules are not added prior to the upgrade, log in to Ranger Admin UI as KeyAdmin user, and add KeyAdmin role to 'rangerkms' user.  :
    1. Go to Ranger UI > Security > Users/Groups/Roles > "rangerkms" > Assign "Key Admin" role.