Community Articles

Find and share helpful community-sourced technical articles.
Labels (2)
avatar

Note:Ranger communicates with Plug-ins only with 2 WAY SSL (1 way SSL in not allowed).

[Updated] Appears like one way SSL is possible with latest patch - https://issues.apache.org/jira/browse/RANGER-1094

First get server keystore as skeystore.jks and truststore strustore.jks and client keystore as ckeystore.jks and ctruststore.jks (you can create these keystore/truststores once you get the signed certs from CA Signing.

here is the steps:

1. Login to Ambari
Go to Ranger > Configs > Ranger Settings > External URL points to a URL that uses SSL: https://<hostname of Ranger>:<https port, default is 6182> 

and

ranger.service.https.attrib.ssl.enabled to false
2. Go to HDFS > Configs > Advanced > ranger-hdfs-policymgr-ssl and set the following properties:
    xasecure.policymgr.clientssl.keystore = /etc/hadoop/conf/ckeystore.jks
    xasecure.policymgr.clientssl.keystore.password = bigdata
    xasecure.policymgr.clientssl.truststore = strustore.jks
    xasecure.policymgr.clientssl.truststore.password = bigdata
3. Go to HDFS > Configs > Advanced > Advanced ranger-hdfs-plugin-properties
     common.name.for.certificate = specify the common name (or alias) that is specified in ckeystore.jks 
4.HDFS > Configs > Advanced > Advanced ranger-hdfs-plugin-properties then select the Enable Ranger for HDFS check box. 
5.Go to  Ranger > Configs > Ranger Settings > Advanced ranger-admin-site
ranger.https.attrib.keystore.file=skeystore.jks
ranger.service.https.attrib.keystore.pass=bigdata
ranger.service.https.attrib.keystore.keyalias=specify alias name that is specified in skeystore.jks file
ranger.service.https.attrib.clientAuth=want

Add below under custom Ranger-admin-site
ranger.service.https.attrib.client.auth=want
ranger.service.https.attrib.keystore.file=skeystore.jks
6.Log into the Ranger Policy Manager UI as the admin user. Click the Edit button of your repository (in this case, hadoopdev) and provide the CN name of the keystore as the value for Common Name For Certificate, then save your changes. 
7. This is applicable only for HDP2.5 (this is a bug 2.5 hence modifying the sh script)
Go to /usr/hdp/current/ranger-admin/ews/ranger-admin-services.sh
Edit the JAVA_OPTS to add trustore and truststorepassword

JAVA_OPTS=" ${JAVA_OPTS} -XX:MaxPermSize=256m -Xmx1024m -Xms1024m -Djavax.net.ssl.trustStore=/tmp/rangercerts/ctruststore.jks -Djavax.net.ssl.trustStorePassword=bigdata"
8. Restart all the service and you HDFS plug-in should be able to communicate with Ranger service.
Note:
while creating the client certs, make sure you provide extension as "usr_cert" and server cert as "server_cert" , other wise 2 WAY SSL communication would fail.
7,059 Views
Comments

@apappu

You are using "code" blocks for non-code regular text. For example you describe textually each step using a code block. The same issue with final note. It is text, not code.

Also, the article, should include a structure like:

  • Problem Description
  • Assumptions
  • Steps
  • Conclusions

Could you clean-up the article for that, also spell checks and resubmit? Our articles need to have a publisher quality.

From HDP 2.5, two way SSL is not required for kerberized environments.

From HDP 2.5 onwards, ranger does not require 2-way SSL in kerberos env

Could you add more detail to your note? In particular, I'm not aware of any certificate extention "usr_cert". do you mean "-ext EKU=clientAuth"?

avatar
Expert Contributor

I think you have a typo, because you want HTTPS to be enabled, so you should set this property to false (also it's the only one in "Ranger Settings" section):

ranger.service.http.enabled = false

The property ranger.service.https.attrib.ssl.enabled is in the "Advanced ranger-admin-site" section and this has to be true in order to use https on Ranger.

avatar
Expert Contributor

Also in the step (3) the property common.name.for.certificate is NOT the alias for the certificate in the keystore (as you said) but the Common Name (CN=xxxx,...) in the client certificate's subject.
These values could be the same but don't need to be and usually the have different values.

avatar
Expert Contributor

@amarnath reddy pappu can you please elaborate on the Note: about providing extension as "usr_cert" and "server_cert" ?

I have a wildcard certificate and after following all the above steps and also with modifications as mentioned by @Luis Vazquez the plugins don't show up in the ranger ui and the error is keyadmin is not allowed to do "GET_KEYS". the documentation on setting this up correctly using CA signed certs is suprisingly sparse.