Blueprint support for Ranger
Starting from HDP2.3 Ranger can be deployed using Blueprints in two ways either using stack advisor or setting all the needed properties in the Blueprint.
Deploy Ranger with the use of stack advisor
Stack advisor makes simple the deployment of Ranger as it sets automatically the needed properties thus the user has to provided only a minimal set of configurations. The configurations properties that must be provided in either the Blueprint or cluster creation template are:
admin-properties:
DB_FLAVOR - the default is MYSQL. No need to provide this if MYSQL is to be used the database server for Ranger databases. Consult Ranger documentation for supported database servers. Also ensure the ambari-server has the appropriate jdbc driver installed for the selected database server type (e.g.: ambari-server setup --jdbc-driver)
db_host - set the host:port of the database server that Ranger Admin will use
db_root_user - the db user with root access that will be used during deployment to create the databases used by Ranger. By default root is used if this property is not specified.
db_root_password - the password for root user
db_password - the password that will be used access the Ranger database
audit_db_password - the password that will be used to access the Ranger Audit db
ranger-env
ranger_admin_password - this is the Ambari user password created for creating repositories and policies in Ranger Admin for each plugin
ranger-yarn-plugin-enabled - Enable/Disable YARN Ranger plugin. The default is Disable.
ranger-hdfs-plugin-enabled - Enable/Disable HDFS Ranger plugin. The default is Disable.
ranger-hbase-plugin-enabled -Enable/Disable HBase Ranger plugin. The default is Disable.
... - check Ranger documentation for the list of supported ranger plugins
kms-properties
DB_FLAVOR - the default is MYSQL. No need to provide this if MYSQL is to be used the database server for Ranger databases. Consult Ranger KMS documentation for supported database servers. Also ensure the ambari-server has the appropriate jdbc driver installed for the selected database server type (e.g.: ambari-server setup --jdbc-driver)
SQL_CONNECTOR_JAR - the default is /usr/share/java/mysql-connector-java.jar
KMS_MASTER_KEY_PASSWD
db_host - the host:port of the database server that Ranger KMS will use
db_root_user - the db user with root access that will be used during deployment to create the databases used by Ranger KMS. By default root is used if this property is not specified.
db_root_password - database password for root user
db_password - database password for the Ranger KMS schema
hadoop-env
- keyserver_port - Port number where Key Management Server is available
- keyserver_host - Hostnames where Key Management Server is installed
Deploy Ranger without the use of stack advisor
Without stack advisor all the configs related to Ranger, Ranger KMS and ranger plugins that don't have default values must be set in the Blueprint or cluster creation template. Consult Ranger and ranger plugin plugins documentation for all properties.
An example of such Blueprint where everything is set manually (note that this just covers a subset of currently supported configuration properties and ranger plugins):
{
"configurations" : [
{
"admin-properties" : {
"properties_attributes" : { },
"properties" : {
"DB_FLAVOR" : "MYSQL",
"audit_db_name" : "ranger_audit",
"db_name" : "ranger",
"audit_db_user" : "rangerlogger",
"SQL_CONNECTOR_JAR" : "/usr/share/java/mysql-connector-java.jar",
"db_user" : "rangeradmin",
"policymgr_external_url" : "http://%HOSTGROUP::host_group_1%:6080",
"db_host" : "172.17.0.9:3306",
"db_root_user" : "root"
}
}
},
{
"ranger-kms-security" : {
"properties_attributes" : { },
"properties" : {
"ranger.plugin.kms.policy.source.impl" : "org.apache.ranger.admin.client.RangerAdminRESTClient",
"ranger.plugin.kms.service.name" : "{{repo_name}}",
"ranger.plugin.kms.policy.rest.url" : "{{policymgr_mgr_url}}"
}
}
},
{
"kms-site" : {
"properties_attributes" : { },
"properties" : {
"hadoop.kms.security.authorization.manager" : "org.apache.ranger.authorization.kms.authorizer.RangerKmsAuthorizer",
"hadoop.kms.key.provider.uri" : "dbks://http@localhost:9292/kms"
}
}
},
{
"ranger-hdfs-plugin-properties" : {
"properties_attributes" : { },
"properties" : {
"REPOSITORY_CONFIG_USERNAME" : "hadoop",
"ranger-hdfs-plugin-enabled" : "Yes",
"common.name.for.certificate" : "",
"policy_user" : "ambari-qa",
"hadoop.rpc.protection" : ""
}
}
},
{
"ranger-admin-site" : {
"properties_attributes" : { },
"properties" : {
"ranger.ldap.group.searchfilter" : "{{ranger_ug_ldap_group_searchfilter}}",
"ranger.ldap.group.searchbase" : "{{ranger_ug_ldap_group_searchbase}}",
"ranger.sso.enabled" : "false",
"ranger.externalurl" : "{{ranger_external_url}}",
"ranger.sso.browser.useragent" : "Mozilla,chrome",
"ranger.service.https.attrib.ssl.enabled" : "false",
"ranger.ldap.ad.referral" : "ignore",
"ranger.jpa.jdbc.url" : "jdbc:mysql://172.17.0.9:3306/ranger",
"ranger.https.attrib.keystore.file" : "/etc/ranger/admin/conf/ranger-admin-keystore.jks",
"ranger.ldap.user.searchfilter" : "{{ranger_ug_ldap_user_searchfilter}}",
"ranger.jpa.jdbc.driver" : "com.mysql.jdbc.Driver",
"ranger.authentication.method" : "UNIX",
"ranger.service.host" : "{{ranger_host}}",
"ranger.jpa.audit.jdbc.user" : "{{ranger_audit_db_user}}",
"ranger.ldap.referral" : "ignore",
"ranger.jpa.audit.jdbc.credential.alias" : "rangeraudit",
"ranger.service.https.attrib.keystore.pass" : "SECRET:ranger-admin-site:2:ranger.service.https.attrib.keystore.pass",
"ranger.audit.solr.username" : "ranger_solr",
"ranger.sso.query.param.originalurl" : "originalUrl",
"ranger.service.http.enabled" : "true",
"ranger.audit.source.type" : "solr",
"ranger.ldap.url" : "{{ranger_ug_ldap_url}}",
"ranger.service.https.attrib.clientAuth" : "want",
"ranger.ldap.ad.domain" : "",
"ranger.ldap.ad.bind.dn" : "{{ranger_ug_ldap_bind_dn}}",
"ranger.credential.provider.path" : "/etc/ranger/admin/rangeradmin.jceks",
"ranger.jpa.audit.jdbc.driver" : "{{ranger_jdbc_driver}}",
"ranger.audit.solr.urls" : "",
"ranger.sso.publicKey" : "",
"ranger.ldap.bind.dn" : "{{ranger_ug_ldap_bind_dn}}",
"ranger.unixauth.service.port" : "5151",
"ranger.ldap.group.roleattribute" : "cn",
"ranger.jpa.jdbc.dialect" : "{{jdbc_dialect}}",
"ranger.sso.cookiename" : "hadoop-jwt",
"ranger.service.https.attrib.keystore.keyalias" : "rangeradmin",
"ranger.audit.solr.zookeepers" : "NONE",
"ranger.jpa.jdbc.user" : "{{ranger_db_user}}",
"ranger.jpa.jdbc.credential.alias" : "rangeradmin",
"ranger.ldap.ad.user.searchfilter" : "{{ranger_ug_ldap_user_searchfilter}}",
"ranger.ldap.user.dnpattern" : "uid={0},ou=users,dc=xasecure,dc=net",
"ranger.ldap.base.dn" : "dc=example,dc=com",
"ranger.service.http.port" : "6080",
"ranger.jpa.audit.jdbc.url" : "{{audit_jdbc_url}}",
"ranger.service.https.port" : "6182",
"ranger.sso.providerurl" : "",
"ranger.ldap.ad.url" : "{{ranger_ug_ldap_url}}",
"ranger.jpa.audit.jdbc.dialect" : "{{jdbc_dialect}}",
"ranger.unixauth.remote.login.enabled" : "true",
"ranger.ldap.ad.base.dn" : "dc=example,dc=com",
"ranger.unixauth.service.hostname" : "{{ugsync_host}}"
}
}
},
{
"dbks-site" : {
"properties_attributes" : { },
"properties" : {
"ranger.ks.jpa.jdbc.url" : "jdbc:mysql://172.17.0.9:3306/rangerkms",
"hadoop.kms.blacklist.DECRYPT_EEK" : "hdfs",
"ranger.ks.jpa.jdbc.dialect" : "{{jdbc_dialect}}",
"ranger.ks.jdbc.sqlconnectorjar" : "{{ews_lib_jar_path}}",
"ranger.ks.jpa.jdbc.user" : "{{db_user}}",
"ranger.ks.jpa.jdbc.credential.alias" : "ranger.ks.jdbc.password",
"ranger.ks.jpa.jdbc.credential.provider.path" : "/etc/ranger/kms/rangerkms.jceks",
"ranger.ks.masterkey.credential.alias" : "ranger.ks.masterkey.password",
"ranger.ks.jpa.jdbc.driver" : "com.mysql.jdbc.Driver"
}
}
},
{
"kms-env" : {
"properties_attributes" : { },
"properties" : {
"kms_log_dir" : "/var/log/ranger/kms",
"create_db_user" : "true",
"kms_group" : "kms",
"kms_user" : "kms",
"kms_port" : "9292"
}
}
},
{
"ranger-hdfs-security" : {
"properties_attributes" : { },
"properties" : {
"ranger.plugin.hdfs.policy.source.impl" : "org.apache.ranger.admin.client.RangerAdminRESTClient"
}
}
},
{
"ranger-env" : {
"properties_attributes" : { },
"properties" : {
"xml_configurations_supported" : "true",
"ranger_user" : "ranger",
"xasecure.audit.destination.hdfs.dir" : "hdfs://ambari-agent-1.node.dc1.consul:8020/ranger/audit",
"create_db_dbuser" : "true",
"ranger-hdfs-plugin-enabled" : "Yes",
"ranger_privelege_user_jdbc_url" : "jdbc:mysql://172.17.0.9:3306",
"ranger-knox-plugin-enabled" : "No",
"is_solrCloud_enabled" : "false",
"bind_anonymous" : "false",
"ranger-yarn-plugin-enabled" : "Yes",
"ranger-kafka-plugin-enabled" : "No",
"xasecure.audit.destination.hdfs" : "true",
"ranger-hive-plugin-enabled" : "No",
"xasecure.audit.destination.solr" : "false",
"xasecure.audit.destination.db" : "true",
"ranger_group" : "ranger",
"ranger_admin_username" : "amb_ranger_admin",
"ranger-hbase-plugin-enabled" : "Yes",
"admin_username" : "admin"
}
}
},
{
"kms-properties" : {
"properties_attributes" : { },
"properties" : {
"REPOSITORY_CONFIG_USERNAME" : "keyadmin",
"KMS_MASTER_KEY_PASSWD" : "SECRET:kms-properties:1:KMS_MASTER_KEY_PASSWD",
"DB_FLAVOR" : "MYSQL",
"db_name" : "rangerkms",
"SQL_CONNECTOR_JAR" : "/usr/share/java/mysql-connector-java.jar",
"db_user" : "rangerkms",
"db_host" : "172.17.0.9:3306",
"db_root_user" : "root"
}
}
},
{
"ranger-yarn-security" : {
"properties_attributes" : { },
"properties" : {
"ranger.plugin.yarn.policy.source.impl" : "org.apache.ranger.admin.client.RangerAdminRESTClient"
}
}
},
{
"usersync-properties" : {
"properties_attributes" : { },
"properties" : { }
}
},
{
"ranger-hbase-security" : {
"properties_attributes" : { },
"properties" : {
"ranger.plugin.hbase.policy.source.impl" : "org.apache.ranger.admin.client.RangerAdminRESTClient"
}
}
},
{
"hdfs-site" : {
"properties_attributes" : { },
"properties" : {
"dfs.encryption.key.provider.uri" : "kms://http@%HOSTGROUP::host_group_1%:9292/kms",
"dfs.namenode.inode.attributes.provider.class" : "org.apache.ranger.authorization.hadoop.RangerHdfsAuthorizer"
}
}
},
{
"ranger-yarn-plugin-properties" : {
"properties_attributes" : { },
"properties" : {
"REPOSITORY_CONFIG_USERNAME" : "yarn",
"common.name.for.certificate" : "",
"ranger-yarn-plugin-enabled" : "Yes",
"policy_user" : "ambari-qa",
"hadoop.rpc.protection" : ""
}
}
},
{
"ranger-hbase-plugin-properties" : {
"properties_attributes" : { },
"properties" : {
"REPOSITORY_CONFIG_USERNAME" : "hbase",
"common.name.for.certificate" : "",
"ranger-hbase-plugin-enabled" : "Yes",
"policy_user" : "ambari-qa"
}
}
}
],
"host_groups" : [
{
"name" : "host_group_1",
"configurations" : [ ],
"components" : [
{
"name" : "ZOOKEEPER_CLIENT"
},
{
"name" : "ZOOKEEPER_SERVER"
},
{
"name" : "RANGER_ADMIN"
},
{
"name" : "HBASE_REGIONSERVER"
},
{
"name" : "HBASE_CLIENT"
},
{
"name" : "HBASE_MASTER"
},
{
"name" : "RANGER_USERSYNC"
},
{
"name" : "NAMENODE"
},
{
"name" : "NODEMANAGER"
},
{
"name" : "HDFS_CLIENT"
},
{
"name" : "YARN_CLIENT"
},
{
"name" : "MAPREDUCE2_CLIENT"
},
{
"name" : "DATANODE"
},
{
"name" : "RANGER_KMS_SERVER"
}
],
"cardinality" : "1"
},
{
"name" : "host_group_2",
"configurations" : [ ],
"components" : [
{
"name" : "ZOOKEEPER_SERVER"
},
{
"name" : "HISTORYSERVER"
},
{
"name" : "HBASE_REGIONSERVER"
},
{
"name" : "APP_TIMELINE_SERVER"
},
{
"name" : "HDFS_CLIENT"
},
{
"name" : "NODEMANAGER"
},
{
"name" : "SECONDARY_NAMENODE"
},
{
"name" : "DATANODE"
},
{
"name" : "RESOURCEMANAGER"
}
],
"cardinality" : "1"
},
{
"name" : "host_group_3",
"configurations" : [ ],
"components" : [
{
"name" : "ZOOKEEPER_CLIENT"
},
{
"name" : "ZOOKEEPER_SERVER"
},
{
"name" : "HBASE_REGIONSERVER"
},
{
"name" : "HBASE_CLIENT"
},
{
"name" : "HDFS_CLIENT"
},
{
"name" : "NODEMANAGER"
},
{
"name" : "YARN_CLIENT"
},
{
"name" : "MAPREDUCE2_CLIENT"
},
{
"name" : "DATANODE"
}
],
"cardinality" : "1"
}
],
"Blueprints" : {
"stack_name" : "HDP",
"stack_version" : "2.3"
}
}
Deploy Ranger in HA mode
The difference from deploying Ranger in non-HA mode is:
- Deploy RANGER_ADMIN component to multiple host
- Setup a load balancer and configure it to front all RANGER_ADMIN instances (The URL of a Ranger Admin instance is http://host:port (default port 6080) )
- admin-properties
- policymgr_external_url - override the value of this configuration property with the URL of the load balancer. Each component interacting with Ranger is using the value of this property to connect to Ranger thus these will connect via the balancer.