Apache Ranger™ and Ranger KMS

This manual is an installation guide for Apache Ranger™ and Ranger KMS.

Prerequisites

Install the prerequisites for the Ranger build.

Maven

  1. Download the latest version of Maven at Downloading Apache Maven or:

    cd /usr/local
    wget https://dlcdn.apache.org/maven/maven-3/3.8.6/binaries/apache-maven-3.8.6-bin.tar.gz
    tar -xvf apache-maven-3.8.6-bin.tar.gz

  2. Edit the file that loads the GHDP environment variables:

    vim /etc/profile.d/hadoop_setup.sh
    ...
    # MAVEN (to Ranger)
    export M2_VERSION=$(ls -A /usr/local/ | grep apache-maven- | grep -v .gz | awk -F '-' '{print $3}')
    export M2_HOME=/usr/local/apache-maven-$M2_VERSION
    export M2=$M2_HOME/bin
    ...

  3. Verify that the installation was successful:

    mvn -version

Other requirements

Install the other required items:

Ranger Build

  1. Download the source of the most up-to-date Ranger that suits your OS and Java version, from the official Ranger site or:

  2. Run the build of Ranger using Maven:

  3. If an insecure access error occurs due to an expired certificate on some repository link, run the build as follows:

  4. Finish the build procedure with the following command:

  5. At the end, a folder called target with all Ranger components will be generated.

Solr Installation

Refer to the Official Solr Site for the best Solr version for your system.

  1. Go to the Ranger build folder from the previous topic.

  2. Inside that folder, go to the Solr installer folder, where it will be pre-configured for Ranger use:

  3. Create the Solr folder according to the chosen version:

  4. Edit the file install.properties:

  5. Run the script setup.sh and check the start procedures as indicated by the installation log:

  6. Start Solr:

Ranger Admin installation and configuration

  1. Create the Ranger Admin folder:

  2. Go to the folder target generated in the build procedure, and unzip the file ranger-2.3.0-admin.tar.gz:

  3. Copy all files inside the unzipped folder to the ranger-admin folder.

  4. In the database, create the user rangerdba as follows:

  5. If not installed, install the mysql-connector-java and verify that the file mysql-connector-java.jar is in the correct folder:

  6. Create the logs folder for Ranger Admin:

  7. In the Ranger Admin folder, edit the file install.properties:

  8. Run the setup:

  9. Add permissions for the Ranger folders and logs and add the user ranger to the group hadoop.

  10. To start Ranger Admin use the command:

  11. Access the link and enter the user admin and the pre-configured password.

In this context, the pre-configured password will always be Griaule.123.

Ranger UserSync Installation

  1. In the Ranger build folder, create a folder for Ranger UserSync called ranger-usersync, unzip the tar.gz related to the application, and copy all files to the created folder:

  2. Create the logs and grant the user ranger access to the folders /usr/gdp/hadoop/ranger/ and /var/log/hadoop/ranger/:

  3. In the ranger-usersync folder, edit the file install.properties as follows:

  4. Change the application's default path from /etc/ranger to /usr/gdp/hadoop/ranger/2.3.0/ranger-usersync/ranger:

  5. Run the script setup.sh:

  6. Change the configuration to enable UserSync synchronization:

  7. After the installation finishes successfully, start the service using the script ranger-usersync-services.sh:

Plugin Installation

The plugins are not required for the operation of Ranger KMS. They are only features available for auditing Hadoop resources.

HDFS Plugin

  1. Create the folder ranger-hdfs-plugin according to the GHDP structure:

  2. In the Ranger build folder, unzip the file ranger-2.3.0-hdfs-plugin.tar.gz and copy all files to the folder created previously:

  3. In the plugin folder, edit the file install.properties:

  4. If there is more than one NameNode, create the same folder structure and copy all content to the other NameNodes with scp:

    This procedure must be performed before enabling the plugin.

  5. Enable the plugin by running the script enable-hdfs-plugin.sh:

  6. Connect to the Ranger Admin UI. On the main screen, under HDFS, click the + button and fill the fields with the following information:

    • Service Name: hadoopdev

    • Display Name: hadoopdev

    • Username: hadoop (UNIX User)

    • Password: <password created for the hadoop user on UNIX>

    • NameNode URL: hdfs://localhost:50070

    • Authentication Type: Simple

  7. Keep the rest of the settings unchanged and click the Add button.

  8. Restart the cluster.

HBase Plugin

  1. Create the folder ranger-hbase-plugin according to the GHDP structure.

  2. In the Ranger build folder, unzip the file ranger-2.3.0-hbase-plugin.tar.gz and copy all files to the folder created previously:

  3. In the plugin folder, edit the file install.properties:

  4. Create the same folder structure and copy all content to the Master and RegionServer nodes:

    This procedure must be performed before enabling the plugin.

  5. Create a user hbase and enable the plugin by running the script enable-hbase-plugin.sh:

  6. Connect to the Ranger Admin UI. On the main screen, under HDFS, click the + button and fill the fields with the following information:

    • Service Name: hadoopdev

    • Display Name: hadoopdev

    • Username: hbase (UNIX User)

    • Password: <password created for the hbase user on UNIX>

    • hadoop.security.authentication: Simple

    • hbase.security.authentication: Simple

    • hbase.zookeeper.property.clientPort: 2181

    • hbase.zookeeper.quorum: ,,

    • zookeeper.znode.parent: /hbase-unsecure

  7. Keep the rest of the settings unchanged and click the Add button.

  8. Restart the cluster.

Kafka Plugin

  1. Create the folder ranger-kafka-plugin according to the GHDP structure:

  2. In the Ranger build folder, unzip the file ranger-2.3.0-kafka-plugin.tar.gz and copy all files to the folder created previously:

  3. In the plugin folder, edit the file install.properties:

  4. Create the same folder structure and copy all content to the other nodes:

    This procedure must be performed before enabling the plugin.

  5. Create a user kafka and enable the plugin by running the script enable-kafka-plugin.sh:

  6. Connect to the Ranger Admin UI. On the main screen, under HDFS, click the + button and fill the fields with the following information:

    • Service Name: hadoopdev

    • Display Name: hadoopdev

    • Username: hbase (UNIX User)

    • Password: <password created for the hbase user on UNIX>

    • hadoop.security.authentication: Simple

    • hbase.security.authentication: Simple

    • hbase.zookeeper.property.clientPort: 2181

    • hbase.zookeeper.quorum: ,,

    • zookeeper.znode.parent: /hbase-unsecure

  7. Keep the rest of the settings unchanged and click the Add button.

  8. Restart the cluster.

Ranger KMS Installation and Configuration

Ranger KMS Installation

  1. Create the folder ranger-kms according to the GHDP structure:

  2. On the MySQL server, create a user rangerkms for database management by the application:

  3. In the Ranger build folder, unzip Ranger KMS and copy all files to the folder created previously:

  4. Create the logs for Ranger KMS:

  5. Using a password generator, create a password with the following parameters and store it in a safe place (it will be used in the next step):

    • 16 characters

    • Uppercase letters

    • Lowercase letters

    • Special characters.

  6. In the Ranger KMS folder, edit the file install.properties adding configuration for Java Key Store (stores the master key in a file on the server itself):

    Use the 16-character password generated in the previous step as KMS_MASTER_KEY_PASSWD. For example: $ZH1$Q8&ExUaTku8.
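
One way to produce the password for step 5 (and for the same step in the Luna Cloud HSM procedure below), as an added shell example that is not part of the original guide. The function names and the set of special characters are assumptions.

```shell
#!/bin/sh
# Added example (not from the guide): generate a KMS_MASTER_KEY_PASSWD candidate
# with the parameters listed above and reject the value printed as an example.
LC_ALL=C; export LC_ALL   # byte-wise ranges for tr and for [A-Z] / [a-z]

# Special characters to draw from: an assumption, the guide does not list them.
SPECIALS='!#$%&*+=?@^_'

# meets_policy STRING: succeed only if STRING has 16 characters, at least one
# uppercase letter, one lowercase letter and one special character.
meets_policy() {
    pw_in=$1
    [ "${#pw_in}" -eq 16 ] || return 1
    case $pw_in in *[A-Z]*) ;; *) return 1 ;; esac
    case $pw_in in *[a-z]*) ;; *) return 1 ;; esac
    case $pw_in in *[!A-Za-z0-9]*) ;; *) return 1 ;; esac
    # The guide's sample value satisfies the rules but is public: never reuse it.
    [ "$pw_in" != '$ZH1$Q8&ExUaTku8' ] || return 1
    return 0
}

# generate_password: print one password that passes meets_policy.
generate_password() {
    while :; do
        # 512 bytes from the kernel CSPRNG, filtered down to the allowed set.
        raw=$(head -c 512 /dev/urandom | tr -dc "A-Za-z0-9$SPECIALS")
        candidate=$(printf '%.16s' "$raw")
        if meets_policy "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
}
```

Call `generate_password` once and use the result as KMS_MASTER_KEY_PASSWD; `meets_policy` can also vet a value produced by another generator. Digits are allowed but not required, matching the parameters listed above.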

Ranger KMS Configuration with Luna Cloud HSM

  1. Before running the Ranger KMS setup, add the LunaProvider to java.security. To do this, edit the file java.security, located in the folder <JDK_installation_directory>/jre/lib/security, and add two lines at the end: one that places the LunaProvider in the provider list sequence, security.provider.10=com.safenetinc.luna.provider.LunaProvider, and one with the setting for Luna to work, com.safenetinc.luna.provider.createExtractableKeys=true:

  2. Copy the files LunaProvider.jar and libLunaAPI.so to the folder <JDK_installation_directory>/jre/lib/ext.

  3. Using a password generator, create a password with the following parameters and store it in a safe place (it will be used in the next step):

    • 16 characters

    • Uppercase letters

    • Lowercase letters

    • Special characters.

  4. Edit the file install.properties to set up Ranger KMS with Luna Cloud HSM:

    Use the 16-character password generated in the previous step as KMS_MASTER_KEY_PASSWD. For example: $ZH1$Q8&ExUaTku8.

  5. On all nodes, so that the datanodes can access the KMS, edit the file core-site.xml, changing the value of the property hadoop.security.key.provider.path to kms://http@localhost:9292/kms:

  6. Restart HDFS.

  7. Grant the user kms permissions for the folders:

  8. Run the setup script, wait for the installation to finish with a success message, and start Ranger KMS:

  9. If everything went successfully, it will be possible to access the Ranger KMS dashboard through the Ranger Admin address using the user keyadmin and the password defined in the Ranger Admin installation procedure.

    • Link: http://<my_ip>:6080/

    • User: keyadmin

    • Password: <defined in install.properties during Ranger Admin setup>

  10. Log into the Ranger Admin UI with the user admin, go to Settings > Users/Groups/Roles. On the Users tab, click the Add New User button and create the users:

    • hive

    • hdfs

    • om

    • hbase

  11. Then, log out and log in as keyadmin to access the Ranger KMS UI dashboard in the KMS Service. Click the + button to create the repository kmsdev, according to the specifications below:

    • Service Name: kmsdev

    • KMS URL: kms://http@:9292/kms

    • Username: keyadmin

    • Password: <password set in the Ranger Admin installation procedure>

  12. On the same screen, in Audit Filter, click the + button to add an ACL with the following specifications:

    • Access Result: ALLOWED

    • Permissions: Select All

    • Users: keyadmin

  13. Click Add. Then, click to edit the repository kmsdev and click the Test Connection button to confirm if the entire procedure ran correctly.

  14. Restart Ranger KMS:

  15. If you are using Luna Cloud HSM, verify whether the master key was created. To do this, run lunacm:

    Or:

  16. Log in with the role crypto officer:

  17. List the partition contents to check if the master key was created successfully:

    Example output with the master key created:

Enable Load Balancer in Ranger KMS

  1. On a second server, perform the entire Ranger KMS installation.

  1. In step 5 of the configuration, where the file core-site.xml is changed so that the datanodes can access the KMS, proceed as follows: open the file, find the property hadoop.security.key.provider.path and change its value from kms://http@localhost:9292/kms to kms://http@host1;host2:9292/kms:

    Before:

    After:

  2. Restart HDFS:

  3. Continue with the completion of the Ranger KMS configuration, starting from step 6.
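
The core-site.xml change described in this section, as an added shell example that is not part of the original guide: it reads the current hadoop.security.key.provider.path value, replaces it, and keeps a backup copy. The function names and the one-element-per-line file layout are assumptions.

```shell
#!/bin/sh
# Added example (not from the guide): read and update the KMS provider path.
# Assumes each <name> and <value> element sits on its own line.
PROP=hadoop.security.key.provider.path

# get_provider_path FILE: print the current <value> of $PROP.
get_provider_path() {
    awk -v prop="$PROP" '
        index($0, "<name>" prop "</name>") { found = 1 }
        found && match($0, /<value>[^<]*<\/value>/) {
            print substr($0, RSTART + 7, RLENGTH - 15); exit
        }' "$1"
}

# set_provider_path FILE NEW: replace the value, keeping a FILE.bak copy.
set_provider_path() {
    file=$1; new=$2
    # Refuse to edit a file that does not define the property.
    [ -n "$(get_provider_path "$file")" ] || return 1
    cp -p "$file" "$file.bak" || return 1
    awk -v prop="$PROP" -v new="$new" '
        index($0, "<name>" prop "</name>") { found = 1 }
        found && !changed && match($0, /<value>[^<]*<\/value>/) {
            $0 = substr($0, 1, RSTART - 1) "<value>" new "</value>" substr($0, RSTART + RLENGTH)
            changed = 1
        }
        { print }' "$file.bak" > "$file"
}

# demo: apply the guide's Before/After values to a constructed file.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/core-site.xml" <<'EOF'
<configuration>
  <property>
    <name>hadoop.security.key.provider.path</name>
    <value>kms://http@localhost:9292/kms</value>
  </property>
</configuration>
EOF
    echo "Before: $(get_provider_path "$dir/core-site.xml")"
    set_provider_path "$dir/core-site.xml" 'kms://http@host1;host2:9292/kms'
    echo "After:  $(get_provider_path "$dir/core-site.xml")"
    rm -rf "$dir"
}
```

Run `demo` to see the change on the constructed file, then call `set_provider_path` on the real core-site.xml of each node before restarting HDFS.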

Ranger Uninstallation

To uninstall Ranger, run the following commands:
