Activating Ranger for Services

Adding the Ranger Service to a cluster does not enable Ranger for each of the services automatically, even though policy repositories are configured for each. The services must enable Ranger integration independently.

After activating and restarting each service, test the integration with Ranger by exercising each service with both good and bad credentials. Review the logs of each service to confirm there are no Ranger credential or connectivity issues.

If the service has issues connecting or authorizing with Ranger, then it downloads the policies and does not function correctly. Each service attempts to authenticate with the Ranger service based on the way it is configured. In secure Kerberized environments, it uses the service keytab. In unsecured environments, it uses the service startup user.

In both methods, the user must be available in the Ranger users list. If the service user is not available, the service is not authorized. You can view this in the Ranger access logs as well. Add the user to the Users list. Contact Cloudera support for any assistance.

  • On your new cluster, navigate to the Ranger service.
  • Click the Actions drop-down and click Setup Ranger Plugin Service.
  • HDFS: In the HDFS service configuration, select Enable Ranger Authorization.
  • YARN: In the YARN service configuration, select Ranger Service.
  • Hive (Hive Metastore Integration): To enable the Hive Metastore integration with Ranger Hive Policies, select Ranger Service.
  • Hive On Tez: In the Hive On Tez service configuration, select Ranger Service.
  • HBase: In the HBase service configuration, select Ranger Service.
  • Kafka: In the Kafka service configuration, select Ranger Service.
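
A small triage helper for the log review step described above, added here as an example and not Cloudera's code: it sorts Ranger-related warnings and errors from each service log into credential and connectivity problems. The match patterns are heuristic assumptions rather than Ranger's exact messages, and the sample log lines are constructed.

```python
import re

# Heuristic patterns (assumptions, not Ranger's exact log messages).
CREDENTIAL = re.compile(
    r"\b401\b|\b403\b|unauthorized|authentication failed|GSSException|"
    r"LoginException|not authorized", re.I)
CONNECTIVITY = re.compile(
    r"ConnectException|connection refused|UnknownHostException|"
    r"SocketTimeoutException|timed out|no route to host", re.I)
LEVEL = re.compile(r"\b(ERROR|WARN|FATAL)\b")


def classify(line):
    """Return 'credential', 'connectivity', 'other', or None for one log line."""
    if "ranger" not in line.lower() or not LEVEL.search(line):
        return None  # not a Ranger-related warning or error
    if CREDENTIAL.search(line):
        return "credential"
    if CONNECTIVITY.search(line):
        return "connectivity"
    return "other"


def triage(logs):
    """logs: {service: iterable of lines} -> {service: {category: [lines]}}."""
    report = {}
    for service, lines in logs.items():
        for line in lines:
            category = classify(line)
            if category:
                report.setdefault(service, {}).setdefault(category, []).append(line.rstrip())
    return report


# Constructed sample lines for illustration; not output from a real cluster.
SAMPLE_LOGS = {
    "hdfs": [
        "2024-01-01 10:00:01 INFO  RangerPlugin: policies loaded for example_hdfs",
        "2024-01-01 10:05:01 ERROR RangerPlugin: policy download failed: HTTP 401 Unauthorized",
    ],
    "kafka": [
        "2024-01-01 10:00:02 WARN  RangerPlugin: java.net.ConnectException: Connection refused",
    ],
    "hbase": ["2024-01-01 10:00:03 INFO  RangerPlugin: policies loaded for example_hbase"],
}

if __name__ == "__main__":
    for service, categories in triage(SAMPLE_LOGS).items():
        print(service, {cat: len(found) for cat, found in categories.items()})
```

A service with a credential finding is a candidate for the missing-user case above, so check that its service user exists in the Ranger Users list.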