ranger kms blueprint postgres database non-default port

anshuman · ‎03-03-2018

Hi

I have managed to have a successful deployment of a full blown ambari-stack using blueprints. As part of the next level of our security requirements I am attempting to make rangerkms run in its own database instance of postgres on a non-default port.

The corresponding blueprint entry

{
      "dbks-site" : {
        "properties_attributes" : { },
        "properties" : {
          "ranger.ks.hsm.enabled" : "false",
          "hadoop.kms.blacklist.DECRYPT_EEK" : "hdfs",
          "ranger.ks.jpa.jdbc.credential.alias" : "ranger.ks.jdbc.password",
          "ranger.ks.jpa.jdbc.url" : "jdbc:postgresql://mydb.server.com:7432/rangerkms",
          "ranger.ks.jpa.jdbc.driver" : "org.postgresql.Driver"
        }
      }
    }

During blueprint installation the jisql commands attempt to verify the connection to the database but it doesnt seem to take into account the port that i have configured

resource_management.core.exceptions.ExecutionFailed: Execution of 'ambari-python-wrap /usr/hdp/current/ranger-kms/db_setup.py' returned 1. 2018-03-03 00:22:47,004  [I] DB FLAVOR :POSTGRES
2018-03-03 00:22:47,005  [I] --------- Verifying Ranger DB connection ---------
2018-03-03 00:22:47,005  [I] Checking connection
2018-03-03 00:22:47,005  [JISQL] /usr/java/latest/bin/java -cp /usr/hdp/current/ranger-kms/ews/webapp/lib/postgresql-jdbc.jar:/usr/hdp/current/ranger-kms/jisql/lib/* org.apache.util.sql.Jisql -driver postgresql -cstring jdbc:postgresql://mydb.server.com/rangerkms -u rangerkms -p '********' -noheader -trim -c \; -query "SELECT 1;"
SQLException : SQL state: 28000 org.postgresql.util.PSQLException: FATAL: no pg_hba.conf entry for host "192.168.10.21", user "rangerkms", database "rangerkms", SSL off ErrorCode: 0
2018-03-03 00:22:47,182  [E] Can't establish connection

However on the same host where kms is being attempted to install say foo.server.com if i specify the port the connection is successful

/usr/java/latest/bin/java -cp /usr/hdp/current/ranger-kms/ews/webapp/lib/postgresql-jdbc.jar:/usr/hdp/current/ranger-kms/jisql/lib/* org.apache.util.sql.Jisql -driver postgresql -cstring jdbc:postgresql://mydb.server.com:7432/rangerkms -u rangerkms -p 'rangerkms' -noheader -trim -c \; -query "SELECT 1;" 1 |

How do i get the db connection verifier to use the specified port in the blueprint ?

I do have an entry in my pg_hba conf for foo.server.com to access rangerkms db as user rangerkms ..

anshuman · ‎03-03-2018

As part of this design I want ranger-kms to be separated from the other databases. So obviously if I just switch ports then ranger-kms gets installed but ranger admin does not because it uses the same library without the port !

anshuman · ‎03-03-2018

As a hack I am specifying the port in the host name and that seems to work. Note the db_host below

{
      "kms-properties" : {
        "properties" : {
          "KMS_MASTER_KEY_PASSWD" : "foo",
          "DB_FLAVOR" : "POSTGRES",
          "db_name" : "rangerkms",
          "db_user" : "rangerkms",
          "db_password" : "foo",
          "REPOSITORY_CONFIG_USERNAME" : "keyadmin",
          "db_host" : "mydb.server.com:7432"
          }
      }
    }