Community Articles

While enabling SSL for Ranger (I am writing for Ranger 0.4 from HDP2.2.4, configured by Ambari) I ran into issues loosing some days. The critical points are

1. verify that property "Common Name For Certificate" in Ranger policy definition AND in Plugin configuration is matching the DN of your used certificate
2. if you use HA enabled services like Namenode-HA, you have to use the same cert (at least) throughout both Namenodes to match the "Common Name for Certificate". !! Do not use the servers FQDN for the DN property at certification creation time !!

This is the step-by-step instruction what I did to make it work. Please keep in mind that I will use ONE certificate throughout all nodes. If that does not match your security criteria, you have to adapt the steps accordingly

1. create Ranger-admin keystore cd /etc/ranger/admin/conf/ sudo /usr/java/jdk1.7.0_79/bin/keytool -genkey -keyalg RSA -alias ranger-admin -keystore ranger-admin-keystore.jks -validity 360 -keysize 2048 -storepass <password>
2. export Ranger-admin key to .cer file and distribute that throughout all cluster nodes sudo /usr/java/jdk1.7.0_79/bin/keytool -export -keystore /etc/ranger/admin/conf/ranger-admin-keystore.jks -alias ranger-admin -file ranger-admin-trust.cer # copy the .cer to all the other hosts
3. ssh to one master, e.g. the active namenode
4. create certificate ( this will be used on all other hosts as well) cd /etc/hadoop/conf/ sudo /usr/java/jdk1.7.0_79/bin/keytool -genkey -noprompt -dname "CN=commonname, OU=test, O=test" -keyalg RSA -alias rangeragent -keystore ranger-agent-keystore.jks -validity 360 -keysize 2048 -storepass <password> # keep the storepass in mind for configuring the plugins later on in Ambari # important is the "commonname", you need this value in Ranger repository definition and in the Ranger plugin configuration
5. export that cert and disribute it to all nodes in the cluster sudo /usr/java/jdk1.7.0_79/bin/keytool -export -keystore /etc/hadoop/conf/ranger-agent-keystore.jks -alias rangeragent -file ranger-agent.cer
6. create a truststore ON ALL NODES for the ranger-admin cert (the one from step 2. ) sudo /usr/java/jdk1.7.0_79/bin/keytool -import -file ranger-admin-trust.cer -alias rangeradmintrust -keystore /etc/hadoop/conf/ranger-admin-truststore.jks -storepass <password> # do this on all nodes where ranger plugins will become active
7. import the "client" cert (the one from step 4. ) on the ranger-admin node into the default java keystore "cacerts" ssh <ranger-admin-node> cd /etc/ranger/admin/conf/ sudo /usr/java/jdk1.7.0_79/bin/keytool -import -file ranger-agent.cer -alias rangeragent -keystore /usr/java/jdk1.7.0_79/jre/lib/security/cacerts -storepass <cacerts-password>

Now that the underlying SSL stuff has been setup you can proceed configuring Ranger and the Ranger-plugins in Ambari by providing:

• keystore_file_path = /etc/hadoop/conf/ranger-agent-keystore.jks
• truststore_file_path = /etc/hadoop/conf/ranger-admin-truststore.jks
• also the corresponding password properties
• and the property "common.name.for.certificate" = commonname

Restart the services and have fun configuring Ranger policies 😄

Check the latest timestamp of the Agents in Ranger=>Audit=>Agents to verify that all the plugins received the latest policies