Configure Ranger KMS HA

High availability (HA) allows the Ranger KMS service to keep a backup instance available in case the main host goes down.

IMPORTANT
The HA mode is enabled automatically when two or more Ranger KMS instances are detected.

Configuration in ADCM

To add an extra Ranger KMS component, follow the steps below:

  1. In the cluster configuration menu, open the Services tab and run the Add Ranger KMS action for Ranger. Alternatively, in the Ranger service menu, go to the Components tab and run the Add action for Ranger KMS, which leads to the same result.

    The Add Ranger KMS action
  2. In the opened window, add an extra host for the Ranger KMS component and click Run.

    The host-component mapping window
  3. Confirm the action in the pop-up window and wait for it to finish.

NOTE
For a kerberized cluster, SASL is used for authentication with the Kerberos user credentials. The name resolution rules are defined by the hadoop.kms.authentication.kerberos.name.rules parameter in the kms-site.xml parameter group, which is available when the Show advanced flag is enabled. By default, these rules cover only the service users (e.g. ranger, hive, yarn).

Check

To check if the HA mode is enabled, follow the steps below:

  1. Log in to the Ranger Admin UI as keyadmin.

  2. Open the edit page for the Ranger KMS service.

    Edit the Ranger KMS service
  3. If the HA mode is enabled, the KMS URL parameter should have several KMS host URLs (kms://http@<kms_host_1>;<kms_host_2>:9292/kms). Otherwise, there should be only one URL (dbks://http@<kms_host>:9292/kms). If SSL is enabled, http is replaced with https and port 9292 with 9393.

    The KMS URL parameter
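
The same check can be scripted against a copied KMS URL value. The Python sketch below is an added example, not part of ADCM or Ranger: it parses the URL format shown in step 3 and reports whether several hosts are listed and whether the transport and port match the SSL and non-SSL values given above. The function names and the sample host names are assumptions made for illustration.

```python
import re

# Ports as stated on this page: 9292 without SSL, 9393 with SSL.
EXPECTED_PORT = {"http": 9292, "https": 9393}

# <scheme>://<transport>@<host>[;<host>...]:<port>/<path>
_URL_RE = re.compile(
    r"^(?P<scheme>[a-z]+)://(?P<transport>https?)@"
    r"(?P<hosts>[^:/@]+):(?P<port>\d+)/\S*$"
)


def parse_kms_url(url):
    """Split a KMS URL into its parts; raise ValueError if it does not match."""
    m = _URL_RE.match(url.strip())
    if m is None:
        raise ValueError(f"not a KMS URL: {url!r}")
    hosts = [h.strip() for h in m["hosts"].split(";")]
    if any(not h for h in hosts):
        raise ValueError(f"empty host entry in {url!r}")
    return {"scheme": m["scheme"], "transport": m["transport"],
            "hosts": hosts, "port": int(m["port"])}


def audit_kms_url(url):
    """Return (ha_enabled, findings) for one KMS URL value."""
    p = parse_kms_url(url)
    findings = []
    if len(set(p["hosts"])) != len(p["hosts"]):
        findings.append("duplicate host listed")
    # HA needs at least two distinct hosts in the semicolon-separated list.
    ha = len(set(p["hosts"])) > 1
    if not ha:
        findings.append("single KMS host: HA mode is not enabled")
    if p["transport"] == "http":
        findings.append("plain http: SSL is not enabled for KMS traffic")
    if p["port"] != EXPECTED_PORT[p["transport"]]:
        findings.append(f"port {p['port']} does not match {p['transport']}")
    return ha, findings


if __name__ == "__main__":
    # Constructed sample values; the host names are placeholders.
    for sample in ("kms://https@kms1.example.com;kms2.example.com:9393/kms",
                   "dbks://http@kms1.example.com:9292/kms"):
        print(sample, audit_kms_url(sample))
```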