The best option is to just backup your Ranger database. For production, you should also consider setting up DB level replication (active/active or active/passive). This will give you HA and DR. ... View more

@sdutta in SolrCloud you should be using CloudSolrClient class. It should take care of everything you mentioned. Gets the active Solr servers from Zookeeper. And when you add the document, it will automatically send it to the server which is hosting the shard for the id, etc. It also keeps track if any Solr server is out of commission and automatically reconfigures itself. CloudSolrClient solrCloudClient = new CloudSolrClient(zkHosts); solrCloudClient.setDefaultCollection(collectionName); ... View more

@Kuldeep Kulkarni, how are you setting user admin as administrator? Is the user admin in dfs.cluster.administrators? Do you have access to user "hdfs"? ... View more

The primary limitation is wrt to UserSync. If there are multiple clusters, but using the same AD/LDAP, then you can use the same the Ranger instance to manage all of them. ... View more

In Kafka, topic creation and deletion is still done directly at the ZooKeeper level and doesn't go through Broker. If you are using HDP, then OOTB, only principal "kafka" has permission to do these operations. In future releases, Kafka community will support creation of Topics via Broker. Till that time, there is not much option, but to manage the creation/delete permissions using ZooKeeper ACLs ... View more

Since you brought up this blog, there are 3 things you need to know. 1. Authentication, 2. User/Group Mapping and 3. Authorization 1. For authentication, there is no alternative for Kerberos. Once your cluster is Kerberized, you can make it easier for certain access path by using AD/LDAP. Example, access to HS2 via AD/LDAP authentication or accessing various services using Knox. 2. Group mapping can be done in 3 ways. One as the blog says, where you lookup AD/LDAP to get the groups for the users. Second is to materialize the AD/LDAP users on the linux server using SSSD, Centrify, etc. Third is to manually create the users and groups in the linux env.All these options are applicable regardless whether you have Kerberos or not. 3. Authorization can be done via Ranger or using the natively supported ACL. Except Storm and Kafka, having Kerberos is not mandatory. Without reliable authentication, authorization and auditing is meaningless. Common use case as yours: User A logs into the system with his AD credentials, HDFS or Hive ACL's kicks in for authorization. You have to qualify "system". Which system are you logging in? Only HS2 and Knox allows you to login via AD/LDAP. If you are planning to do that, then you have to setup a very tight firewall around your Hadoop cluster. Absolutely no one should be able to connect to the NameNode, DataNode or any other service port from outside the cluster, except to the JDBC port of HS2 or Knox port. If you can setup this firewall, then all business users will be secure even if don't kerberize your cluster. However, any user who has shell login/port access to edge node/cluster or able to submit a custom job in the cluster will be able to impersonate anyone. Setting up this firewall is not a trivial thing. Even if you do, there will be users who will need access to the cluster. There should be limited number of such users and these users should be trusted. And you should not let any un-approved job running within the cluster. If the customer is okay with all the "ifs" and comfortable with limited number of super admin users, then yes you can have security without Keberos. ... View more

All the APIs from Hadoop KMS should work with RangerKMS also. We could a make a note of it in the documentation. ... View more

Yes you will be able to rollover the Encryption Zone Key (EZKey). EZKey is used to encrypt the key used to encrypt the data/file. There is one active EZ key per encryption zone. You can rollover the EZKey as needed and new EEK (File Keys) will be encrypted with the new key. However file/data keys encrypted with older keys will not be rekeyed. Since the EZKeys are versioned, older EEK will be decrypted with appropriate version. So everything works seamlessly. ... View more

Preferred way is to create a file like ranger-admin-env00-java_mem.sh in /etc/ranger/admin/conf and have the following values: JAVA_OPTS=" -XX:MaxPermSize=256m -Xmx1024m " export JAVA_OPTS In this way, even when Ranger is upgraded, your custom overrides are still there. ... View more