THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
Summary:
This document details the steps involved in installing and configuring Apache Ranger.
These instructions are for installing Ranger on CentOS/RHEL (release 6).
Prerequisites:
JDK 7+ needs to be installed.
- MySQL (5.6+) or ORACLE DB (11g+) for Policy/Audit DB.
- DB server can be installed on the same host. Or Ranger services need to have access to DB server host
- Maven. If not installed, please follow below steps
wget http://mirrors.gigenet.com/apache/maven/maven-3/3.0.5/binaries/apache-maven-3.0.5-bin.tar.gz
su -c "tar -zxvf apache-maven-3.0.5-bin.tar.gz -C /opt/"
su -c "vi /etc/profile.d/maven.sh" # Add the following lines to maven.sh
export M2_HOME=/opt/apache-maven-3.0.5
export M2=$M2_HOME/bin
export PATH=$M2:$PATH
Now test your install of Maven. Logout of the system and then log back into it. Enter the following command:
- mvn -version
Building Ranger from source:
Get the ranger source
mkdir ~/dev
cd ~/dev
git clone -b master git@github.com:apache/incubator-ranger.git ranger
Now build the source
cd ranger
export MAVEN_OPTS="-Xmx512M"
yum search gcc and Install gcc (yum install gcc.x86_64)
mvn clean compile package assembly:assembly
Verify all the tar files under target dir
ls -ltr *tar.gz
-rw-r--r-- 1 root root 15068844 Dec 1 04:30 ranger-0.4.0-hdfs-plugin.tar.gz
-rw-r--r-- 1 root root 14480716 Dec 1 04:30 ranger-0.4.0-hive-plugin.tar.gz
-rw-r--r-- 1 root root 14349626 Dec 1 04:30 ranger-0.4.0-hbase-plugin.tar.gz
-rw-r--r-- 1 root root 17763192 Dec 1 04:30 ranger-0.4.0-knox-plugin.tar.gz
-rw-r--r-- 1 root root 21243470 Dec 1 04:31 ranger-0.4.0-storm-plugin.tar.gz
-rw-r--r-- 1 root root 126143540 Dec 1 04:31 ranger-0.4.0-admin.tar.gz
-rw-r--r-- 1 root root 7677999 Dec 1 04:31 ranger-0.4.0-usersync.tar.gz
Install/Configure Ranger Admin:
Lay down the binaries into appropriate places.
cd /usr/local
sudo tar zxf ~/dev/ranger/target/ranger-0.4.0-admin.tar.gz
- sudo ln -s ranger-0.4.0-admin ranger-admin
- Open install.properties in ranger root folder
- Verify the root password that you had picked while installing mysql. I had chosen root so the relevant section in my install.properties file looks as follows
- The install process would create a couple of users in the database for storing administration and audit information, pick passwords for those too. With my choices here’s how the relevant sections in the install.properties file look now.
- Ranger allows you to get different authentication modes but for now let’s just leave rest of the things in install.properties file as they are.
Once all the required properties are updated, execute the below scripts to install ranger admin service.
Execute : ./setup.sh
Execute : ./set_globals.shcreate a valid symlink in /usr/bin/ for start/stop of ranger admin
cd /usr/bin
ln -sf /usr/local/ranger-admin/ews/start-ranger-admin.sh ranger-admin-start
ln -sf /usr/local/ranger-admin/ews/stop-ranger-admin.sh ranger-admin-stopupdate ranger-admin service file to link to the start and stop scripts
vim /etc/init.d/ranger-admin ( Update the Start and Stop commands to point to the created symlinks )Start the Ranger Admin
service ranger-admin startYou can verify by visiting the external URL of the server using browser, for example :
http://<Host Address>:6080/
Install/Configure Ranger User Sync:
- Start by extracting out binaries at the appropriate place.
cd /usr/local
sudo tar zxf ~/dev/ranger/target/ranger-0.4.0-usersync.tar.gz
sudo ln -s ranger-0.4.0-usersync ranger-usersync
sudo mkdir -p /var/log/ranger-usersync
sudo chown ranger /var/log/ranger-usersync; sudo chgrp ranger /var/log/ranger-usersync
cd ranger-usersync - Now let’s edit the install.properties file. Here are the relevant lines that you should edit:
POLICY_MGR_URL=http://localhost:6080
SYNC_SOURCE=unix
logdir=/var/log/ranger/usersync - Now install the usersync by running the setup command
export JAVA_HOME=/usr/lib/jvm/java-1.7.0-openjdk-amd64 ./setup.sh create a valid symlink in /usr/bin/ for start/stop of ranger usersync
cd /usr/bin
ln -sf /usr/local/ranger-usersync/start.sh ranger-usersync-start
ln -sf /usr/local/ranger-admin/ews/stop.sh ranger-usersync-stopupdate ranger-usersync service file to link to the start and stop scripts
vim /etc/init.d/ranger-usersync ( Update the Start and Stop commands to point to the created symlinks )
Start the Ranger Usersync
service ranger-usersync startYou can verify by looking at the users tab in Ranger Admin. Unix host users should be sync'ed to ranger.
Install/Configure Ranger HDFS Plugin:
Ranger HDFS plugin helps to centralize the HDFS authorization policies. To verify that, first Apache Hadoop needs to be installed. If Hadoop is not already installed, follow below steps.
- These instructions were written for Hadoop 2.5.2. So grab that tar (hadoop-2.5.2.tar.gz) and checksum file (hadoop-2.5.2.tar.gz.md5).
- Follow the instructions available on the hadoop site http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/SingleCluster.html.
- Follow steps given in pseudo distributed mode.
- Make note of the location where you installed hadoop. Here I assume that you have installed it in /usr/local/hadoop.
- Create a user under which we could install and ultimately run the various hadoop processes. And login as that user.
sudo useradd --home-dir /var/hadoop --create-home --shell /bin/bash --user-group hadoop
sudo tar xzf hadoop-2.5.2.tar.gz -C /usr/local
cd /usr/local
sudo ln -s hadoop-2.5.2 hadoop
sudo chown hadoop -R hadoop hadoop-2.5.2
sudo chgrp hadoop -R hadoop hadoop-2.5.2
sudo su - hadoop
Now let's follow the below steps to install/configure Ranger HDFS plugin.
- Start by extracting binaries at the appropriate place (/usr/local).
cd /usr/local
sudo tar zxf ~/dev/ranger/target/ranger-0.4.0-hdfs-plugin.tar.gz
sudo ln -s ranger-0.4.0-hdfs-plugin ranger-hdfs-plugin
cd ranger-hdfs-plugin - Now let’s edit the install.properties file. Here are the relevant lines that you should edit:
POLICY_MGR_URL=http://localhost:6080
REPOSITORY_NAME=local_hdfs
XAAUDIT.DB.HOSTNAME=localhost
XAAUDIT.DB.DATABASE_NAME=ranger
XAAUDIT.DB.USER_NAME=rangerlogger
XAAUDIT.DB.PASSWORD=rangerlogger - Now enable the hdfs-plugin by running the enable-hdfs-plugin.sh command (Remember to set JAVA_HOME)
- Create a symlink as conf dir of hadoop linking to hadoop conf dir
- cd /usr/local/hadoop
- ln -s /usr/local/hadoop/etc/hadoop conf
- Export HADOOP_HOME to bashrc
- echo “export HADOOP_HOME=/usr/local/hadoop” >> /etc/bashrc
- Enable Ranger HDFS plugin
- cd /usr/local/ranger-hdfs-plugin
- ./enable-hdfs-plugin.sh
- Copy all the jar files from ${hadoop_home}/lib
- cp /usr/local/hadoop/lib/* /usr/local/hadoop/share/hadoop/hdfs/lib/
- Create a symlink as conf dir of hadoop linking to hadoop conf dir
- Now edit the xasecure-audit.xml file.
- cd /usr/local/hadoop/conf
- change the xasecure-audit.xml file to look like the below. Make sure the JDBC properties are correct.
<property> <name>xasecure.audit.jpa.javax.persistence.jdbc.url</name>
<value>jdbc:mysql://localhost/ranger</value>
</property>
<property>
<name>xasecure.audit.jpa.javax.persistence.jdbc.user</name>
<value>rangerlogger</value>
</property>
<property> <name>xasecure.audit.jpa.javax.persistence.jdbc.password</name>
<value>rangerlogger</value>
</property>
- Once these changes are done Restart Hadoop namenode. This should start the association of ranger-hdfs-plugin with hadoop.
- You can verify by logging into the Ranger Admin Web interface -> Audit -> Agents
- Now HDFS resources will be authorized via Ranger policies.
Install/Configure Ranger Hive Plugin:
Instructions
Install/Configure Ranger HBase Plugin:
Instructions
Install/Configure Ranger Knox Plugin:
Instructions
Install/Configure Ranger Storm Plugin:
Instructions will be updated soon.