@Jasper Ranger service - configuration has details on which hadoop components is using Ranger for authorization and what policies are there which can be enabled / disabled / audited or not. These service definitions gets created when you enable ranger for the respective components from Ambari and restart the service These properties which are there against the services are used only for Test Connection and Lookup functionality which allows you to select the resource when you maintain policies, i.e auto population of the resource based on the resource name you are going to type in the field. e.g For Hive when you maintain policies if the "Database" field if there are multiple databases in hive and some of them starts with letter "d" and you type "d" in that field in brings up a list of databases which starts with "d". Same case with HDFS it will bring the matching directories for the "PATH". Same with other components too. To do this operation, Ranger communicates with respective hadoop component and brings those details. The user and config maintained here will be used for this communication and in kerberos it will be a service principal which will be used. These users will have policy to do these operations. This is the main purpose of these configuration and it DOESN'T stop you from using the RANGER plugin if the TEST CONNECTION / LOOKUP is not working. It is just for added convenience when maintaining policies. There are lot of misconception around it. In Kerberos environment in HDP 2.5 where ranger itself is kerberized , there are some "Add New Configuration" parameters get configured which maintains various users which communicates with Ranger admin to download policies, tags, service creation from ambari, service check etc.
... View more
