Customizing Kerberos principals

How to configure custom service principals in Cloudera Manager.

  • Use a different Kerberos principal for each service, so that the HDFS directories accessed by each service are easier to track.
  • If you are using ShellBasedUnixGroupsMapping to obtain user-group mappings, ensure that a UNIX account for each custom principal exists on every host of the cluster.
  • Ranger

    Ranger creates all plugin services and related policies with default service user names. If you customize the principal names using Cloudera Manager for any service, you must manually update all the policies and plugin service configs to use the customized principal names.

    By default, the Ranger audit directory is per service (for example, /ranger/audit/atlas for Atlas) and is owned by the service user (here, atlasfoo0 when Atlas uses that custom principal). If the Ranger audit directory is not accessible to the custom service principal, you must grant it access: add a Ranger HDFS policy for the Atlas service principal on the resource <auditdir>/atlas, for example /ranger/audit/atlas.

    Use one of the following three options to ensure that Ranger authorization (AuthZ) works correctly:

    Option 1: Manually add or update the plugin service configurations and default policies so that the Ranger plugins authorize the custom principals as the policies intend.

    For example, to customize the HadoopSQL policy:
    1. In the Ranger Admin Web UI > Service Manager > HadoopSQL, click Edit.
    2. Add the custom principal name used by each service to the following service configuration properties:
      • tag.download.auth.users
      • policy.download.auth.users
      • policy.grantrevoke.auth.users

    3. Update each default "all - *" policy, replacing the default service user with the custom principal name.

      Each service then uses the customized principal name instead of the default service user name.

    Option 2: If you have not added new policies or modified the existing default policies, you can instead rename the plugin service user mapping properties so that Ranger Admin generates its default policies for the custom principals.
    1. In Cloudera Manager, add the plugin service user mapping properties to the Ranger Admin safety valve for ranger-admin-site.xml, with the custom principal as the value. For example, if the default HDFS service user is hdfs and the custom principal is hdfsfoo0, set ranger.plugins.hdfs.serviceuser to hdfsfoo0, and so on for each service:
      Table 1. Ranger Plugin Service Names and Principals

      Ranger Plugin Service                    Property key                                              Property value
      HDFS                                     ranger.plugins.hdfs.serviceuser                           hdfsfoo0
      HBASE                                    ranger.plugins.hbase.serviceuser                          hbasefoo0
      HIVE                                     ranger.plugins.hive.serviceuser                           hivefoo0
      YARN                                     ranger.plugins.yarn.serviceuser                           yarnfoo0
      KAFKA                                    ranger.plugins.kafka.serviceuser                          kafkafoo0
      KNOX                                     ranger.plugins.knox.serviceuser                           knoxfoo0
      IMPALA                                   ranger.plugins.impala.serviceuser                         impalafoo0
      CRUISE CONTROL                           ranger.plugins.cruise_control.serviceuser                 cruisecontrolfoo0
      STREAMS REPLICATION MANAGER              ranger.plugins.streams_replication_manager.serviceuser    streamsrepmgrfoo0
      STREAMS MESSAGING MANAGER                ranger.plugins.streams_messaging_manager.serviceuser      streamsmsgmgrfoo0
      SOLR                                     ranger.plugins.solr.serviceuser                           solrfoo0
      SCHEMAREGISTRY                           ranger.plugins.schemaregistry.serviceuser                 schemaregistryfoo0
      OZONE                                    ranger.plugins.ozone.serviceuser                          ozonefoo0
      NIFI                                     ranger.plugins.nifi.serviceuser                           nififoo0
      NIFI REGISTRY                            ranger.plugins.nifiregistry.serviceuser                   nifiregistryfoo0
      RANGER TAGSYNC (Role in Ranger service)  ranger.plugins.tagsync.serviceuser                        rangertagsyncfoo0
    2. In Cloudera Manager > Ranger > Actions run Setup Plugin Services.

      This will create all Ranger plugin services with policies that give permissions to customized principals.

    If your Knox service uses a custom service principal (for example, knoxfoo0), add the following Ranger Knox proxy properties to the ranger-admin-site.xml safety valve:
    <property>
         <name>ranger.proxyuser.knoxfoo0.users</name>
         <value>*</value>
    </property>
    <property>
         <name>ranger.proxyuser.knoxfoo0.groups</name>
         <value>*</value>
    </property>
    <property>
         <name>ranger.proxyuser.knoxfoo0.hosts</name>
         <value>*</value>
    </property>

    The existing Ranger Knox Proxy properties shown in the Cloudera Manager UI for Ranger apply to the default service principal, knox. Set them to the following values so that the retired default user no longer holds wildcard impersonation rights:

    ranger_proxyuser_knox_hosts = _no_host_
    ranger_proxyuser_knox_groups = _no_group_
    ranger_proxyuser_knox_users = _no_user_

    If Ranger KMS or Ranger KMS with KTS is used in an environment with custom Kerberos principals, grant KMS proxy-user rights to the custom principals and remove them from the default principals:
    1. In Cloudera Manager, go to Clusters > Ranger KMS > Configuration.
    2. Enter kms-site.xml in Search to find Advanced Configuration Snippet (Safety Valve) for conf/kms-site.xml.
    3. In Advanced Configuration Snippet (Safety Valve) for conf/kms-site.xml, add the following properties, each with the value *, for the custom Kerberos principal name of each of the services listed below:
      • hadoop.kms.proxyuser.<custom-principal-name>.groups
      • hadoop.kms.proxyuser.<custom-principal-name>.hosts

      Services:

      • Hue
      • HDFS
      • HttpFS
      • Zeppelin
      • Livy
      • YARN
      • MapRed
      • Hive
      • Oozie
    4. Enter Proxy User in Search to find Proxy User Groups and Proxy User Hosts.
    5. For each existing Proxy User Groups and Proxy User Hosts property that refers to the default Kerberos principal name of one of the services above, set the value to _no_group_ or _no_host_ respectively.
    6. Click Save Changes.
    7. Restart the Ranger KMS or Ranger KMS with KTS service.

    If your Ranger RMS service uses a custom principal name (for example, rangerrmsfoo0), you must configure HMS to treat rangerrmsfoo0 as a super user (proxy user). To do so:

    In Cloudera Manager, on the Hive Metastore (HMS) configuration page, add the following property to Hive Service Advanced Configuration Snippet (Safety Valve) for core-site.xml:
    hadoop.proxyuser.rangerrmsfoo0.hosts=*

    Update the existing Hive Metastore Access Control and Ranger RMS Proxy User Hosts property (which applies to the default principal name, rangerrms) from * to _no_host_.

    After updating all the properties above, use Cloudera Manager to Restart Stale Services.
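    The Knox, Ranger KMS and Ranger RMS proxy-user steps above follow one pattern: grant impersonation to the custom principal, and neutralise the same grant for the retired default user, otherwise that default user keeps wildcard impersonation rights it no longer needs. The following script is an added example, not Cloudera's or Ranger's code: it parses a rendered *-site.xml, or a bare safety-valve fragment such as the Knox one above, and reports custom principals that are missing a grant and default users whose grant still holds a live value. The XML in it is constructed sample data; the property keys and _no_user_/_no_group_/_no_host_ values are the ones used on this page.

```python
"""Audit proxy-user (impersonation) grants after a service principal rename.

Added example, not Cloudera's or Ranger's code. Works on any Hadoop-style
<property><name/><value/></property> file and on bare safety-valve fragments.
All XML below is constructed sample data.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Sequence

# Value that neutralises a proxy-user grant for each facet, as used on this page.
NO_VALUE = {"users": "_no_user_", "groups": "_no_group_", "hosts": "_no_host_"}


def parse_properties(xml_text: str) -> Dict[str, str]:
    """Collect <name>/<value> pairs from a config file or a root-less fragment."""
    text = xml_text.strip()
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        # A safety-valve value is a list of <property> elements with no root element.
        root = ET.fromstring("<configuration>" + text + "</configuration>")
    props: Dict[str, str] = {}
    for prop in root.iter("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def proxyuser_grants(props: Dict[str, str], prefix: str) -> Dict[str, Dict[str, str]]:
    """Group '<prefix>.<user>.<facet>' keys as {user: {facet: value}}."""
    grants: Dict[str, Dict[str, str]] = {}
    for key, value in props.items():
        if not key.startswith(prefix + "."):
            continue
        user, sep, facet = key[len(prefix) + 1:].rpartition(".")
        if sep and user and facet in NO_VALUE:
            grants.setdefault(user, {})[facet] = value
    return grants


def audit(props: Dict[str, str], prefix: str, renamed: Dict[str, str],
          facets: Sequence[str] = ("users", "groups", "hosts")) -> List[str]:
    """renamed maps each default service user to its custom principal name.

    Returns one finding per problem: MISSING when the custom principal has no
    grant for a facet, STALE when the default user's grant is not neutralised.
    """
    grants = proxyuser_grants(props, prefix)
    findings: List[str] = []
    for default, custom in renamed.items():
        for facet in facets:
            if facet not in grants.get(custom, {}):
                findings.append(f"MISSING {prefix}.{custom}.{facet}: custom principal cannot impersonate")
            stale = grants.get(default, {}).get(facet)
            if stale is not None and stale != NO_VALUE[facet]:
                findings.append(f"STALE {prefix}.{default}.{facet}={stale!r}: retired default user "
                                f"still holds impersonation rights; set it to {NO_VALUE[facet]}")
    return findings


# Constructed: ranger-admin-site.xml after the knoxfoo0 fragment was added but
# before the Cloudera Manager properties for the default knox user were changed.
RANGER_BEFORE = """<configuration>
  <property><name>ranger.proxyuser.knox.users</name><value>*</value></property>
  <property><name>ranger.proxyuser.knox.groups</name><value>*</value></property>
  <property><name>ranger.proxyuser.knox.hosts</name><value>*</value></property>
  <property><name>ranger.proxyuser.knoxfoo0.users</name><value>*</value></property>
  <property><name>ranger.proxyuser.knoxfoo0.groups</name><value>*</value></property>
  <property><name>ranger.proxyuser.knoxfoo0.hosts</name><value>*</value></property>
</configuration>"""

# Same file after the knox defaults were set to _no_user_/_no_group_/_no_host_.
RANGER_AFTER = RANGER_BEFORE
for _facet, _none in NO_VALUE.items():
    RANGER_AFTER = RANGER_AFTER.replace(f"knox.{_facet}</name><value>*", f"knox.{_facet}</name><value>{_none}")

# Constructed kms-site.xml safety-valve fragment: hdfs was migrated, hive was not.
KMS_FRAGMENT = """
<property><name>hadoop.kms.proxyuser.hdfsfoo0.groups</name><value>*</value></property>
<property><name>hadoop.kms.proxyuser.hdfsfoo0.hosts</name><value>*</value></property>
<property><name>hadoop.kms.proxyuser.hdfs.groups</name><value>_no_group_</value></property>
<property><name>hadoop.kms.proxyuser.hdfs.hosts</name><value>_no_host_</value></property>
<property><name>hadoop.kms.proxyuser.hive.groups</name><value>*</value></property>
<property><name>hadoop.kms.proxyuser.hive.hosts</name><value>*</value></property>
"""


def main() -> None:
    checks = [
        ("Ranger Knox proxy (before)", RANGER_BEFORE, "ranger.proxyuser", {"knox": "knoxfoo0"}, ("users", "groups", "hosts")),
        ("Ranger Knox proxy (after)", RANGER_AFTER, "ranger.proxyuser", {"knox": "knoxfoo0"}, ("users", "groups", "hosts")),
        ("Ranger KMS", KMS_FRAGMENT, "hadoop.kms.proxyuser", {"hdfs": "hdfsfoo0", "hive": "hivefoo0"}, ("groups", "hosts")),
    ]
    for label, xml_text, prefix, renamed, facets in checks:
        findings = audit(parse_properties(xml_text), prefix, renamed, facets)
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  " + finding)


if __name__ == "__main__":
    main()
```

    For the HMS check described above, call audit with prefix hadoop.proxyuser, the mapping {"rangerrms": "rangerrmsfoo0"} and facets ("hosts",); for a real cluster, feed it the rendered configuration file rather than the constructed samples.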

    Option 3: Use auth-to-local rule mapping to map custom principals to default service user names.

    You can add auth-to-local rules, using Cloudera Manager > HDFS > Configuration > Additional Rules to Map Kerberos Principals to Short Names.
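    To check a rule set before pasting it into that field, here is an added example, not Cloudera's or Hadoop's code, that reimplements the auth_to_local grammar and matching semantics of Hadoop's KerberosName: RULE:[n:format](regex)s/pattern/replacement/[g][/L] and DEFAULT, where $0 is the realm, $1 the first principal component and $2 the host, and n must equal the number of components in the principal. The realm EXAMPLE.COM, the host names and the principals in it are constructed. Note how each rule pins the realm, so that a same-named principal from a trusted foreign realm is rejected rather than mapped to a service user; the last test rule shows what happens without that pin.

```python
"""Offline evaluator for Hadoop auth_to_local rules (Option 3 above).

Added example, not Cloudera's or Hadoop's code. Python regex is used in place
of Java regex, which is equivalent for the rule shapes shown here.
Realm, host names and principals are constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One rule per line. Each custom principal is pinned to the cluster realm so a
# same-named principal from a trusted foreign realm does not become a service user.
RULES = """
RULE:[1:$1@$0](hdfsfoo0@EXAMPLE.COM)s/.*/hdfs/
RULE:[2:$1@$0](hdfsfoo0@EXAMPLE.COM)s/.*/hdfs/
RULE:[2:$1@$0](hivefoo0@EXAMPLE.COM)s/.*/hive/
RULE:[2:$1@$0](knoxfoo0@EXAMPLE.COM)s/.*/knox/
DEFAULT
"""
DEFAULT_REALM = "EXAMPLE.COM"

RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]+)\]"     # [n:format]  $0=realm, $1=service, $2=host
    r"(?:\(([^)]*)\))?"             # optional (regex), must match the whole formatted string
    r"(?:s/([^/]*)/([^/]*)/(g)?)?"  # optional sed-style s/pattern/replacement/[g]
    r"(/L)?$"                       # optional /L: lowercase the result
)


@dataclass
class Rule:
    is_default: bool
    n: int = 0
    fmt: str = ""
    match: Optional[re.Pattern] = None
    frm: Optional[re.Pattern] = None
    to: str = ""
    repeat: bool = False
    lower: bool = False


def parse_rules(text: str) -> List[Rule]:
    """Parse whitespace-separated rules in the order Hadoop evaluates them."""
    rules: List[Rule] = []
    for tok in text.split():
        if tok == "DEFAULT":
            rules.append(Rule(is_default=True))
            continue
        m = RULE_RE.match(tok)
        if not m:
            raise ValueError(f"unparseable rule: {tok}")
        n, fmt, regex, frm, to, g, lower = m.groups()
        rules.append(Rule(False, int(n), fmt,
                          re.compile(regex) if regex is not None else None,
                          re.compile(frm) if frm is not None else None,
                          to or "", g is not None, lower is not None))
    return rules


def split_principal(principal: str) -> List[str]:
    """Return [realm, service, host?], the order Hadoop uses for $0, $1, $2."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not realm:
        raise ValueError(f"principal has no realm: {principal}")
    parts = name.split("/")
    if len(parts) > 2 or not all(parts):
        raise ValueError(f"malformed principal: {principal}")
    return [realm] + parts


def short_name(principal: str, rules: List[Rule], default_realm: str) -> str:
    """Apply the first matching rule; raise ValueError when none applies."""
    params = split_principal(principal)
    for r in rules:
        result = None
        if r.is_default:
            # DEFAULT only maps principals from the cluster's own realm.
            if params[0] == default_realm:
                result = params[1]
        elif len(params) - 1 == r.n:
            def expand(m: "re.Match") -> str:
                i = int(m.group(1))
                if i >= len(params):
                    raise ValueError(f"${i} is not available for a {r.n}-component principal")
                return params[i]
            base = re.sub(r"\$(\d+)", expand, r.fmt)
            if r.match is None or r.match.fullmatch(base):
                result = base if r.frm is None else r.frm.sub(r.to, base, count=0 if r.repeat else 1)
        if result is not None:
            if re.search(r"[/@]", result):   # Hadoop rejects non-simple short names
                raise ValueError(f"non-simple name {result!r} produced for {principal}")
            return result.lower() if r.lower else result
    raise ValueError(f"no rule applied to {principal}")


def try_short_name(principal: str, rules: List[Rule], default_realm: str) -> Optional[str]:
    """Like short_name, but returns None instead of raising for rejected principals."""
    try:
        return short_name(principal, rules, default_realm)
    except ValueError:
        return None


def check(rules_text: str = RULES, default_realm: str = DEFAULT_REALM) -> Dict[str, str]:
    """Map a few constructed principals, reporting rejections instead of raising."""
    rules = parse_rules(rules_text)
    out: Dict[str, str] = {}
    for p in ("hdfsfoo0/nn01.example.com@EXAMPLE.COM", "hdfsfoo0@EXAMPLE.COM",
              "alice@EXAMPLE.COM", "hdfsfoo0@PARTNER.COM"):
        try:
            out[p] = short_name(p, rules, default_realm)
        except ValueError as e:
            out[p] = f"REJECTED: {e}"
    return out


if __name__ == "__main__":
    for principal, mapped in check().items():
        print(f"{principal:45} -> {mapped}")
```

    A rule written without the realm, such as RULE:[1:$1](hdfsfoo0)s/.*/hdfs/, maps hdfsfoo0@PARTNER.COM to hdfs as well, which is why the realm belongs in the regex of every rule that yields a service user.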

  • Configuring Ranger Admin role with custom principals for a template-based install.
    If you use a template to set up a cluster with customized principals, you must configure the Ranger Admin role by adding the following properties and values in roleConfigGroups. Steps 2 to 4 all add properties to the same conf/ranger-admin-site.xml_role_safety_valve value.
    1. Update existing Ranger knox proxy configs for the default knox principal.
      {
        "name": "ranger_proxyuser_knox_users",
        "value": "_no_user_"
      },
      {
        "name": "ranger_proxyuser_knox_groups",
        "value": "_no_group_"
      },
      {
        "name": "ranger_proxyuser_knox_hosts",
        "value": "_no_host_"
      }
    2. Update conf/ranger-admin-site.xml_role_safety_valve to have the Ranger knox proxy configs override for knox custom principal name, for example: knoxfoo0.
      {
        "name":  "conf/ranger-admin-site.xml_role_safety_valve",
        "value": "<property>
                    <name>ranger.proxyuser.knoxfoo0.users</name>
                    <value>*</value>
                  </property>
                  <property>
                    <name>ranger.proxyuser.knoxfoo0.groups</name>
                    <value>*</value>
                  </property>
                  <property>
                    <name>ranger.proxyuser.knoxfoo0.hosts</name>
                    <value>*</value>
                  </property>"
      }
    3. Add a ranger.plugins.<service>.serviceuser override to conf/ranger-admin-site.xml_role_safety_valve for each Ranger plugin supported service, with the custom principal name used by that service.
      For example, if the HDFS service uses the hdfsfoo0 principal, the override is ranger.plugins.hdfs.serviceuser=hdfsfoo0. Ranger Admin then creates its default policies for the custom principal name.
      {
        "name":  "conf/ranger-admin-site.xml_role_safety_valve",
        "value": "<property>
                    <name>ranger.plugins.hdfs.serviceuser</name>
                    <value>hdfsfoo0</value>
                  </property>
                  <property>
                    <name>ranger.plugins.hive.serviceuser</name>
                    <value>hivefoo0</value>
                  </property>
                  <property>
                    <name>ranger.plugins.hbase.serviceuser</name>
                    <value>hbasefoo0</value>
                  </property>
                  <property>
                    <name>ranger.plugins.yarn.serviceuser</name>
                    <value>yarnfoo0</value>
                  </property>
                  <property>
                    <name>ranger.plugins.knox.serviceuser</name>
                    <value>knoxfoo0</value>
                  </property>
                  <property>
                    <name>ranger.plugins.kafka.serviceuser</name>
                    <value>kafkafoo0</value>
                  </property>
                  <property>
                    <name>ranger.plugins.atlas.serviceuser</name>
                    <value>atlas</value>
                  </property>
                  <property>
                    <name>ranger.plugins.impala.serviceuser</name>
                    <value>impalafoo0</value>
                  </property>
                  <property>
                    <name>ranger.plugins.cruise_control.serviceuser</name>
                    <value>cruisecontrolfoo0</value>
                  </property>
                  <property>
                    <name>ranger.plugins.schemaregistry.serviceuser</name>
                    <value>schemaregistryfoo0</value>
                  </property>
                  <property>
                    <name>ranger.plugins.streams_messaging_manager.serviceuser</name>
                    <value>streamsmsgmgrfoo0</value>
                  </property>
                  <property>
                    <name>ranger.plugins.streams_replication_manager.serviceuser</name>
                    <value>streamsrepmgrfoo0</value>
                  </property>
                  <property>
                    <name>ranger.plugins.solr.serviceuser</name>
                    <value>solrfoo0</value>
                  </property>"
      }
    4. If installing the RANGER_KMS service, you must also add the configurations that specify the custom principal names of the HDFS, HBase and Hive services to conf/ranger-admin-site.xml_role_safety_valve. Ranger Admin uses them to create the default policies for these principals in the Ranger KMS service (cm_kms).
      {
        "name":  "conf/ranger-admin-site.xml_role_safety_valve",
        "value": "<property>
                    <name>ranger.kms.service.user.hdfs</name>
                    <value>hdfsfoo0</value>
                  </property>
                  <property>
                    <name>ranger.kms.service.user.hive</name>
                    <value>hivefoo0</value>
                  </property>
                  <property>
                    <name>ranger.kms.service.user.hbase</name>
                    <value>hbasefoo0</value>
                  </property>"
      }