Installing Ranger RMS

Ranger Resource Mapping Server (RMS) enables automatic translation of access policies from Hive to HDFS.

Legacy CDH users used Hive policies in Apache Sentry that automatically linked Hive permissions with HDFS ACLs. This was especially convenient for external table data used by Spark or Hive.

Previously, Ranger only supported managing Hive and HDFS policies separately. Ranger RMS (Resource Mapping Server) allows you to authorize access to HDFS directories and files using policies defined for Hive tables. RMS is the service that enables Hive-HDFS ACL Sync.

Ranger RMS requires:
  • A CDP Private Cloud Base 7.1.4+ cluster with Apache Ranger, Hive, and HDFS.
  • A host identified for Ranger RMS.

  1. On the cluster home page, click the More Options (ellipsis) icon, then click Add Service.
  2. Select Ranger RMS, then click Continue.
  3. On the Assign Roles page, click Continue.
  4. On the Review Changes page,

    If you would like to track managed tables, select the Enable Mapping Hive Managed Tables checkbox.

  5. On the Command Details page, select run options, then click Continue.
  6. On the Summary page, click Finish.
  7. In Cloudera Manager > Hive Service > Configuration, verify that the Hive Metastore Access Control and Ranger RMS Proxy User Hosts property, hadoop.proxyuser.rangerrms.hosts, is set to *.
  8. Log in to the Ranger Admin web UI. On the Service Manager page, click the Edit icon for the Hadoop SQL service, then verify that hdfs has been added to the tag.download.auth.users and policy.download.auth.users configurations.
  9. In Cloudera Manager, select HDFS > Configuration, then use the Search box to search for Advanced Configuration Snippet (Safety Valve) for ranger-hdfs-security.xml. Use the Add (+) icons to add the following properties, then click Save Changes.
    Name                                               Value
    ranger.plugin.hdfs.chained.services                cm_hive
    ranger.plugin.hdfs.chained.services.cm_hive.impl   org.apache.ranger.chainedplugin.hdfs.hive.RangerHdfsHiveChainedPlugin
    ranger.plugin.hdfs.privileged.user.names           admin,dpprofiler,hue,beacon,hive,impala
    ranger.plugin.hdfs.service.names                   hive,impala
  10. Click the HDFS Restart icon.
  11. On the Stale Configurations page, click Restart Stale Services.
  12. On the Restart Stale Services page, select the Re-deploy client configuration checkbox, then click Restart Now.
  13. A progress indicator page appears while the services are being restarted. When the services have restarted, click Finish.