Cloudera Docs

Configure Ranger Admin HA without SSL

Set up the load-balancer and enable Ranger Admin.

  1. Use SSH to connect to the cluster node where you will set up the load balancer. In this procedure, we use the IP address load-balancer-host-fqdn.
  2. Use the following command to switch to the /usr/local directory: 
    cd /usr/local
  3. Download the latest httpd file and its dependencies (apr and apr-util) from https://httpd.apache.org/download.cgi. For example: 
    wget https://archive.apache.org/dist/httpd/httpd-2.4.43.tar.gz
wget https://archive.apache.org/dist/apr/apr-1.7.0.tar.gz 
wget https://archive.apache.org/dist/apr/apr-util-1.6.1.tar.gz
  4. Extract the contents of these files: 
    tar -xvf httpd-2.4.43.tar.gz
tar -xvf apr-1.7.0.tar.gz 
tar -xvf apr-util-1.6.1.tar.gz
  5. Run the following commands to move apr and apr-util to the srclib directory under httpd: 
    mv apr-1.7.0/ apr
mv apr httpd-2.4.43/srclib/ 
mv apr-util-1.6.1/ apr-util
mv apr-util httpd-2.4.43/srclib/
  6. Install PCRE (Perl-Compatible Regular Expressions Library): 
    yum install pcre pcre-devel
  7. Install gcc (ANSI-C Compiler and Build System): 
    yum install gcc
  8. Install expat: 
    yum install expat-devel
  9. Run the following commands to configure the source tree: 
    cd /usr/local/httpd-2.4.43
./configure
  10. Run the following command to make the build: 
    make
  11. Run the install: 
    make install
  12. Run the following commands to start the Apache server: 
    cd /usr/local/apache2/bin
./apachectl start
  13. To confirm that httpd is running, run the following command: 
    curl localhost

    This should return: 

    <html><body><h1>It works!</h1></body></html>
  14. Run the following commands to create a backup conf file. 
    cd /usr/local/apache2/conf
cp httpd.conf ~/httpd.conf.backup
  15. Edit the httpd.conf file: 
    vi /usr/local/apache2/conf/httpd.conf

    Make the following updates:

    • If you are not running the load-balancer on the default port 80, change the default listening port in line Listen 80 to match the port setting.

    • Un-comment the following module entries (remove the # symbol at the beginning of each line):

      LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so
LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so

    • Update the ServerAdmin email address, or comment out that line.

      #ServerAdmin you@example.com

    • At the end of the httpd.conf file, add the following line to read the custom configuration file:

      Include conf/ranger-cluster.conf
  16. Create a custom conf file: 
    vi ranger-cluster.conf

    Make the following updates:

    • Add the following lines, then change the <VirtualHost *:88> port to match the default port you set in the httpd.conf file in the previous step.

      #
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these
# directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned.

#Listen 80
<VirtualHost *:88>
        ProxyRequests off
        ProxyPreserveHost on

        Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED

        <Proxy balancer://rangercluster>
                BalancerMember http://ranger-host1-fqdn:6080 loadfactor=1 route=1
                BalancerMember http://ranger-host2-fqdn:6080 loadfactor=1 route=2

                Order Deny,Allow
                Deny from none
                Allow from all

                ProxySet lbmethod=byrequests scolonpathdelim=On stickysession=ROUTEID maxattempts=1 failonstatus=500,501,502,503 nofailover=Off
        </Proxy>

        # balancer-manager
        # This tool is built into the mod_proxy_balancer
        # module and will allow you to do some simple
        # modifications to the balanced group via a gui
        # web interface.
        <Location /balancer-manager>
                SetHandler balancer-manager
                Order deny,allow
                Allow from all
        </Location>


       ProxyPass /balancer-manager !
       ProxyPass / balancer://rangercluster/
       ProxyPassReverse / balancer://rangercluster/

</VirtualHost>
  17. Run the following commands to restart the httpd server: 
    cd /usr/local/apache2/bin
./apachectl restart
  18. In Cloudera Manager, select Ranger, then select Actions > Add Role Instances.
  19. On the Add Role Instances page, click Select hosts.
  20. On the selected hosts page, the primary Ranger Admin host is selected by default. Select the backup Ranger host you specified previously (ranger-host2-fqdn) . A Ranger Admin (RA) icon appears in the Added Roles column for the selected backup host. Click OK to continue.
  21. The Add Role Instances page is redisplayed with the new backup host. Click Continue.
  22. Review the settings on the Review Changes page, then click Continue.
  23. Update the Ranger Load Balancer Address property (ranger.externalurl) with the load balancer host URL and port (load-balancer-host-fqdn:80), then click Save Changes.
  24. If Kerberos is configured on your cluster, complete the following steps to create a composite keytab.
    1. SSH into the Ranger Admin host, then create a keytabs directory. 
      mkdir /etc/security/keytabs/
    2. Copy the ranger.keytab from the current running process. 
      cp /var/run/cloudera-scm-agent/process/<current-ranger-process>/ranger.keytab /etc/security/keytabs/ranger.ha.keytab
    3. Run the following command to invoke kadmin.local. 
      kadmin.local
    4. Run the following command to add the SPNEGO principal entry on the load balancer node. 
      ktadd -norandkey -kt /etc/security/keytabs/ranger.ha.keytab HTTP/load-balancer-host@EXAMPLE.COM
    5. Run the following command to add the SPNEGO principal entry on the node where the first Ranger Admin is installed. 
      ktadd -norandkey -kt /etc/security/keytabs/ranger.ha.keytab HTTP/ranger-admin-host1@EXAMPLE.COM
    6. Run the following command to add the SPNEGO principal entry on the node where the second Ranger Admin is installed. 
      ktadd -norandkey -kt /etc/security/keytabs/ranger.ha.keytab HTTP/ranger-admin-host2@EXAMPLE.COM
    7. Run the following command to exit kadmin.local. 
      exit
    8. Run the following command to verify that the /etc/security/keytabs/ranger.ha.keytab file has entries for all of the required SPNEGO principals. 
      klist -kt /etc/security/keytabs/ranger.ha.keytab
    9. On the backup (ranger-admin-host2) Ranger Admin node, run the following command to create a keytabs folder. 
      mkdir /etc/security/keytabs/
    10. Copy the ranger.ha.keytab file from the primary Ranger Admin node (ranger-admin-host1) to the backup (ranger-admin-host2) Ranger Admin node. 
      scp /etc/security/keytabs/ranger.ha.keytab root@ranger-host2-fqdn:/etc/security/keytabs/ranger.ha.keytab
    11. Run the following commands on all of the Ranger Admin nodes. 
      chmod 440 /etc/security/keytabs/ranger.ha.keytab
chown ranger:hadoop /etc/security/keytabs/ranger.ha.keytab
  25. Update the following ranger-admin-site.xml configuration setting using the Safety Valve. 
    ranger.ha.spnego.kerberos.keytab=/etc/security/keytabs/ranger.ha.keytab
  26. Restart all cluster services that require a restart, then click Finish.
  27. Use a browser to check the load-balancer host URL (with port) as specified in the BalanceMember entries in the ranger-cluster.conf file. You should see the Ranger Admin page.