Configuration to plug Indexima with Ranger
Ranger is a framework to enable, monitor, and manage comprehensive data security across the Hadoop platform.
Set up an Indexima CLUSTER
Deploy the jar files
Download the packaged Ranger plug-in available here. Choose the plug-in version that matches the Indexima version you are currently running.
- if you're installing on HDP 2, choose the following driver: indexima-installer-ranger-VERSION_NUMBER.zip
- if you're installing on HDP 3.1, choose the following driver: indexima-installer-ranger-hdp3-VERSION_NUMBER.zip
Unzip it in the INDEXIMA MASTER destination. This package contains the following files:

| Directory (under galactica) | File | Note |
|---|---|---|
| conf | galactica.conf.template | |
| | ranger.indexima.audit.xml.template | |
| | ranger.indexima.security.xml.template | |
| lib | galactica-plugin-ranger-client-0.0.1.jar | |
| | httpmime-4.5.6.jar | |
| | noggit-0.8.jar | |
| | ranger-plugins-audit-0.7.0.jar | |
| | ranger-plugins-common-0.7.0.jar | used for rule synchronization (every 30 sec) |
| plug-in | galactica-plugin-ranger-server-0.0.1.tar.gz | |
Make sure your distribution has the following libraries installed in the galactica/lib directory:
- galactica-plugin-ranger-client-0.0.1.jar
- httpmime-4.5.6.jar
- noggit-0.8.jar
- ranger-plugins-audit-0.7.0.jar
- ranger-plugins-common-0.7.0.jar
and the following files in the galactica root directory:
- galactica.conf.template
- ranger.indexima.audit.xml.template
- ranger.indexima.security.xml.template
Parameter
On this page, we use the parameter <Ranger_Service_Name>. In most cases, an administrator would choose the value indexima.
Adapt Indexima's Configuration
Ranger Plugin usage by the engine
Modify your conf/galactica.conf with the following properties:
galactica.conf
# parameters for Ranger plugin
privilege.driver.name=io.galactica.ranger.client.RangerIndeximaDriver
# The Ranger GUI will use the following parameters to display the service name
privilege.driver.property.servicetype=<Ranger_Service_Name>
privilege.driver.property.appid=<Ranger_Service_Name>
Ranger Plugin usage within the Hadoop cluster
Modify your conf/galactica.conf with the following properties:
galactica.conf
# Add the system user that runs the Indexima process to the Indexima admin role
users.in.admin.role=Indexima_Process_User
Connecting to the Ranger server
Copy the templates and adapt the file names
Enable the connection with the Ranger server by editing the file conf/ranger-indexima-security.xml. First create the files from their templates, naming them after your <Ranger_Service_Name>:
cp ranger.indexima.audit.xml.template ranger.<Ranger_Service_Name>.audit.xml
cp ranger.indexima.security.xml.template ranger.<Ranger_Service_Name>.security.xml
Configure ranger-indexima-security.xml
Set the following property in ranger-indexima-security.xml so that it points to your Ranger server.
URL to Ranger Admin
ranger-indexima-security.xml
<property>
<name>ranger.plugin.indexima.policy.rest.url</name>
<value>http://localhost:6080</value>
<description>URL to Ranger Admin</description>
</property>
Service name & misc
ranger-indexima-security.xml
<property>
<name>ranger.plugin.<Ranger_Service_Name>.service.name</name>
<value>indexima</value>
<description>Name of the Ranger service containing policies for this YARN instance</description>
</property>
<property>
<name>ranger.plugin.indexima.policy.cache.dir</name>
<value>./policycache</value>
<description>Directory where Ranger policies are cached after successful retrieval from the source</description>
</property>
<property>
<name>ranger.plugin.indexima.policy.pollIntervalMs</name>
<value>30000</value>
<description> How often to poll for changes in policies? </description>
</property>
| Parameter name | Description |
|---|---|
| ranger.plugin.indexima.policy.cache.dir | Directory where the retrieved Ranger rules are kept persistently. |
| ranger.plugin.indexima.service.name | Name of the Ranger service; indexima by default. |
Additional setup for connecting a Standalone Indexima cluster to a Ranger in a Hadoop environment
Connection to an SSL secured Ranger in a Kerberised environment
Prerequisites
You need to have a Kerberos environment configured on your machine.
Firewall rules must allow traffic between the Ranger server machine and the Indexima cluster.
Configure ranger-indexima-security.xml
A template file ranger-indexima-security.xml.template is provided with the plug-in.
You need to specify the location of your Ranger server (property ranger.plugin.indexima.policy.rest.url).
Configure ranger-policy-mgr-ssl.xml
If your Ranger server is configured with SSL, you will need to provide a ranger-policy-mgr-ssl.xml with the client keystore and truststore used to reach Ranger Admin:
ranger-policy-mgr-ssl.xml
<configuration>
<property>
<name>xasecure.policymgr.clientssl.keystore</name>
<value>...<your-path-here>.../rangerssl/ranger-plugin-keystore.jks</value>
</property>
<property>
<name>xasecure.policymgr.clientssl.keystore.credential.file</name>
<value>jceks://file/...<your-path-here>.../rangerssl/client.jceks</value>
</property>
<property>
<name>xasecure.policymgr.clientssl.keystore.password</name>
<value>PASSWORD</value>
</property>
<property>
<name>xasecure.policymgr.clientssl.truststore</name>
<value>...<your-path-here>.../rangerssl/ranger-plugin-truststore.jks</value>
</property>
<property>
<name>xasecure.policymgr.clientssl.truststore.credential.file</name>
<value>jceks://file/...<your-path-here>.../rangerssl/trust.jceks</value>
</property>
<property>
<name>xasecure.policymgr.clientssl.truststore.password</name>
<value>PASSWORD</value>
</property>
</configuration>
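The two XML files configured above (ranger.<Ranger_Service_Name>.security.xml and ranger-policy-mgr-ssl.xml) are only read when the Indexima node starts, so a template placeholder left in place or a mismatch between them (an https Ranger Admin URL without a client keystore, a plain-http URL next to an SSL keystore) only shows up as a failed policy download. The following pre-flight checker is an added example, not part of the Indexima or Ranger distributions: it parses the Hadoop-style `<configuration>`/`<property>` layout both files use, verifies the property names shown on this page, and cross-checks the two files. Hostnames, ports and paths in the embedded samples are constructed.

```python
"""Pre-flight checks for the Ranger plugin configuration files described above.

Added example; not part of the Indexima or Ranger distributions. Reads the
Hadoop-style <configuration>/<property> XML used by ranger.<service>.security.xml
and ranger-policy-mgr-ssl.xml and reports template leftovers, missing properties
and mismatches between the two files. Hostnames and paths in the samples are
constructed; the property names are the ones shown on this page.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Template placeholders that must be replaced before the plugin can load the file.
PLACEHOLDERS = ("<Ranger_Service_Name>", "<your-path-here>", "PASSWORD")

# {svc} is the Ranger service type (privilege.driver.property.servicetype).
REQUIRED_SECURITY = (
    "ranger.plugin.{svc}.policy.rest.url",
    "ranger.plugin.{svc}.service.name",
    "ranger.plugin.{svc}.policy.cache.dir",
    "ranger.plugin.{svc}.policy.pollIntervalMs",
)
REQUIRED_SSL = (
    "xasecure.policymgr.clientssl.keystore",
    "xasecure.policymgr.clientssl.truststore",
)


def parse_properties(xml_text: str) -> dict[str, str]:
    """Return {name: value} for every <property> in a Hadoop-style config file."""
    props: dict[str, str] = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def find_placeholders(xml_text: str) -> list[str]:
    # Checked on the raw text: an unreplaced <Ranger_Service_Name> or
    # <your-path-here> is an unclosed tag, so the file is not well-formed XML.
    return [f"unresolved placeholder {ph!r}" for ph in PLACEHOLDERS if ph in xml_text]


def check_plugin_config(security_xml: str, ssl_xml: str | None = None,
                        svc: str = "indexima") -> list[str]:
    """Return a list of findings; an empty list means the files look deployable."""
    findings = find_placeholders(security_xml) + find_placeholders(ssl_xml or "")
    if findings:
        return findings

    sec = parse_properties(security_xml)
    for key in (k.format(svc=svc) for k in REQUIRED_SECURITY):
        if not sec.get(key):
            findings.append(f"missing or empty {key}")

    url = sec.get(f"ranger.plugin.{svc}.policy.rest.url", "")
    scheme = urlparse(url).scheme
    if url and scheme not in ("http", "https"):
        findings.append(f"policy.rest.url is not an http(s) URL: {url!r}")

    poll = sec.get(f"ranger.plugin.{svc}.policy.pollIntervalMs", "")
    if poll and (not poll.isdigit() or int(poll) <= 0):
        findings.append(f"policy.pollIntervalMs must be a positive integer, got {poll!r}")

    # Cross-checks between the security file and the SSL client file.
    if scheme == "https" and ssl_xml is None:
        findings.append("https Ranger Admin URL but no ranger-policy-mgr-ssl.xml supplied")
    if ssl_xml is not None:
        ssl = parse_properties(ssl_xml)
        for key in REQUIRED_SSL:
            if not ssl.get(key):
                findings.append(f"missing or empty {key}")
        for name, value in ssl.items():
            if name.endswith(".password") and value:
                findings.append(f"{name} keeps a password in clear text in the config file")
        if scheme == "http":
            findings.append("SSL client keystore configured but policy.rest.url is plain http")
    return findings


# Constructed samples: a correctly edited pair of files and an untouched template line.
GOOD_SECURITY = """<configuration>
  <property><name>ranger.plugin.indexima.policy.rest.url</name>
            <value>https://ranger.example.internal:6182</value></property>
  <property><name>ranger.plugin.indexima.service.name</name><value>indexima</value></property>
  <property><name>ranger.plugin.indexima.policy.cache.dir</name><value>./policycache</value></property>
  <property><name>ranger.plugin.indexima.policy.pollIntervalMs</name><value>30000</value></property>
</configuration>"""

GOOD_SSL = """<configuration>
  <property><name>xasecure.policymgr.clientssl.keystore</name>
            <value>/etc/indexima/rangerssl/ranger-plugin-keystore.jks</value></property>
  <property><name>xasecure.policymgr.clientssl.keystore.credential.file</name>
            <value>jceks://file/etc/indexima/rangerssl/client.jceks</value></property>
  <property><name>xasecure.policymgr.clientssl.truststore</name>
            <value>/etc/indexima/rangerssl/ranger-plugin-truststore.jks</value></property>
  <property><name>xasecure.policymgr.clientssl.truststore.credential.file</name>
            <value>jceks://file/etc/indexima/rangerssl/trust.jceks</value></property>
</configuration>"""

TEMPLATE_SECURITY = """<configuration>
  <property><name>ranger.plugin.<Ranger_Service_Name>.service.name</name><value>indexima</value></property>
</configuration>"""

if __name__ == "__main__":
    print("edited  :", check_plugin_config(GOOD_SECURITY, GOOD_SSL) or "OK")
    print("template:", check_plugin_config(TEMPLATE_SECURITY))
```

Run it against your own files with `check_plugin_config(open(sec).read(), open(ssl).read(), svc=<Ranger_Service_Name>)`; the placeholder scan deliberately runs on the raw text before parsing, because a leftover `<your-path-here>` makes the file unparseable and the XML error alone does not tell an operator what to fix.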
start-node.sh configuration
Configure start-node.sh so that the JVM uses jaas.conf (the debug option is not mandatory):
NODESERVER_JVM_OPTIONS="-Dsun.security.krb5.debug=true -Djava.security.auth.login.config=./conf/jaas.conf"
jaas.conf configuration
Add or modify the following parameters in both login entries:
- required principal
- keyTab
com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="XXX@YOUR_DOMAIN.COM"
    keyTab="/path/XXX.keytab"
    useKeyTab=true
    storeKey=true
    debug=true;
};
com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="XXX@YOUR_DOMAIN.COM"
    keyTab="/path/XXX.keytab"
    useKeyTab=true
    storeKey=true
    debug=true;
};
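The jaas.conf above hands the Indexima process a long-lived credential: whoever can read the keytab can authenticate as that principal to Ranger and to everything else in the realm. The checker below is an added example, not part of Indexima; it parses the JAAS entry syntax shown above (`name { module flag option=value ...; };`), confirms both initiate entries use Krb5LoginModule with `useKeyTab=true`, a real principal and a real keytab path, and then checks that the keytab exists and is not readable by group or others. Principal names and file paths in the embedded samples are constructed, and `demo()` creates empty stand-in keytab files in a temporary directory.

```python
"""Pre-flight check for the jaas.conf that start-node.sh passes to the JVM.

Added example, not part of Indexima. Parses the JAAS login configuration
shown above, verifies the two initiate entries the page lists, and checks
that the keytab each one names exists and is readable only by its owner.
Principal names and paths in the samples are constructed.
"""
from __future__ import annotations

import os
import re
import stat
import tempfile

# Both entries the page adds to jaas.conf.
REQUIRED_ENTRIES = ("com.sun.security.jgss.initiate", "com.sun.security.jgss.krb5.initiate")
KRB5_MODULE = "com.sun.security.auth.module.Krb5LoginModule"

# entry-name { module flag option=value ... ; };
ENTRY_RE = re.compile(r"([\w.]+)\s*\{\s*(.*?)\s*;\s*\}\s*;", re.DOTALL)
OPTION_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|(\S+))')


def parse_jaas(text: str) -> dict[str, dict]:
    """Return {entry name: {"module", "flag", "options"}} for each JAAS entry."""
    entries: dict[str, dict] = {}
    for name, body in ENTRY_RE.findall(text):
        parts = body.split(None, 2)  # module class, control flag, option list
        module = parts[0]
        flag = parts[1] if len(parts) > 1 else ""
        # findall yields (key, quoted value, unquoted value); one of the two is "".
        options = {k: q or u for k, q, u in OPTION_RE.findall(parts[2] if len(parts) > 2 else "")}
        entries[name] = {"module": module, "flag": flag, "options": options}
    return entries


def check_jaas(text: str) -> list[str]:
    """Return findings for the jaas.conf text; empty list means it looks deployable."""
    findings: list[str] = []
    entries = parse_jaas(text)
    for name in REQUIRED_ENTRIES:
        entry = entries.get(name)
        if entry is None:
            findings.append(f"missing entry {name}")
            continue
        opts = entry["options"]
        if entry["module"] != KRB5_MODULE or entry["flag"] != "required":
            findings.append(f"{name}: expected '{KRB5_MODULE} required'")
        principal = opts.get("principal", "")
        if "@" not in principal or principal.startswith("XXX"):
            findings.append(f"{name}: principal is not a real user@REALM ({principal!r})")
        if opts.get("useKeyTab") != "true":
            findings.append(f"{name}: useKeyTab must be true for an unattended service")
        keytab = opts.get("keyTab", "")
        if not keytab or keytab.startswith("/path/"):
            findings.append(f"{name}: keyTab placeholder not replaced ({keytab!r})")
        elif not os.path.isfile(keytab):
            findings.append(f"{name}: keytab file {keytab} does not exist")
        elif os.stat(keytab).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{name}: keytab {keytab} is readable by group or others")
    return findings


def demo() -> dict[str, list[str]]:
    """Check three constructed jaas.conf variants; returns {label: findings}."""
    def jaas(principal: str, keytab: str) -> str:
        entry = ('%s {\n  %s required\n  principal="%s"\n  keyTab="%s"\n'
                 '  useKeyTab=true\n  storeKey=true\n  debug=true;\n};\n')
        return "".join(entry % (e, KRB5_MODULE, principal, keytab) for e in REQUIRED_ENTRIES)

    with tempfile.TemporaryDirectory() as tmp:
        tight = os.path.join(tmp, "indexima.keytab")  # constructed, empty stand-in files
        loose = os.path.join(tmp, "loose.keytab")
        for path, mode in ((tight, 0o600), (loose, 0o644)):
            open(path, "wb").close()
            os.chmod(path, mode)
        principal = "indexima/node1.example.internal@EXAMPLE.COM"  # constructed
        return {
            "good": check_jaas(jaas(principal, tight)),
            "loose_keytab": check_jaas(jaas(principal, loose)),
            "template": check_jaas(jaas("XXX@YOUR_DOMAIN.COM", "/path/XXX.keytab")),
        }


if __name__ == "__main__":
    for label, findings in demo().items():
        print(f"{label:13}", findings or "OK")
```

For a deployed node, call `check_jaas(open("conf/jaas.conf").read())` as the Indexima process user, since the existence and mode checks are evaluated with that user's view of the filesystem.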