Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

HTTPS access to Ranger via Knox ?

avatar
Guru

Hi,

due to security concerns I need to provide Ranger WebUI via Https, and I thought accessing it through Knox would be a simple approach. But I can also imagine some wired conflicts while e.g. configuring Knox policies for Knox, in Ranger and thereby creating some Kind of 'deadlock'....

What do you think about that approach, is it possible at all and how would a topology in Knox look like?!?!

Thanks for any thoughts and Hints!

1 ACCEPTED SOLUTION

avatar

Currently Knox does not currently support proxying the Ranger UI. If/when Knox does support proxying the Ranger UI you are correct that it may be impossible to access the Ranger UI via Knox if the Range/Knox agent is installed and if the required users have not already been granted access. Presumably setting up the required policies would be done before hand or from "within" the cluster and not via Knox.

View solution in original post

6 REPLIES 6

avatar
Master Mentor

avatar

Currently Knox does not currently support proxying the Ranger UI. If/when Knox does support proxying the Ranger UI you are correct that it may be impossible to access the Ranger UI via Knox if the Range/Knox agent is installed and if the required users have not already been granted access. Presumably setting up the required policies would be done before hand or from "within" the cluster and not via Knox.

avatar
Guru

Thanks @Kevin Minder for your explanation.

Is it possible to proxy the NN / RM Webpage through Knox?....Just to put Access to those webuis behind HTTPS

avatar

Hi Kevin Minder-

I am at a similar situation right now. Trying to enable SSL in ranger (Version 0.5). I could see some some config props in Ambari ranger, so i am guess SSL enabling is possible and changed following props,

- ranger.service.https.attrib.ssl.enabled : true

- ranger.service.https.port :6182

- HTTP enabled :false

- External URL : https://hostname:6182

After trying out above steps to enable ssl for ranger i end up getting an alert connection refused error to the url

https://hostname:6182 and the ranger UI doesn't show up. I wonder if enabling SSL is possible for ranger UI Ver 0.5 (

https://issues.apache.org/jira/browse/RANGER-795)

or is there any other configs that I missed ?

avatar
Rising Star

Right now I was able to enable SSL in Ranger 0.6.0 downloaded from the Apache Foundation but not in Ranger 0.5.0 included in HDP 2.4.0. Hope in the next release Hortonworks will upgrade Ranger to 0.6.0.

avatar

I couldn't enable ssl in ranger.