Configuring Security for Ranger

Describes how to configure security for Ranger.

Configuring Encryption

Optionally, you can configure parameters that are used to encrypt passwords for Ranger internal use cases:
#Encryption
password_encryption_key=
password_salt=f77aLYLo
password_iteration_count=1000
password_encryption_algorithm=PBEWithHmacSHA512AndAES_128

Note that the password_encryption_key is empty by default. If you do not explicitly set the password_encryption_key, Ranger generates a key automatically. If reconfiguration using setup.sh is needed later, Ranger uses the generated key, and no user interaction is needed.
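The algorithm named above, PBEWithHmacSHA512AndAES_128, is a PKCS#5 PBES2 scheme: the key that actually encrypts the stored passwords is not the configured password_encryption_key itself but a 128-bit AES key derived from it with PBKDF2-HMAC-SHA512, using password_salt and password_iteration_count as the KDF inputs. The following added example (not Ranger's own code) writes that derivation out step by step and checks it against the standard library, so you can see how each of the three settings affects the resulting key; the AES encryption step itself is not shown, and the password value is a constructed sample.

```python
import hashlib
import hmac

# Salt and iteration count are the values from the #Encryption block above.
PASSWORD_SALT = b"f77aLYLo"
PASSWORD_ITERATION_COUNT = 1000
AES_128_KEY_LEN = 16  # PBEWithHmacSHA512AndAES_128 derives a 128-bit AES key


def pbkdf2_hmac_sha512(password: bytes, salt: bytes, iterations: int, dklen: int) -> bytes:
    """PBKDF2 (RFC 8018 section 5.2) with HMAC-SHA512 as the PRF, written out
    block by block so the roles of the salt and the iteration count are visible."""
    hlen = hashlib.sha512().digest_size  # 64 bytes per output block
    out = b""
    for block_index in range(1, -(-dklen // hlen) + 1):
        # U_1 = PRF(P, S || INT(i)); T_i = U_1 xor U_2 xor ... xor U_c
        u = hmac.new(password, salt + block_index.to_bytes(4, "big"), hashlib.sha512).digest()
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha512).digest()
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(hlen, "big")
    return out[:dklen]


def derive_ranger_aes_key(password_encryption_key: str,
                          salt: bytes = PASSWORD_SALT,
                          iterations: int = PASSWORD_ITERATION_COUNT) -> bytes:
    """Derive the 128-bit key the PBES2 scheme would use from the configured
    password_encryption_key, password_salt and password_iteration_count."""
    return pbkdf2_hmac_sha512(password_encryption_key.encode("utf-8"),
                              salt, iterations, AES_128_KEY_LEN)


def matches_stdlib(password: bytes, salt: bytes, iterations: int, dklen: int) -> bool:
    """Self-check: the hand-written PBKDF2 must agree with hashlib.pbkdf2_hmac."""
    return pbkdf2_hmac_sha512(password, salt, iterations, dklen) == \
        hashlib.pbkdf2_hmac("sha512", password, salt, iterations, dklen)


if __name__ == "__main__":
    # Constructed sample value, not a real password_encryption_key.
    key = derive_ranger_aes_key("example-key-not-for-production")
    print(key.hex())
```

Two things the code makes concrete: the derived key is fully determined by the password, the salt and the iteration count, so two installations that keep the documented default salt and happen to share a password_encryption_key derive the same AES key; and raising password_iteration_count multiplies the HMAC work per derivation, which is what slows down offline guessing of the key if the encrypted values are ever exposed.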

Configuring SSL over DB

The following settings are SSL over DB related:
#SSL config
db_ssl_enabled=false
db_ssl_required=false
db_ssl_verifyServerCertificate=false
#db_ssl_auth_type=1-way|2-way, where 1-way represents standard one way ssl authentication and 2-way represents mutual ssl authentication
db_ssl_auth_type=2-way
javax_net_ssl_keyStore=
javax_net_ssl_keyStorePassword=
javax_net_ssl_trustStore=
javax_net_ssl_trustStorePassword=
javax_net_ssl_trustStore_type=jks
javax_net_ssl_keyStore_type=jks

mysql_enabled_tls_protocols=TLSv1.2

Configuring SSL Security

In a secure cluster, Ranger configures SSL by default using the EEP-specific key store, and the Ranger Admin UI runs on https://<hostname>:6182. In a non-secure cluster, the Ranger Admin UI runs on http://<hostname>:6080.

To override the default SSL configuration, you can use either of the following options:
  • Public CA Certificates
  • Self-Signed Certificate

The two options differ in only one step: if you use a self-signed certificate, you must first create the certificate, as described in step 2.

SSL Configuration for Services
  1. If Ranger is configured and running, stop the Ranger services on each node:
    maprcli node services -name ranger-admin -action stop -nodes `hostname`
    maprcli node services -name ranger-usersync -action stop -nodes `hostname`
  2. If using the self-signed option, create the self-signed certificates. For example, to create the Admin keystore:
    keytool -genkey -keyalg RSA -alias rangeradmin -keystore ranger-admin-keystore.jks -storepass xasecure -validity 360 -keysize 2048
    chmod 400 ranger-admin-keystore.jks
    To create the Usersync trust store:
    keytool -export -keystore ranger-admin-keystore.jks -alias rangeradmin -file ranger-admin-trust.cer 
    chown mapr:mapr ranger-admin-trust.cer
    keytool -import -file ranger-admin-trust.cer -alias rangeradmintrust -keystore mytruststore.jks -storepass changeit
    chown mapr:mapr mytruststore.jks
  3. Modify the Ranger Admin install.properties file as follows:
    policymgr_external_url=https://FQDN:6182
    policymgr_http_enabled=false
    policymgr_https_keystore_file=/path/to/ranger-admin-keystore.jks
    policymgr_https_keystore_keyalias=rangeradmin
    policymgr_https_keystore_password=xasecure
  4. Modify the Ranger Usersync install.properties file as follows:
    # SSL Authentication
    AUTH_SSL_ENABLED=true
    AUTH_SSL_KEYSTORE_FILE=/etc/ranger/usersync/conf/cert/unixauthservice.jks
    AUTH_SSL_KEYSTORE_PASSWORD=UnIx529p
    AUTH_SSL_TRUSTSTORE_FILE=/path/to/mytruststore.jks
    AUTH_SSL_TRUSTSTORE_PASSWORD=changeit
  5. Run the Ranger Admin setup.sh script to configure the new options:
    sudo /opt/mapr/ranger/ranger-<version>/ranger-admin/setup.sh
  6. If Ranger is already configured, restart the services; otherwise, run configure.sh once the full configuration is complete:
    maprcli node services -name ranger-admin -action start -nodes `hostname`
    maprcli node services -name ranger-usersync -action start -nodes `hostname`
SSL Configuration for Plug-ins
  1. Add the certificates that you specified for the services into the install.properties file of the corresponding plug-in as follows:
    SSL_KEYSTORE_FILE_PATH=/path/to/ranger-admin-keystore.jks
    SSL_KEYSTORE_PASSWORD=xasecure
    SSL_TRUSTSTORE_FILE_PATH=/path/to/mytruststore.jks
    SSL_TRUSTSTORE_PASSWORD=changeit
  2. Run the script for the plug-in:
    enable-<component>-plugin.sh
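Several of the settings in the "Configuring SSL over DB" section and in the Ranger Admin install.properties above only protect anything when they are set together (for example, db_ssl_enabled=true with db_ssl_verifyServerCertificate=false still accepts any certificate the database presents, and a 2-way auth type with an empty javax_net_ssl_keyStore cannot present a client certificate). The following added example, which is not part of Ranger or of this documentation, reads an install.properties fragment and reports such inconsistent or weak combinations; the sample properties it embeds are constructed from the defaults shown on this page, and the host name in them is a placeholder.

```python
# Constructed sample mirroring the defaults shown on this page (not a real cluster).
SAMPLE_DEFAULTS = """
#SSL config
db_ssl_enabled=false
db_ssl_required=false
db_ssl_verifyServerCertificate=false
db_ssl_auth_type=2-way
javax_net_ssl_keyStore=
javax_net_ssl_trustStore=
mysql_enabled_tls_protocols=TLSv1.2
policymgr_external_url=http://ranger.example.invalid:6080
policymgr_http_enabled=true
policymgr_https_keystore_file=
"""

# Constructed hardened counterpart: every check below should pass on it.
SAMPLE_HARDENED = """
db_ssl_enabled=true
db_ssl_required=true
db_ssl_verifyServerCertificate=true
db_ssl_auth_type=2-way
javax_net_ssl_keyStore=/path/to/ranger-db-keystore.jks
javax_net_ssl_trustStore=/path/to/mytruststore.jks
mysql_enabled_tls_protocols=TLSv1.2
policymgr_external_url=https://ranger.example.invalid:6182
policymgr_http_enabled=false
policymgr_https_keystore_file=/path/to/ranger-admin-keystore.jks
"""


def parse_properties(text: str) -> dict:
    """Minimal Java-style .properties reader: key=value lines, '#' comments, blanks."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def is_true(props: dict, key: str) -> bool:
    return props.get(key, "false").lower() == "true"


def lint_ranger_ssl(props: dict) -> list:
    """Return a list of human-readable findings; an empty list means no weak combination was seen."""
    findings = []
    # Database connection: db_ssl_* and javax_net_ssl_* keys.
    if not is_true(props, "db_ssl_enabled"):
        findings.append("db_ssl_enabled=false: Ranger Admin talks to its database without TLS")
    else:
        if not is_true(props, "db_ssl_required"):
            findings.append("db_ssl_required=false: the driver may fall back to a non-TLS connection")
        if not is_true(props, "db_ssl_verifyServerCertificate"):
            findings.append("db_ssl_verifyServerCertificate=false: the database server's identity is not checked")
        elif not props.get("javax_net_ssl_trustStore"):
            findings.append("javax_net_ssl_trustStore is empty although server certificate verification is on")
        if props.get("db_ssl_auth_type") == "2-way" and not props.get("javax_net_ssl_keyStore"):
            findings.append("db_ssl_auth_type=2-way but javax_net_ssl_keyStore is empty: no client certificate to present")
    protocols = [p.strip() for p in props.get("mysql_enabled_tls_protocols", "").split(",") if p.strip()]
    legacy = [p for p in protocols if p not in ("TLSv1.2", "TLSv1.3")]
    if legacy:
        findings.append("mysql_enabled_tls_protocols allows legacy protocol(s): " + ", ".join(legacy))
    # Ranger Admin listener: policymgr_* keys.
    if is_true(props, "policymgr_http_enabled"):
        findings.append("policymgr_http_enabled=true: Ranger Admin still accepts plain HTTP")
    elif not props.get("policymgr_https_keystore_file"):
        findings.append("HTTPS-only mode but policymgr_https_keystore_file is empty")
    url = props.get("policymgr_external_url", "")
    if url and not url.lower().startswith("https://"):
        findings.append("policymgr_external_url is not https: " + url)
    return findings


if __name__ == "__main__":
    for name, text in (("defaults", SAMPLE_DEFAULTS), ("hardened", SAMPLE_HARDENED)):
        print(name + ":")
        for finding in lint_ranger_ssl(parse_properties(text)) or ["no findings"]:
            print("  - " + finding)
```

Run it against a copy of the real install.properties before step 5 (setup.sh) rather than after: the script only reads the file, and catching an empty trust store or a leftover policymgr_http_enabled=true there is cheaper than discovering it from a plug-in that cannot reach the Admin service.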

Configuring the Security Type

In releases 7.2.0 and later, you can use a security type property to specify the authentication between Ranger and the HPE Ezmeral Data Fabric. This property determines the authentication protocol used by the Ranger Admin service. You can set the security type in the install.properties file or in the ranger-admin-site.xml file.

  If you set the security type in this file...   Use this property name
  install.properties                             security_type
  site.xml                                       ranger.security.type

Possible values for the property are:

  Value      Description
  none       The Ranger Admin runs in non-secure mode, and no authentication is required for API calls.
  maprsasl   The Ranger Admin uses Data Fabric SASL authentication.
  kerberos   The Ranger Admin uses Kerberos authentication.

If a value is not specified, Ranger uses the value found in mapr-clusters.conf.