# Apache Ranger™ and Ranger KMS

This manual is an installation guide for Apache Ranger™ and Ranger KMS.

{% hint style="warning" %}
This procedure applies to the GHDP environment.
{% endhint %}

## Prerequisites

Install the prerequisites for the [Ranger build](#builddoranger).

### Maven

1. Download the latest version of Maven at [Downloading Apache Maven](https://maven.apache.org/download.cgi) or:

   ```sh
   cd /usr/local
   wget https://dlcdn.apache.org/maven/maven-3/3.8.6/binaries/apache-maven-3.8.6-bin.tar.gz
   tar -xvf apache-maven-3.8.6-bin.tar.gz
   ```
2. Edit the file that loads the GHDP environment variables:

   ```sh
   vim /etc/profile.d/hadoop_setup.sh
   ```

   ```sh
   ...
   # MAVEN (for Ranger)
   export M2_VERSION=$(ls -A /usr/local/ | grep apache-maven- | grep -v .gz | awk -F '-' '{print $3}')
   export M2_HOME=/usr/local/apache-maven-$M2_VERSION
   export M2=$M2_HOME/bin
   ...
   ```
3. Verify that the installation was successful:

   ```sh
   mvn -version
   ```

### Other requirements

Install the other required items:

```sh
yum -y install git
yum -y install gcc
yum -y install gcc-c++   # the C++ compiler package on RHEL-family systems is gcc-c++, not g++
yum install bzip2 -y
yum -y install java-1.8.0-openjdk-devel
yum -y install python3
```

## Ranger Build

1. Download the *source* of the most up-to-date Ranger that suits your OS and Java version, from the [official Ranger site](https://ranger.apache.org/download.html) or:

   ```sh
   wget https://dlcdn.apache.org/ranger/2.3.0/apache-ranger-2.3.0.tar.gz
   tar -xvf apache-ranger-2.3.0.tar.gz
   cd ./apache-ranger-2.3.0
   ```
2. Run the *build* of Ranger using Maven:

   ```sh
   mvn clean compile package install
   ```
3. If an insecure access error occurs due to an expired certificate on some repository link, run the *build* as follows:

   ```sh
   mvn clean compile package install -Dmaven.wagon.http.ssl.insecure=true -Dmaven.wagon.http.ssl.allowall=true -Dmaven.wagon.http.ssl.ignore.validity.dates=true
   ```
4. Finish the *build* procedure with the following command:

   ```sh
   mvn eclipse:eclipse
   ```
5. At the end, a folder called `target` with all Ranger components will be generated.

   ```sh
   cd ./target
   ls -l

   total 1328820
   drwxr-xr-x. 2 root root      4096 Dec 15 14:34 antrun
   -rw-r--r--. 1 root root        87 Dec 15 14:34 checkstyle-cachefile
   -rw-r--r--. 1 root root      9216 Dec 15 14:34 checkstyle-checker.xml
   -rw-r--r--. 1 root root     20369 Dec 15 14:34 checkstyle-header.txt
   -rw-r--r--. 1 root root        81 Dec 15 14:34 checkstyle-result.xml
   -rw-r--r--. 1 root root      1144 Dec 15 14:34 checkstyle-suppressions.xml
   drwxr-xr-x. 3 root root      4096 Dec 15 14:34 maven-shared-archive-resources
   -rw-r--r--. 1 root root 518758611 Dec 15 14:34 ranger-2.3.0-admin.tar.gz
   -rw-r--r--. 1 root root  41566842 Dec 15 14:34 ranger-2.3.0-atlas-plugin.tar.gz
   -rw-r--r--. 1 root root  36041635 Dec 15 14:34 ranger-2.3.0-elasticsearch-plugin.tar.gz
   -rw-r--r--. 1 root root  36975553 Dec 15 14:34 ranger-2.3.0-hbase-plugin.tar.gz
   -rw-r--r--. 1 root root  35537921 Dec 15 14:34 ranger-2.3.0-hdfs-plugin.tar.gz
   -rw-r--r--. 1 root root  35327622 Dec 15 14:34 ranger-2.3.0-hive-plugin.tar.gz
   -rw-r--r--. 1 root root  54580246 Dec 15 14:34 ranger-2.3.0-kafka-plugin.tar.gz
   drwxr-xr-x. 7 root root      4096 Dec 15 14:34 ranger-2.3.0-kms
   -rw-r--r--. 1 root root 195191513 Dec 15 14:34 ranger-2.3.0-kms.tar.gz
   -rw-r--r--. 1 root root  49243221 Dec 15 14:34 ranger-2.3.0-knox-plugin.tar.gz
   -rw-r--r--. 1 root root  34477047 Dec 15 14:34 ranger-2.3.0-kylin-plugin.tar.gz
   -rw-r--r--. 1 root root     34007 Dec 15 14:34 ranger-2.3.0-migration-util.tar.gz
   -rw-r--r--. 1 root root  41233187 Dec 15 14:34 ranger-2.3.0-ozone-plugin.tar.gz
   -rw-r--r--. 1 root root  55205632 Dec 15 14:34 ranger-2.3.0-presto-plugin.tar.gz
   -rw-r--r--. 1 root root  15803444 Dec 15 14:34 ranger-2.3.0-ranger-tools.tar.gz
   -rw-r--r--. 1 root root    905882 Dec 15 14:34 ranger-2.3.0-schema-registry-plugin.jar
   -rw-r--r--. 1 root root     37302 Dec 15 14:34 ranger-2.3.0-solr_audit_conf.tar.gz
   -rw-r--r--. 1 root root     40595 Dec 15 14:34 ranger-2.3.0-solr_audit_conf.zip
   -rw-r--r--. 1 root root  36130187 Dec 15 14:34 ranger-2.3.0-solr-plugin.tar.gz
   -rw-r--r--. 1 root root  34715214 Dec 15 14:34 ranger-2.3.0-sqoop-plugin.tar.gz
   -rw-r--r--. 1 root root   6315989 Dec 15 14:34 ranger-2.3.0-src.tar.gz
   -rw-r--r--. 1 root root  49575156 Dec 15 14:34 ranger-2.3.0-storm-plugin.tar.gz
   -rw-r--r--. 1 root root  30112906 Dec 15 14:34 ranger-2.3.0-tagsync.tar.gz
   -rw-r--r--. 1 root root  19205167 Dec 15 14:34 ranger-2.3.0-usersync.tar.gz
   -rw-r--r--. 1 root root  33381584 Dec 15 14:34 ranger-2.3.0-yarn-plugin.tar.gz
   -rw-r--r--. 1 root root    196038 Dec 15 14:34 rat.txt
   -rw-r--r--. 1 root root         5 Dec 15 14:34 version
   ```

## Solr Installation

{% hint style="info" %}
Refer to the [Official Solr Site](https://solr.apache.org/downloads.html) for the best Solr version for your system.
{% endhint %}

1. Go to the Ranger *build* folder from the [previous topic](#builddoranger).
2. Inside it, go to the Solr installer folder, which comes pre-configured for Ranger audit use:

   ```sh
   cd ~/apache-ranger-2.3.0
   cd ./security-admin/contrib/solr_for_audit_setup/
   ```
3. Create the Solr folder according to the chosen version:

   ```sh
   mkdir -p /usr/gdp/hadoop/solr/8.11.2/
   ```
4. Edit the file `install.properties`:

   ```sh
   vim install.properties
   ```

   ```properties
   ...
   SOLR_INSTALL=true
   SOLR_DOWNLOAD_URL=https://dlcdn.apache.org/lucene/solr/8.11.2/solr-8.11.2.tgz
   SOLR_LOG_FOLDER=/var/log/hadoop/solr/ranger_audits
   ...
   ```

   Then point every `/opt/solr` path in the file at the GHDP Solr folder:

   ```sh
   sed -i 's/\/opt\/solr/\/usr\/gdp\/hadoop\/solr\/8.11.2/g' install.properties
   ```
5. Run the script `setup.sh`, then read the start instructions it writes to `install_notes.txt`:

   ```sh
   chmod +x setup.sh
   ./setup.sh

   less /usr/gdp/hadoop/solr/8.11.2/ranger_audit_server/install_notes.txt
   ```
6. Start Solr:

   ```sh
   /usr/gdp/hadoop/solr/8.11.2/ranger_audit_server/scripts/start_solr.sh
   ```

## Ranger Admin installation and configuration

1. Create the Ranger Admin folder:

   ```sh
   mkdir -p /usr/gdp/hadoop/ranger/2.3.0/ranger-admin
   ```
2. Go to the `target` folder generated in the [build](#builddoranger) procedure and unzip the file `ranger-2.3.0-admin.tar.gz`:

   ```sh
   cd ./apache-ranger-2.3.0/target
   tar -xvf ranger-2.3.0-admin.tar.gz
   ```
3. Copy all files inside the unzipped folder to the `ranger-admin` folder:

   ```sh
   cd ranger-2.3.0-admin
   cp -R * /usr/gdp/hadoop/ranger/2.3.0/ranger-admin/
   ```
4. In the database, create the user `rangerdba` as follows:

   ```sh
   mysql -uroot -p
   ```

   ```sql
   SET GLOBAL validate_password_policy=LOW;

   CREATE USER 'rangerdba'@'localhost' IDENTIFIED BY 'rangerdba';

   GRANT ALL PRIVILEGES ON *.* TO 'rangerdba'@'localhost';

   CREATE USER 'rangerdba'@'%' IDENTIFIED BY 'rangerdba';

   GRANT ALL PRIVILEGES ON *.* TO 'rangerdba'@'%';

   GRANT ALL PRIVILEGES ON *.* TO 'rangerdba'@'localhost' WITH GRANT OPTION;

   GRANT ALL PRIVILEGES ON *.* TO 'rangerdba'@'%' WITH GRANT OPTION;

   FLUSH PRIVILEGES;
   ```
5. If it is not installed yet, install `mysql-connector-java` and verify that `mysql-connector-java.jar` is in the expected folder:

   ```sh
   yum install mysql-connector-java
   ls /usr/share/java/mysql-connector-java.jar
   ```
6. Create the *logs* folder for Ranger Admin:

   ```sh
   mkdir -p /var/log/hadoop/ranger/ranger-admin
   ```
7. In the Ranger Admin folder, edit the file `install.properties`:

   ```sh
   cd /usr/gdp/hadoop/ranger/2.3.0/ranger-admin/
   vim install.properties
   ```

   ```properties
   ...
   db_root_user=rangerdba
   db_root_password=rangerdba
   db_host=localhost

   db_name=ranger
   db_user=rangerdba
   db_password=rangerdba

   rangerAdmin_password=Griaule.123
   rangerTagsync_password=Griaule.123
   rangerUsersync_password=Griaule.123
   keyadmin_password=Griaule.123

   audit_solr_urls=http://localhost:6083/solr/ranger_audits

   policymgr_supportedcomponents=hbase,hdfs,kafka,kms

   authentication_method=UNIX
   remoteLoginEnabled=true
   authServiceHostName=localhost
   authServicePort=5151

   hadoop_conf=/etc/hadoop/hdfs/conf/

   RANGER_ADMIN_LOG_DIR=/var/log/hadoop/ranger/ranger-admin
   ...
   ```
8. Run the *setup*:

   ```sh
   ./setup.sh
   ```
9. Give the user `ranger` ownership of the Ranger and *logs* folders, and add it to the group `hadoop`:

   ```sh
   chown -R ranger: /usr/gdp/hadoop/ranger/
   chown -R ranger: /var/log/hadoop/ranger/
   usermod -a -G hadoop ranger
   ```
10. To start Ranger Admin, use the command:

    ```sh
    ranger-admin start
    ```
11. Open the Ranger Admin UI and log in as the user `admin` with the pre-configured password:

    ```text
    http://<my_ip>:6080/
    ```

{% hint style="info" %}
In this context, the pre-configured password will always be `Griaule.123`.
{% endhint %}

## Ranger UserSync Installation

1. Create the folder `ranger-usersync` in the GHDP Ranger folder; then, in the Ranger build's `target` folder, unzip `ranger-2.3.0-usersync.tar.gz` and copy all its files to the created folder:

   ```sh
   mkdir -p /usr/gdp/hadoop/ranger/2.3.0/ranger-usersync
   # run the following from ./apache-ranger-2.3.0/target
   tar -xvf ranger-2.3.0-usersync.tar.gz
   cd ranger-2.3.0-usersync
   cp -R * /usr/gdp/hadoop/ranger/2.3.0/ranger-usersync
   ```
2. Create the *logs* folder and give the user `ranger` ownership of the folders `/usr/gdp/hadoop/ranger/` and `/var/log/hadoop/ranger/`:

   ```sh
   mkdir -p /var/log/hadoop/ranger/ranger-usersync
   chown -R ranger: /usr/gdp/hadoop/ranger/
   chown -R ranger: /var/log/hadoop/ranger/
   ```
3. In the `ranger-usersync` folder, edit the file `install.properties` as follows:

   ```sh
   cd /usr/gdp/hadoop/ranger/2.3.0/ranger-usersync
   vim install.properties
   ```

   ```properties
   ...
   POLICY_MGR_URL = http://<ip_addr>:6080

   SYNC_SOURCE = unix

   SYNC_INTERVAL = 5

   # same password that was set for rangerUsersync_password in ranger-admin
   # (a trailing "# comment" on the value line would become part of the password)
   rangerUsersync_password=Griaule.123

   hadoop_conf=/etc/hadoop/hdfs/conf

   logdir=/var/log/hadoop/ranger/ranger-usersync
   ...
   ```
4. Change the application's default configuration *path* from `/etc/ranger` to `/usr/gdp/hadoop/ranger/2.3.0/ranger-usersync/ranger`:

   ```sh
   sed -i 's/\/etc\/ranger/\/usr\/gdp\/hadoop\/ranger\/2.3.0\/ranger-usersync\/ranger/g' install.properties
   ```
5. Run the script `setup.sh`:

   ```sh
   ./setup.sh
   ```
6. Change the configuration to enable UserSync synchronization:

   ```sh
   vim /usr/gdp/hadoop/ranger/2.3.0/ranger-usersync/conf/ranger-ugsync-site.xml
   ```

   ```xml
   <property>
     <name>ranger.usersync.enabled</name>
     <value>true</value>
   </property>
   ```
7. Once the installation finishes with the message **successfully**, start the service using the script `ranger-usersync-services.sh`:

   ```sh
   # Start:
   ./ranger-usersync-services.sh start

   # Stop:
   ./ranger-usersync-services.sh stop
   ```

## Plugin Installation

{% hint style="info" %}
The plugins **are not** required for the operation of Ranger KMS. They are only features available for auditing Hadoop resources.
{% endhint %}

### HDFS Plugin

{% hint style="warning" %}
The HDFS Plugin must be installed on **all** the *NameNodes*.
{% endhint %}

1. Create the folder `ranger-hdfs-plugin` according to the GHDP structure:

   ```sh
   mkdir -p /usr/gdp/hadoop/ranger/2.3.0/ranger-hdfs-plugin
   ```
2. In the Ranger build's `target` folder, unzip the file `ranger-2.3.0-hdfs-plugin.tar.gz` and copy all files to the folder created previously:

   ```sh
   cd ./apache-ranger-2.3.0/target/
   tar -xvf ranger-2.3.0-hdfs-plugin.tar.gz
   cd ranger-2.3.0-hdfs-plugin
   cp -R * /usr/gdp/hadoop/ranger/2.3.0/ranger-hdfs-plugin
   ```
3. In the plugin folder, edit the file `install.properties`:

   ```sh
   cd /usr/gdp/hadoop/ranger/2.3.0/ranger-hdfs-plugin
   vim install.properties
   ```

   ```properties
   ...
   POLICY_MGR_URL=http://<host_addrs>:6080

   REPOSITORY_NAME=hadoopdev

   COMPONENT_INSTALL_DIR_NAME=/usr/gdp/hadoop/hdfs/3.2.4/

   XAAUDIT.SOLR.ENABLE = true
   XAAUDIT.SOLR.URL = http://<host_addrs>:6083/solr/ranger_audits
   XAAUDIT.SOLR.USER = NONE
   XAAUDIT.SOLR.PASSWORD = NONE
   XAAUDIT.SOLR.ZOOKEEPER = NONE
   XAAUDIT.SOLR.FILE_SPOOL_DIR = /var/log/hadoop/hdfs/audit/solr/spool
   ...
   ```
4. If there is more than one *NameNode*, create the same folder structure on the other *NameNodes* and copy all content to them with `scp` (`<namenode2_host>` below is a placeholder for the other NameNode's address):

   > This procedure must be performed **before** enabling the *plugin*.

   ```sh
   # On NameNode2: create the target folder
   mkdir -p /usr/gdp/hadoop/ranger/2.3.0/ranger-hdfs-plugin

   # On NameNode1, from /usr/gdp/hadoop/ranger/2.3.0/ranger-hdfs-plugin
   scp -r * root@<namenode2_host>:/usr/gdp/hadoop/ranger/2.3.0/ranger-hdfs-plugin/

   # On NameNode2: confirm the copy
   cd /usr/gdp/hadoop/ranger/2.3.0/ranger-hdfs-plugin
   ls -l
   ```
5. Enable the *plugin* running the script `enable-hdfs-plugin.sh`:

   ```sh
   ./enable-hdfs-plugin.sh
   ```
6. Connect to the **Ranger Admin UI**. On the main screen, under HDFS, click the + button and fill the fields with the following information:
   * *Service Name*: `hadoopdev`
   * *Display Name*: `hadoopdev`
   * *Username*: `hadoop` (UNIX User)
   * *Password*: `<password created for the hadoop user on UNIX>`
   * *NameNode URL*: `hdfs://localhost:50070`
   * *Authentication Type*: `Simple`
7. Keep the rest of the settings unchanged and click the Add button.
8. Restart the *cluster*.

### HBase Plugin

{% hint style="warning" %}
The HBase Plugin must be installed on **all** hosts running a *Master* or a *RegionServer*.
{% endhint %}

1. Create the folder `ranger-hbase-plugin` according to the GHDP structure:

   ```sh
   mkdir -p /usr/gdp/hadoop/ranger/2.3.0/ranger-hbase-plugin
   ```
2. In the Ranger build's `target` folder, unzip the file `ranger-2.3.0-hbase-plugin.tar.gz` and copy all files to the folder created previously:

   ```sh
   cd ./apache-ranger-2.3.0/target/
   tar -xvf ranger-2.3.0-hbase-plugin.tar.gz
   cd ranger-2.3.0-hbase-plugin
   cp -R * /usr/gdp/hadoop/ranger/2.3.0/ranger-hbase-plugin
   ```
3. In the plugin folder, edit the file `install.properties`:

   ```sh
   cd /usr/gdp/hadoop/ranger/2.3.0/ranger-hbase-plugin
   vim install.properties
   ```

   ```properties
   ...
   POLICY_MGR_URL=http://localhost:6080

   REPOSITORY_NAME=hbasedev

   COMPONENT_INSTALL_DIR_NAME=/usr/gdp/hadoop/hbase/2.5.1

   XAAUDIT.SOLR.ENABLE=true
   XAAUDIT.SOLR.URL=http://localhost:6083/solr/ranger_audits
   XAAUDIT.SOLR.USER=NONE
   XAAUDIT.SOLR.PASSWORD=NONE
   XAAUDIT.SOLR.ZOOKEEPER=NONE
   XAAUDIT.SOLR.FILE_SPOOL_DIR=/var/log/hadoop/hbase/audit/solr/spool

   XAAUDIT.SOLR.IS_ENABLED=true
   XAAUDIT.SOLR.MAX_QUEUE_SIZE=1
   XAAUDIT.SOLR.MAX_FLUSH_INTERVAL_MS=1000
   XAAUDIT.SOLR.SOLR_URL=http://localhost:6083/solr/ranger_audits
   ...
   ```
4. Create the same folder structure on the other *Master* and *RegionServer* hosts and copy all content to them (`<node2_host>` and `<node3_host>` below are placeholders for their addresses):

   > This procedure must be performed **before** enabling the *plugin*.

   ```sh
   # On node2 and node3: create the target folder
   mkdir -p /usr/gdp/hadoop/ranger/2.3.0/ranger-hbase-plugin

   # On node1, from /usr/gdp/hadoop/ranger/2.3.0/ranger-hbase-plugin
   scp -r * root@<node2_host>:/usr/gdp/hadoop/ranger/2.3.0/ranger-hbase-plugin/
   scp -r * root@<node3_host>:/usr/gdp/hadoop/ranger/2.3.0/ranger-hbase-plugin/

   # On node2 and node3: confirm the copy
   cd /usr/gdp/hadoop/ranger/2.3.0/ranger-hbase-plugin
   ls -l
   ```
5. Create a user `hbase` and enable the *plugin* running the script `enable-hbase-plugin.sh`:

   ```sh
   useradd hbase
   passwd hbase
   ./enable-hbase-plugin.sh
   ```
6. Connect to the **Ranger Admin UI**. On the main screen, under HBASE, click the + button and fill the fields with the following information (the *Service Name* must match `REPOSITORY_NAME` in `install.properties`):
   * *Service Name*: `hbasedev`
   * *Display Name*: `hbasedev`
   * *Username*: `hbase` (UNIX User)
   * *Password*: `<password created for the hbase user on UNIX>`
   * *hadoop.security.authentication*: `Simple`
   * *hbase.security.authentication*: `Simple`
   * *hbase.zookeeper.property.clientPort*: `2181`
   * *hbase.zookeeper.quorum*: `,,`
   * *zookeeper.znode.parent*: `/hbase-unsecure`
7. Keep the rest of the settings unchanged and click the Add button.
8. Restart the *cluster*.

### Kafka Plugin

{% hint style="warning" %}
The Kafka Plugin must be installed on **all** hosts that have the component installed.
{% endhint %}

1. Create the folder `ranger-kafka-plugin` according to the GHDP structure:

   ```sh
   mkdir -p /usr/gdp/hadoop/ranger/2.3.0/ranger-kafka-plugin
   ```
2. In the Ranger build's `target` folder, unzip the file `ranger-2.3.0-kafka-plugin.tar.gz` and copy all files to the folder created previously:

   ```sh
   cd ./apache-ranger-2.3.0/target/
   tar -xvf ranger-2.3.0-kafka-plugin.tar.gz
   cd ranger-2.3.0-kafka-plugin
   cp -R * /usr/gdp/hadoop/ranger/2.3.0/ranger-kafka-plugin
   ```
3. In the plugin folder, edit the file `install.properties`:

   ```sh
   cd /usr/gdp/hadoop/ranger/2.3.0/ranger-kafka-plugin
   vim install.properties
   ```

   ```properties
   ...
   COMPONENT_INSTALL_DIR_NAME=/usr/gdp/hadoop/kafka/3.3.1/

   POLICY_MGR_URL=http://localhost:6080

   REPOSITORY_NAME=kafkadev

   XAAUDIT.SOLR.ENABLE=true
   XAAUDIT.SOLR.URL=http://localhost:6083/solr/ranger_audits
   XAAUDIT.SOLR.USER=NONE
   XAAUDIT.SOLR.PASSWORD=NONE
   XAAUDIT.SOLR.ZOOKEEPER=NONE
   XAAUDIT.SOLR.FILE_SPOOL_DIR=/var/log/hadoop/kafka/audit/solr/spool

   XAAUDIT.SOLR.IS_ENABLED=true
   XAAUDIT.SOLR.MAX_QUEUE_SIZE=1
   XAAUDIT.SOLR.MAX_FLUSH_INTERVAL_MS=1000
   XAAUDIT.SOLR.SOLR_URL=http://localhost:6083/solr/ranger_audits
   ...
   ```
4. Create the same folder structure on the other *nodes* and copy all content to them (`<node2_host>` and `<node3_host>` below are placeholders for their addresses):

   > This procedure must be performed **before** enabling the *plugin*.

   ```sh
   # On node2 and node3: create the target folder
   mkdir -p /usr/gdp/hadoop/ranger/2.3.0/ranger-kafka-plugin

   # On node1, from /usr/gdp/hadoop/ranger/2.3.0/ranger-kafka-plugin
   scp -r * root@<node2_host>:/usr/gdp/hadoop/ranger/2.3.0/ranger-kafka-plugin
   scp -r * root@<node3_host>:/usr/gdp/hadoop/ranger/2.3.0/ranger-kafka-plugin

   # On node2 and node3: confirm the copy
   cd /usr/gdp/hadoop/ranger/2.3.0/ranger-kafka-plugin
   ls -l
   ```
5. Create a user `kafka` and enable the *plugin* running the script `enable-kafka-plugin.sh`:

   ```sh
   useradd kafka
   passwd kafka
   ./enable-kafka-plugin.sh
   ```
6. Connect to the **Ranger Admin UI**. On the main screen, under KAFKA, click the + button and fill the fields with the following information (the *Service Name* must match `REPOSITORY_NAME` in `install.properties`):
   * *Service Name*: `kafkadev`
   * *Display Name*: `kafkadev`
   * *Username*: `kafka` (UNIX User)
   * *Password*: `<password created for the kafka user on UNIX>`
   * *Zookeeper Connect String*: `localhost:2181`
7. Keep the rest of the settings unchanged and click the Add button.
8. Restart the *cluster*.

## Ranger KMS Installation and Configuration

### Ranger KMS Installation

1. Create the folder `ranger-kms` according to the GHDP structure:

   ```sh
   mkdir -p /usr/gdp/hadoop/ranger/2.3.0/ranger-kms
   ```
2. On the MySQL server, create a user `rangerkms` for database management by the application:

   ```sh
   mysql -uroot -p
   ```

   ```sql
   CREATE USER 'rangerkms'@'localhost' IDENTIFIED BY 'rangerkms';

   GRANT ALL PRIVILEGES ON *.* TO 'rangerkms'@'localhost';

   CREATE USER 'rangerkms'@'%' IDENTIFIED BY 'rangerkms';

   GRANT ALL PRIVILEGES ON *.* TO 'rangerkms'@'%';

   GRANT ALL PRIVILEGES ON *.* TO 'rangerkms'@'localhost' WITH GRANT OPTION;

   GRANT ALL PRIVILEGES ON *.* TO 'rangerkms'@'%' WITH GRANT OPTION;

   FLUSH PRIVILEGES;
   ```
3. In the Ranger build's `target` folder, unzip Ranger KMS and copy all files to the folder created previously:

   ```sh
   cd ./apache-ranger-2.3.0/target/
   tar -xvf ranger-2.3.0-kms.tar.gz
   cd ranger-2.3.0-kms
   cp -R * /usr/gdp/hadoop/ranger/2.3.0/ranger-kms/
   ```
4. Create the *logs* for Ranger KMS:

   ```sh
   mkdir -p /var/log/hadoop/ranger/ranger-kms/
   ```
5. Using a password generator, create a password with the following parameters and store it in a safe place (it will be used in the next step):
   * 16 characters
   * Uppercase letters
   * Lowercase letters
   * Special characters
6. In the Ranger KMS folder, edit the file `install.properties`, adding the configuration for the Java Key Store (which stores the master key in a file on the server itself):

   > Use the 16-character password generated in the previous step as `KMS_MASTER_KEY_PASSWD`. For example: `$ZH1$Q8&ExUaTku8`.

   ```sh
   cd /usr/gdp/hadoop/ranger/2.3.0/ranger-kms/
   vim install.properties
   ```

   ```properties
   ...
   db_root_user=rangerkms
   db_root_password=rangerkms
   db_host=localhost

   db_name=rangerkms
   db_user=rangerkms
   db_password=rangerkms

   COMPONENT_INSTALL_DIR_NAME=/usr/gdp/hadoop/ranger/2.3.0/ranger-kms

   KMS_MASTER_KEY_PASSWD=<16-character password generated previously>

   hadoop_conf=/etc/hadoop/hdfs/conf

   POLICY_MGR_URL=http://localhost:6080

   REPOSITORY_NAME=kmsdev

   XAAUDIT.SOLR.ENABLE=true
   XAAUDIT.SOLR.URL=http://localhost:6083/solr/ranger_audits
   XAAUDIT.SOLR.USER=NONE
   XAAUDIT.SOLR.PASSWORD=NONE
   XAAUDIT.SOLR.ZOOKEEPER=NONE
   XAAUDIT.SOLR.FILE_SPOOL_DIR=/var/log/hadoop/ranger/ranger-kms/audit/solr/spool

   XAAUDIT.SOLR.IS_ENABLED=true
   XAAUDIT.SOLR.MAX_QUEUE_SIZE=1
   XAAUDIT.SOLR.MAX_FLUSH_INTERVAL_MS=1000
   XAAUDIT.SOLR.SOLR_URL=http://localhost:6083/solr/ranger_audits

   RANGER_KMS_LOG_DIR=/var/log/hadoop/ranger/ranger-kms
   ...
   ```
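Before `setup.sh` is run, the `install.properties` above is worth checking mechanically: a `<...>` placeholder left in `KMS_MASTER_KEY_PASSWD`, a master key password that does not meet the policy from step 5, or an empty `HSM_*` value when Luna is enabled all turn into a failed or silently weak setup. The script below is an added example, not part of the GHDP guide or of Ranger; the two sample files it writes are constructed for demonstration.

```shell
#!/bin/sh
# Added example (not from the GHDP guide): sanity-check a Ranger KMS
# install.properties before running setup.sh. Checks performed:
#   1. no "<...>" template placeholder is left in any value;
#   2. KMS_MASTER_KEY_PASSWD follows the guide's policy (16 characters,
#      upper case, lower case and special characters);
#   3. if HSM_ENABLED=true, the HSM_* keys used for Luna are all filled in.

# Print the value of property "$2" in file "$1" (first match; blanks around
# '=' are dropped). Dots in the name act as regex wildcards, harmless here.
get_prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 if "$1" meets the master key password policy, 1 otherwise. The
# value is never echoed, so it cannot end up in a log; 'case' matching is used
# instead of grep so characters such as $ and & are never re-interpreted.
check_kms_master_key_passwd() {
    pw=$1
    [ "${#pw}" -eq 16 ] || return 1
    case $pw in *[[:upper:]]*) ;; *) return 1 ;; esac
    case $pw in *[[:lower:]]*) ;; *) return 1 ;; esac
    case $pw in *[![:alnum:]]*) ;; *) return 1 ;; esac
    return 0
}

# Print the names of properties whose value still contains a "<...>"
# placeholder; return 1 if there is at least one.
find_placeholders() {
    found=$(sed -n 's/^[[:space:]]*\([A-Za-z0-9_.]*\)[[:space:]]*=.*<[^>]*>.*/\1/p' "$1")
    [ -n "$found" ] || return 0
    printf '%s\n' "$found"
    return 1
}

# Run every check on file "$1"; print findings; return 0 only if all pass.
check_install_properties() {
    rc=0
    if ! find_placeholders "$1" >/dev/null; then
        echo "placeholders still present:"
        find_placeholders "$1" | sed 's/^/  /'
        rc=1
    fi
    if ! check_kms_master_key_passwd "$(get_prop "$1" KMS_MASTER_KEY_PASSWD)"; then
        echo "KMS_MASTER_KEY_PASSWD does not meet the policy (16 chars, upper, lower, special)"
        rc=1
    fi
    if [ "$(get_prop "$1" HSM_ENABLED)" = "true" ]; then
        for key in HSM_TYPE HSM_PARTITION_NAME HSM_PARTITION_PASSWORD; do
            [ -n "$(get_prop "$1" "$key")" ] || { echo "HSM_ENABLED=true but $key is empty"; rc=1; }
        done
    fi
    return "$rc"
}

# Constructed sample matching the guide's Luna configuration (all checks pass).
write_sample_good() {
    cat > "$1" <<'EOF'
db_root_user=rangerkms
db_root_password=rangerkms
db_host=localhost
db_name=rangerkms
db_user=rangerkms
db_password=rangerkms
COMPONENT_INSTALL_DIR_NAME=/usr/gdp/hadoop/ranger/2.3.0/ranger-kms
KMS_MASTER_KEY_PASSWD=$ZH1$Q8&ExUaTku8
hadoop_conf=/etc/hadoop/hdfs/conf
#------------------------- Ranger KMS HSM CONFIG ------------------------------
HSM_TYPE=LunaProvider
HSM_ENABLED=true
HSM_PARTITION_NAME=rangerkms
HSM_PARTITION_PASSWORD=Griaule.123
POLICY_MGR_URL=http://localhost:6080
REPOSITORY_NAME=kmsdev
EOF
}

# Constructed sample with the mistakes this script is meant to catch: the
# placeholder left in KMS_MASTER_KEY_PASSWD and an empty HSM partition name.
write_sample_bad() {
    cat > "$1" <<'EOF'
db_user=rangerkms
KMS_MASTER_KEY_PASSWD=<16-character password generated previously>
HSM_TYPE=LunaProvider
HSM_ENABLED=true
HSM_PARTITION_NAME=
HSM_PARTITION_PASSWORD=Griaule.123
EOF
}

# Stand-alone demonstration over the two samples. For a real file, call:
#   check_install_properties /usr/gdp/hadoop/ranger/2.3.0/ranger-kms/install.properties
for kind in good bad; do
    f=$(mktemp)
    "write_sample_$kind" "$f"
    if check_install_properties "$f"; then echo "$kind sample: OK"; else echo "$kind sample: FAILED"; fi
    rm -f "$f"
done
```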

### Ranger KMS Configuration with Luna Cloud HSM

1. Before running the Ranger KMS *setup*, the *LunaProvider* must be added to `java.security`. Edit the file `java.security`, located in the folder `<JDK_installation_directory>/jre/lib/security`, and add two lines at the end: one registering the *LunaProvider* as the next entry in the provider list, `security.provider.10=com.safenetinc.luna.provider.LunaProvider`, and one with the setting Luna needs in order to work, `com.safenetinc.luna.provider.createExtractableKeys=true`:

   ```sh
   vim /usr/lib/java/jre/lib/security/java.security
   ```

   ```properties
   #
   # List of providers and their preference orders (see above):
   #
   security.provider.1=sun.security.provider.Sun
   security.provider.2=sun.security.rsa.SunRsaSign
   security.provider.3=sun.security.ec.SunEC
   security.provider.4=com.sun.net.ssl.internal.ssl.Provider
   security.provider.5=com.sun.crypto.provider.SunJCE
   security.provider.6=sun.security.jgss.SunProvider
   security.provider.7=com.sun.security.sasl.Provider
   security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
   security.provider.9=sun.security.smartcardio.SunPCSC
   security.provider.10=com.safenetinc.luna.provider.LunaProvider

   com.safenetinc.luna.provider.createExtractableKeys=true
   ```
2. Copy the files `LunaProvider.jar` and `libLunaAPI.so` to the folder `<JDK_installation_directory>/jre/lib/ext`:

   ```sh
   cp /usr/safenet/lunaclient/jsp/LunaProvider.jar /usr/lib/java/jre/lib/ext/
   cp /usr/safenet/lunaclient/jsp/64/libLunaAPI.so /usr/lib/java/jre/lib/ext/
   ```
3. Using a password generator, create a password with the following parameters and store it in a safe place (it will be used in the next step):
   * 16 characters
   * Uppercase letters
   * Lowercase letters
   * Special characters
4. Edit the file `install.properties` for the *setup* of Ranger KMS with Luna Cloud HSM:

   > Use the 16-character password generated in the previous step as `KMS_MASTER_KEY_PASSWD`. For example: `$ZH1$Q8&ExUaTku8`.

   ```sh
   cd /usr/gdp/hadoop/ranger/2.3.0/ranger-kms/
   vim install.properties
   ```

   ```properties
   ...
   db_root_user=rangerkms
   db_root_password=rangerkms
   db_host=localhost

   db_name=rangerkms
   db_user=rangerkms
   db_password=rangerkms

   COMPONENT_INSTALL_DIR_NAME=/usr/gdp/hadoop/ranger/2.3.0/ranger-kms

   KMS_MASTER_KEY_PASSWD=<16-character password generated previously>

   hadoop_conf=/etc/hadoop/hdfs/conf

   #------------------------- Ranger KMS HSM CONFIG ------------------------------
   HSM_TYPE=LunaProvider
   HSM_ENABLED=true
   HSM_PARTITION_NAME=rangerkms
   HSM_PARTITION_PASSWORD=Griaule.123

   POLICY_MGR_URL=http://localhost:6080

   REPOSITORY_NAME=kmsdev

   XAAUDIT.SOLR.ENABLE=true
   XAAUDIT.SOLR.URL=http://localhost:6083/solr/ranger_audits
   XAAUDIT.SOLR.USER=NONE
   XAAUDIT.SOLR.PASSWORD=NONE
   XAAUDIT.SOLR.ZOOKEEPER=NONE
   XAAUDIT.SOLR.FILE_SPOOL_DIR=/var/log/hadoop/ranger/ranger-kms/audit/solr/spool

   XAAUDIT.SOLR.IS_ENABLED=true
   XAAUDIT.SOLR.MAX_QUEUE_SIZE=1
   XAAUDIT.SOLR.MAX_FLUSH_INTERVAL_MS=1000
   XAAUDIT.SOLR.SOLR_URL=http://localhost:6083/solr/ranger_audits

   RANGER_KMS_LOG_DIR=/var/log/hadoop/ranger/ranger-kms
   ...
   ```
5. On all *nodes*, so that the *datanodes* can reach the KMS, edit the file `core-site.xml` and set the *value* of the property `hadoop.security.key.provider.path` to `kms://http@localhost:9292/kms`:

   ```sh
   vim /etc/hadoop/hdfs/conf/core-site.xml
   ```

   ```xml
   <property>
     <name>hadoop.security.key.provider.path</name>
     <value>kms://http@localhost:9292/kms</value>
   </property>
   ```
6. Restart HDFS.

   ```sh
   dfsstop
   dfsstart
   ```
7. Give the user `kms` ownership of the Ranger KMS folders:

   ```sh
   chown -R kms: /var/log/hadoop/ranger/ranger-kms/
   chown -R kms: /usr/gdp/hadoop/ranger/2.3.0/ranger-kms/
   ```
8. Run the *setup* script, wait for the installation to finish with the message **successfully**, then start Ranger KMS:

   ```sh
   ./setup.sh

   # Start:
   ranger-kms start

   # Stop:
   ranger-kms stop
   ```
9. If everything went successfully, the Ranger KMS dashboard can be reached through the Ranger Admin address with the user `keyadmin` and the password defined in the [Ranger Admin installation procedure](#instalacaorangeradmin).
   * *Link*: `http://<my_ip>:6080/`
   * *User*: `keyadmin`
   * *Password*: `<defined in install.properties during Ranger Admin setup>`
10. Log into the Ranger Admin UI with the user `admin` and go to Settings > Users/Groups/Roles. On the Users tab, click the Add New User button and create the users:
    * `hive`
    * `hdfs`
    * `om`
    * `hbase`
11. Then log out and log in as `keyadmin` to reach the Ranger KMS dashboard under the KMS service. Click the + button to create the repository `kmsdev` with the following specifications:
    * *Service Name*: `kmsdev`
    * *KMS URL*: `kms://http@:9292/kms`
    * *Username*: `keyadmin`
    * *Password*: `<password set in the Ranger Admin installation procedure>`
12. On the same screen, under Audit Filter, click the + button to add an ACL with the following specifications:
    * *Access Result*: `ALLOWED`
    * *Permissions*: `Select All`
    * *Users*: `keyadmin`
13. Click Add. Then edit the repository `kmsdev` and click the Test Connection button to confirm that the whole procedure worked.
14. Restart Ranger KMS:

    ```sh
    ranger-kms stop
    ranger-kms start
    ```
15. If you are using Luna Cloud HSM, verify that the *master key* was created. To do this, run `lunacm`:

    ```sh
    lunacm
    ```

    Or:

    ```sh
    cd /usr/safenet/lunaclient/
    ./bin/64/lunacm
    ```
16. Log in with the *Crypto Officer* role:

    ```sh
    role login -name crypto officer
    ```
17. List the partition contents to check if the *master key* was created successfully:

    ```sh
    partition contents
    ```

    Example output with the *master key* created:

    ```
    lunacm:>partition contents

            The 'Crypto Officer' is currently logged in. Looking for objects
            accessible to the 'Crypto Officer'.

            Object list:

            Label:         RangerKMSKey
            Handle:        1
            Object Type:   Symmetric Key
            Usage Limit:   none
            Object UID:    9f1d00002d000001706c0800

            Number of objects:  1

    Command Result : No Error
    ```
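Step 1 above hard-codes `security.provider.10`, which is only right when the JDK's list ends at 9; the JDK loads `security.provider.1`, `.2`, ... and stops at the first missing number, so a gap leaves the *LunaProvider* silently unloaded. The script below is an added example, not part of the GHDP guide or of the Luna client: it appends the provider at the next free index, adds the `createExtractableKeys` setting, is safe to re-run, and verifies the result; the `java.security` sample it writes is constructed from the provider list shown above.

```shell
#!/bin/sh
# Added example (not from the GHDP guide): register LunaProvider in a JDK 8
# java.security at the next free index and verify the provider list.

LUNA_PROVIDER=com.safenetinc.luna.provider.LunaProvider
LUNA_EXTRACTABLE=com.safenetinc.luna.provider.createExtractableKeys

# Print the highest N among "security.provider.N=" lines in "$1" (0 if none).
max_provider_index() {
    n=$(sed -n 's/^security\.provider\.\([0-9][0-9]*\)=.*/\1/p' "$1" | sort -n | tail -n 1)
    echo "${n:-0}"
}

# Print the index at which LunaProvider is registered in "$1" (empty if absent).
luna_provider_index() {
    sed -n "s/^security\.provider\.\([0-9][0-9]*\)=$LUNA_PROVIDER\$/\1/p" "$1"
}

# Edit "$1" in place: append LunaProvider at the next free index (if absent)
# and the createExtractableKeys=true line (if absent; in java.util.Properties a
# later duplicate key overrides an earlier one). Prints LunaProvider's index.
add_luna_provider() {
    f=$1
    idx=$(luna_provider_index "$f")
    if [ -z "$idx" ]; then
        idx=$(( $(max_provider_index "$f") + 1 ))
        printf '\nsecurity.provider.%s=%s\n' "$idx" "$LUNA_PROVIDER" >> "$f"
    fi
    grep -q "^$LUNA_EXTRACTABLE=true\$" "$f" || printf '%s=true\n' "$LUNA_EXTRACTABLE" >> "$f"
    echo "$idx"
}

# Return 0 if "$1" has an unbroken index sequence 1..N, LunaProvider as the
# last provider, and createExtractableKeys=true; otherwise say why, return 1.
verify_luna_provider() {
    f=$1
    idx=$(luna_provider_index "$f")
    [ -n "$idx" ] || { echo "LunaProvider is not registered"; return 1; }
    max=$(max_provider_index "$f")
    i=1
    while [ "$i" -le "$max" ]; do
        grep -q "^security\.provider\.$i=" "$f" \
            || { echo "gap at security.provider.$i: providers after it are never loaded"; return 1; }
        i=$((i + 1))
    done
    [ "$idx" -eq "$max" ] || { echo "LunaProvider (index $idx) is not the last provider"; return 1; }
    grep -q "^$LUNA_EXTRACTABLE=true\$" "$f" || { echo "$LUNA_EXTRACTABLE is not set to true"; return 1; }
    return 0
}

# Constructed sample: the JDK 8 provider list shown in the guide, before editing.
write_sample_java_security() {
    cat > "$1" <<'EOF'
#
# List of providers and their preference orders (see above):
#
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=sun.security.ec.SunEC
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=com.sun.security.sasl.Provider
security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.9=sun.security.smartcardio.SunPCSC
EOF
}

# Stand-alone demonstration on the sample. On a real JDK, back the file up and call:
#   add_luna_provider /usr/lib/java/jre/lib/security/java.security
f=$(mktemp)
write_sample_java_security "$f"
echo "LunaProvider registered as security.provider.$(add_luna_provider "$f")"
verify_luna_provider "$f" && echo "java.security verified"
rm -f "$f"
```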

{% hint style="success" %}
The Ranger KMS configuration file, `dbks-site.xml`, is located at:

```sh
/usr/gdp/hadoop/ranger/2.3.0/ranger-kms/ews/webapp/WEB-INF/classes/conf/dbks-site.xml
```

{% endhint %}

## Enable Load Balancer in Ranger KMS

1. On a second server, perform the entire [Ranger KMS installation](#instalacaorangerkms).

{% hint style="warning" %}
If you are using Luna Cloud HSM, follow the instructions in the [Luna Cloud HSM installation guide](https://docs.griaule.com/gbs/en/lunacloudhsm#lunacloudhsm-installguide-pt), topics [1.1. Client download](https://docs.griaule.com/gbs/en/lunacloudhsm#lunacloudhsm-downloaddoclient) and [1.2. Client installation on the server](https://docs.griaule.com/gbs/en/lunacloudhsm#lunacloudhsm-instalacaodoclientnoservidor), to install the client. It is not necessary to perform the procedures to activate the slot, initialize the partition, or initialize the roles described in the later topics of that guide. Then follow the instructions for the [installation](#instalacaorangerkms) and [configuration](#configuracaorangerkms) of the HSM with Ranger exactly, taking the precautions described below.
{% endhint %}

2. In **step 5** of the [configuration](#configuracaorangerkms), where the file `core-site.xml` is changed so that the *datanodes* can reach the KMS, proceed as follows: open the file, find the property `hadoop.security.key.provider.path` and change its *value* from `kms://http@localhost:9292/kms` to `kms://http@host1;host2:9292/kms`:

   ```sh
   vim /etc/hadoop/hdfs/conf/core-site.xml
   ```

   Before:

   ```xml
   <property>
     <name>hadoop.security.key.provider.path</name>
     <value>kms://http@localhost:9292/kms</value>
   </property>
   ```

   After:

   ```xml
   <property>
     <name>hadoop.security.key.provider.path</name>
     <value>kms://http@host1;host2:9292/kms</value>
   </property>
   ```
3. Restart HDFS:

   ```sh
   dfsstop
   dfsstart
   ```
4. Continue with the completion of the [Ranger KMS configuration](#configuracaorangerkms), starting from step 6.

## Ranger Uninstallation

To uninstall Ranger, run the following commands:

```bash
rm -rf /var/log/ranger /var/log/hadoop/ranger /usr/gdp/hadoop/solr/ /usr/gdp/hadoop/ranger/ /etc/ranger/ /var/log/hadoop/solr/ /var/lib/mysql/ranger/

rm -f /usr/gdp/hadoop/*/*/.ranger*
rm -f /usr/gdp/hadoop/*/*/*/.ranger*
rm -f /usr/gdp/hadoop/*/*/*/*/.ranger*

rm -f /usr/gdp/hadoop/hdfs/3.2.4/etc/hadoop/ranger*
rm -f /usr/gdp/hadoop/hdfs/3.2.4/share/hadoop/hdfs/lib/ranger*

rm -f /usr/bin/ranger*
rm -f /etc/rc.d/init.d/ranger*
rm -f /etc/rc.d/rc2.d/*ranger*
rm -f /etc/rc.d/rc3.d/*ranger*
```

```sh
mysql -uroot -p
```

```sql
show schemas;
drop database ranger;
drop database rangerkms;
```
