This document details the steps involved in installing the latest version of Apache Ranger (incubating) independently on RHEL, Ubuntu, SUSE, or Debian.
Installation of Ranger includes the following components. Plan to install and configure them in the same order.
Ranger Admin Portal - This is the UI portal and RESTful server for managing policies, users, and groups. It also contains the UI for audit queries and ad hoc reports.
Ranger UserSync - This is a standalone server with a dual purpose. It synchronizes users/groups from a Unix system or LDAP into Ranger Admin, and it can also act as an authentication server that lets Ranger Admin use Linux user/password credentials for login.
Ranger KMS - This service provides key management for Hadoop HDFS Transparent Data Encryption (TDE). It is highly scalable and provides access control and auditing. This service is optional and only needed if you plan to use HDFS TDE.
Component Plugins - Ranger provides authorization and auditing for the following Apache projects. Apache Ranger version 0.5.x is compatible only with the component versions mentioned below. Install and enable the plugins only for those components for which you want to enable Ranger authorization and auditing.
Component name | Version | Reference |
---|---|---|
HDFS | 2.7.0 | https://hadoop.apache.org/releases.html |
HIVE | 1.2.0 | https://hive.apache.org/downloads.html |
HBase | 1.1.0.1 | http://hbase.apache.org/ |
Knox | 0.6.0 | http://knox.apache.org/ |
Solr | 5.2.1 | http://lucene.apache.org/solr/ |
Storm | 0.10.0-beta1 | https://storm.apache.org/downloads.html |
YARN | 2.7.0 | http://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/YARN.html |
Dependent Services: Refer to Prerequisites section
Product | Vendors | Purpose |
---|---|---|
JDK | OpenJDK 1.7, Sun JDK 1.7 | Run Ranger Admin and Ranger KMS |
RDBMS | MySQL 5.7+, Oracle (latest), Postgres (latest), SQL Server (latest) | Store policies, users/groups, and audit logs |
Solr | Apache Solr 5.2.1+ | Store audit logs (used by the Admin UI for audit queries) |
HDFS | Apache HDFS 2.7+ | Store audit logs for archival |
Kerberos | MIT, Microsoft AD | Even though not mandatory for installing and using Ranger, it is strongly recommended to enable Kerberos in your Hadoop environment. This ensures all requests are authenticated, which is very important for authorization and auditing. Without Kerberos, users would be able to impersonate other users and work around any authorization policies. |
Since Apache Ranger is still an incubating project, a binary distribution is not yet available. To install Apache Ranger, you will need to build from source. The instructions below are for building on a RHEL or CentOS 6+ Linux server.
You need to log in as root or have "sudo" access to install some of the build tools.
Maven - required to build the project:
```
cd /usr/local
# Download the latest Maven distribution tar from the Apache Maven site
# https://maven.apache.org/download.cgi
tar -xvf apache-maven-<Version>-bin.tar.gz
export M2_HOME=/usr/local/apache-maven-<Version>
export M2=$M2_HOME/bin
export PATH=$M2:$PATH
# Now test your install of Maven with the following command
mvn -version
```
Git - required to download the source code from the Apache Ranger git repository:
```
yum install git
```
gcc - this is optional; it is required only if you are using Linux /etc/passwd authentication to log into Ranger Admin. It is not required if you are using Ranger Admin local user/password or LDAP for authentication.
```
yum install gcc
```
Ranger supports MySQL, Oracle, MS SQL Server, and PostgreSQL. Please refer to the official installation instructions on the vendor site. This section gives quick instructions for installing MySQL. For full details, please refer to http://dev.mysql.com/doc/mysql-yum-repo-quick-guide/en.
If you are using Red Hat or CentOS, find out the version of your distribution:
```
$ cat /etc/issue
CentOS release 6.6 (Final)
Kernel \r on an \m
```
Go to http://dev.mysql.com/downloads/repo/yum and download the release package for your platform.
```
sudo rpm -Uvh platform-and-version-specific-package-name.rpm
# Example
sudo rpm -Uvh mysql-community-release-el6-5.noarch.rpm
yum repolist all | grep mysql
yum repolist enabled | grep mysql
mysql-connectors-community   MySQL Connectors Community   14
mysql-tools-community        MySQL Tools Community        25
mysql56-community            MySQL 5.6 Community Server   180
# By default 5.6 is enabled. If you want to install 5.7, refer to the document to enable it
sudo yum install mysql-community-server
service mysqld start
/usr/bin/mysql_secure_installation
```
You will also need the MySQL JDBC driver. Download it from http://dev.mysql.com/downloads/connector/j and unzip/untar it. Copy the .jar to a common location where everyone can access it, e.g. /usr/share/java.
```
mkdir ~/dev
cd ~/dev
git clone https://github.com/apache/incubator-ranger.git
cd incubator-ranger
git checkout ranger-0.5
```
```
cd ~/dev/incubator-ranger
export MAVEN_OPTS="-Xmx512M"
export JAVA_HOME=<Java Installation Directory>
# e.g. export JAVA_HOME=/usr/lib/jvm/java
# Make sure your java version is 1.7.x
$JAVA_HOME/bin/java -version
java version "1.7.0_79"
OpenJDK Runtime Environment (rhel-2.5.5.3.el6_6-x86_64 u79-b14)
OpenJDK 64-Bit Server VM (build 24.79-b02, mixed mode)
export PATH=$JAVA_HOME/bin:$PATH
mvn clean compile package assembly:assembly install
ls target/*.tar.gz
ranger-0.5.0-admin.tar.gz         ranger-0.5.0-kms.tar.gz            ranger-0.5.0-storm-plugin.tar.gz
ranger-0.5.0-hbase-plugin.tar.gz  ranger-0.5.0-knox-plugin.tar.gz    ranger-0.5.0-usersync.tar.gz
ranger-0.5.0-hdfs-plugin.tar.gz   ranger-0.5.0-migration-util.tar.gz ranger-0.5.0-yarn-plugin.tar.gz
ranger-0.5.0-hive-plugin.tar.gz   ranger-0.5.0-solr-plugin.tar.gz    ranger-0.5.0-kafka-plugin.tar.gz
ranger-0.5.0-src.tar.gz
```
Verify all the tar files under the target directory:
```
cd /usr/local
sudo tar zxvf ~/dev/incubator-ranger/target/ranger-0.5.0-admin.tar.gz
sudo ln -s ranger-0.5.0-admin ranger-admin
cd /usr/local/ranger-admin
```
Ranger stores audit logs in Solr. The Ranger Admin UI depends on Solr for running ad hoc queries on audit logs. Please refer to the following link to install and configure Solr for Ranger audits.
2. Update the install.properties
2.1 Configure the database properties. For MySQL, you will need to use the root password that you picked while installing MySQL.
```
db_root_user=root
db_root_password=root
db_host=localhost
```
c. The install process will create a couple of users in the database for storing administration and audit information; pick passwords for those too. With my choices, here's how the relevant sections of the install.properties file look:
```
# DB UserId used for the XASecure schema
db_name=ranger
db_user=rangeradmin
db_password=rangeradmin

# DB UserId for storing audit log information
audit_db_name=ranger
audit_db_user=rangerlogger
audit_db_password=rangerlogger
```
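For reference, what setup.sh does for these database accounts looks roughly like the following. This is a sketch of the MySQL grants only, not a step you normally run by hand — setup.sh handles it — and the database/user names are the sample values from the fragment above.

```shell
# Roughly what setup.sh does for the MySQL accounts (sketch -- setup.sh
# normally handles this; values match the sample install.properties above).
mysql -u root -p <<'SQL'
CREATE DATABASE IF NOT EXISTS ranger;
GRANT ALL PRIVILEGES ON ranger.* TO 'rangeradmin'@'localhost' IDENTIFIED BY 'rangeradmin';
GRANT ALL PRIVILEGES ON ranger.* TO 'rangerlogger'@'localhost' IDENTIFIED BY 'rangerlogger';
FLUSH PRIVILEGES;
SQL
```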
d. Ranger allows you to get fancier with security and authentication modes, but for now let's leave the rest of this file as it is.
e. Once all the required properties are updated, run the setup.sh script:
```
./setup.sh
```
f. The setup script sets up the database user/tables using the properties in install.properties, lays down the binaries, and sets up the init.d scripts.
g. Once installed, the Ranger Admin service can be started with the following command:
```
ranger-admin start
```
h. The ranger-admin script supports the following options:
```
Start the Ranger Admin service   : ranger-admin start
Stop the Ranger Admin service    : ranger-admin stop
Restart the Ranger Admin service : ranger-admin restart
```
i. You can verify the installation by visiting the external URL of the server in a browser, for example:
```
http://<Host_Address>:6080
```
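Besides the browser check, you can probe the Admin REST endpoint from the shell. This is a sketch against a live server; the admin/admin credentials (the Ranger default) and localhost are assumptions — adjust them for your install.

```shell
# Probe the Ranger Admin public REST API and print only the HTTP status code.
# admin:admin is the default login and an assumption here -- change it if you
# have already reset the password.
curl -s -o /dev/null -w "%{http_code}\n" -u admin:admin \
  "http://localhost:6080/service/public/api/repository"
```

A 200 status indicates Ranger Admin is up and its REST API is reachable.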
Configuring Ranger Admin Authentication Modes
Ranger Admin supports three authentication methods: Active Directory, LDAP, and Unix.
To enable Active Directory authentication for Ranger Admin, configure the following properties in install.properties:
PROPERTY | VALUE | DESCRIPTION |
---|---|---|
authentication_method | ACTIVE_DIRECTORY | The authentication method to use. |
xa_ldap_ad_domain | E.g. : “example.com” | |
xa_ldap_ad_url | E.g. : “ldap://127.0.0.1:389” | Ldap server URL. |
xa_ldap_ad_base_dn | E.g. : “DC=example,DC=com” | The Distinguished Name (DN) of the starting point for directory server searches. |
xa_ldap_ad_bind_dn | E.g. : | Full distinguished name (DN), including common name (CN), of an Active Directory user account that has privileges to search for users. This user account must have at least domain user privileges. |
xa_ldap_ad_bind_password | | Password for the account that can search for users. |
xa_ldap_ad_referral | Possible values are "ignore", "follow" and "throw". Default value is "follow". | When searching a directory, the server might return several search results, in addition to a few continuation references that show where to obtain further results. These results and references might be interleaved at the protocol level. When this property is set to "follow", the AD service provider processes all the normal entries first, before following the continuation references. When it is set to "throw", all the normal entries are returned in the enumeration first, before the ReferralException is thrown. By contrast, a "referral" error response is processed immediately when the property is set to "follow" or "throw". |
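Putting the table together, a filled-in install.properties fragment for AD authentication might look like the following. All values (domain, host, bind account, password) are sample placeholders, not values from your environment:

```
authentication_method=ACTIVE_DIRECTORY
xa_ldap_ad_domain=example.com
xa_ldap_ad_url=ldap://127.0.0.1:389
xa_ldap_ad_base_dn=DC=example,DC=com
xa_ldap_ad_bind_dn=CN=adadmin,CN=Users,DC=example,DC=com
xa_ldap_ad_bind_password=secret
xa_ldap_ad_referral=follow
```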
PROPERTY | VALUE | DESCRIPTION |
---|---|---|
authentication_method | LDAP | |
xa_ldap_url | E.g. : "ldap://127.0.0.1:389" | Ldap server URL |
xa_ldap_userDNpattern | E.g. : "uid={0},ou=users,dc=example,dc=com" | User DN pattern is expanded when a user is being logged in. For example, if the user ‘ldapadmin’ attempted to log in, the LDAP Server would attempt to bind against the DN ‘uid=ldapadmin,ou=users,dc=example,dc=com’ using the password the user provided |
xa_ldap_groupSearchBase | E.g. : "dc=example,dc=com" | Defines the part of the directory tree under which group searches should be performed. |
xa_ldap_groupSearchFilter | E.g. : "(member=cn={0},ou=users,dc=example,dc=com)" | The filter which is used to search for group membership. The default is uniqueMember={0}, corresponding to the groupOfUniqueNames LDAP class. In case of Ranger authentication, the substituted parameter is the full distinguished name of the user. The parameter {0} can be used if you want to filter on the login name. |
xa_ldap_groupRoleAttribute | E.g. : "cn" | The attribute which contains the name of the authority defined by the group entry. |
xa_ldap_base_dn | E.g. : "dc=example,dc=com" | The Distinguished Name (DN) of the starting point for directory server searches. |
xa_ldap_bind_dn | E.g. : "cn=ldapadmin,ou=users,dc=example,dc=com" | Full distinguished name (DN), including common name (CN), of an LDAP user account that has privileges to search for users. |
xa_ldap_bind_password | | Password for the account that can search for users. |
xa_ldap_referral | Possible values are "ignore", "follow" and "throw". Default value is "follow". | When searching a directory, the server might return several search results, in addition to a few continuation references that show where to obtain further results. These results and references might be interleaved at the protocol level. When this property is set to "follow", the LDAP service provider processes all the normal entries first, before following the continuation references. When it is set to "throw", all the normal entries are returned in the enumeration first, before the ReferralException is thrown. By contrast, a "referral" error response is processed immediately when the property is set to "follow" or "throw". |
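To see what xa_ldap_userDNpattern does at login time, here is a minimal shell sketch of the substitution: the {0} placeholder is replaced by the login name before Ranger binds against the LDAP server. The DN values are the samples from the table, not real entries.

```shell
# The "{0}" placeholder in xa_ldap_userDNpattern is replaced with the
# login name the user typed; the result is the DN used for the LDAP bind.
pattern="uid={0},ou=users,dc=example,dc=com"
login="ldapadmin"

bind_dn="${pattern/\{0\}/$login}"
echo "$bind_dn"   # uid=ldapadmin,ou=users,dc=example,dc=com
```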
PROPERTY | VALUE | DESCRIPTION |
---|---|---|
authentication_method | UNIX | |
remoteLoginEnabled | true | |
authServiceHostName | E.g. : localhost | Address of the host where the unixauth service is running. |
authServicePort | 5151 | Port number on which the unixauth service is running; default is 5151. |
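For Unix authentication the resulting install.properties fragment is short. A sample, using the default host and port shown in the table (adjust for your environment):

```
authentication_method=UNIX
remoteLoginEnabled=true
authServiceHostName=localhost
authServicePort=5151
```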
Configuring Ranger Admin HA Mode
Installing Ranger UserSync Process

```
cd /usr/local
sudo tar zxvf ~/dev/incubator-ranger/target/ranger-0.5.0-usersync.tar.gz
sudo ln -s ranger-0.5.0-usersync ranger-usersync
sudo mkdir -p /var/log/ranger-usersync
sudo chown ranger /var/log/ranger-usersync
sudo chgrp ranger /var/log/ranger-usersync
```
Edit the install.properties file and fill out relevant information.
```
POLICY_MGR_URL = http://localhost:6080
SYNC_SOURCE = unix
logdir = /var/log/ranger/usersync
```
```
export JAVA_HOME=<pathToJavaHome>
./setup.sh
```

After installing Ranger UserSync, start the service:

```
./ranger-usersync-services.sh start
```
h. The ranger-usersync script supports the following options:
```
Start the Ranger Usersync service   : ranger-usersync start
Stop the Ranger Usersync service    : ranger-usersync stop
Restart the Ranger Usersync service : ranger-usersync restart
```
Configuring Ranger UserSync process to use LDAP/AD server
PROPERTY | DESCRIPTION | COMMENTS |
---|---|---|
SYNC_LDAP_USER_OBJECT_CLASS | Object class to identify user entries. | Please customize the value to suit your deployment. |
SYNC_LDAP_USER_SEARCH_FILTER | Optional additional filter constraining the users selected for syncing. | Please customize the value to suit your deployment. |
SYNC_LDAP_USER_NAME_ATTRIBUTE | Attribute from user entry that would be treated as user name | Please customize the value to suit your deployment. |
SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE | Attribute from user entry whose values would be treated as group values to be pushed into Policy Manager database. You could provide multiple attribute names separated by comma. | Please customize the value to suit your deployment. |
SYNC_LDAP_USERNAME_CASE_CONVERSION | UserSync Case Conversion Flags. | Possible values: none, lower, upper |
SYNC_LDAP_GROUPNAME_CASE_CONVERSION | UserSync Case Conversion Flags. | Possible values: none, lower, upper |
SYNC_GROUP_SEARCH_ENABLED | Whether to use ldapsearch to find groups instead of relying on user-entry attributes. Valid values: true, false | Any value other than true would be treated as false |
SYNC_GROUP_USER_MAP_SYNC_ENABLED | Whether to use ldapsearch to find groups instead of relying on user-entry attributes, and to sync memberships of those groups. Valid values: true, false; any value other than true would be treated as false. | |
SYNC_GROUP_SEARCH_BASE | Search base for groups. Overrides the value specified in SYNC_LDAP_SEARCH_BASE and SYNC_LDAP_USER_SEARCH_BASE. | |
SYNC_GROUP_SEARCH_SCOPE | Search scope for the groups; only base, one and sub are supported values | |
SYNC_GROUP_OBJECT_CLASS | Object class to identify group entries. Default value: groupofnames | |
SYNC_LDAP_GROUP_SEARCH_FILTER | Optional additional filter constraining the groups selected for syncing. Default value is empty. | Please customize the value to suit your deployment. |
SYNC_GROUP_NAME_ATTRIBUTE | Attribute from group entry that would be treated as group name. | Please customize the value to suit your deployment. |
SYNC_GROUP_MEMBER_ATTRIBUTE_NAME | Attribute from group entry that is the list of members. Default value: member. | |
SYNC_PAGED_RESULTS_SIZE | Page size for the paged results control. Search results are returned page by page with the specified number of entries per page. Default value: 500 | |
SYNC_PAGED_RESULTS_ENABLED | Whether to use the paged results control during ldapsearch for user entries. Valid values: true, false. Default value: true. Any value other than true would be treated as false. If the value is false, AD typically would not return more than 1000 entries. | Please customize the value to suit your deployment. |
SYNC_SOURCE | Sync source, “ldap” should be used for both LDAP or AD user syncing. | |
SYNC_LDAP_URL | URL of source ldap server. Must specify a value if SYNC_SOURCE is "ldap" | |
SYNC_LDAP_BIND_DN | Ldap bind dn used to connect to ldap and query for users and groups. Must specify a value if SYNC_SOURCE is ldap. | |
SYNC_LDAP_BIND_PASSWORD | Ldap bind password for the bind dn specified above. Please ensure read access to this file is limited to root, to protect the password. Must specify a value if SYNC_SOURCE is ldap unless anonymous search is allowed by the directory on users and group. | |
SYNC_LDAP_SEARCH_BASE | Search base for users and groups | |
SYNC_LDAP_USER_SEARCH_BASE | Search base for users, overrides value specified in SYNC_LDAP_SEARCH_BASE. Must specify a value if SYNC_SOURCE is ldap and SYNC_LDAP_SEARCH_BASE is empty. | |
SYNC_LDAP_USER_SEARCH_SCOPE | Search scope for the users; supported values: base, one and sub. | |
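The two case-conversion flags are easy to misread, so here is a minimal shell sketch of their effect on a synced name. The sample name "JDoe" is illustrative only.

```shell
# Effect of SYNC_LDAP_USERNAME_CASE_CONVERSION /
# SYNC_LDAP_GROUPNAME_CASE_CONVERSION (sketch): "lower" and "upper"
# convert the synced name; "none" stores it unchanged.
name="JDoe"

lower=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
upper=$(printf '%s' "$name" | tr '[:lower:]' '[:upper:]')
none="$name"

echo "$lower $upper $none"   # jdoe JDOE JDoe
```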
Table: LDAP/AD Properties with sample values
PROPERTIES NAME | SAMPLE VALUES FOR LDAP USER-SYNC | SAMPLE VALUES FOR AD USER-SYNC |
---|---|---|
SYNC_LDAP_URL | ldap://127.0.0.1:389 | ldap://127.0.0.1:389 |
SYNC_LDAP_BIND_DN | cn=ldapadmin,ou=users,dc=example,dc=com | cn=adadmin,cn=Users,dc=exa |
SYNC_LDAP_BIND_PASSWORD | secret | secret |
SYNC_LDAP_SEARCH_BASE | dc=example,dc=com | dc=example,dc=com |
SYNC_LDAP_USER_SEARCH_BASE | ou=users,dc=example,dc=com | dc=example,dc=com |
SYNC_LDAP_USER_SEARCH_SCOPE | sub | sub |
SYNC_LDAP_USER_OBJECT_CLASS | person | person |
SYNC_LDAP_USER_SEARCH_FILTER | (objectcategory=person) | |
SYNC_LDAP_USER_NAME_ATTRIBUTE | uid or cn | sAMAccountName |
SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE | memberof,ismemberof | memberof,ismemberof |
SYNC_LDAP_USERNAME_CASE_CONVERSION | lower | lower |
SYNC_LDAP_GROUPNAME_CASE_CONVERSION | lower | lower |
SYNC_GROUP_SEARCH_ENABLED | false | false |
SYNC_GROUP_USER_MAP_SYNC_ENABLED | false | false |
SYNC_GROUP_SEARCH_BASE | ou=groups,dc=example,dc=com | dc=example,dc=com |
SYNC_GROUP_SEARCH_SCOPE | sub | sub |
SYNC_GROUP_OBJECT_CLASS | groupofnames | groupofnames |
SYNC_LDAP_GROUP_SEARCH_FILTER | ||
SYNC_GROUP_NAME_ATTRIBUTE | cn | cn |
SYNC_GROUP_MEMBER_ATTRIBUTE_NAME | member | member |
SYNC_PAGED_RESULTS_ENABLED | true | true |
SYNC_PAGED_RESULTS_SIZE | 500 | 500 |
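Combining the LDAP sample column above, a minimal install.properties fragment for LDAP user sync might look like this. All DNs and the password are the sample values from the table, not real credentials:

```
SYNC_SOURCE=ldap
SYNC_LDAP_URL=ldap://127.0.0.1:389
SYNC_LDAP_BIND_DN=cn=ldapadmin,ou=users,dc=example,dc=com
SYNC_LDAP_BIND_PASSWORD=secret
SYNC_LDAP_SEARCH_BASE=dc=example,dc=com
SYNC_LDAP_USER_SEARCH_BASE=ou=users,dc=example,dc=com
SYNC_LDAP_USER_SEARCH_SCOPE=sub
SYNC_LDAP_USER_OBJECT_CLASS=person
SYNC_LDAP_USER_NAME_ATTRIBUTE=uid
SYNC_LDAP_USERNAME_CASE_CONVERSION=lower
SYNC_LDAP_GROUPNAME_CASE_CONVERSION=lower
SYNC_PAGED_RESULTS_ENABLED=true
SYNC_PAGED_RESULTS_SIZE=500
```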
Now let’s download and install Apache Hadoop by following the excellent instructions available on the Hadoop site itself. Please follow the steps given for pseudo-distributed mode.
These instructions were written for version 2.7.0. So grab that tar (hadoop-2.7.0.tar.gz) and checksum file (hadoop-2.7.0.tar.gz.mds).
```
sudo yum install java-1.7.0-openjdk-devel
```
```
/usr/local/hadoop
```
```
sudo useradd --home-dir /var/hadoop --create-home --shell /bin/bash --user-group hadoop
```

If you get a "group exists" error, try the following command:

```
sudo useradd --home-dir /var/hadoop --create-home --shell /bin/bash hadoop -g hadoop
```

```
sudo useradd hdfs
```
a. We’ll start by extracting our Ranger plugin build at the appropriate place (/usr/local).
```
cd /usr/local
sudo tar zxvf ~/dev/incubator-ranger/target/ranger-0.5.0-hdfs-plugin.tar.gz
sudo ln -s ranger-0.5.0-hdfs-plugin ranger-hdfs-plugin
cd ranger-hdfs-plugin
```
b. Now let’s edit the install.properties file. Here are the relevant lines that you should edit
PROPERTY | VALUE |
---|---|
POLICY_MGR_URL | http://localhost:6080 |
REPOSITORY_NAME | hadoopdev |
XAAUDIT.DB.IS_ENABLED | true |
XAAUDIT.DB.FLAVOUR | MYSQL |
XAAUDIT.DB.HOSTNAME | localhost |
XAAUDIT.DB.DATABASE_NAME | ranger_audit |
XAAUDIT.DB.USER_NAME | rangerlogger |
XAAUDIT.DB.PASSWORD | rangerlogger |
c. Now enable the hdfs-plugin by running the enable-hdfs-plugin.sh script (remember to set JAVA_HOME before running it):
If the Hadoop conf and lib folders are not found at the locations the script expects, the Ranger HDFS plugin installation might fail. To resolve this, create a symlink named conf pointing to the Hadoop conf directory, e.g.:
```
cd /usr/local/hadoop
ln -s /usr/local/hadoop/etc/hadoop/ /usr/local/hadoop/conf
```
```
echo "export HADOOP_HOME=/usr/local/hadoop" >> /etc/bashrc
cd /usr/local/ranger-hdfs-plugin
./enable-hdfs-plugin.sh
```
```
cp /usr/local/hadoop/lib/*.jar /usr/local/hadoop/share/hadoop/hdfs/lib/
```
```
chown root:hadoop /usr/local/hadoop/logs
chmod g+w /usr/local/hadoop/logs
```
d. Once these changes are done, restart the Hadoop NameNode and Secondary NameNode.
```
su -l hdfs -c "/usr/local/hadoop/sbin/hadoop-daemon.sh stop namenode"
su -l hdfs -c "/usr/local/hadoop/sbin/hadoop-daemon.sh stop secondarynamenode"
su -l hdfs -c "/usr/local/hadoop/sbin/hadoop-daemon.sh stop datanode"
```
```
su -l hdfs -c "/usr/local/hadoop/sbin/hadoop-daemon.sh start namenode"
su -l hdfs -c "/usr/local/hadoop/sbin/hadoop-daemon.sh start secondarynamenode"
su -l hdfs -c "/usr/local/hadoop/sbin/hadoop-daemon.sh start datanode"
```
e. This makes the necessary changes to the Hadoop config files to enable Ranger. You can verify the communication between Ranger Admin and the Ranger plugin as follows:
You can verify the plugin is communicating to Ranger admin by going to Audit -> plugins tab and checking for status code 200 under the HDFS repo.
Make sure the REPOSITORY_NAME service exists in Ranger Admin. If not, the hdfs-plugin will not be able to communicate with Ranger Admin.
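You can also check from the shell that the hadoopdev repository exists. This is a sketch against a live Ranger Admin; the admin/admin credentials, localhost host, and the name query parameter are assumptions to adjust for your setup.

```shell
# Ask Ranger Admin for the repository named "hadoopdev" (the REPOSITORY_NAME
# configured above). An empty result means the service was never created.
curl -s -u admin:admin \
  "http://localhost:6080/service/public/api/repository?name=hadoopdev"
```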
Let’s download and install Apache Hive by following the excellent instructions available on the Apache Hive site itself.
```
sudo tar xzvf ~/dev/apache-hive-1.2.0-bin.tar.gz -C /usr/local
cd /usr/local
sudo ln -s apache-hive-1.2.0-bin hive
useradd hive
cd hive
# Export HIVE_HOME to bashrc
echo "export HIVE_HOME=/usr/local/hive" >> /etc/bashrc
```
HiveServer2 doesn’t start unless HADOOP_VERSION is exported in bashrc.
```
cd /usr/local
sudo tar zxvf ~/dev/incubator-ranger/target/ranger-0.5.0-hive-plugin.tar.gz
sudo ln -s ranger-0.5.0-hive-plugin ranger-hive-plugin
cd ranger-hive-plugin
```
PROPERTY | VALUE |
---|---|
POLICY_MGR_URL | http://localhost:6080 |
REPOSITORY_NAME | hivedev |
XAAUDIT.DB.IS_ENABLED | true |
XAAUDIT.DB.FLAVOUR | MYSQL |
XAAUDIT.DB.HOSTNAME | localhost |
XAAUDIT.DB.DATABASE_NAME | ranger_audit |
XAAUDIT.DB.USER_NAME | rangerlogger |
XAAUDIT.DB.PASSWORD | rangerlogger |
```
cd /usr/local/ranger-hive-plugin
./enable-hive-plugin.sh
```
This makes the necessary changes to the Hive config files to enable Ranger. You can verify the communication between Ranger Admin and the Ranger plugin as follows:
You can verify the plugin is communicating to Ranger admin by going to Audit -> plugins tab and checking for status code 200 under the HIVE repo.
Make sure the REPOSITORY_NAME service exists in Ranger Admin. If not, the hive-plugin will not be able to communicate with Ranger Admin.
If the /var/log/hive directory does not exist, create it and give the required rights to the hive user:
```
mkdir /var/log/hive
chown -R hive:hive /var/log/hive
```
```
chown -R hive:hadoop /usr/local/apache-hive-1.2.0-bin/conf/hiveserver2-site.xml
chown -R hive:hadoop /usr/local/apache-hive-1.2.0-bin/conf/hive-log4j.properties
chown -R hive:hadoop /usr/local/apache-hive-1.2.0-bin/conf/hive-site.xml
```
```
su -l hive -c "env HADOOP_HOME=/usr/local/hadoop JAVA_HOME=<pathToJava> nohup hive --service metastore > /var/log/hive/hive.out 2> /var/log/hive/hive.log &"
```
```
su -l hive -c "env HADOOP_HOME=/usr/local/hadoop JAVA_HOME=<pathToJava> nohup /usr/local/hive/bin/hiveserver2 --hiveconf hive.metastore.uris=\" \" > /var/log/hive/hiveServer2.out 2> /var/log/hive/hiveServer2.log &"
```
```
ps aux | awk '{print $1,$2}' | grep hive | awk '{print $2}' | xargs kill >/dev/null 2>&1
```
```
/usr/local/hive/bin/beeline -u "jdbc:hive2://localhost:10000" -n hive -p hive
```
hiveserver2-site.xml
```
<configuration>
  <property>
    <name>hive.security.authorization.enabled</name>
    <value>true</value>
  </property>
  <property>
    <name>hive.security.authorization.manager</name>
    <value>org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizerFactory</value>
  </property>
  <property>
    <name>hive.security.authenticator.manager</name>
    <value>org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator</value>
  </property>
  <property>
    <name>hive.conf.restricted.list</name>
    <value>hive.security.authorization.enabled,hive.security.authorization.manager,hive.security.authenticator.manager</value>
  </property>
</configuration>
```
hive-site.xml
```
<property>
  <name>hive.exec.scratchdir</name>
  <value>/tmp/hive</value>
</property>
<property>
  <name>hive.exec.local.scratchdir</name>
  <value>/tmp/hive</value>
</property>
<property>
  <name>hive.downloaded.resources.dir</name>
  <value>/tmp/hive_resources</value>
</property>
<property>
  <name>hive.scratch.dir.permission</name>
  <value>733</value>
</property>
<property>
  <name>javax.jdo.option.ConnectionPassword</name>
  <value>hive</value>
</property>
<property>
  <name>javax.jdo.option.ConnectionUserName</name>
  <value>hive</value>
</property>
<property>
  <name>hive.hwi.listen.host</name>
  <value>localhost</value>
</property>
<property>
  <name>javax.jdo.option.ConnectionURL</name>
  <value>jdbc:mysql://localhost:3306/hive?createDatabaseIfNotExist=true</value>
</property>
```
You can verify the plugin is communicating to Ranger admin in Audit->plugins tab
Make sure the REPOSITORY_NAME service exists in Ranger Admin. If not, the hive-plugin will not be able to communicate with Ranger Admin.
Let’s download and install Apache HBase by following the excellent instructions available on the Apache HBase site itself.
```
sudo tar xzvf ~/dev/hbase-1.1.0.1-bin.tar.gz -C /usr/local
cd /usr/local
sudo ln -s hbase-1.1.0.1 hbase
useradd hbase
cd hbase
# Export HBASE_HOME to bashrc
echo "export HBASE_HOME=/usr/local/hbase" >> /etc/bashrc
```
```
cd /usr/local
sudo tar zxvf ~/dev/incubator-ranger/target/ranger-0.5.0-hbase-plugin.tar.gz
sudo ln -s ranger-0.5.0-hbase-plugin ranger-hbase-plugin
cd ranger-hbase-plugin
```
PROPERTY | VALUE |
---|---|
POLICY_MGR_URL | http://localhost:6080 |
REPOSITORY_NAME | hbasedev |
XAAUDIT.DB.IS_ENABLED | true |
XAAUDIT.DB.FLAVOUR | MYSQL |
XAAUDIT.DB.HOSTNAME | localhost |
XAAUDIT.DB.DATABASE_NAME | ranger_audit |
XAAUDIT.DB.USER_NAME | rangerlogger |
XAAUDIT.DB.PASSWORD | rangerlogger |
```
cd /usr/local/ranger-hbase-plugin
./enable-hbase-plugin.sh
```
This will make necessary changes to HBase config files to enable Ranger. Once these changes are done restart HBase Master and HBase Regionserver.
One can verify the communication between Ranger Admin and Ranger Plugin as below :
You can verify the plugin is communicating to Ranger admin by going to Audit -> plugins tab and checking for status code 200 under the HBASE repo.
Make sure the REPOSITORY_NAME service exists in Ranger Admin. If not, the hbase-plugin will not be able to communicate with Ranger Admin.
```
/usr/local/hbase/bin/hbase-daemon.sh stop master
/usr/local/hbase/bin/hbase-daemon.sh stop regionserver
```
Let’s download and install Apache Knox from Apache Knox Mirrors.
```
sudo tar -zxvf ~/dev/knox-0.6.0.tar.gz -C /usr/local
cd /usr/local
sudo ln -s knox-0.6.0 knox
cd knox
```
```
cd /usr/local
tar -zxvf ~/dev/incubator-ranger/target/ranger-0.5.0-knox-plugin.tar.gz
sudo ln -s ranger-0.5.0-knox-plugin ranger-knox-plugin
cd ranger-knox-plugin
```
PROPERTY | VALUE |
---|---|
POLICY_MGR_URL | http://localhost:6080 |
REPOSITORY_NAME | knoxdev |
KNOX_HOME | /usr/local/knox |
XAAUDIT.DB.IS_ENABLED | true |
XAAUDIT.DB.HOSTNAME | localhost |
XAAUDIT.DB.DATABASE_NAME | ranger |
XAAUDIT.DB.USER_NAME | rangerlogger |
XAAUDIT.DB.PASSWORD | rangerlogger |
```
cd /usr/local/ranger-knox-plugin
./enable-knox-plugin.sh
```
This will make the necessary changes to the Knox config files to enable Ranger. Once these changes are done, restart the Knox Gateway and optionally Knox LDAP.
One can verify the communication between Ranger Admin and Ranger Plugin as below :
You can verify the plugin is communicating to Ranger admin by going to Audit -> plugins tab and checking for status code 200 under the KNOX repo.
Make sure the REPOSITORY_NAME service exists in Ranger Admin. If not, the knox-plugin will not be able to communicate with Ranger Admin.
If you get a permission denied error during Knox start, grant the required privileges to the knox user. For example:
```
chown -R knox:knox /usr/local/knox/data
chown -R knox:knox /usr/local/knox/logs
chown -R knox:knox /usr/local/knox/pids
chown -R knox:hadoop /usr/local/knox/pids/*
```
When Knox is listening on its SSL port with a self-signed certificate, you have to import the Knox SSL certificate into the truststore used by Ranger Admin. This can be achieved with the following steps:
```
cd /usr/local/ranger-admin
cp $JAVA_HOME/jre/lib/security/cacerts cacertswithknox
```
```
keytool -import -trustcacerts -file <knox.crt created above> -alias knox -keystore cacertswithknox
password: changeit
```
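The keytool command above expects the Knox certificate in a file. If you don't already have knox.crt, one way to pull it from a running gateway is with openssl. This is a sketch; localhost:8443 (the Knox default SSL port) is an assumption to adjust for your deployment.

```shell
# Fetch the Knox gateway's self-signed certificate and write it to knox.crt,
# ready for the keytool -import step above.
echo | openssl s_client -connect localhost:8443 2>/dev/null \
  | openssl x509 -outform PEM > knox.crt
```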
Follow these steps to configure Ranger for Solr
You can refer here for instructions.
```
cd /tmp
tar -zxvf ~/dev/incubator-ranger/target/ranger-0.5.0-solr-plugin.tar.gz
cd ranger-0.5.0-solr-plugin
```
PROPERTY | Sample values | Description |
---|---|---|
POLICY_MGR_URL | URL to the RangerAdmin | |
REPOSITORY_NAME | solrdev | This is the service name used during creation of the Solr service in Ranger |
XAAUDIT.SOLR.ENABLE | true | This enables audit to Solr |
XAAUDIT.SOLR.URL | http://$AUDIT_SOLR_HOST:6083/solr/ranger_audits | This is the URL to the Solr instance used for storing audits. |
```
./enable-solr-plugin.sh
```
Solr needs to be configured to use the Ranger authorization implementation. To do this, run the following command on one of the Solr hosts:
```
$SOLR_INSTALL_HOME/server/scripts/cloud-scripts/zkcli.sh -zkhost $ZK_HOST:2181 \
  -cmd put /solr/security.json \
  '{"authentication":{"class": "org.apache.solr.security.KerberosPlugin"},"authorization":{"class": "org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer"}}'
```
In addition, please do the following on all the Solr hosts:
```
mkdir -p /var/log/solr/audit/solr/spool
chown solr /var/log/solr/audit/solr/spool
mkdir -p /var/log/solr/audit/hdfs/spool
chown solr /var/log/solr/audit/hdfs/spool
```
Installing Apache Storm

```
sudo tar -zxvf ~/dev/apache-storm-0.10.0-beta1.tar.gz -C /usr/local
cd /usr/local
sudo ln -s apache-storm-0.10.0-beta1 storm
cd storm
```
```
cd /usr/local
tar -zxvf ~/dev/incubator-ranger/target/ranger-0.5.0-storm-plugin.tar.gz
sudo ln -s ranger-0.5.0-storm-plugin ranger-storm-plugin
cd ranger-storm-plugin
```
PROPERTY | VALUE |
---|---|
POLICY_MGR_URL | http://localhost:6080 |
REPOSITORY_NAME | stormdev |
XAAUDIT.DB.IS_ENABLED | true |
XAAUDIT.DB.HOSTNAME | localhost |
XAAUDIT.DB.DATABASE_NAME | ranger |
XAAUDIT.DB.USER_NAME | rangerlogger |
XAAUDIT.DB.PASSWORD | rangerlogger |
```
cd /usr/local/ranger-storm-plugin
./enable-storm-plugin.sh
```
If the stormdev service is not created in Ranger Admin, the storm-plugin will not be able to communicate with Ranger Admin.
Installing Apache Yarn
You can run a MapReduce job on YARN in pseudo-distributed mode by setting a few parameters and additionally running the ResourceManager and NodeManager daemons.
The following instructions assume that the Hadoop installation steps mentioned in Installing Apache Hadoop have already been executed.
```
cd /usr/local
sudo tar zxvf ~/dev/incubator-ranger/target/ranger-0.5.0-yarn-plugin.tar.gz
sudo ln -s ranger-0.5.0-yarn-plugin ranger-yarn-plugin
cd ranger-yarn-plugin
```
PROPERTY | VALUE |
---|---|
POLICY_MGR_URL | http://localhost:6080 |
REPOSITORY_NAME | yarndev |
XAAUDIT.DB.IS_ENABLED | true |
XAAUDIT.DB.FLAVOUR | MYSQL |
XAAUDIT.DB.HOSTNAME | localhost |
XAAUDIT.DB.DATABASE_NAME | ranger_audit |
XAAUDIT.DB.USER_NAME | rangerlogger |
XAAUDIT.DB.PASSWORD | rangerlogger |
```
cd /usr/local/ranger-yarn-plugin
./enable-yarn-plugin.sh
```
```
cp /usr/local/ranger-yarn-plugin/lib/*.jar /usr/local/hadoop/share/hadoop/yarn/lib/
```
```
mkdir /var/log/yarn
chown -R yarn:yarn /var/log/yarn
```
```
su yarn -c "/usr/local/hadoop/sbin/yarn-daemon.sh start resourcemanager"
ps -ef | grep -i resourcemanager
```

```
su yarn -c "/usr/local/hadoop/sbin/yarn-daemon.sh start nodemanager"
ps -ef | grep -i nodemanager
```

```
su yarn -c "/usr/local/hadoop/sbin/yarn-daemon.sh stop resourcemanager"
ps -ef | grep -i resourcemanager
```

```
su yarn -c "/usr/local/hadoop/sbin/yarn-daemon.sh stop nodemanager"
ps -ef | grep -i nodemanager
```
This should start the association of ranger-yarn-plugin with hadoop.
If the yarndev service is not created in Ranger Admin, the yarn-plugin will not be able to communicate with Ranger Admin.
Prerequisites (needed on every host where Ranger KMS will be installed):
unzip UnlimitedJCEPolicyJDK7.zip into $JDK_HOME/jre/lib/security (for JDK 7)
unzip jce_policy-8.zip into $JDK_HOME/jre/lib/security (for JDK 8)
STEPS FOR RANGER KMS
cd /usr/local
sudo tar -zxvf ~/dev/incubator-ranger/target/ranger-0.5.0-kms.tar.gz
sudo ln -s ranger-0.5.0-kms ranger-kms
cd ranger-kms
PROPERTY | VALUE |
---|---|
POLICY_MGR_URL | http://localhost:6080 |
REPOSITORY_NAME | kmsdev |
KMS_MASTER_KEY_PASSWD | enter master key password |
XAAUDIT.DB.IS_ENABLED | true |
XAAUDIT.DB.FLAVOUR | MYSQL |
XAAUDIT.DB.HOSTNAME | localhost |
XAAUDIT.DB.DATABASE_NAME | ranger_audit |
XAAUDIT.DB.USER_NAME | rangerlogger |
XAAUDIT.DB.PASSWORD | rangerlogger |
DB_FLAVOUR | MySQL/ ORACLE/ Postgres/ SQL Server |
SQL_CONNECTOR_JAR | <Location of jar file> |
db_root_user | root |
db_root_password | <password> |
db_host | localhost |
db_name | rangerkms |
db_user | rangerkms |
db_password | <password> |
su -l hdfs -c "/usr/local/hadoop/sbin/hadoop-daemon.sh stop namenode"
su -l hdfs -c "/usr/local/hadoop/sbin/hadoop-daemon.sh start namenode"
./setup.sh
ranger-kms start
You can verify that the plugin is communicating with Ranger Admin in the Audit -> Plugins tab.
If the kmsdev service is not created in Ranger Admin, the kms plugin will not be able to connect to Ranger Admin.
PROPERTY | VALUE |
---|---|
REPOSITORY_NAME | Name specified in install.properties (e.g. kmsdev) |
KMS URL | kms://http@<internal host name>:9292/kms |
Username | <username> (e.g. keyadmin) |
Password | <password> |
Click Test Connection to verify the settings.
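The KMS URL field above follows a fixed `kms://<scheme>@<host>:<port>/kms` shape. A minimal sketch of composing it; the helper name and the sample host are illustrative, not part of Ranger:

```python
# Compose a Hadoop KMS provider URI of the form kms://http@host:9292/kms,
# as used in the "KMS URL" field of the Ranger KMS service definition.

def kms_provider_uri(host: str, port: int = 9292, scheme: str = "http") -> str:
    """Build the KMS provider URI from its parts (defaults match this guide)."""
    return f"kms://{scheme}@{host}:{port}/kms"

print(kms_provider_uri("kms-host.example.com"))
# kms://http@kms-host.example.com:9292/kms
```

The same string is reused later when setting `dfs.encryption.key.provider.uri` in hdfs-site.xml, so generating it once avoids copy-paste drift.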
To enable audit to HDFS for a plugin, do the following:
HDFS audit logging is for archival purposes. To see audit reports in the Ranger Admin UI, the recommended option is Solr.
PROPERTIES | VALUE |
---|---|
audit_store | solr |
audit_solr_urls | http://solr_host:6083/solr/ranger_audits |
audit_solr_user | ranger_solr |
audit_solr_password | NONE |
2. Restart Ranger
Set the following properties in the plugin's install.properties to start logging audit to Solr (e.g. for HBase):
PROPERTY | VALUE |
---|---|
XAAUDIT.SOLR.IS_ENABLED | true |
XAAUDIT.SOLR.ENABLE | true |
XAAUDIT.SOLR.URL | http://solr_host:6083/solr/ranger_audits |
XAAUDIT.SOLR.USER | ranger_solr |
XAAUDIT.SOLR.PASSWORD | NONE |
XAAUDIT.SOLR.FILE_SPOOL_DIR | /var/log/hadoop/hdfs/audit/solr/spool |
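Editing these keys by hand in every plugin's install.properties is error-prone. A minimal sketch of automating the edit; the property values come from the table above, while the helper name and sample input are illustrative:

```python
# Rewrite selected KEY=VALUE lines in an install.properties-style file,
# leaving comments and unrelated keys untouched.

SOLR_AUDIT = {
    "XAAUDIT.SOLR.IS_ENABLED": "true",
    "XAAUDIT.SOLR.ENABLE": "true",
    "XAAUDIT.SOLR.URL": "http://solr_host:6083/solr/ranger_audits",
    "XAAUDIT.SOLR.USER": "ranger_solr",
    "XAAUDIT.SOLR.PASSWORD": "NONE",
    "XAAUDIT.SOLR.FILE_SPOOL_DIR": "/var/log/hadoop/hdfs/audit/solr/spool",
}

def apply_properties(text: str, overrides: dict) -> str:
    """Replace values for keys present in overrides; keep other lines as-is."""
    out = []
    for line in text.splitlines():
        key = line.split("=", 1)[0].strip()
        out.append(f"{key}={overrides[key]}" if key in overrides else line)
    return "\n".join(out)

sample = "XAAUDIT.SOLR.IS_ENABLED=false\nXAAUDIT.SOLR.USER="
print(apply_properties(sample, SOLR_AUDIT))
```

Run once per plugin directory against its install.properties before invoking the enable script.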
yum install krb5-server krb5-libs krb5-auth-dialog krb5-workstation
yum install rng-tools -y
sed 's/""/"-r\/dev\/urandom"/' -i /etc/sysconfig/rngd
/etc/init.d/rngd start
vi /etc/krb5.conf

[realms]
 EXAMPLE.COM = {
  kdc = my.kdc.server
  admin_server = my.kdc.server
 }
kdb5_util create -s
/etc/rc.d/init.d/krb5kdc restart
/etc/rc.d/init.d/kadmin restart
yum install krb5-workstation
Each service and sub-service in Hadoop must have its own principal. A principal name in a given realm consists of a primary name and an instance name, which in this case is the FQDN of the host that runs that service. As services do not log in with a password to acquire their tickets, each principal's authentication credentials are stored in a keytab file, which is extracted from the Kerberos database and stored locally with the service principal on the service component host. First you must create the principal, using mandatory naming conventions. Then you must create the keytab file with that principal's information and copy the file to the keytab directory on the appropriate service host.
/usr/sbin/kadmin.local
addprinc -randkey $primary_name/$fully.qualified.domain.name@EXAMPLE.COM
The -randkey option is used to generate the password. Note that in the example each service principal's primary name has the instance name appended to it, the FQDN of the host on which it runs. This provides a unique principal name for services that run on multiple hosts, like DataNodes and NodeManagers. The addition of the host name serves to distinguish, for example, a request from DataNode A from a request from DataNode B. This is important for two reasons: First, if the Kerberos credentials for one DataNode are compromised, it does not automatically lead to all DataNodes being compromised. Second, if multiple DataNodes have exactly the same principal and are simultaneously connecting to the NameNode, and if the Kerberos authenticators being sent happen to have the same timestamps, then the authentication would be rejected as a replay request.
xst -norandkey -k $keytab_file_name $primary_name/$fully.qualified.domain.name@EXAMPLE.COM
mkdir -p /etc/security/keytabs/
chown root:hadoop /etc/security/keytabs
chmod 750 /etc/security/keytabs
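The naming convention described above (primary name, then instance, then realm) can be sketched in a few lines. The helper name and sample hosts below are illustrative, not part of any Ranger or Kerberos tooling:

```python
# Sketch of the Hadoop service principal naming convention:
# primary_name/instance@REALM, where instance is the FQDN of the host
# running the service.

def build_principal(primary_name: str, fqdn: str, realm: str) -> str:
    """Compose a Kerberos service principal from its three parts."""
    return f"{primary_name}/{fqdn}@{realm}"

# Two DataNodes get distinct principals even though the primary name is
# identical, which is what prevents the compromise and replay issues
# discussed above.
dn_a = build_principal("dn", "datanode-a.example.com", "EXAMPLE.COM")
dn_b = build_principal("dn", "datanode-b.example.com", "EXAMPLE.COM")
print(dn_a)  # dn/datanode-a.example.com@EXAMPLE.COM
print(dn_b)  # dn/datanode-b.example.com@EXAMPLE.COM
```

Generating the full list of principals this way, one per service per host, makes it easy to feed consistent names to addprinc and xst.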
vi /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 udp_preference_limit = 1

[realms]
 EXAMPLE.COM = {
  kdc = mylocalhost:88
  admin_server = mylocalhost:749
  default_domain = hadoop.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
 .openstacklocal = EXAMPLE.COM

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
vi /var/kerberos/krb5kdc/kdc.conf

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88
 v4_mode = nopreauth

[realms]
 EXAMPLE.COM = {
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }
cd /usr/local
tar -xvf zookeeper.tar.gz
useradd hadoop
useradd zookeeper
tickTime=4000
initLimit=20
syncLimit=10
dataDir=/usr/local/zookeeper/data
clientPort=2181
server.1=mylocalhost:2888:3888
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
jaasLoginRenew=3600000
kerberos.removeHostFromPrincipal=true
kerberos.removeRealmFromPrincipal=true
export ZOOKEEPER_USER=zookeeper
export HADOOP_GROUP=hadoop
export ZOOKEEPER_DATA_DIR=/usr/local/zookeeper/data
export ZOOKEEPER_LOG_DIR=/usr/local/zookeeper/logs
export ZOOPIDFILE=/usr/local/zookeeper/conf/zookeeper_server.pid
export ZOOKEEPER_CONF_DIR=/usr/local/zookeeper/conf
export CLIENT_JVMFLAGS="-Djava.security.auth.login.config=/usr/local/zookeeper/conf/zookeeper_client_jaas.conf"
export SERVER_JVMFLAGS="-Xmx1024m -Djava.security.auth.login.config=/usr/local/zookeeper/conf/zookeeper_jaas.conf"
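SERVER_JVMFLAGS above points ZooKeeper at /usr/local/zookeeper/conf/zookeeper_jaas.conf, which this guide does not otherwise show. A minimal sketch of that file, assuming the zookeeper service keytab and principal created with kadmin.local below; adjust the host and realm to your environment:

```
Server {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/etc/security/keytabs/zookeeper.service.keytab"
  storeKey=true
  useTicketCache=false
  principal="zookeeper/mylocalhost@EXAMPLE.COM";
};
```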
kadmin.local
addprinc -randkey zookeeper/mylocalhost@EXAMPLE.COM
xst -norandkey -k /etc/security/keytabs/zookeeper.service.keytab zookeeper/mylocalhost
addprinc -randkey HTTP/mylocalhost@EXAMPLE.COM
xst -norandkey -k /etc/security/keytabs/spnego.service.keytab HTTP/mylocalhost
su - zookeeper -c "/usr/local/zookeeper/bin/zkServer.sh start"
storm.zookeeper.servers:
  - "mylocalhost"
nimbus.host: "mylocalhost"
drpc.servers:
  - "mylocalhost"
storm.local.dir: "/usr/local/storm/local"
storm.log.dir: "/usr/local/storm/logs"
logviewer.port: 8081
storm.messaging.transport: "backtype.storm.messaging.netty.Context"
storm.messaging.netty.buffer_size: 16384
storm.messaging.netty.max_retries: 10
storm.messaging.netty.min_wait_ms: 1000
storm.messaging.netty.max_wait_ms: 5000
nimbus.childopts: "-Djava.security.auth.login.config=/usr/local/storm/conf/storm_jaas.conf"
ui.childopts: "-Djava.security.auth.login.config=/usr/local/storm/conf/storm_jaas.conf"
supervisor.childopts: "-Djava.security.auth.login.config=/usr/local/storm/conf/storm_jaas.conf"
storm.thrift.transport: "backtype.storm.security.auth.kerberos.KerberosSaslTransportPlugin"
java.security.auth.login.config: "/usr/local/storm/conf/storm_jaas.conf"
storm.zookeeper.superACL: "sasl:stormclient@EXAMPLE.COM"
nimbus.authorizer: "backtype.storm.security.auth.authorizer.SimpleACLAuthorizer"
storm.principal.tolocal: "backtype.storm.security.auth.KerberosPrincipalToLocal"
nimbus.admins:
  - "stormclient"
nimbus.supervisor.users:
  - "stormclient"
ui.filter: "org.apache.hadoop.security.authentication.server.AuthenticationFilter"
ui.filter.params:
  "type": "kerberos"
  "kerberos.principal": "HTTP/mylocalhost@EXAMPLE.COM"
  "kerberos.keytab": "/etc/security/keytabs/spnego.service.keytab"
  "kerberos.name.rules": "DEFAULT"
StormServer {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/etc/security/keytabs/nimbus.service.keytab"
  storeKey=true
  useTicketCache=false
  principal="nimbus/mylocalhost@EXAMPLE.COM";
};
StormClient {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/tmp/stormclient.headless.keytab"
  storeKey=true
  useTicketCache=false
  serviceName="nimbus"
  debug=true
  principal="stormclient@EXAMPLE.COM";
};
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/tmp/stormclient.headless.keytab"
  storeKey=true
  useTicketCache=false
  serviceName="zookeeper"
  debug=true
  principal="stormclient@EXAMPLE.COM";
};
StormClient {
  com.sun.security.auth.module.Krb5LoginModule required
  doNotPrompt=false
  useTicketCache=true
  serviceName="nimbus";
};
addprinc storm
xst -k /tmp/storm.headless.keytab storm
addprinc -randkey nimbus/mylocalhost@EXAMPLE.COM
xst -norandkey -k /etc/security/keytabs/nimbus.service.keytab nimbus/mylocalhost
addprinc stormclient
xst -k /tmp/stormclient.headless.keytab stormclient
su -l storm -c "kinit -k -t /tmp/storm.headless.keytab storm@EXAMPLE.COM"
su -l storm -c "klist"
Prerequisites Required
kadmin.local
list_principals
exit
search for spnego.service.keytab
locate spnego keytab
kadmin.local
list_principals
exit
The list shown should contain HTTP/<internal host name>@Realm
Try using "HTTP/<internal host name>@Realm" with "spnego.service.keytab"
kadmin.local
addprinc <principal name>
Enter the password
exit
kinit <principal name>
Enter password
klist
kdestroy
Replace localhost with <internal host name>:
cd /usr/hdp/<version>/hadoop/conf/
vim hdfs-site.xml
For the property "dfs.encryption.key.provider.uri", enter the value "kms://http@<internal host name>:9292/kms"
Save and quit.
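The resulting hdfs-site.xml entry would look like the fragment below; the <internal host name> placeholder follows the convention used throughout this section:

```xml
<property>
  <name>dfs.encryption.key.provider.uri</name>
  <value>kms://http@<internal host name>:9292/kms</value>
</property>
```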
Edit "core-site.xml"
Replace localhost with <internal host name>:
cd /usr/hdp/<version>/hadoop/conf/
vim core-site.xml
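The guide does not name the core-site.xml property being edited; in Hadoop 2.7 the KMS client provider is typically configured with the property below (property name assumed here, verify it against your Hadoop version):

```xml
<property>
  <name>hadoop.security.key.provider.path</name>
  <value>kms://http@<internal host name>:9292/kms</value>
</property>
```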
su -l hdfs -c "/usr/hdp/<version>/hadoop/sbin/hadoop-daemon.sh stop namenode"
su -l hdfs -c "/usr/hdp/<version>/hadoop/sbin/hadoop-daemon.sh start namenode"
service krb5kdc restart
We'll extract our build of Ranger KMS at the appropriate place (/usr/local).
cd /usr/local
sudo tar -zxvf ~/dev/incubator-ranger/target/ranger-0.5.0-kms.tar.gz
sudo ln -s ranger-0.5.0-kms ranger-kms
cd ranger-kms
Note that the Ranger KMS plugin is integrated with Ranger KMS and will be installed automatically when KMS is installed.
Setting required for secure instance
<property>
  <name>hadoop.kms.authentication.type</name>
  <value>kerberos</value>
</property>
<property>
  <name>hadoop.kms.authentication.kerberos.keytab</name>
  <value>/etc/security/keytabs/spnego.service.keytab</value>
</property>
<property>
  <name>hadoop.kms.authentication.kerberos.principal</name>
  <value>*</value>
</property>
Add the following properties in ews/webapp/WEB-INF/classes/conf.dist/kms-site.xml (replace "testkms1" with the appropriate user who will be used for credential authentication):
<property>
  <name>hadoop.kms.proxyuser.testkms1.groups</name>
  <value>*</value>
</property>
<property>
  <name>hadoop.kms.proxyuser.testkms1.hosts</name>
  <value>*</value>
</property>
<property>
  <name>hadoop.kms.proxyuser.testkms1.users</name>
  <value>*</value>
</property>
Create link to /etc/hadoop/conf/core-site.xml under /etc/ranger/kms/conf
(ln -s /etc/hadoop/conf/core-site.xml /etc/ranger/kms/conf/core-site.xml)
Install Ranger-kms with appropriate property values
./setup.sh
ranger-kms start
Check that the user which will be used for credential validation (e.g. "testkms1") is present in Ranger; if not, create it using the "admin" login.
REPOSITORY_NAME: name specified in install.properties (e.g. kmsdev)
Please check that the logged-in user (e.g. "keyadmin") has permission for KMS operations. You can then navigate to the KMS tab and perform all KMS-related operations.