08-16-2018
12:21 PM
Short Description:
This article lists the manual steps to perform when a cluster is set up with HDFS, Ranger and Ranger KMS services, the Ranger service is syncing users from LDAP/AD, and Hadoop group mapping is configured using SSSD. The steps let the Ranger KMS service resolve groups with spaces or no name the same way Hadoop does.
Article:
To resolve groups with spaces or no name, the Ranger KMS process must have access to the Hadoop native library path so that it can use the JniBasedUnixGroupsMapping class.
Steps for Ambari 2.6.x version:
1) Create a shell file ranger-kms-env-javaopts.sh in the Ranger KMS conf directory, which will specify -Djava.library.path:
vim /usr/hdp/current/ranger-kms/conf/ranger-kms-env-javaopts.sh
2) Add the content below and save the ranger-kms-env-javaopts.sh file:
export JAVA_OPTS=" ${JAVA_OPTS} -Djava.library.path=${JAVA_LIBRARY_PATH}:/usr/hdp/current/hadoop-client/lib/native "
3) Update the ownership of ranger-kms-env-javaopts.sh to the user that starts the Ranger KMS process (the default user is kms):
chown kms:kms /usr/hdp/current/ranger-kms/conf/ranger-kms-env-javaopts.sh
4) Restart the Ranger KMS service from Ambari.
Steps for Ambari 3.0.x version:
1) Specify -Djava.library.path directly in the Configs section of Ranger KMS from Ambari. Go to Ranger KMS > Configs > Advanced section > Advanced kms-env section > kms-env template and add the line below:
export JAVA_OPTS=" ${JAVA_OPTS} -Djava.library.path=${JAVA_LIBRARY_PATH}:/usr/hdp/current/hadoop-client/lib/native "
2) After saving the configs from Ambari, restart the Ranger KMS service.
01-05-2018
12:34 PM
Can check main.ldapRealm.contextFactory.systemPassword value in your topology, refer link.
01-04-2018
09:01 AM
@Shota Akhalaia, can you try the below code block in your topology:
<service>
<role>WEBHDFS</role>
<url>http://namenode1.ragaca.com:50070/webhdfs</url>
</service>
Refer this link.
01-03-2018
07:11 AM
1 Kudo
The steps below take a backup of the Ranger audits and then restore them to a new collection that uses the updated managed-schema fix given in RANGER-1938.
Note: The steps apply only to Solr version 5.x and a Ranger service managed by Ambari.
1) Backup existing ranger_audits collection:
curl -X GET "http://${SOLR_HOST}:${SOLR_PORT}/solr/ranger_audits/replication?command=backup&location=/tmp"
2) Download existing managed-schema from Zookeeper:
/usr/lib/ambari-infra-solr/server/scripts/cloud-scripts/zkcli.sh --zkhost "${ZK_HOST}:${ZK_PORT}/${SOLR_ZNODE}" -cmd getfile /configs/ranger_audits/managed-schema /tmp/managed-schema
3) Upload updated managed-schema given here to Zookeeper:
/usr/lib/ambari-infra-solr/server/scripts/cloud-scripts/zkcli.sh --zkhost "${ZK_HOST}:${ZK_PORT}/${SOLR_ZNODE}" -cmd putfile /configs/ranger_audits/managed-schema managed-schema
4) Delete existing ranger_audits collection:
curl -i "http://${SOLR_HOST}:${SOLR_PORT}/solr/admin/collections?action=DELETE&name=ranger_audits"
5) Update the max retention days (ranger_audit_max_retention_days) config value in Advanced ranger-solr-configuration to 21 and restart the Ranger service.
6) Restore ranger_audits collection backup to newly created collection:
curl -X POST "http://${SOLR_HOST}:${SOLR_PORT}/solr/ranger_audits/replication?command=restore&location=/tmp"
7) To check the status of restore:
curl "http://${SOLR_HOST}:${SOLR_PORT}/solr/ranger_audits/replication?command=restorestatus"
11-09-2017
11:12 AM
Scenario: for a cluster managed by Ambari with Ranger plugins enabled, if the Ambari upgrade process fails, below are the things to consider.
1) Updating the stack_features property in the cluster-env config type
Get the current cluster-env version using the configs.sh utility:
/var/lib/ambari-server/resources/scripts/configs.sh get <AMBARI_HOST> <CLUSTER_NAME> cluster-env cluster_env.json
Open cluster_env.json and check for the "ranger_xml_configuration" feature in the stack_features property. If it is not present, add the content below and save cluster_env.json:
{\n \"name\": \"ranger_xml_configuration\",\n \"description\": \"Ranger code base support xml configurations\",\n \"min_version\": \"2.3.0.0\"\n }
Now update the latest cluster-env:
/var/lib/ambari-server/resources/scripts/configs.sh set <AMBARI_HOST> <CLUSTER_NAME> cluster-env cluster_env.json
2) Updating the Ranger URL in plugin properties
Update the "ranger.plugin.<SERVICE>.policy.rest.url" property value under the Advanced ranger.<SERVICE>.security section with the Ranger URL, i.e. http://RANGER_ADMIN_HOST:RANGER_ADMIN_PORT.
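The stack_features check from step 1 of the post above, done in code rather than by hand-editing escaped JSON; this is an added example, not part of the original post or of Ambari. It assumes the stack_features value is a JSON document stored as a string with a "stack_features" list somewhere inside it, and that cluster_env.json is either a full JSON object or the bare "properties" : {...} fragment; the function names are hypothetical.

```python
import json

# Entry from the post above, decoded from its escaped form.
RANGER_FEATURE = {
    "name": "ranger_xml_configuration",
    "description": "Ranger code base support xml configurations",
    "min_version": "2.3.0.0",
}

def find_feature_list(node):
    """Return the first list stored under a "stack_features" key, at any depth."""
    if isinstance(node, dict):
        if isinstance(node.get("stack_features"), list):
            return node["stack_features"]
        for child in node.values():
            found = find_feature_list(child)
            if found is not None:
                return found
    return None

def ensure_ranger_feature(value):
    """value: the stack_features property (JSON stored as a string).
    Returns (new_value, changed); the input is returned untouched if present."""
    doc = json.loads(value)
    features = find_feature_list(doc)
    if features is None:
        raise ValueError("no stack_features list in property value")
    if any(isinstance(f, dict) and f.get("name") == RANGER_FEATURE["name"] for f in features):
        return value, False
    features.append(dict(RANGER_FEATURE))
    return json.dumps(doc, indent=2), True

def patch_cluster_env(text):
    """Assumption: the file is a JSON object, or the bare '"properties" : {...}'
    fragment; the same form is written back."""
    try:
        cfg, fragment = json.loads(text), False
    except ValueError:
        cfg, fragment = json.loads("{" + text + "}"), True
    props = cfg["properties"]
    props["stack_features"], changed = ensure_ranger_feature(props["stack_features"])
    out = json.dumps(cfg, indent=2)
    return (out.strip()[1:-1].strip() if fragment else out), changed

if __name__ == "__main__":
    # Constructed sample, not real cluster output.
    inner = json.dumps({"stack_features": [{"name": "snappy", "min_version": "2.0.0.0"}]})
    sample = '"properties" : ' + json.dumps({"stack_features": inner})
    patched, changed = patch_cluster_env(sample)
    print("changed:", changed)
    print(patched)
```

Run it against a copy of cluster_env.json and diff the result before passing the file to configs.sh set.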
06-20-2017
05:42 AM
@nshelk, to modify a config, configs.sh utility mentioned in Modify configurations can be used. Update the read-only config and restart services/components to have the config take effect.
04-12-2017
12:51 PM
2 Kudos
Enable SSL for Ambari Infra Solr:
1) Create directory on Infra Solr node:
mkdir -p /etc/security/serverKeys
cd /etc/security/serverKeys
2) Create Infra Solr keystore:
keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -keypass bigdata -storepass bigdata -validity 9999 -keystore infra.solr.keyStore.jks -ext SAN=DNS:{solr-hostname},IP:{solr-host-ip-address} -dname "CN={solr-hostname}, OU=Ambari, O=InfraSolr, L=Location, ST=State, C=Country"
3) Update the keystore file infra.solr.keyStore.jks ownership:
chown infra-solr:hadoop infra.solr.keyStore.jks
4) Update below properties from Ambari under Ambari Infra Config Tab in Advanced infra-solr-env section:
infra_solr_ssl_enabled (Enable SSL to Infra Solr) - true
infra_solr_keystore_location (Infra Solr key store location) - /etc/security/serverKeys/infra.solr.keyStore.jks
infra_solr_keystore_type (Infra Solr key store type) - jks
infra_solr_keystore_password (Infra Solr key store password) - bigdata (Enter password given in -storepass argument while creating keystore)
Here, using the same keystore as truststore.
infra_solr_truststore_location (Infra Solr trust store location) - /etc/security/serverKeys/infra.solr.keyStore.jks
infra_solr_truststore_type (Infra Solr trust store type) - jks
infra_solr_truststore_password (Infra Solr truststore store password) - bigdata (Enter password given in -storepass argument while creating keystore)
5) (Optional, Ambari Infra Solr restart handles setting https urlScheme) Configure Infra Solr cluster properties in Zookeeper:
/usr/lib/ambari-infra-solr/server/scripts/cloud-scripts/zkcli.sh -zkhost {zookeeper-host}:2181/infra-solr -cmd clusterprop -name urlScheme -val https
6) Restart Ambari Infra Solr.
NOTE: For more detailed explanation on enabling solr in SSL refer:
Enabling SSL
Configure Ranger and Ranger Plugins:
1) Create directory on Ranger node as well on Ranger Plugin node:
mkdir -p /etc/security/serverKeys
cd /etc/security/serverKeys
2) Create solr-trust.cer file. Need to export infra.solr.keyStore.jks certificate into it:
keytool -export -keystore infra.solr.keyStore.jks -alias solr-ssl -file solr-trust.cer -storepass bigdata
3) Import Infra Solr certificate into JDK cacerts:
keytool -import -file solr-trust.cer -alias solr-trust -keystore {java_home_path}/jre/lib/security/cacerts -storepass changeit
4) Create Ranger truststore file having Infra Solr certificate:
keytool -import -file solr-trust.cer -alias solr-ranger-trust -keystore rangertruststore -storepass changeit
5) Update the ownership of Ranger truststore file and also update below properties from Ambari under Ranger service config tab in Advanced ranger-admin-site section
chown ranger:hadoop rangertruststore
Properties:
ranger.truststore.file - /etc/security/serverKeys/rangertruststore
ranger.truststore.password - changeit (Enter the password given in -storepass argument while creating truststore)
6) For Ranger Plugin import Infra Solr certificate into JDK cacerts file on the node where Ranger Plugin is enabled:
keytool -import -file solr-trust.cer -alias solr-trust -keystore {java_home_path}/jre/lib/security/cacerts -storepass changeit
7) After updating the properties, restart Ranger and the Ranger Plugin supported components.
03-22-2017
01:02 PM
1 Kudo
When the Ranger service is configured to use a custom PID file location and a custom user on HDP-2.5, the steps below need to be followed.
1) Edit the ranger-admin-services.sh script file:
This file is located at /usr/hdp/current/ranger-admin/ews/ranger-admin-services.sh and has the hard-coded default path pidf=/var/run/ranger/rangeradmin.pid.
Update the hard-coded path with the custom value specified from Ambari in the ranger_pid_dir property under the Advanced ranger-env section.
Also update the hard-coded user used for chown {pidf} with the service user's name given during installation of the Ranger service on the Misc tab in Ambari.
Update PID location:
pidf={custom_pid_path}/rangeradmin.pid
Update service user:
chown {custom_user} ${pidf}
2) Edit ranger-usersync-services.sh:
This file is located at /usr/hdp/current/ranger-usersync/ranger-usersync-services.sh. Similar changes are required to update the hard-coded PID location and the hard-coded service user for the Ranger Usersync component.
Update PID location:
pidf={custom_pid_path}/usersync.pid
Update service user:
chown {custom_user} ${pidf}
3) Start the Ranger service:
Start the service from Ambari.
03-22-2017
11:23 AM
3 Kudos
From HDP-2.5 onwards, Ranger installation with Ambari 2.4.0 supports uploading solrconfig to Zookeeper during the start of the Ranger Admin component. However, once the default solrconfig.xml is uploaded, a modified solrconfig.xml is not uploaded again on the next Ranger Admin start. To upload a modified solrconfig.xml, the manual steps below need to be followed.
1) Edit solrconfig.xml:
The Ranger solrconfig.xml is located at /usr/hdp/current/ranger-admin/contrib/solr_for_audit_setup/conf/solrconfig.xml
2) Upload the modified solrconfig.xml under the znode used by Ranger Audit:
The znode can be found in the property ranger.audit.solr.zookeepers as {zookeeper_host}:2181/znode under the Ranger Audit tab.
NOTE: If Ranger is using Ambari Infra Solr cloud, the default znode is /infra-solr; if it is using an externally managed Solr cloud, the znode is /ranger_audits.
Use the command below to upload; JAVA_HOME also needs to be exported:
export JAVA_HOME=/usr/jdk64/jdk1.8.0_77
/usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string {zookeeper_host}:2181/infra-solr --upload-config --config-dir /usr/hdp/current/ranger-admin/contrib/solr_for_audit_setup/conf --config-set ranger_audits
NOTE: For a Kerberos environment, use the --jaas-file option and provide the JAAS file path as /usr/hdp/current/ranger-admin/conf/ranger_solr_jaas.conf:
/usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string {zookeeper_host}:2181/infra-solr --upload-config --config-dir /usr/hdp/current/ranger-admin/contrib/solr_for_audit_setup/conf --config-set ranger_audits --jaas-file /usr/hdp/current/ranger-admin/conf/ranger_solr_jaas.conf
3) Restart the Solr service:
If using Ambari Infra, restart the Ambari Infra service from Ambari.
NOTE: Using Ambari with HDP-2.6, solrconfig.xml can be modified from the Ambari UI, as it is exposed under the Ranger Service Config tab. It is found under Advanced ranger-solr-configuration in the content property entry, labelled solr-config template. Restart the Ranger Admin component after saving the modified solrconfig to get it uploaded under the znode.
01-20-2017
10:59 AM
1 Kudo
For Ranger 0.5 version:
https://cwiki.apache.org/confluence/display/RANGER/Apache+Ranger+0.5+-+User+Guide#ApacheRanger0.5-UserGuide-HDFS
https://cwiki.apache.org/confluence/display/RANGER/Apache+Ranger+0.5.0+Installation#ApacheRanger0.5.0Installation-EnablingRangerHDFSPlugins