Secured Hadoop clusters

Kerberos support

All Kerberos configuration will occur in the relay definition. So, refer to

In the Reference part for how to configure Kerberos access for all HADeploy operations.

Ranger tricks

SSL Certificate validation

If Ranger admin is configured with SSL, the default configuration will require a valid certificate, one recognized by a registered certificate authority. If this is not the case, all Ranger access will throw an error, unless you:

Or:

In the simplest case, a CA_BUNDLE can be just the certificate of the Ranger server, in PEM format.

To grab this certificate, you may use a tiny Python program like the following:

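import ssl

if __name__ == '__main__':
    # Fetch the certificate presented by the Ranger admin server, as PEM text.
    # The default ssl_version negotiates the protocol; PROTOCOL_SSLv23 is deprecated.
    cert = ssl.get_server_certificate(("ranger.mycluster.corp.com", 6182))
    print(cert)
    # Save it so it can be used as the CA_BUNDLE.
    with open("cert.pem", "w") as f:
        f.write(cert)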
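`ssl.get_server_certificate()` performs no validation when no CA file is given, so a certificate grabbed this way is only as trustworthy as the network path it was fetched over. The following added example (not part of HADeploy or of the original page) writes the file only if the certificate's SHA-256 fingerprint matches a value obtained out of band from the Ranger administrator; the function names, the command-line arguments and the demo file name are assumptions.

```python
import hashlib
import ssl
import sys


def sha256_fingerprint(pem_cert):
    """SHA-256 of the DER encoding, as colon-separated upper-case hex."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalize(fingerprint):
    # Accept "AA:BB:..", "aa bb .." or plain hex from the administrator.
    return fingerprint.replace(":", "").replace(" ", "").strip().lower()


def save_if_pinned(pem_cert, expected_fingerprint, path):
    """Write pem_cert to path only if it matches the out-of-band fingerprint."""
    actual = sha256_fingerprint(pem_cert)
    if _normalize(actual) != _normalize(expected_fingerprint):
        raise ValueError("fingerprint mismatch, server presented " + actual)
    with open(path, "w") as f:
        f.write(pem_cert)
    return actual


if __name__ == "__main__":
    if len(sys.argv) >= 4:
        # Hypothetical usage: pin_cert.py <host> <port> <expected-sha256>
        # The fetch itself validates nothing; the pin check below does.
        pem = ssl.get_server_certificate((sys.argv[1], int(sys.argv[2])))
        expected, out = sys.argv[3], "cert.pem"
    else:
        # Offline demo on constructed stand-in bytes (not a real certificate).
        der = b"constructed stand-in bytes"
        pem = ssl.DER_cert_to_PEM_cert(der)
        expected, out = hashlib.sha256(der).hexdigest(), "demo-cert.pem"
    print("saved", out, "SHA-256", save_if_pinned(pem, expected, out))
```

The expected value is the colon-separated hex that `openssl x509 -noout -fingerprint -sha256 -in <certificate file>` prints after the `=` sign when run on the Ranger host.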

Resources collision

Apache Ranger does not allow several policies to grant access to the same set of resources (paths, tables, topics, ...).

To work around this limitation, a simple trick is to add a non-existent, fake resource to the resource list of one of the colliding policies.

For example:

kafka_ranger_policies:
- name: "allToJim"
  topics:
  - "*"
  # Fake, non-existent topic: makes this resource set differ from the colliding policy
  - "dummy_topic"
  permissions:
  - users:
    - jim
    accesses:
    - publish
    - consume
    - configure
    - describe
    - create
    - delete
    - kafka_admin