Additional Steps for Apache Ranger

After installing Cloudera Manager and adding a cluster, there are additional steps required to complete the installation of Apache Ranger.

Enable Plugins

The Ranger plugins for HDFS and Solr may not be enabled by default. Ranger plugins enable Cloudera Manager stack components – such as HDFS and Solr – to connect to Ranger and access its authorization and audit services. Verify that the HDFS and Solr plugins are enabled after you install and start the Ranger service.
  1. To enable the HDFS plugin:
    1. Login to Cloudera Manager.
    2. Go to the HDFS Service status page.
    3. Click the Configuration tab.
    4. Search for the Enable Ranger Authorization configuration property.
    5. If the Enable Ranger Authorization property is not selected, select it and save the changes.
    6. Go to the Ranger Service status page and click Actions > Setup Ranger Plugin Service.
    7. Restart the HDFS service.
  2. To enable the Ranger Solr plugin:
    1. Login to Cloudera Manager.
    2. Go to the Solr Service status page.
    3. Click the Configuration tab.
    4. Search for the Enable Ranger Authorization configuration property.
    5. If the Enable Ranger Authorization property is not selected, select it and save the changes.
    6. Restart the Solr service.

Add Solr WebUI Users

Add the username of any users to the Ranger Solr policy who should have access to the Solr Web UI in the Ranger Policy for Solr. The user should have full access privileges.

Update the Time-to-live configuration for Ranger Audits

  1. Download the Ranger audits configurations to your SolrServer or Solr gateway host, by running the following command on the host:
    solrctl instancedir --get ranger_audits /tmp/ranger_audits
    
  2. Open the following file in a text editor:
    tmp/ranger_audits/conf/solrconfig.xml
  3. Edit the TTL section in this file to change the value of the following parameter to the appropriate value (the default value is 90 days):
    <str name="fieldName">ttl</str>
    <str name="value">+90DAYS</str>
  4. Upload the new configuration by running the following command on the host:
    solrctl --jaas [***solr-jaas.conf***] instancedir --update ranger_audits /tmp/ranger_audits
    For information on creating a jaas.conf file, see Enabling Solr clients to authenticate with a secure Solr.
  5. Reload the ranger_audits collection with the Solr credentials so that the collection can pick up the modified configuration by running the following command:
    solrctl collection --reload ranger_audits
  1. Verify Ranger Configurations
    • Verify that the username of any user who needs access to the Solr Web UI has been added to the Ranger Policy for Solr, and the user has full access privileges.
    • Verify that the Time-to-live value is set appropriately by examining this file on the SolrServer or Solr gateway host:
      1. Download the configuration:
        solrctl instancedir --get ranger_audits /tmp/ranger_audits
        
      2. Open the tmp/ranger_audits/conf/solrconfig.xml file and examine the ttl parameter (identified by: <str name="fieldName">ttl</str>).
      3. If you need to change the value, edit the file and then reload the configuration by running the following command:
        solrctl collection --reload ranger_audits