Summary:

This document details the steps involved in installing and configuring Apache Ranger. 

These instructions are for installing Ranger on CentOS/RHEL (release 6).

Prerequisites:

  • JDK 7+ needs to be installed.

  • MySQL (5.6+) or ORACLE DB (11g+) for Policy/Audit DB. 
    • The DB server can be installed on the same host. Otherwise, the Ranger services need to have access to the DB server host.
  • Maven. If not installed, please follow below steps

Building Ranger from source: 

  1. Get the ranger source 

  2. Now build the source

    • cd ranger

    • export MAVEN_OPTS="-Xmx512M"

    • Install gcc if it is not present: yum search gcc, then yum install gcc.x86_64

    • mvn clean compile package assembly:assembly

  3. Verify all the tar files under target dir

    ls -ltr *tar.gz
    -rw-r--r-- 1 root root 15068844 Dec 1 04:30 ranger-0.4.0-hdfs-plugin.tar.gz
    -rw-r--r-- 1 root root 14480716 Dec 1 04:30 ranger-0.4.0-hive-plugin.tar.gz
    -rw-r--r-- 1 root root 14349626 Dec 1 04:30 ranger-0.4.0-hbase-plugin.tar.gz
    -rw-r--r-- 1 root root 17763192 Dec 1 04:30 ranger-0.4.0-knox-plugin.tar.gz
    -rw-r--r-- 1 root root 21243470 Dec 1 04:31 ranger-0.4.0-storm-plugin.tar.gz
    -rw-r--r-- 1 root root 126143540 Dec 1 04:31 ranger-0.4.0-admin.tar.gz
    -rw-r--r-- 1 root root 7677999 Dec 1 04:31 ranger-0.4.0-usersync.tar.gz

Install/Configure Ranger Admin:

  1. Lay down the binaries into appropriate places.  

    • cd /usr/local

    • sudo tar zxf ~/dev/ranger/target/ranger-0.4.0-admin.tar.gz

    • sudo ln -s ranger-0.4.0-admin ranger-admin
  2. Open install.properties in ranger root folder
  3. Verify the root password that you had picked while installing mysql.  I had chosen root so the relevant section in my install.properties file looks as follows
  4. The install process would create a couple of users in the database for storing administration and audit information, pick passwords for those too.  With my choices here’s how the relevant sections in the install.properties file look now.
  5. Ranger supports different authentication modes, but for now let’s just leave the rest of the settings in the install.properties file as they are.
  6. Once all the required properties are updated, execute the below scripts to install ranger admin service.

        Execute : ./setup.sh
        Execute : ./set_globals.sh

  7. Create a valid symlink in /usr/bin/ for start/stop of ranger admin
        cd /usr/bin
        ln -sf /usr/local/ranger-admin/ews/start-ranger-admin.sh ranger-admin-start
        ln -sf /usr/local/ranger-admin/ews/stop-ranger-admin.sh ranger-admin-stop

  8. Update the ranger-admin service file to link to the start and stop scripts
        vim /etc/init.d/ranger-admin ( Update the Start and Stop commands to point to the created symlinks )

  9. Start the Ranger Admin
         service ranger-admin start

  10. You can verify by visiting the external URL of the server in a browser, for example:
        http://<Host Address>:6080/

Install/Configure Ranger User Sync:

  1. Start by extracting out binaries at the appropriate place. 
        cd /usr/local
        sudo tar zxf ~/dev/ranger/target/ranger-0.4.0-usersync.tar.gz
        sudo ln -s ranger-0.4.0-usersync ranger-usersync
        sudo mkdir -p /var/log/ranger-usersync
        sudo chown ranger /var/log/ranger-usersync; sudo chgrp ranger /var/log/ranger-usersync
        cd ranger-usersync
  2. Now let’s edit the install.properties file. Here are the relevant lines that you should edit:
         POLICY_MGR_URL=http://localhost:6080
         SYNC_SOURCE=unix
         logdir=/var/log/ranger/usersync
  3. Now install the usersync by running the setup command
         export JAVA_HOME=/usr/lib/jvm/java-1.7.0-openjdk-amd64
         ./setup.sh
  4. Create a valid symlink in /usr/bin/ for start/stop of ranger usersync
         cd /usr/bin
         ln -sf /usr/local/ranger-usersync/start.sh ranger-usersync-start
         ln -sf /usr/local/ranger-usersync/stop.sh ranger-usersync-stop

  5. Update the ranger-usersync service file to link to the start and stop scripts

         vim /etc/init.d/ranger-usersync ( Update the Start and Stop commands to point to the created symlinks )

  6. Start the Ranger Usersync
          service ranger-usersync start

  7. You can verify by looking at the users tab in Ranger Admin. Unix host users should be sync'ed to ranger.
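
The init scripts run the start/stop symlinks created in the Ranger Admin and User Sync steps, so a link that resolves to the wrong component or to a script that other users can modify is worth catching before the service is started. The following check is an added example, not part of the original instructions or the Ranger project; `check_link` and `make_tree` are hypothetical helper names, and the directory tree is constructed in a scratch directory to stand in for /usr/local and /usr/bin.

```shell
#!/bin/sh
# Added example (not Ranger project code). Helper names are hypothetical.
# check_link LINK DIR: LINK must resolve to an executable regular file inside
# DIR that is not writable by group or other. Prints a FINDING line and
# returns non-zero when a check fails. Uses readlink -f (GNU coreutils).
check_link() {
  target=$(readlink -f "$1") && root=$(readlink -f "$2") ||
    { echo "FINDING: cannot resolve $1"; return 1; }
  case $target in
    "$root"/*) ;;
    *) echo "FINDING: $1 -> $target is outside $2"; return 1 ;;
  esac
  if [ ! -f "$target" ] || [ ! -x "$target" ]; then
    echo "FINDING: $target is not an executable file"; return 1
  fi
  if [ -n "$(find "$target" -prune \( -perm -020 -o -perm -002 \))" ]; then
    echo "FINDING: $target is writable by group or other"; return 1
  fi
}

# Constructed sample tree standing in for /usr/local and /usr/bin.
make_tree() {
  mkdir -p "$1/ranger-usersync" "$1/ranger-admin/ews" "$1/bin"
  for s in ranger-usersync/start.sh ranger-usersync/stop.sh ranger-admin/ews/stop.sh; do
    printf '#!/bin/sh\n' > "$1/$s"; chmod 755 "$1/$s"
  done
  ln -sf "$1/ranger-usersync/start.sh" "$1/bin/ranger-usersync-start"
  # Constructed mistake: the usersync stop link points into ranger-admin.
  ln -sf "$1/ranger-admin/ews/stop.sh" "$1/bin/ranger-usersync-stop"
}

t=$(mktemp -d) && make_tree "$t"
for l in ranger-usersync-start ranger-usersync-stop; do
  if check_link "$t/bin/$l" "$t/ranger-usersync"; then echo "OK: $l"; fi
done
```

On a real host the same function would be called as `check_link /usr/bin/ranger-usersync-stop /usr/local/ranger-usersync`, and likewise for the ranger-admin links.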

Install/Configure Ranger HDFS Plugin:


Ranger HDFS plugin helps to centralize HDFS authorization policies. To verify that, first Apache Hadoop needs to be installed. If Hadoop is not already installed, follow below steps.

...

                      sudo useradd --home-dir /var/hadoop --create-home --shell /bin/bash --user-group hadoop
                      sudo tar xzf hadoop-2.5.2.tar.gz -C /usr/local
                      cd /usr/local
                      sudo ln -s hadoop-2.5.2 hadoop
                      sudo chown hadoop -R hadoop hadoop-2.5.2
                      sudo chgrp hadoop -R hadoop hadoop-2.5.2
                      sudo su - hadoop

Now let's follow the below steps to install/configure Ranger HDFS plugin.

    • Start by extracting binaries at the appropriate place (/usr/local).
                 cd /usr/local
                 sudo tar zxf ~/dev/ranger/target/ranger-0.4.0-hdfs-plugin.tar.gz
                 sudo ln -s ranger-0.4.0-hdfs-plugin ranger-hdfs-plugin
                 cd ranger-hdfs-plugin
    • Now let’s edit the install.properties file. Here are the relevant lines that you should edit:
                POLICY_MGR_URL=http://localhost:6080
                REPOSITORY_NAME=local_hdfs
                XAAUDIT.DB.HOSTNAME=localhost
                XAAUDIT.DB.DATABASE_NAME=ranger
                XAAUDIT.DB.USER_NAME=rangerlogger
                XAAUDIT.DB.PASSWORD=rangerlogger
    • Now enable the hdfs-plugin by running the enable-hdfs-plugin.sh command (Remember to set JAVA_HOME)
      • Create a symlink as conf dir of hadoop linking to hadoop conf dir
        • cd /usr/local/hadoop
        • ln -s /usr/local/hadoop/etc/hadoop conf
      • Export HADOOP_HOME to bashrc
        • echo "export HADOOP_HOME=/usr/local/hadoop" >> /etc/bashrc
      • Enable Ranger HDFS plugin
        • cd /usr/local/ranger-hdfs-plugin
        • ./enable-hdfs-plugin.sh
      • Copy all the jar files from ${hadoop_home}/lib
        • cp /usr/local/hadoop/lib/* /usr/local/hadoop/share/hadoop/hdfs/lib/
    • Now edit the xasecure-audit.xml file. 
      • cd /usr/local/hadoop/conf
      • change the xasecure-audit.xml file to look like the below. Make sure the JDBC properties are correct.
                   <property> <name>xasecure.audit.jpa.javax.persistence.jdbc.url</name>
                   <value>jdbc:mysql://localhost/ranger</value>
                   </property>
                   <property>
                   <name>xasecure.audit.jpa.javax.persistence.jdbc.user</name>
                   <value>rangerlogger</value>
                   </property>
                   <property> <name>xasecure.audit.jpa.javax.persistence.jdbc.password</name>
                   <value>rangerlogger</value>
                   </property>
    • Once these changes are done, restart the Hadoop NameNode. This should start the association of ranger-hdfs-plugin with Hadoop.
    • You can verify by logging into the Ranger Admin Web interface -> Audit -> Agents
    • Now HDFS resources will be authorized via Ranger policies.

Install/Configure Ranger Hive Plugin:


Ranger Hive plugin integrates with Hive to enforce authorization policies. To verify that, first Apache Hive needs to be installed. If not already installed, follow below steps. Version 0.14 is required.

...

  • Start by extracting binaries at the appropriate place.
              cd /usr/local
              sudo tar zxf ~/dev/ranger/target/ranger-0.4.0-hive-plugin.tar.gz
              sudo ln -s ranger-0.4.0-hive-plugin ranger-hive-plugin
              cd ranger-hive-plugin
  • Now let’s edit the install.properties file. Here are the relevant lines that you should edit:
              POLICY_MGR_URL=http://localhost:6080
              REPOSITORY_NAME=hivedev
              XAAUDIT.DB.HOSTNAME=localhost
              XAAUDIT.DB.DATABASE_NAME=ranger
              XAAUDIT.DB.USER_NAME=rangerlogger
              XAAUDIT.DB.PASSWORD=rangerlogger
  • Now enable the hive-plugin by running the enable-hive-plugin.sh command (Remember to set JAVA_HOME)
              cd /usr/local/ranger-hive-plugin
              ./enable-hive-plugin.sh
  • Now edit the xasecure-audit.xml file.
    • cd /usr/local/hive/conf
    • Change the xasecure-audit.xml file. Make sure the JDBC properties are correct.
                     <property> <name>xasecure.audit.jpa.javax.persistence.jdbc.url</name>
                     <value>jdbc:mysql://localhost/ranger</value>
                     </property>
                     <property>
                     <name>xasecure.audit.jpa.javax.persistence.jdbc.user</name>
                     <value>rangerlogger</value>
                     </property>
                     <property> <name>xasecure.audit.jpa.javax.persistence.jdbc.password</name>
                     <value>rangerlogger</value>
                     </property>
  • Once these changes are done, restart Hive. This should start the association of ranger-hive-plugin with Hive.
  • You can verify by logging into the Ranger Admin Web interface -> Audit Tab -> Agents

Install/Configure Ranger HBase Plugin:

 
Ranger HBase plugin integrates with HBase to enforce authorization policies. To verify that, first Apache HBase needs to be installed. If not already installed, follow below steps. Ranger will work only with HBase version 0.99.2 or above.
  • Build HBase > 0.99.2 (0.99.2RC0 is used for this document)
  • Untar the built HBase assembly to the /usr/local directory
    • cd /usr/local && cp /root/dev/hbase-trunk/hbase/hbase-assembly/target/hbase-0.99.2-bin.tar.gz .
    • tar xzf hbase-0.99.2-bin.tar.gz
    • sudo ln -s hbase-0.99.2 hbase
    • cd hbase
  • Now follow the instructions in Apache HBase site to configure in Pseudo mode. http://hbase.apache.org/book/getting_started.html

Now let's follow the below steps to install/configure Ranger HBase plugin.

  • Start by extracting binaries at the appropriate place.
              cd /usr/local
              sudo tar zxf ~/dev/ranger/target/ranger-0.4.0-hbase-plugin.tar.gz
              sudo ln -s ranger-0.4.0-hbase-plugin ranger-hbase-plugin
              cd ranger-hbase-plugin
  • Now let’s edit the install.properties file. Here are the relevant lines that you should edit:
              POLICY_MGR_URL=http://localhost:6080
              REPOSITORY_NAME=hbasedev
              XAAUDIT.DB.HOSTNAME=localhost
              XAAUDIT.DB.DATABASE_NAME=ranger
              XAAUDIT.DB.USER_NAME=rangerlogger
              XAAUDIT.DB.PASSWORD=rangerlogger
  • Now enable the hbase-plugin by running the enable-hbase-plugin.sh command (Remember to set JAVA_HOME)
              cd /usr/local/ranger-hbase-plugin
              ./enable-hbase-plugin.sh
  • Now edit the xasecure-audit.xml file.
    • cd /usr/local/hbase/conf
    • Change the xasecure-audit.xml file. Make sure the JDBC properties are correct.
                     <property> <name>xasecure.audit.jpa.javax.persistence.jdbc.url</name>
                     <value>jdbc:mysql://localhost/ranger</value>
                     </property>
                     <property>
                     <name>xasecure.audit.jpa.javax.persistence.jdbc.user</name>
                     <value>rangerlogger</value>
                     </property>
                     <property> <name>xasecure.audit.jpa.javax.persistence.jdbc.password</name>
                     <value>rangerlogger</value>
                     </property>
  • Once these changes are done, restart HBase. This should start the association of ranger-hbase-plugin with HBase.
  • You can verify by logging into the Ranger Admin Web interface -> Audit Tab -> Agents

Install/Configure Ranger Knox Plugin:


Ranger Knox plugin integrates with Knox to enforce authorization policies. To verify that, first Apache Knox needs to be installed. If not already installed, follow below steps.

...

  • Start by extracting binaries at the appropriate place.
              cd /usr/local
              sudo tar zxf ~/dev/ranger/target/ranger-0.4.0-knox-plugin.tar.gz
              sudo ln -s ranger-0.4.0-knox-plugin ranger-knox-plugin
              cd ranger-knox-plugin
  • Now let’s edit the install.properties file. Here are the relevant lines that you should edit:
              POLICY_MGR_URL=http://localhost:6080
              REPOSITORY_NAME=knoxdev
              KNOX_HOME=/usr/local/knox
              XAAUDIT.DB.HOSTNAME=localhost
              XAAUDIT.DB.DATABASE_NAME=ranger
              XAAUDIT.DB.USER_NAME=rangerlogger
              XAAUDIT.DB.PASSWORD=rangerlogger
  • Now enable the knox-plugin by running the enable-knox-plugin.sh command (Remember to set JAVA_HOME)
              cd /usr/local/ranger-knox-plugin
              ./enable-knox-plugin.sh
  • Now edit the xasecure-audit.xml file.
    • cd /usr/local/knox/conf
    • Change the xasecure-audit.xml file. Make sure the JDBC properties are correct.
                     <property> <name>xasecure.audit.jpa.javax.persistence.jdbc.url</name>
                     <value>jdbc:mysql://localhost/ranger</value>
                     </property>
                     <property>
                     <name>xasecure.audit.jpa.javax.persistence.jdbc.user</name>
                     <value>rangerlogger</value>
                     </property>
                     <property> <name>xasecure.audit.jpa.javax.persistence.jdbc.password</name>
                     <value>rangerlogger</value>
                     </property>
  • Once these changes are done, restart Knox (Gateway/LDAP). This should start the association of ranger-knox-plugin with Knox.
  • You can verify by logging into the Ranger Admin Web interface -> Audit Tab -> Agents
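
Each plugin section above (HDFS, Hive, HBase, Knox) edits install.properties and then asks you to make sure the JDBC properties in xasecure-audit.xml are correct. The script below is an added example, not part of the original instructions or the Ranger project: it compares the two files and also flags a password equal to the user name, a plain-HTTP POLICY_MGR_URL, and world-readable files holding the cleartext password. The helper names are hypothetical, the sample files are constructed from the values shown on this page, and the XML values are assumed to contain no escaped characters.

```shell
#!/bin/sh
# Added example (not Ranger project code). Helper names are hypothetical.
# prop FILE KEY: value of KEY=value in a properties file (last match wins)
prop() {
  awk -v k="$2" '{ p = index($0, "="); key = substr($0, 1, p - 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key); if (p && key == k) v = substr($0, p + 1)
    } END { print v }' "$1"
}

# xml_prop FILE NAME: <value> of the <property> whose <name> is NAME
xml_prop() {
  awk -v n="$2" '{ doc = doc $0 } END {
    cnt = split(doc, part, "</property>")
    for (i = 1; i <= cnt; i++)
      if (index(part[i], "<name>" n "</name>") &&
          match(part[i], /<value>[^<]*<\/value>/)) {
        print substr(part[i], RSTART + 7, RLENGTH - 15); exit }
  }' "$1"
}

# check_plugin_audit PROPS XML: one FINDING line per problem, status 1 if any
check_plugin_audit() (
  p=$1 x=$2 j=xasecure.audit.jpa.javax.persistence.jdbc rc=0
  flag() { echo "FINDING: $*"; rc=1; }
  user=$(prop "$p" XAAUDIT.DB.USER_NAME); pass=$(prop "$p" XAAUDIT.DB.PASSWORD)
  url="jdbc:mysql://$(prop "$p" XAAUDIT.DB.HOSTNAME)/$(prop "$p" XAAUDIT.DB.DATABASE_NAME)"
  [ "$(xml_prop "$x" "$j.url")" = "$url" ] || flag "jdbc.url is not $url"
  [ "$(xml_prop "$x" "$j.user")" = "$user" ] || flag "jdbc.user is not $user"
  [ "$(xml_prop "$x" "$j.password")" = "$pass" ] || flag "jdbc.password differs from install.properties"
  [ "$pass" != "$user" ] || flag "audit DB password equals the user name"
  case $(prop "$p" POLICY_MGR_URL) in http://*) flag "POLICY_MGR_URL is plain HTTP" ;; esac
  for f in "$p" "$x"; do
    [ -z "$(find "$f" -prune -perm -004)" ] || flag "$f is world-readable (cleartext password)"
  done
  exit "$rc"
)
# Constructed sample holding the values this page uses, in a scratch directory
make_sample() {
  printf '%s\n' POLICY_MGR_URL=http://localhost:6080 REPOSITORY_NAME=local_hdfs \
    XAAUDIT.DB.HOSTNAME=localhost XAAUDIT.DB.DATABASE_NAME=ranger \
    XAAUDIT.DB.USER_NAME=rangerlogger XAAUDIT.DB.PASSWORD=rangerlogger > "$1/install.properties"
  n=xasecure.audit.jpa.javax.persistence.jdbc
  printf '<property> <name>%s</name>\n<value>%s</value>\n</property>\n' \
    "$n.url" jdbc:mysql://localhost/ranger "$n.user" rangerlogger \
    "$n.password" rangerlogger > "$1/xasecure-audit.xml"
  chmod 600 "$1/install.properties" "$1/xasecure-audit.xml"
}
d=$(mktemp -d) && make_sample "$d"
check_plugin_audit "$d/install.properties" "$d/xasecure-audit.xml" || true
```

For a real plugin, pass the plugin's install.properties and the component's conf/xasecure-audit.xml, for example `check_plugin_audit /usr/local/ranger-hdfs-plugin/install.properties /usr/local/hadoop/conf/xasecure-audit.xml`.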

 

Install/Configure Ranger Storm Plugin: 

Instructions will be updated soon.

...