Comment: added instruction to checkout ranger-0.5.0 release source code

...

```bash
mkdir ~/dev
cd ~/dev
git clone https://github.com/apache/incubator-ranger.git
cd incubator-ranger
git checkout ranger-0.5
# If you want to work with the ranger-0.5.0 release source code,
# run the following command to check out the source associated with the ranger-0.5.0 release:
#
#  git checkout tags/ranger-0.5.0-rc3
#
```

Build the source 

```bash
cd ~/dev/incubator-ranger
export MAVEN_OPTS="-Xmx512M"
# Replace the placeholder with your Java installation directory
export JAVA_HOME=<Java Installation Directory>
# e.g. export JAVA_HOME=/usr/lib/jvm/java
# Make sure your Java version is 1.7.x
"$JAVA_HOME/bin/java" -version
#   java version "1.7.0_79"
#   OpenJDK Runtime Environment (rhel-2.5.5.3.el6_6-x86_64 u79-b14)
#   OpenJDK 64-Bit Server VM (build 24.79-b02, mixed mode)
export PATH=$JAVA_HOME/bin:$PATH
mvn clean compile package assembly:assembly install
ls target/*.tar.gz
#   ranger-0.5.0-admin.tar.gz ranger-0.5.0-kms.tar.gz ranger-0.5.0-storm-plugin.tar.gz
#   ranger-0.5.0-hbase-plugin.tar.gz ranger-0.5.0-knox-plugin.tar.gz ranger-0.5.0-usersync.tar.gz
#   ranger-0.5.0-hdfs-plugin.tar.gz ranger-0.5.0-migration-util.tar.gz ranger-0.5.0-yarn-plugin.tar.gz
#   ranger-0.5.0-hive-plugin.tar.gz ranger-0.5.0-solr-plugin.tar.gz ranger-0.5.0-kafka-plugin.tar.gz
#   ranger-0.5.0-src.tar.gz
```

...

    1. Add the parameter -Djavax.net.ssl.trustStore=<path to the cacertswithknox> to the java call in the script.
  • Restart Ranger Admin.

Enabling Ranger Solr Plugin

Follow these steps to configure Ranger for Solr.

...

Install and configure Apache Solr in SolrCloud mode

You can refer here for instructions.

Solr Service in Ranger Admin

...

  • Repeat the above process for all the Solr instances. You can reuse the same install.properties for all the servers.
  • After these changes have been made and enable-solr-plugin.sh has been run on all the servers, restart all the Solr instances.
  • You can check the solr.log for any errors.

Configuring Solr for Ranger

Solr needs to be configured to use the Ranger authorization implementation. To do that, run the following command on one of the Solr hosts:

```bash
"$SOLR_INSTALL_HOME/server/scripts/cloud-scripts/zkcli.sh" -zkhost "$ZK_HOST:2181" \
  -cmd put /solr/security.json \
  '{"authentication":{"class": "org.apache.solr.security.KerberosPlugin"},"authorization":{"class": "org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer"}}'
```

In addition, do the following on all the Solr hosts:

```bash
mkdir -p /var/log/solr/audit/solr/spool
chown solr /var/log/solr/audit/solr/spool
mkdir -p /var/log/solr/audit/hdfs/spool
chown solr /var/log/solr/audit/hdfs/spool
```

  • Restart all the Solr instances
  • You can check the solr.log for any errors
  • You can verify by logging into the Ranger Admin Web interface -> Audit > Plugins
  • Make sure to create the required policies for users. If users are getting denied, check the audit logs.

...

To enable Audit to HDFS for a plugin, do the following:

  1. Depending on whether the cluster runs in Kerberos or non-Kerberos mode, run one of the scripts from here: https://github.com/apache/incubator-ranger/tree/master/security-admin/contrib/audit_hdfs_folders
  2. Set XAAUDIT.HDFS.ENABLE = true for the respective component plugin in the install.properties file, which may be found in the /usr/local/ranger-<component>-plugin/ directory.
  3. Configure the NameNode host in XAAUDIT.HDFS.HDFS_DIR.
  4. Create a policy in the HDFS service from Ranger Admin for the individual component users (hive/hbase/knox/storm/yarn/kafka/kms) that gives READ + WRITE permission on the particular audit folder. For example, to enable the Hive component to log audits to HDFS, create a policy for hiveuser with READ + WRITE permissions on the respective audit directory.
  5. Audit to HDFS caches logs in a local directory, which can be specified in XAAUDIT.HDFS.LOCAL_BUFFER_DIRECTORY (this can be like '/var/log/<component>/**'); this is the path where audit is stored temporarily. Likewise, for archived logs, update the XAAUDIT.HDFS.LOCAL_ARCHIVE_DIRECTORY value (this can be like '/var/log/<component>/**'). Set both before enabling the plugin for the component.
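
A pre-flight check for steps 2, 3 and 5 above, added here as an example (it is not part of the original page or of the Ranger project): it reads a plugin's install.properties and lists every Audit to HDFS setting that is still unset or malformed. The function names and the `hdfs://<namenode-host>[:port]/<path>` form expected for XAAUDIT.HDFS.HDFS_DIR are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check of the Audit to HDFS keys in a plugin install.properties.

# get_prop FILE KEY: print KEY's value (comments skipped, blanks trimmed, last one wins).
get_prop() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            i = index($0, "="); if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# check_hdfs_audit FILE: list every problem found; return 0 only when there are none.
# The body runs in a subshell, so its variables do not leak into the caller.
check_hdfs_audit() (
    file=$1; problems=0
    fail() { echo "$file: $1"; problems=$((problems + 1)); }

    value=$(get_prop "$file" XAAUDIT.HDFS.ENABLE)
    [ "$value" = "true" ] || fail "XAAUDIT.HDFS.ENABLE is '$value', expected 'true'"

    # Assumption: HDFS_DIR is an hdfs://<namenode-host>[:port]/<path> URI.
    value=$(get_prop "$file" XAAUDIT.HDFS.HDFS_DIR)
    host=${value#hdfs://}; host=${host%%[/:]*}
    case $value in hdfs://*) ;; *) host= ;; esac
    case $host in
        ''|*[!A-Za-z0-9.-]*) fail "XAAUDIT.HDFS.HDFS_DIR '$value' has no valid NameNode host" ;;
    esac

    # Both local directories must be set to absolute paths before the plugin is enabled.
    for key in XAAUDIT.HDFS.LOCAL_BUFFER_DIRECTORY XAAUDIT.HDFS.LOCAL_ARCHIVE_DIRECTORY; do
        value=$(get_prop "$file" "$key")
        case $value in
            /?*) ;;
            *) fail "$key '$value' is not an absolute local path" ;;
        esac
    done
    [ "$problems" -eq 0 ]
)

# When run as a script: sh check.sh /usr/local/ranger-<component>-plugin/install.properties
[ "$#" -eq 0 ] || check_hdfs_audit "$1"
```

A non-zero exit status means at least one setting still needs attention; each problem is printed on its own line.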

...