Member since 08-08-2013 | 339 Posts | 132 Kudos Received | 27 Solutions
07-26-2016 06:27 PM
Hi @Kuldeep Kulkarni, thanks for your helpful posts. Is it planned to continue this series..... I am looking forward to a Blueprint including Namenode-/HMaster-HA as well as Kerberos. Thanks in advance...
05-27-2016 12:37 PM
brilliant article @vshukla. ...and some questions 😉 : You mention a 'manual install' as well, what would it look like? What if the cluster is kerberized, what configs will change or need to be added? Will the above also work on HDP 2.3.4 incl. Spark 1.5.2? because I am currently fighting getting Zeppelin to work in kerberized HDP 2.3.4... Thanks in advance, Gerd
03-07-2016 10:05 AM (2 Kudos)
To disable SSLv3 for an old Hue version, do the following:
1.) open file "/usr/lib/hue/desktop/core/src/desktop/lib/wsgiserver.py"
2.) add the following line, after line no. 1669:
    ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)
3.) restart Hue
To check if Hue replies on SSLv3 or not you can use this one:
    openssl s_client -connect <hue-server-name>:<hue-port> -ssl3
Here is the corresponding GitHub patch, thanks to @cdraper: https://github.com/cloudera/hue/commit/0060abf9aae0049c082c9948658eea7df848ab6e
02-11-2016 01:30 PM (8 Kudos)
While enabling SSL for Ranger (I am writing for Ranger 0.4 from HDP2.2.4, configured by Ambari) I ran into issues, losing some days. The critical points are:
- verify that the property "Common Name For Certificate" in the Ranger policy definition AND in the plugin configuration is matching the DN of your used certificate
- if you use HA enabled services like Namenode-HA, you have to use the same cert (at least) throughout both Namenodes to match the "Common Name for Certificate"
!! Do not use the server's FQDN for the DN property at certificate creation time !!
This is the step-by-step instruction of what I did to make it work. Please keep in mind that I will use ONE certificate throughout all nodes. If that does not match your security criteria, you have to adapt the steps accordingly.
1.) create Ranger-admin keystore
    cd /etc/ranger/admin/conf/
    sudo /usr/java/jdk1.7.0_79/bin/keytool -genkey -keyalg RSA -alias ranger-admin -keystore ranger-admin-keystore.jks -validity 360 -keysize 2048 -storepass <password>
2.) export Ranger-admin key to .cer file and distribute that throughout all cluster nodes
    sudo /usr/java/jdk1.7.0_79/bin/keytool -export -keystore /etc/ranger/admin/conf/ranger-admin-keystore.jks -alias ranger-admin -file ranger-admin-trust.cer
    # copy the .cer to all the other hosts
3.) ssh to one master, e.g. the active namenode, and create the certificate (this will be used on all other hosts as well)
    cd /etc/hadoop/conf/
    sudo /usr/java/jdk1.7.0_79/bin/keytool -genkey -noprompt -dname "CN=commonname, OU=test, O=test" -keyalg RSA -alias rangeragent -keystore ranger-agent-keystore.jks -validity 360 -keysize 2048 -storepass <password>
    # keep the storepass in mind for configuring the plugins later on in Ambari
    # important is the "commonname", you need this value in the Ranger repository definition and in the Ranger plugin configuration
4.) export that cert and distribute it to all nodes in the cluster
    sudo /usr/java/jdk1.7.0_79/bin/keytool -export -keystore /etc/hadoop/conf/ranger-agent-keystore.jks -alias rangeragent -file ranger-agent.cer
5.) create a truststore ON ALL NODES for the ranger-admin cert (the one from step 2.)
    sudo /usr/java/jdk1.7.0_79/bin/keytool -import -file ranger-admin-trust.cer -alias rangeradmintrust -keystore /etc/hadoop/conf/ranger-admin-truststore.jks -storepass <password>
    # do this on all nodes where ranger plugins will become active
6.) import the "client" cert (the one from step 4.) on the ranger-admin node into the default java keystore "cacerts"
    ssh <ranger-admin-node>
    cd /etc/ranger/admin/conf/
    sudo /usr/java/jdk1.7.0_79/bin/keytool -import -file ranger-agent.cer -alias rangeragent -keystore /usr/java/jdk1.7.0_79/jre/lib/security/cacerts -storepass <cacerts-password>
Now that the underlying SSL stuff has been set up you can proceed configuring Ranger and the Ranger plugins in Ambari by providing:
    keystore_file_path = /etc/hadoop/conf/ranger-agent-keystore.jks
    truststore_file_path = /etc/hadoop/conf/ranger-admin-truststore.jks
also the corresponding password properties and the property "common.name.for.certificate" = commonname
Restart the services and have fun configuring Ranger policies 😄
Check the latest timestamp of the Agents in Ranger=>Audit=>Agents to verify that all the plugins received the latest policies.
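As an added check (my own example, not code from Gerd's post): a stdlib-only Python parser that reads the subject CN out of a DER .cer such as ranger-agent.cer, so the value you intend for "common.name.for.certificate" can be compared with what the certificate really carries before the restart. The function names and the constructed sample certificate are my own assumptions, not keytool output.

```python
CN_OID = bytes.fromhex("550403")  # DER content of OID 2.5.4.3 (commonName)

def _tlv(buf, pos=0):
    """Decode one DER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(content):
    """Split the content of a SEQUENCE/SET into its (tag, content) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = _tlv(content, pos)
        out.append((tag, val))
    return out

def subject_cn(der_cert):
    """Subject commonName of a DER X.509 certificate, or None if it has none."""
    tbs = _children(_children(_tlv(der_cert)[1])[0][1])  # Certificate -> TBSCertificate
    idx = 5 if tbs[0][0] == 0xA0 else 4  # optional [0] version shifts the subject field
    for _, rdn in _children(tbs[idx][1]):  # Name = SEQUENCE OF SET OF AttributeTypeAndValue
        for _, atv in _children(rdn):
            oid, val = _children(atv)  # AttributeTypeAndValue = SEQUENCE { OID, value }
            if oid[1] == CN_OID:
                return val[1].decode("utf-8")  # UTF8String and PrintableString both decode
    return None

def check_common_name(der_cert, configured):
    """True when the configured common.name.for.certificate equals the cert's CN."""
    return subject_cn(der_cert) == configured

# Constructed sample (assumption, not a real keytool output): a structurally valid
# v3 certificate skeleton with a dummy signature, standing in for ranger-agent.cer.
def _der(tag, content):  # DER TLV with short- or long-form length
    n = len(content)
    lb = b"" if n < 128 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 128 else 0x80 | len(lb)]) + lb + content

def _name(cn):  # mirrors the post's -dname "CN=<cn>, OU=test, O=test"
    attrs = [("550403", cn), ("55040b", "test"), ("55040a", "test")]
    return _der(0x30, b"".join(_der(0x31, _der(0x30, _der(0x06, bytes.fromhex(o))
                                               + _der(0x0C, v.encode()))) for o, v in attrs))

def make_sample_cert(cn):
    sha256_rsa = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sha256_rsa
               + _name(cn) + _der(0x30, b"") + _name(cn))  # issuer, validity, subject
    return _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00"))
```

For a real file, pass open("/etc/hadoop/conf/ranger-agent.cer", "rb").read() to check_common_name together with the value you are about to configure; a False result on the ranger-admin node is exactly the FQDN mismatch the post warns about.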
12-26-2015 07:51 AM (3 Kudos)
In Ambari the Hiveserver2 is shown as "green", but there is an alert indicating a problem with the Hiveserver2 process. This is due to a known bug in HDP2.2.3/2.2.4: at Hive startup time no Kerberos ticket will be grabbed. To get rid of that alert, log in to the Hiveserver node, become user hive and execute
    kinit -kt /etc/security/keytabs/hive.service.keytab hive/<hiveserver>@<REALM>
(if your keytab is in that default directory) to ensure the hive user got a valid Kerberos ticket. Afterwards you can restart Hiveserver in Ambari and the alert will disappear (Thanks to @dprichici for highlighting this)
Regards, Gerd
02-12-2014 06:29 AM
Nice, many thanks, Clint. Looking forward to your feedback.....br, Gerd
02-12-2014 04:54 AM
Hi, I'm asking myself where to put security related concerns/questions and would suggest creating a separate heading for that. Or is there a corresponding section already, but I didn't find it?!? I'm thinking of topics like "secure logging", "auditing", "traceability", etc. br, Gerd