...
- Checking the HTTP principal

```
kadmin.local
list_principals
exit
```

The list shown should contain HTTP/<internal host name>@Realm.

- Try to kinit as “HTTP/<internal host name>@Realm” using “spnego.service.keytab”:

```
locate spnego.service.keytab
kinit -k -t <path>/spnego.service.keytab HTTP/<internal host name>@EXAMPLE.COM
klist
kdestroy
```
- Create a principal to use with the Ranger repo for logging in to KMS

```
kadmin.local
addprinc <principal name>
(enter the password when prompted)
exit
```

- Check the principal by doing kinit

```
kinit <principal name>
(enter the password when prompted)
klist
kdestroy
```
- Edit “hdfs-site.xml” (replace localhost with <internal host name>)

```
cd /usr/hdp/<version>/hadoop/conf/
vim hdfs-site.xml
```

For the property “dfs.encryption.key.provider.uri”, enter the value “kms://http@<internal host name>:9292/kms”, then save and quit.
- Edit “core-site.xml” (replace localhost with <internal host name>)

```
cd /usr/hdp/<version>/hadoop/conf/
vim core-site.xml
```
- Restart the NameNode

```
su -l hdfs -c "/usr/hdp/<version>/hadoop/sbin/hadoop-daemon.sh stop namenode"
su -l hdfs -c "/usr/hdp/<version>/hadoop/sbin/hadoop-daemon.sh start namenode"
```
- Restart krb5kdc

```
service krb5kdc restart
```
We’ll extract our build of Ranger KMS at the appropriate place (/usr/local).

```
cd /usr/local
sudo tar -zxvf ~/dev/incubator-ranger/target/ranger-0.5.0-kms.tar.gz
sudo ln -s ranger-0.5.0-kms ranger-kms
cd ranger-kms
```

Note: the Ranger KMS plugin is integrated with Ranger KMS and is installed automatically when KMS is installed.
Settings required for a secure instance

- Edit the following properties under ews/webapp/WEB-INF/classes/conf.dist/kms-site.xml:

```
<property>
  <name>hadoop.kms.authentication.type</name>
  <value>kerberos</value>
</property>
<property>
  <name>hadoop.kms.authentication.kerberos.keytab</name>
  <value>/etc/security/keytabs/spnego.service.keytab</value>
</property>
<property>
  <name>hadoop.kms.authentication.kerberos.principal</name>
  <value>*</value>
</property>
```
- Add the following properties in ews/webapp/WEB-INF/classes/conf.dist/kms-site.xml (replace “testkms1” with the user that will be used for credential authentication):

```
<property>
  <name>hadoop.kms.proxyuser.testkms1.groups</name>
  <value>*</value>
</property>
<property>
  <name>hadoop.kms.proxyuser.testkms1.hosts</name>
  <value>*</value>
</property>
<property>
  <name>hadoop.kms.proxyuser.testkms1.users</name>
  <value>*</value>
</property>
```
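As an added check that is not part of this page or of Ranger itself, the following Python script parses the two kms-site.xml fragments above (Kerberos authentication settings and the proxyuser entries), verifies the authentication properties are set as described, and flags every proxyuser value that is still the wildcard “*” so it can be narrowed to the real hosts and groups once the deployment works. The sample XML is constructed for the example and mirrors the properties shown above.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the kms-site.xml fragments above (not a real deployment's file).
SAMPLE_KMS_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>hadoop.kms.authentication.type</name><value>kerberos</value></property>
  <property><name>hadoop.kms.authentication.kerberos.keytab</name>
            <value>/etc/security/keytabs/spnego.service.keytab</value></property>
  <property><name>hadoop.kms.authentication.kerberos.principal</name><value>*</value></property>
  <property><name>hadoop.kms.proxyuser.testkms1.groups</name><value>*</value></property>
  <property><name>hadoop.kms.proxyuser.testkms1.hosts</name><value>*</value></property>
  <property><name>hadoop.kms.proxyuser.testkms1.users</name><value>*</value></property>
</configuration>
"""

def parse_hadoop_site(xml_text):
    """Return {name: value} for every <property> in a Hadoop-style site XML file."""
    props = {}
    for prop in ET.fromstring(xml_text).findall("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props

def check_kms_site(props):
    """Return (severity, message) findings for the secure-instance settings."""
    findings = []
    if props.get("hadoop.kms.authentication.type") != "kerberos":
        findings.append(("ERROR", "hadoop.kms.authentication.type must be 'kerberos'"))
    if not props.get("hadoop.kms.authentication.kerberos.keytab", "").startswith("/"):
        findings.append(("ERROR", "hadoop.kms.authentication.kerberos.keytab must be an absolute path"))
    if not props.get("hadoop.kms.authentication.kerberos.principal"):
        findings.append(("ERROR", "hadoop.kms.authentication.kerberos.principal is not set"))
    # Proxyuser wildcards: the walkthrough uses "*" for groups/hosts/users to get going;
    # report each one so it can be narrowed to the real hosts and groups afterwards.
    for name, value in props.items():
        parts = name.split(".")  # hadoop.kms.proxyuser.<user>.<groups|hosts|users>
        if parts[:3] == ["hadoop", "kms", "proxyuser"] and len(parts) == 5 and value == "*":
            findings.append(("WARN", f"proxyuser '{parts[3]}': {parts[4]} is a wildcard"))
    return findings

def audit_kms_site(xml_text):
    """Parse a kms-site.xml document and return its findings."""
    return check_kms_site(parse_hadoop_site(xml_text))

if __name__ == "__main__":
    for severity, message in audit_kms_site(SAMPLE_KMS_SITE):
        print(f"{severity}: {message}")
```

Run it against the real file with `audit_kms_site(open(path).read())`; a clean secure instance produces no ERROR lines, and each WARN names a proxyuser setting that still accepts any value.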
- Create a link to /etc/hadoop/conf/core-site.xml under /etc/ranger/kms/conf:

```
ln -s /etc/hadoop/conf/core-site.xml /etc/ranger/kms/conf/core-site.xml
```

Install Ranger KMS with appropriate property values

- Go to the ranger-kms folder and edit install.properties (enter appropriate values for the properties below):
  - db_root_user
  - db_root_password
  - db_host
  - db_name
  - db_user
  - db_password
  - KMS_MASTER_KEYPASSWD
  - POLICY_MGR_URL
  - REPOSITORY_NAME
  - XAAUDIT.DB.IS_ENABLED
  - XAAUDIT.DB.FLAVOUR
  - XAAUDIT.DB.HOSTNAME
  - XAAUDIT.DB.DATABASE_NAME
  - XAAUDIT.DB.USER_NAME
  - XAAUDIT.DB.PASSWORD
- Run setup

```
./setup.sh
```

- Start the KMS server

```
ranger-kms start
```
Ranger UI setup

Note: check that the user that will be used for credential validation (e.g. “testkms1”) is present in Ranger; if not, create it using the “admin” login.

- Create the KMS service
  - REPOSITORY_NAME: name specified in install.properties (e.g. kmsdev)
  - KMS URL: kms://http@<internal host name>:9292/kms
  - Username: principal that will be used for KMS (e.g. testkms1@EXAMPLE.COM)
  - Password: password for the principal (e.g. the testkms1 password)