...
Code Block |
---|
|
mkdir ~/dev
cd ~/dev
git clone https://github.com/apache/incubator-ranger.git
cd incubator-ranger
git checkout ranger-0.5
# If you are interested in bringing the ranger-0.5.0 release source code to work with,
# you should execute the following command to get the source associated with the ranger-0.5.0 release:
#
# git checkout tags/ranger-0.5.0-rc3
# |
Build the source
Code Block |
---|
|
cd ~/dev/incubator-ranger
export MAVEN_OPTS="-Xmx512M"
export JAVA_HOME=<Java Installation Directory>
# e.g. export JAVA_HOME=/usr/lib/jvm/java
# Make sure your Java version is 1.7.x
$JAVA_HOME/bin/java -version
# Expected output (example):
#   java version "1.7.0_79"
#   OpenJDK Runtime Environment (rhel-2.5.5.3.el6_6-x86_64 u79-b14)
#   OpenJDK 64-Bit Server VM (build 24.79-b02, mixed mode)
export PATH=$JAVA_HOME/bin:$PATH
mvn clean compile package assembly:assembly install
ls target/*.tar.gz
# Expected output:
# ranger-0.5.0-admin.tar.gz ranger-0.5.0-kms.tar.gz ranger-0.5.0-storm-plugin.tar.gz ranger-0.5.0-hbase-plugin.tar.gz ranger-0.5.0-knox-plugin.tar.gz ranger-0.5.0-usersync.tar.gz ranger-0.5.0-hdfs-plugin.tar.gz ranger-0.5.0-migration-util.tar.gz ranger-0.5.0-yarn-plugin.tar.gz ranger-0.5.0-hive-plugin.tar.gz ranger-0.5.0-solr-plugin.tar.gz ranger-0.5.0-kafka-plugin.tar.gz ranger-0.5.0-src.tar.gz
|
...
- Add parameter -Djavax.net.ssl.trustStore=<path to the cacertswithknox> to the java call in the script.
Enabling Ranger Solr Plugin
Follow these steps to configure Ranger for Solr:
- Install and configure Apache Solr in SolrCloud mode
- Create Solr Service/Repo in Ranger Admin and add default policies
- Install and Enable Solr Plugin by updating install.properties and calling ./enable-solr-plugin.sh
- Add security.json with Ranger Authorizer configuration
Install and configure Apache Solr in SolrCloud mode
You can refer here for instructions.
Solr Service in Ranger Admin
- Login to Ranger Admin
- Give a service name, e.g. solrdev. (Note this service name; you need to use it in install.properties.)
- For Username and Password, give "ranger" and "ranger". Please note this is not used yet.
- For Solr URL, give the URL to the Solr instances, e.g. http://$HOST1:8983/solr,http://$HOST2:8983/solr
- Test Connection might not work. Please ignore it for now.
- Click on "Add" and save the repository.
- Go to the new service and update the default ( * ) policy to add user "solr" to it. This should be the same user as in the JAAS file used by the Solr server process. Check -Djava.security.auth.login.config for the JAAS file used by Solr. This policy is needed because the Solr processes within the cloud talk to each other for replication and other housekeeping requests.
Install and Enable Solr Plugin
- Extract Ranger Solr plugin to a temporary location
Code Block |
---|
|
cd /tmp
tar -zxvf ~/dev/incubator-ranger/target/ranger-0.5.0-solr-plugin.tar.gz
cd ranger-0.5.0-solr-plugin |
- Edit the install.properties file. Here are the relevant lines that you should edit:
- Change the install.properties file
- set JAVA_HOME
- Now enable the solr-plugin by running the enable-solr-plugin.sh command
Code Block |
---|
|
./enable-solr-plugin.sh |
- Repeat the above process for all the Solr instances. You can reuse the same install.properties for all the servers.
- After these changes and enable-solr-plugin.sh are run on all the servers
Configuring Solr for Ranger
Solr needs to be configured to use the Ranger authorization implementation. To do that, run the following command on one of the Solr hosts:
Code Block |
---|
|
$SOLR_INSTALL_HOME/server/scripts/cloud-scripts/zkcli.sh -zkhost $ZK_HOST:2181 -cmd put /solr/security.json '{"authentication":{"class": "org.apache.solr.security.KerberosPlugin"},"authorization":{"class": "org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer"}}'
|
In addition, please do the following on all the Solr hosts:
Code Block |
---|
|
mkdir -p /var/log/solr/audit/solr/spool
chown solr /var/log/solr/audit/solr/spool
mkdir -p /var/log/solr/audit/hdfs/spool
chown solr /var/log/solr/audit/hdfs/spool |
- Restart all the Solr instances
- You can check the solr.log for any errors
- You can verify by logging into the Ranger Admin Web interface > Audit > Plugins
- Make sure to create required policies for users. If users are getting denied, please check the audit logs.
Installing Apache Storm (0.10.0)
- Let’s download and install Apache Storm from Apache Mirrors
...
To enable Audit to HDFS for a plugin, do the following:
- Depending on Kerberos or non-Kerberos mode, one of the scripts from here needs to be run: https://github.com/apache/incubator-ranger/tree/master/security-admin/contrib/audit_hdfs_folders
- Set XAAUDIT.HDFS.ENABLE = true for the respective component plugin in the install.properties file, which may be found in the /usr/local/ranger<component>plugin/ directory.
- Configure the NameNode host in XAAUDIT.HDFS.HDFS_DIR.
- Create a policy in the HDFS service from Ranger Admin for individual component users (hive/hbase/knox/storm/yarn/kafka/kms) to give READ + WRITE permission for the particular audit folder, i.e. to enable the Hive component to log audits to HDFS, we need to create a policy for hiveuser with READ + WRITE permissions to the respective audit directory.
- Audit to HDFS caches logs in a local directory, which can be specified in XAAUDIT.HDFS.LOCAL_BUFFER_DIRECTORY (this can be like ‘/var/log/<component>/**’); this is the path where audit is stored temporarily. Likewise, for archived logs we need to update the XAAUDIT.HDFS.LOCAL_ARCHIVE_DIRECTORY value (this can be like ‘/var/log/<component>/**’) before enabling the plugin for the component.
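A pre-flight check for the settings above, as an added example (not part of the original page or of the Ranger project): it reads the four XAAUDIT.HDFS.* keys from install.properties and reports the misconfigurations that would leave a plugin without an HDFS audit trail. The hdfs:// URI form, the `__REPLACE__` placeholder marker, the pre-created local directories and all function names are assumptions.

```bash
# Added example: lint a plugin's install.properties for the Audit-to-HDFS keys.
# Assumed: KEY=VALUE lines, "__REPLACE__" marks an unedited value, dirs pre-created.

# Print the value of the last uncommented line that sets key $2 in file $1.
prop_get() {
  awk -v k="$2" '
    /^[ \t]*#/ { next }
    { i = index($0, "="); if (i == 0) next
      key = substr($0, 1, i - 1); val = substr($0, i + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (key == k) v = val }
    END { print v }' "$1"
}

finding() { echo "FINDING: $1"; n=$((n + 1)); }  # n is local to check_hdfs_audit
# Check file $1; print findings and return 0 only when there are none.
check_hdfs_audit() {
  local f="$1" n=0 v key
  v=$(prop_get "$f" XAAUDIT.HDFS.ENABLE)
  [ "$v" = "true" ] || finding "XAAUDIT.HDFS.ENABLE is '$v', audit to HDFS is off"
  v=$(prop_get "$f" XAAUDIT.HDFS.HDFS_DIR)
  case "$v" in
    *__REPLACE__*) finding "XAAUDIT.HDFS.HDFS_DIR still holds a placeholder" ;;
    hdfs:///*)     finding "XAAUDIT.HDFS.HDFS_DIR names no NameNode host" ;;
    hdfs://*/*)    ;;  # scheme, NameNode authority and path are all present
    *)             finding "XAAUDIT.HDFS.HDFS_DIR is not hdfs://<namenode>/<path>: '$v'" ;;
  esac
  for key in XAAUDIT.HDFS.LOCAL_BUFFER_DIRECTORY XAAUDIT.HDFS.LOCAL_ARCHIVE_DIRECTORY; do
    v=$(prop_get "$f" "$key")
    if [ -z "$v" ] || [ ! -d "$v" ]; then
      finding "$key: '$v' is not an existing directory"
    elif [ -n "$(find "$v" -maxdepth 0 -perm -002)" ]; then
      finding "$key: '$v' is world-writable, buffered audit records can be altered"
    fi
  done
  [ "$n" -eq 0 ]
}

# Constructed sample (not a real deployment): a half-edited file, 3 findings.
demo() {
  local d rc=0; d=$(mktemp -d)
  printf '%s\n' 'XAAUDIT.HDFS.ENABLE = false' \
    'XAAUDIT.HDFS.HDFS_DIR=hdfs://__REPLACE__NAME_NODE_HOST:8020/ranger/audit' \
    "XAAUDIT.HDFS.LOCAL_BUFFER_DIRECTORY=$d" \
    "XAAUDIT.HDFS.LOCAL_ARCHIVE_DIRECTORY=$d/archive" > "$d/install.properties"
  check_hdfs_audit "$d/install.properties" || rc=$?
  rm -rf "$d"; return "$rc"
}
[ -z "${1:-}" ] || check_hdfs_audit "$1"   # lint the file given as argument
```

Run it with the path to a plugin's install.properties before enabling the plugin; a non-zero exit status means at least one finding was printed.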
...