Configuring Security for Ranger
Describes how to configure security for Ranger.
Configuring Encryption
#Encryption
password_encryption_key=
password_salt=f77aLYLo
password_iteration_count=1000
password_encryption_algorithm=PBEWithHmacSHA512AndAES_128
Note that the password_encryption_key is empty by default. If you do not explicitly set the password_encryption_key, Ranger generates a key automatically. If reconfiguration using setup.sh is needed later, Ranger uses the generated key, and no user interaction is needed.
Configuring SSL over DB
#SSL config
db_ssl_enabled=false
db_ssl_required=false
db_ssl_verifyServerCertificate=false
#db_ssl_auth_type=1-way|2-way, where 1-way represents standard one way ssl authentication and 2-way represents mutual ssl authentication
db_ssl_auth_type=2-way
javax_net_ssl_keyStore=
javax_net_ssl_keyStorePassword=
javax_net_ssl_trustStore=
javax_net_ssl_trustStorePassword=
javax_net_ssl_trustStore_type=jks
javax_net_ssl_keyStore_type=jks
mysql_enabled_tls_protocols=TLSv1.2
Configuring SSL Security
In a secure cluster, Ranger configures SSL security by using the EEP-specific key store by default. In a secure cluster, the Ranger Admin UI runs on https://<hostname>:6182.
- Public CA Certificates
- Self-Signed Certificate
Only one step is different in these configuration options. If you use a self-signed certificate, you need to create the certificate, as directed in step 2.
- If Ranger is configured and running, stop the Ranger service on each node:
  maprcli node services -name ranger-admin -action stop -nodes `hostname`
  maprcli node services -name ranger-usersync -action stop -nodes `hostname`
- If using the self-signed option, create the self-signed certificates. For example, to create the Admin keystore:
  keytool -genkey -keyalg RSA -alias rangeradmin -keystore ranger-admin-keystore.jks -storepass xasecure -validity 360 -keysize 2048
  chmod 400 ranger-admin-keystore.jks
  To create the Usersync trust store:
  keytool -export -keystore ranger-admin-keystore.jks -alias rangeradmin -file ranger-admin-trust.cer
  chown mapr:mapr ranger-admin-trust.cer
  keytool -import -file ranger-admin-trust.cer -alias rangeradmintrust -keystore mytruststore.jks -storepass changeit
  chown mapr:mapr mytruststore.jks
- Modify the Ranger Admin install.properties file as follows:
  policymgr_external_url=https://FQDN:6182
  policymgr_http_enabled=false
  policymgr_https_keystore_file=/path/to/ranger-admin-keystore.jks
  policymgr_https_keystore_keyalias=rangeradmin
  policymgr_https_keystore_password=xasecure
- Modify the Ranger Usersync install.properties file as follows:
  # SSL Authentication
  AUTH_SSL_ENABLED=true
  AUTH_SSL_KEYSTORE_FILE=/etc/ranger/usersync/conf/cert/unixauthservice.jks
  AUTH_SSL_KEYSTORE_PASSWORD=UnIx529p
  AUTH_SSL_TRUSTSTORE_FILE=/path/to/mytruststore.jks
  AUTH_SSL_TRUSTSTORE_PASSWORD=changeit
- Run the Ranger Admin setup.sh script to configure the new options:
  sudo /opt/mapr/ranger/ranger-<version>/ranger-admin/setup.sh
- Restart the services if Ranger is already configured; otherwise, you must run configure.sh once the full configuration is completed:
  maprcli node services -name ranger-admin -action start -nodes `hostname`
  maprcli node services -name ranger-usersync -action start -nodes `hostname`
- Add the certificates that you specified for the services into the install.properties file of the corresponding plug-in as follows:
  SSL_KEYSTORE_FILE_PATH=/path/to/ranger-admin-keystore.jks
  SSL_KEYSTORE_PASSWORD=xasecure
  SSL_TRUSTSTORE_FILE_PATH=/path/to/mytruststore.jks
  SSL_TRUSTSTORE_PASSWORD=changeit
- Run the script for the plug-in:
  enable-<component>-plugin.sh
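The following check is an added example, not part of the original documentation or of Ranger itself: it reads the policymgr_* keys set in the Ranger Admin install.properties step above and reports settings that leave the Admin UI on plain HTTP or the keystore weakly protected. Treating the sample passwords xasecure and changeit as findings, the host name ranger.example.test, and the function names are assumptions of this example.

```shell
# Added example: audit the HTTPS keys of a Ranger Admin install.properties.
# Property names come from this page; the checks are this example's assumptions.

# get_prop FILE KEY: print the value of the last uncommented KEY= line.
get_prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '\r'
}

# audit_admin_ssl FILE: print one line per finding; exit status = finding count.
audit_admin_ssl() {
    props=$1
    findings=0
    note() { echo "FINDING: $1"; findings=$((findings + 1)); }
    url=$(get_prop "$props" policymgr_external_url)
    case $url in
        https://*) ;;
        *) note "policymgr_external_url is not an https URL: '$url'" ;;
    esac
    [ "$(get_prop "$props" policymgr_http_enabled)" = "false" ] ||
        note "policymgr_http_enabled is not false"
    # The sample passwords printed on this page are treated as unset.
    case $(get_prop "$props" policymgr_https_keystore_password) in
        ""|xasecure|changeit) note "keystore password is empty or a documentation sample" ;;
    esac

    ks=$(get_prop "$props" policymgr_https_keystore_file)
    if [ ! -f "$ks" ]; then
        note "keystore file not found: '$ks'"
    else
        mode=$(stat -c %a "$ks" 2>/dev/null || stat -f %Lp "$ks")
        [ "$mode" = "400" ] || note "keystore mode is $mode, expected 400 (chmod 400)"
    fi
    return "$findings"
}

# demo: audit a constructed, deliberately misconfigured file (not real data).
demo() {
    dir=$(mktemp -d)
    : > "$dir/ranger-admin-keystore.jks" && chmod 644 "$dir/ranger-admin-keystore.jks"
    cat > "$dir/install.properties" <<EOF
policymgr_external_url=http://ranger.example.test:6182
policymgr_http_enabled=true
policymgr_https_keystore_file=$dir/ranger-admin-keystore.jks
policymgr_https_keystore_password=xasecure
EOF
    audit_admin_ssl "$dir/install.properties"
}

if [ -f "${1:-}" ]; then audit_admin_ssl "$1"; else demo || echo "demo: $? finding(s)"; fi
```

Pass the path of a real install.properties as the first argument to audit it; without an argument the script audits the constructed sample.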
Configuring the Security Type
install.properties file or in the ranger-admin-site.xml file.
If you set the security type in this file . . . | Use this property name |
---|---|
install.properties | security_type |
site.xml | ranger.security.type |
Value | Description |
---|---|
none | The Ranger Admin runs in non-secure mode, and no authentication is required for API calls. |
maprsasl | The Ranger Admin uses MapR-SASL authentication. |
kerberos | The Ranger Admin uses Kerberos authentication. |
If a value is not specified, Ranger uses the value found in mapr-clusters.conf.