
Summary

To install Ranger in a Kerberized environment, Kerberos must first be enabled on the cluster where Ranger is to be installed. Once the cluster is Kerberized, create principals for each Ranger service and then follow the steps below to install Ranger.

Creating Keytab and principals

Note: The steps below are required only for manual installation of Ranger services and plugins.

Do some initial checks:

  • Log in as the “ranger” user. If the ranger user does not exist, create it first (i.e. useradd ranger).

    E.g.: su - ranger

  • Check the HTTP principal

    -> kinit -kt <HTTP keytab path> HTTP/<FQDN_OF_Ranger_Admin_Cluster>@<REALM>

       E.g.: kinit -kt /etc/security/keytabs/spnego.service.keytab HTTP/mp-ranger-0703-3.novalocal@EXAMPLE.COM

       (The command above should complete without any error. You can run “klist” to check whether it was successful.)

    -> kdestroy (Do not skip kdestroy after the step above.)

For Ranger Admin:

  • Create rangeradmin/<FQDN of Ranger Admin>@<REALM>

    -> kadmin.local

    -> addprinc -randkey rangeradmin/<FQDN of Ranger Admin>

       E.g.: addprinc -randkey rangeradmin/mp-ranger-0703-3.novalocal@EXAMPLE.COM

    -> xst -k /etc/security/keytabs/rangeradmin.keytab rangeradmin/<FQDN of Ranger Admin>@<REALM>

    -> exit

  • Check the principal created for ranger-admin

    -> kinit -kt /etc/security/keytabs/rangeradmin.keytab rangeradmin/<FQDN of Ranger Admin>@<REALM>

       E.g.: kinit -kt /etc/security/keytabs/rangeradmin.keytab rangeradmin/mp-ranger-0703-3.novalocal@EXAMPLE.COM

       (The command above should complete without any error. You can run “klist” to check whether it was successful.)

    -> kdestroy (Do not skip kdestroy after the step above.)

For Ranger Lookup:

  • Create rangerlookup/<FQDN of Ranger Admin>@<REALM>

    -> kadmin.local

    -> addprinc -randkey rangerlookup/<FQDN of Ranger Admin>

       E.g.: addprinc -randkey rangerlookup/mp-ranger-0703-3.novalocal@EXAMPLE.COM

    -> xst -k /etc/security/keytabs/rangerlookup.keytab rangerlookup/<FQDN of Ranger Admin>@<REALM>

    -> exit

  • Check the principal created for ranger-lookup

    -> kinit -kt /etc/security/keytabs/rangerlookup.keytab rangerlookup/<FQDN of Ranger Admin>@<REALM>

       E.g.: kinit -kt /etc/security/keytabs/rangerlookup.keytab rangerlookup/mp-ranger-0703-3.novalocal@EXAMPLE.COM

       (The command above should complete without any error. You can run “klist” to check whether it was successful.)

    -> kdestroy (Do not skip kdestroy after the step above.)

For Ranger Usersync:

  • Create rangerusersync/<FQDN>@<REALM>

    -> kadmin.local

    -> addprinc -randkey rangerusersync/<FQDN of Ranger usersync>

       E.g.: addprinc -randkey rangerusersync/mp-ranger-0703-3.novalocal@EXAMPLE.COM

    -> xst -k /etc/security/keytabs/rangerusersync.keytab rangerusersync/<FQDN>@<REALM>

    -> exit

  • Check the principal created for rangerusersync

    -> kinit -kt /etc/security/keytabs/rangerusersync.keytab rangerusersync/<FQDN of Ranger usersync>@<REALM>

       E.g.: kinit -kt /etc/security/keytabs/rangerusersync.keytab rangerusersync/mp-ranger-0703-3.novalocal@EXAMPLE.COM

       (The command above should complete without any error. You can run “klist” to check whether it was successful.)

    -> kdestroy (Do not skip kdestroy after the step above.)

For Ranger Tagsync:

  • Create rangertagsync/<FQDN>@<REALM>

    -> kadmin.local

    -> addprinc -randkey rangertagsync/<FQDN of Ranger tagsync>

       E.g.: addprinc -randkey rangertagsync/mp-ranger-0703-3.novalocal

    -> xst -k /etc/security/keytabs/rangertagsync.keytab rangertagsync/<FQDN>@<REALM>

    -> exit

  • Check the principal created for rangertagsync

    -> kinit -kt /etc/security/keytabs/rangertagsync.keytab rangertagsync/<FQDN of Ranger tagsync>@<REALM>

       E.g.: kinit -kt /etc/security/keytabs/rangertagsync.keytab rangertagsync/mp-ranger-0703-3.novalocal@EXAMPLE.COM

       (The command above should complete without any error. You can run “klist” to check whether it was successful.)

    -> kdestroy (Do not skip kdestroy after the step above.)


Note: Change the keytab permissions to read-only and assign ownership of the keytabs to the “ranger” user.


Installation Steps for Ranger-Admin

  1. Untar the ranger-<version>-admin.tar.gz

    -> tar zxf ranger-<version>-admin.tar.gz


  2. Change directory to ranger-<version>-admin

    -> cd ranger-<version>-admin

     

  3. Edit install.properties (Enter appropriate values for the below given properties)

     

    db_root_user=

    db_root_password=

    db_host=


    db_name=

    db_user=

    db_password=


    policymgr_external_url=http://<FQDN_OF_Ranger_Admin_Cluster>:6080

    authentication_method=UNIX or LDAP or AD


    spnego_principal=HTTP/<FQDN_OF_Ranger_Admin_Cluster>@<REALM>

    spnego_keytab=<HTTP keytab path>

    token_valid=30

    cookie_domain=<FQDN_OF_Ranger_Admin_Cluster>

    cookie_path=/

    admin_principal=rangeradmin/<FQDN_OF_Ranger_Admin_Cluster>@<REALM>

    admin_keytab=<rangeradmin keytab path>

    lookup_principal=rangerlookup/<FQDN_OF_Ranger_Admin_Cluster>@<REALM>

    lookup_keytab=<rangerlookup keytab path>

    hadoop_conf=/etc/hadoop/conf

    Note: If the Kerberos server and Ranger Admin are on different hosts, copy the keytab to the admin host and assign ownership to the “ranger” user:

    • scp the rangeradmin keytab file to the corresponding path on the other host

    • chown ranger <rangeradmin keytab path>

    • chmod 400 <rangeradmin keytab path>


  4. Run setup

    -> ./setup.sh

     

  5. Start Ranger admin server

    -> ./ranger-admin-services.sh start

Installation Steps for Ranger-Usersync

 

  1. Untar the ranger-<version>-usersync.tar.gz

    -> tar zxf ranger-<version>-usersync.tar.gz

  2. Change directory to ranger-<version>-usersync

    -> cd ranger-<version>-usersync

  3. Edit install.properties (Enter appropriate values for the below given properties)


 

POLICY_MGR_URL =http://<FQDN_OF_Ranger_Admin_Cluster>:6080

usersync_principal=rangerusersync/<FQDN>@<REALM>

usersync_keytab=<rangerusersync keytab path>

hadoop_conf=/etc/hadoop/conf

 


Note: If the Kerberos server and Ranger Usersync are on different hosts, copy the keytab to the usersync host and assign ownership to the “ranger” user:

  • scp the rangerusersync keytab file to the corresponding path on the other host

  • chown ranger <rangerusersync keytab path>

  • chmod 400 <rangerusersync keytab path>


  4. Run setup

    -> ./setup.sh

  5. Start Ranger usersync server

    -> ./ranger-usersync-services.sh start
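
The keytab ownership and mode settings described above can be verified before running setup.sh. The following is an added example, not part of the Ranger distribution: check_ranger_keytabs is a hypothetical helper that reads an install.properties file, validates each admin, lookup or usersync principal, and confirms that the matching keytab is mode 400 and owned by the ranger user. It assumes GNU stat and skips spnego_principal, because the page states no owner or mode for the HTTP keytab.

```shell
# Added example, not part of the Ranger distribution.
# check_ranger_keytabs <install.properties> [owner]   (hypothetical helper)
# Audits the Kerberos entries that the steps above fill in. Assumes GNU stat.
check_ranger_keytabs() {
    props="$1"; owner="${2:-ranger}"; failures=0
    [ -r "$props" ] || { echo "FAIL cannot read $props"; return 1; }

    while IFS='=' read -r key value || [ -n "$key" ]; do
        key="$(printf '%s' "$key" | tr -d '[:space:]')"
        value="$(printf '%s' "$value" | tr -d '[:space:]')"
        case "$key" in
            \#*) continue ;;                 # commented-out line
            spnego_principal) continue ;;    # HTTP keytab: page sets no owner/mode for it
            *_principal) ;;
            *) continue ;;
        esac
        prefix="${key%_principal}"

        # Principal must look like service/host@REALM, with no unfilled <placeholder>.
        if ! printf '%s\n' "$value" | grep -Eq '^[A-Za-z]+/[A-Za-z0-9.-]+@[A-Za-z0-9.-]+$'; then
            echo "FAIL $key: malformed principal '$value'"
            failures=$((failures + 1))
        fi

        # Find the matching keytab entry, e.g. admin_principal -> admin_keytab.
        keytab="$(sed -n "s/^[[:space:]]*${prefix}_keytab[[:space:]]*=[[:space:]]*//p" "$props" | tail -n 1)"
        if [ -z "$keytab" ] || [ ! -f "$keytab" ]; then
            echo "FAIL ${prefix}_keytab: no such file '$keytab'"
            failures=$((failures + 1))
            continue
        fi

        # Same target state as the "chown ranger" / "chmod 400" steps.
        mode="$(stat -c '%a' "$keytab")"
        file_owner="$(stat -c '%U' "$keytab")"
        if [ "$mode" != "400" ]; then
            echo "FAIL $keytab: mode $mode, expected 400"
            failures=$((failures + 1))
        fi
        if [ "$file_owner" != "$owner" ]; then
            echo "FAIL $keytab: owner $file_owner, expected $owner"
            failures=$((failures + 1))
        fi
    done < "$props"

    [ "$failures" -eq 0 ] && echo "OK keytabs are mode 400 and owned by $owner"
    [ "$failures" -eq 0 ]
}
```

Run it as root or as the ranger user against the edited file, for example check_ranger_keytabs install.properties; a non-zero exit status means at least one FAIL line was printed.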
