Installing Ranger RMS

Ranger Resource Mapping Server (RMS) enables automatic translation of access policies from Hive to HDFS.

Legacy CDH users used Hive policies in Apache Sentry that automatically linked Hive permissions with HDFS ACLs. This was especially convenient for external table data used by Spark or Hive.

Previously, Ranger only supported managing Hive and HDFS policies separately. Ranger RMS (Resource Mapping Server) allows you to authorize access to HDFS directories and files using policies defined for Hive tables. RMS is the service that enables Hive-HDFS ACL Sync.

Ranger RMS requires:
  • A CDP Private Cloud Base 7.1.4+ cluster with Apache Ranger, Hive, and HDFS.
  • Ranger RMS to be installed on a host where the Hive Gateway role (Hive_Gateway) is available.

  1. On the cluster home page, click the More Options (ellipsis) icon, then click Add Service.
  2. Select Ranger RMS, then click Continue.
  3. On Assign Roles, click View by Host.
  4. On View by Host, verify that the host on which you install Ranger RMS has the required Hive Gateway role assigned, then click Close.
    Figure 1. Verifying Hive Gateway role on a host
  5. On Assign Roles, click Continue.
  6. On the Review Changes page, if you would like to track managed tables, select the Enable Mapping Hive Managed Tables checkbox.

  7. On the Command Details page, select run options, then click Continue.
  8. On the Summary page, click Finish.
  9. In Cloudera Manager > Hive Service > Configuration, verify that the Hive Metastore Access Control and Ranger RMS Proxy User Hosts property, hadoop.proxyuser.rangerrms.hosts, is set to *.
  10. Log in to the Ranger Admin web UI. On the Service Manager page, click the Edit icon for the Hadoop SQL service, then verify that hdfs has been added to the tag.download.auth.users and policy.download.auth.users configurations.
  11. Configure Ranger policies with rangerrms user access before starting RMS and running the first sync from the Hive Metastore (HMS).
    For example, you must give the rangerrms ID select access to Hive tables. This is configured under the policy "all - database, table".
    Figure 2. Granting RMS user Select access to Hive tables
  12. In Cloudera Manager, select HDFS > Configuration, then use the Search box to search for Advanced Configuration Snippet (Safety Valve) for ranger-hdfs-security.xml. Use the Add (+) icons to add the following properties, then click Save Changes.
    Name                                               Value
    ranger.plugin.hdfs.chained.services                cm_hive
    ranger.plugin.hdfs.chained.services.cm_hive.impl   org.apache.ranger.chainedplugin.hdfs.hive.RangerHdfsHiveChainedPlugin
    ranger.plugin.hdfs.privileged.user.names           admin,dpprofiler,hue,beacon,hive,impala
    ranger.plugin.hdfs.service.names                   hive,impala
  13. Click the HDFS Restart icon.
  14. On the Stale Configurations page, click Restart Stale Services.
  15. On the Restart Stale Services page, select the Re-deploy client configuration checkbox, then click Restart Now.
  16. A progress indicator page appears while the services are being restarted. When the services have restarted, click Finish.
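
The following check is an added example, not part of the original page or of any Cloudera tooling: it parses a Hadoop-style XML rendering of the step 12 safety valve and reports properties that are missing or differ from the table, including unexpected entries in the privileged user list. The XML layout, the sample content, and the etl_svc user are constructed, and treating the two comma-separated lists as order-insensitive is an assumption.

```python
import xml.etree.ElementTree as ET

# Expected values, copied from the property table in step 12.
EXPECTED = {
    "ranger.plugin.hdfs.chained.services": "cm_hive",
    "ranger.plugin.hdfs.chained.services.cm_hive.impl":
        "org.apache.ranger.chainedplugin.hdfs.hive.RangerHdfsHiveChainedPlugin",
    "ranger.plugin.hdfs.privileged.user.names": "admin,dpprofiler,hue,beacon,hive,impala",
    "ranger.plugin.hdfs.service.names": "hive,impala",
}
# Assumption: these two are comma-separated sets, so entry order is ignored.
LIST_VALUED = {"ranger.plugin.hdfs.privileged.user.names",
               "ranger.plugin.hdfs.service.names"}

def load_properties(xml_text):
    """Parse Hadoop-style <configuration><property> XML into a dict."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        props[name] = (prop.findtext("value") or "").strip()
    return props

def check_rms_config(xml_text):
    """Return findings; an empty list means the file matches step 12."""
    props, findings = load_properties(xml_text), []
    for name, want in EXPECTED.items():
        got = props.get(name)
        if got is None:
            findings.append(f"missing: {name}")
        elif name in LIST_VALUED:
            have = {v.strip() for v in got.split(",") if v.strip()}
            need = set(want.split(","))
            if need - have:
                findings.append(f"{name}: lacks {sorted(need - have)}")
            if have - need:
                findings.append(f"{name}: unexpected {sorted(have - need)}")
        elif got != want:
            findings.append(f"{name}: expected {want!r}, found {got!r}")
    return findings

# Constructed sample: the .impl property is missing and an extra user is listed.
SAMPLE = """<configuration>
  <property><name>ranger.plugin.hdfs.chained.services</name><value>cm_hive</value></property>
  <property><name>ranger.plugin.hdfs.privileged.user.names</name>
    <value>admin,dpprofiler,hue,beacon,hive,impala,etl_svc</value></property>
  <property><name>ranger.plugin.hdfs.service.names</name><value>hive,impala</value></property>
</configuration>"""

if __name__ == "__main__":
    print("\n".join(check_rms_config(SAMPLE)) or "ok")
```

An unexpected entry in ranger.plugin.hdfs.privileged.user.names is worth reviewing before the restart in step 13, since that list names the accounts the HDFS plugin treats as privileged.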