Ranger configuration parameters

Sergei Tikhomirov
Credentials
Parameter Description Default value

Password for admin user

Password for the Ranger administrator

 — 

Password for keyadmin user

Password for the Ranger KMS administrator

 — 

Password for rangerusersync user

Password for the user with the rights to add users and groups to Ranger Admin as part of the synchronization mechanism with LDAP/AD or UNIX

 — 

Credstore password opts

Defines whether a password is required for a credstore

password-file
dbks-site.xml
Parameter Description Default value

ranger.db.encrypt.key.password

Password of the Master Key encryption

 — 

ranger.ks.jpa.jdbc.password

Database user’s password

 — 

ranger.ks.jpa.jdbc.url

JDBC connection URL for the Ranger KMS database. Leave empty for automatic setup on the next reconfiguration

jdbc:mysql://{{ groups['mysql.master'][0] | d(omit) }}:3306/rangerkms

ranger.ks.jpa.jdbc.driver

A classname for a JDBC driver for the Ranger KMS DB

com.mysql.jdbc.Driver

ranger.ks.jdbc.sqlconnectorjar

Path to a JDBC driver JAR for the Ranger KMS DB

/usr/share/java/jdbc-mysql-connector.jar

ranger.ks.jpa.jdbc.user

Database username used for the operations

rangerkms

ranger.ks.kerberos.keytab

Ranger KMS Kerberos keytab

 — 

ranger.ks.kerberos.principal

Ranger KMS Kerberos principal

 — 
Ranger KMS install.properties
Parameter Description Default value

DB_FLAVOR

DBMS that is used to manage the Ranger KMS metadata database

MYSQL

Custom install.properties

Additional installation parameters

install.properties
ranger-admin-site.xml
Parameter Description Default value

ranger.audit.solr.urls

Used to connect Ranger Admin to Solr for audit

 — 

ranger.audit.solr.zookeepers

Used to connect Ranger Admin to Solr’s Zookeeper for audit

 — 

ranger.audit.source.type

Source for audit store. Currently, only Solr is supported

solr

ranger.authentication.method

Authentication methods (ACTIVE DIRECTORY, LDAP, NONE). These methods are used for login to Ranger Admin

NONE

ranger.jpa.jdbc.driver

A classname for a JDBC driver for the Ranger Admin DB

com.mysql.jdbc.Driver

ranger.jdbc.sqlconnectorjar

Path to a JDBC driver JAR for the Ranger Admin DB

/usr/share/java/jdbc-mysql-connector.jar

ranger.jpa.jdbc.password

Password for the Ranger Admin database

 — 

ranger.jpa.jdbc.url

JDBC connection URL for the Ranger Admin database. Leave empty for automatic setup on the next reconfiguration

jdbc:mysql://{{ groups['mysql.master'][0] | d(omit) }}:3306/ranger

ranger.jpa.jdbc.user

Username for the Ranger Admin database

rangeradmin

ranger.service.http.port

HTTP port for Ranger Admin

6080

ranger.service.https.port

HTTPS port for Ranger Admin

6182

ranger.service.shutdown.port

HTTP port used for graceful shutdown of the service

6085

ranger.solr.audit.user

Username to connect to Solr for audit

rangeraudit

ranger.solr.audit.user.password

Password for Solr user

 — 

ranger.admin.balancer.host

URL of a host with a load balancer

 — 

ranger.admin.balancer.port

Port on which a load balancer listens

 — 

ranger.admin.kerberos.token.valid.seconds

Time (in seconds) to validate the Kerberos token

 — 
Ranger Admin install.properties
Parameter Description Default value

DB_FLAVOR

DBMS that is used to manage the Ranger Admin metadata database

MYSQL

Custom install.properties

Additional installation parameters

install.properties
core-site.xml
Parameter Description Default value

hadoop.security.key.provider.path

The key provider to use when interacting with encryption keys used when reading and writing to an encryption zone

kms://http@<ranger-kms-host>:9292/kms

User managed hadoop.security.auth_to_local

Determines whether to let the user define hadoop.security.auth_to_local

false

hadoop.security.auth_to_local

Maps Kerberos principals to local user names

RULE:[1:$1@$0](.*@AD.RANGER-TEST)s/@.*//RULE:[2:$1@$0](hbase@AD.RANGER-TEST)s/.*/hbase/RULE:[2:$1@$0](hdfs-namenode@AD.RANGER-TEST)s/.*/hdfs/RULE:[2:$1@$0](hdfs-datanode@AD.RANGER-TEST)s/.*/hdfs/RULE:[2:$1@$0](rangeradmin@AD.RANGER-TEST)s/.*/ranger/RULE:[2:$1@$0](rangerkms@AD.RANGER-TEST)s/.*/keyadmin/RULE:[2:$1@$0](rangertagsync@AD.RANGER-TEST)s/.*/rangertagsync/RULE:[2:$1@$0](rangerusersync@AD.RANGER-TEST)s/.*/rangerusersync/RULE:[2:$1@$0](hive@AD.RANGER-TEST)s/.*/hive/RULE:[2:$1/$2@$0](yarn-resourcemanager/.*@AD.RANGER-TEST)s/.*/yarn/RULE:[2:$1/$2@$0](yarn-nodemanager/.*@AD.RANGER-TEST)s/.*/yarn/RULE:[2:$1/$2@$0](yarn/.*@AD.RANGER-TEST)s/.*/yarn/RULE:[2:$1/$2@$0](mapreduce-historyserver/.*@AD.RANGER-TEST)s/.*/mapred/DEFAULT
ranger-kms-audit.xml
Parameter Description Default value

xasecure.audit.destination.solr.batch.filespool.dir

Sets the directory where the spool files are stored when the in-memory buffer is full

/srv/ranger/kms/audit_solr_spool
ranger-kms-security.xml
Parameter Description Default value

ranger.plugin.kms.policy.cache.dir

Directory where Ranger policies are cached after a successful retrieval from the source

/srv/ranger/kms/policycache
ranger-kms-site.xml
Parameter Description Default value

ranger.service.http.port

HTTP Port for Ranger Admin

9292

ranger.service.https.port

HTTPS Port for Ranger Admin

9393

ranger.service.shutdown.port

HTTP port that will be used for the correct shutdown of the service

7085

ranger.contextName

Ranger web context

/kms

ranger.service.host

Ranger service host

localhost
Configure SSL KMS
Parameter Description Default value

ranger.https.attrib.keystore.file

Location of the keystore file

 — 

ranger.service.https.attrib.keystore.pass

Password for the keystore file

 — 

ranger.https.attrib.truststore.file

Location of the truststore file

 — 

ranger.service.https.attrib.truststore.pass

Password for the truststore file

 — 

ranger.service.https.attrib.client.auth

Defines whether to enable clients authentication (but not require). Possible values:

  • want — enables two-way SSL (requires certificates to be present on client machines). Validates client certificates from all agents, but not the requests from web applications.

  • false — enables one-way SSL.

false

ranger.service.https.attrib.ssl.protocol

The enabled SSL protocol

TLSv1.2
Configure SSL Admin
Parameter Description Default value

ranger.https.attrib.keystore.file

Location of the keystore file

 — 

ranger.service.https.attrib.keystore.pass

Password for the keystore file

 — 

ranger.service.https.attrib.clientAuth

Defines whether to require clients to authenticate. Possible values:

  • want — enables two-way SSL (requires certificates to be present on client machines). Validates client certificates from all agents, but not the requests from web applications.

  • false — enables one-way SSL.

 — 

ranger.service.https.attrib.client.auth

Defines whether to enable clients authentication (but not require). Possible values:

  • want — enables two-way SSL (requires certificates to be present on client machines). Validates client certificates from all agents, but not the requests from web applications.

  • false — enables one-way SSL.

false

ranger.service.https.attrib.ssl.protocol

The enabled SSL protocol

TLSv1.2
Configure SSL UGSINK
Parameter Description Default value

ranger.usersync.truststore.file

Location of the truststore file

 — 

ranger.usersync.truststore.password

Password for the truststore file

 — 

ranger.usersync.keystore.file

Location of the keystore file

 — 

ranger.usersync.keystore.password

Password for the keystore file

 — 

ranger.usersync.https.ssl.enabled.protocols

The supported SSL protocols

TLSv1.2
kms-site.xml
Parameter Description Default value

hadoop.kms.authentication.kerberos.name.rules

Name resolution rules for Kerberos principals

RULE:[1:$1@$0](.*@AD.RANGER-TEST)s/@.*//RULE:[2:$1@$0](hbase@AD.RANGER-TEST)s/.*/hbase/RULE:[2:$1@$0](hdfs-namenode@AD.RANGER-TEST)s/.*/hdfs/RULE:[2:$1@$0](hdfs-datanode@AD.RANGER-TEST)s/.*/hdfs/RULE:[2:$1@$0](rangeradmin@AD.RANGER-TEST)s/.*/ranger/RULE:[2:$1@$0](rangerkms@AD.RANGER-TEST)s/.*/keyadmin/RULE:[2:$1@$0](rangertagsync@AD.RANGER-TEST)s/.*/rangertagsync/RULE:[2:$1@$0](rangerusersync@AD.RANGER-TEST)s/.*/rangerusersync/RULE:[2:$1@$0](hive@AD.RANGER-TEST)s/.*/hive/RULE:[2:$1/$2@$0](yarn-resourcemanager/.*@AD.RANGER-TEST)s/.*/yarn/RULE:[2:$1/$2@$0](yarn-nodemanager/.*@AD.RANGER-TEST)s/.*/yarn/RULE:[2:$1/$2@$0](yarn/.*@AD.RANGER-TEST)s/.*/yarn/RULE:[2:$1/$2@$0](mapreduce-historyserver/.*@AD.RANGER-TEST)s/.*/mapred/DEFAULT

hadoop.kms.authentication.zk-dt-secret-manager.enable

Whether to use ZKDelegationTokenSecretManager to persist TokenIdentifiers and DelegationKeys in ZooKeeper

false

hadoop.kms.authentication.zk-dt-secret-manager.zkConnectionString

The ZooKeeper connection string, a comma-separated list of hostnames and ports

 — 

hadoop.kms.authentication.zk-dt-secret-manager.znodeWorkingPath

The ZooKeeper znode path, where the KMS instances will store and retrieve the secret from. All the KMS instances that need to coordinate should point to the same path

 — 

hadoop.kms.authentication.zk-dt-secret-manager.zkAuthType

The ZooKeeper authentication type. Possible values: none (default) or sasl (Kerberos)

none

hadoop.kms.authentication.zk-dt-secret-manager.kerberos.keytab

The absolute path for the Kerberos keytab with the credentials to connect to ZooKeeper. This parameter is effective only when hadoop.kms.authentication.zk-dt-secret-manager.zkAuthType is set to sasl

 — 

hadoop.kms.authentication.signer.secret.provider

Indicates how the secret to sign the authentication cookies will be stored. Possible values: random (default), string, and zookeeper. If using a setup with multiple KMS instances, zookeeper should be used

random

hadoop.kms.authentication.signer.secret.provider.zookeeper.connection.string

The ZooKeeper connection string, a comma-separated list of hostnames and ports

 — 

hadoop.kms.authentication.signer.secret.provider.zookeeper.path

The ZooKeeper znode path where the KMS instances will store and retrieve the secret from. All the KMS instances that need to coordinate should point to the same path

 — 
ranger-ugsync-site.xml
Parameter Description Default value

ranger.usersync.port

Port for Unix authentication service

5151

ranger.usersync.role.assignment.list.delimiter

Delimiter to use while syncing roles to users, groups, and roles in Ranger Admin

&amp;

ranger.usersync.sleeptimeinmillisbetweensynccycle

Sleep time (in milliseconds) interval between user sync operations

 — 

ranger.usersync.unix.minGroupId

Minimum Group ID to start syncing. This parameter is used to avoid syncing of UNIX system-level users in the Ranger Admin

500

ranger.usersync.unix.minUserId

Minimum User ID to start syncing. This parameter is used to avoid syncing of UNIX system-level users in the Ranger Admin

500

ranger.usersync.username.groupname.assignment.list.delimiter

Delimiter to use while syncing users and groups in Ranger Admin

,

ranger.usersync.users.groups.assignment.list.delimiter

Delimiter to use while syncing users and groups with specified roles in Ranger Admin. This delimiter separates the users and groups from respective roles

:
NOTE
The delimiters cannot contain characters that aren’t allowed in username or group name.

The ranger.usersync.role.assignment.list.delimiter parameter is used as delimiter for roles. Check the example below.

ROLE_SYS_ADMIN:u:username01,username02&ROLE_KEY_ADMIN:g:groupname01

In this example, the roles ROLE_SYS_ADMIN and ROLE_KEY_ADMIN in Ranger Admin are separated by delimiter &.

The ranger.usersync.username.groupname.assignment.list.delimiter parameter is used as a delimiter to differentiate between two or more users and groups. Check the example below.

ROLE_SYS_ADMIN:u:username01,username02

In this example, users username1 and username2 are separated by the , delimiter.

The ranger.usersync.users.groups.assignment.list.delimiter is used as a delimiter to differentiate between users and groups from respective roles. Check the example below.

ROLE_SYS_ADMIN:u:username01,username02&ROLE_SYS_ADMIN:g:groupname01,groupname02

In this example, ROLE_SYS_ADMIN is a role, and u denotes the list of users followed by actual usernames, which are username01 and username02. The g is used to indicate the list of groups followed by actual group names, which are groupname01 and groupname02.

ranger-ugsync-default.xml
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
<!--
  Licensed under the Apache License, Version 2.0 (the "License");
  you may not use this file except in compliance with the License.
  You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License. See accompanying LICENSE file.
-->

<!-- Put site-specific property overrides in this file. -->

<configuration>
	<property>
		<name>ranger.usersync.port</name>
                <value>5151</value>
	</property>
	<property>
		<name>ranger.usersync.ssl</name>
		<value>true</value>
	</property>
	<property>
		<name>ranger.usersync.https.ssl.enabled.protocols</name>
		<value>SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2</value>
	</property>
	<property>
		<name>ranger.usersync.passwordvalidator.path</name>
		<value>./native/credValidator.uexe</value>
	</property>
	<property>
		<name>ranger.usersync.enabled</name>
		<value>true</value>
	</property>
	<property>
		<name>ranger.usersync.policymanager.maxrecordsperapicall</name>
		<value>1000</value>
	</property>
	<property>
		<name>ranger.usersync.policymanager.mockrun</name>
		<value>false</value>
	</property>
	<property>
		<name>ranger.usersync.unix.minUserId</name>
		<value>500</value>
	</property>
	<property>
		<name>ranger.usersync.unix.minGroupId</name>
		<value>0</value>
	</property>
	<property>
		<name>ranger.usersync.ldap.username.caseconversion</name>
		<value>none</value>
	</property>
	<property>
		<name>ranger.usersync.ldap.groupname.caseconversion</name>
		<value>none</value>
	</property>
	<property>
		<name>ranger.usersync.logdir</name>
		<value>./log</value>
	</property>
	<property>
		<name>ranger.usersync.cookie.enabled</name>
		<value>true</value>
	</property>
</configuration>
LDAP sync source for User synchronizer
Parameter Description Default value

ranger.usersync.ldap.binddn

Full distinguished name (DN)

 — 

ranger.usersync.ldap.deltasync

LDAP delta sync flag used to periodically sync users and groups based on the updates in the server

true

ranger.usersync.ldap.groupname.caseconversion

Controls how to convert group names. Possible values: lower, upper, and none

lower

LDAP bind password

Password for the LDAP bind user

 — 

ranger.usersync.ldap.referral

Indicates how to handle LDAP referrals. Possible values are:

  • follow — use if multiple LDAP servers are configured to return continuation references for results.

  • ignore — use if no referrals should be followed.

ignore

ranger.usersync.ldap.searchBase

Search base for the users and groups

rangerkms

ranger.usersync.ldap.url

LDAP server URL

ranger

ranger.usersync.ldap.user.groupnameattribute

LDAP user group name attribute

memberof,ismemberof

ranger.usersync.ldap.user.nameattribute

LDAP user name attribute

cn

ranger.usersync.ldap.user.objectclass

LDAP User Object Class

person

ranger.usersync.ldap.user.searchbase

Search base for the users

 — 

ranger.usersync.ldap.user.searchfilter

Optional additional filter constraining the users selected for syncing

 — 

ranger.usersync.ldap.user.searchscope

Search scope for the users. Possible values are:

  • base — only the entry specified as the search base in ranger.usersync.ldap.user.searchbase should be included.

  • one — only the direct children of the entry specified as the search base in ranger.usersync.ldap.user.searchbase should be included.

  • sub — the entry specified as the search base in ranger.usersync.ldap.user.searchbase and all of its descendants at any depth should be included.

 — 

ranger.usersync.ldap.username.caseconversion

Controls how to convert usernames. Possible values: lower, upper, and none

lower

ranger.usersync.group.searchenabled

Whether Usersync should use ldapsearch to find groups instead of relying on user entry attributes

 — 

ranger.usersync.group.search.first.enabled

Whether to get users using the 'member' attribute of the group

true

ranger.usersync.group.usermapsyncenabled

Whether to do the ldapsearch to find groups instead of relying on user entry attributes and sync memberships of those groups

false

ranger.usersync.group.memberattributename

LDAP group member attribute name

member

ranger.usersync.group.nameattribute

LDAP group name attribute

cn

ranger.usersync.group.objectclass

LDAP Group object class

groupofnames

ranger.usersync.group.searchbase

Search base for the groups

 — 

ranger.usersync.group.searchfilter

Optional additional filter constraining the groups selected for syncing

 — 

ranger.usersync.group.searchscope

Search scope for the groups. Possible values are:

  • base — only the entry specified as the search base in ranger.usersync.group.searchbase should be included.

  • one — only the direct children of the entry specified as the search base in ranger.usersync.group.searchbase should be included.

  • sub — the entry specified as the search base in ranger.usersync.group.searchbase, and all of its subordinates to any depth, should be included.

 — 

The ranger.usersync.ldap.binddn parameter is used to set the DN, including the common name (CN) of an LDAP user account that has privileges to search for users. This can be a read-only LDAP user. Check the example below.

cn=admin,dc=example,dc=com

The ranger.usersync.ldap.searchBase parameter is used to set the search base for users and groups. Multiple values can be separated with ; (semicolon). Check the example below.

dc=hadoop,dc=arenadata,dc=tech

The ranger.usersync.ldap.url parameter is used to set the URL for LDAP server. Check the example below.

ldaps://localhost:8000
ldap://localhost:8080

The ranger.usersync.ldap.user.groupnameattribute parameter is the same as the username attribute. Check the example below.

memberOf in AD, memberof,ismemberof in OpenLDAP

The ranger.usersync.ldap.user.nameattribute parameter is used to set the LDAP username attribute. Check the example below.

sAMAccountName in AD, uid or cn in OpenLDAP
NOTE
sAMAccountName is a logon account name in SAM, which is needed for compatibility with pre-Windows 2000 systems. cn is a common user name that consists of the first name, middle name, and last name.

The ranger.usersync.ldap.user.searchbase parameter is used to set the PATH to search base for users. Multiple values can be configured with ; (semicolon) separated.

CAUTION
The value of ranger.usersync.ldap.user.searchbase overrides the value specified in ranger.usersync.ldap.searchBase.

Check the example below.

ou=users,dc=hadoop,dc=arenadata,dc=tech
cn=users,dc=example,dc=com;ou=example1,ou=example2

The ranger.usersync.group.searchbase is used to specify the group’s search base. Multiple values can be separated with ; (semicolon). If a value is not specified, it takes the value of ranger.usersync.ldap.searchBase. If ranger.usersync.ldap.searchBase is also not specified, it takes the value of ranger.usersync.ldap.user.searchbase.

CAUTION
The value of ranger.usersync.group.searchbase overrides the values specified in ranger.usersync.ldap.searchBase and ranger.usersync.ldap.user.searchbase.

Check the example below.

ou=groups,dc=hadoop,dc=apache,dc=org
ou=groups,DC=example,DC=com;ou=group1,ou=group2
LDAP sync source for Ranger Admin authentication
Parameter Description Default value

ranger.ldap.url

The LDAP server URL

 — 

ranger.ldap.bind.dn

The full distinguished name (DN) of an LDAP user to bind to

 — 

ranger.ldap.bind.password

The password for an LDAP user to bind to

 — 

ranger.ldap.base.dn

The distinguished name of the start for directory server searches

 — 

ranger.ldap.group.searchbase

The LDAP group search base

 — 

ranger.ldap.group.searchfilter

The LDAP group search filter

 — 

ranger.ldap.group.roleattribute

The LDAP group role attribute

 — 

ranger.ldap.user.searchfilter

The LDAP user search filter

 — 

ranger.ldap.user.dnpattern

The LDAP user DN

 — 

ranger.ldap.referral

Indicates how to handle LDAP referrals. Possible values are:

  • follow — use if multiple LDAP servers are configured to return continuation references for results.

  • ignore — use if no referrals should be followed.

  • throw —  use if all the standard entries are returned to the enumeration first before the ReferralException is thrown.

ignore
Active Directory sync source for Ranger Admin authentication
Parameter Description Default value

ranger.ldap.ad.url

The Active Directory server URL

 — 

ranger.ldap.ad.bind.dn

The full distinguished name (DN) of an AD user to bind to

 — 

ranger.ldap.ad.bind.password

The password for an LDAP user to bind to

 — 

ranger.ldap.ad.base.dn

The Distinguished Name of the start for directory server searches

 — 

ranger.ldap.ad.domain

Server domain name (or IP address) where the ranger-usersync module is running (along with the AD Authentication Service)

 — 

ranger.ldap.ad.user.searchfilter

Search filter for Bind Authentication

sAMAccountName={0}

ranger.ldap.ad.referral

Indicates how to handle AD referrals. There are three possible values:

  • follow — use if multiple AD servers are configured to return continuation references for results.

  • ignore — use if no referrals should be followed. PartialResultException is returned if any referrals are encountered during result processing.

  • throw —  use if all the standard entries are returned in the enumeration first before the ReferralException is thrown.

ignore
Other
Parameter Description Default value

Custom dbks-site.xml

In this section you can define values for custom parameters that are not displayed in ADCM UI, but are allowed in the dbks-site.xml configuration file

 — 

Custom ranger-admin-site.xml

In this section you can define values for custom parameters that are not displayed in ADCM UI, but are allowed in the ranger-admin-site.xml configuration file

 — 

Custom core-site.xml

In this section you can define values for custom parameters that are not displayed in ADCM UI, but are allowed in the core-site.xml configuration file

 — 

Custom ranger-kms-audit.xml

In this section you can define values for custom parameters that are not displayed in ADCM UI, but are allowed in the ranger-kms-audit.xml configuration file

 — 

Custom ranger-kms-security.xml

In this section you can define values for custom parameters that are not displayed in ADCM UI, but are allowed in the ranger-kms-security.xml configuration file

 — 

Custom ranger-kms-site.xml

In this section you can define values for custom parameters that are not displayed in ADCM UI, but are allowed in the ranger-kms-site.xml configuration file

 — 

Custom kms-site.xml

In this section you can define values for custom parameters that are not displayed in ADCM UI, but are allowed in the kms-site.xml configuration file

 — 

Custom ranger-kms-policymgr-ssl.xml

In this section you can define values for custom parameters that are not displayed in ADCM UI, but are allowed in the ranger-kms-policymgr-ssl.xml configuration file

 — 

Custom ranger-ugsync-site.xml

In this section you can define values for custom parameters that are not displayed in ADCM UI, but are allowed in the ranger-ugsync-site.xml configuration file

 — 

 
Each Ranger component has its own settings which are described below.

Ranger Admin
Parameter Description Default value

logback.xml

A file with logging settings for Ranger Admin

logback.xml

ranger-admin-env.sh

A command that sets the RANGER_ADMIN_LOGBACK_CONF_FILE environment variable and additional Java memory options

ranger-admin-env.sh
Monitoring
Parameter Description Default value

Java agent path

Path to jmx_prometheus_javaagent

/usr/lib/adps-utils/jmx/jmx_prometheus_javaagent.jar

Prometheus metrics port

Prometheus port for collecting metrics

9201

Mapping config path

Path to mapping configuration

/etc/ranger/admin/conf/jmx_ranger_admin_metric_config.yml

Mapping config

Mapping configuration

--- lowercaseOutputName: true rules: - pattern: ".*"
Ranger KMS
Parameter Description Default value

logback.xml

A file with logging settings for Ranger KMS

logback.xml

ranger-kms-env.sh

A command that sets additional Java memory options

ranger-kms-env.sh
Monitoring
Parameter Description Default value

Java agent path

Path to jmx_prometheus_javaagent

/usr/lib/adps-utils/jmx/jmx_prometheus_javaagent.jar

Prometheus metrics port

Prometheus port for collecting metrics

9202

Mapping config path

Path to mapping configuration

/etc/ranger/kms/conf/jmx_ranger_kms_metric_config.yml

Mapping config

Mapping configuration

--- lowercaseOutputName: true rules: - pattern: ".*"
Ranger User synchronizer
Parameter Description Default value

logback.xml

A file with logging settings for Ranger User synchronizer

logback.xml

ranger-usersync-env.sh

A command that sets additional Java memory options

ranger-usersync-env.sh
Monitoring
Parameter Description Default value

Java agent path

Path to jmx_prometheus_javaagent

/usr/lib/adps-utils/jmx/jmx_prometheus_javaagent.jar

Prometheus metrics port

Prometheus port for collecting metrics

9203

Mapping config path

Path to mapping configuration

/etc/ranger/usersync/conf/jmx_ranger_usersync_metric_config.yml

Mapping config

Mapping configuration

--- lowercaseOutputName: true rules: - pattern: ".*"
Ranger Resource Mapping manager
ranger-rmm-site.xml
Parameter Description Default value

ranger.rmm.db.driver.classname

The fully qualified class name of the JDBC driver used to connect to the Ranger DB

org.postgresql.Driver

ranger.rmm.db.jdbc.url

JDBC connection URL for Ranger database

jdbc:postgresql://<db_host>:5432/ranger

ranger.rmm.db.username

The username used for authenticating with the Ranger DB

rangeradmin

ranger.rmm.db.password

The password used for authenticating with the Ranger DB

 — 

ranger.rmm.db.pool.size.max

The maximum number of connections allowed in the database connection pool

10

ranger.rmm.db.pool.size.min

The minimum number of connections maintained in the database connection pool

2

ranger.rmm.db.pool.idle.timeout

The maximum time (in milliseconds) a connection can remain idle before being removed from the pool

300000

ranger.rmm.db.pool.lifetime.max

The maximum lifetime (in milliseconds) of a connection in the pool before it is retired

1800000

ranger.rmm.db.pool.connection.timeout

The maximum time (in milliseconds) to wait for a connection from the pool before timing out

30000

ranger.rmm.event.applier.retry.strategy

The strategy used to retry failed event applications. Possible values are:

  • FAIL — fail in case of any error.

  • FIXED_SLEEP — keep trying a limited number of times, waiting a fixed time between attempts.

  • EXPONENTIAL — keep trying a limited number of times, waiting a growing amount of time between attempts. The time between attempts is sleepTime multiplied by a random number in the range of ], where is the number of retries.

FIXED_SLEEP

ranger.rmm.event.applier.retry.interval.ms

The interval (in milliseconds) between retries when saving event to the Ranger DB

1000

ranger.rmm.kerberos.principal

The Kerberos principal used for authenticating the RMM service if the hadoop.security.authentication option is set to Kerberos

 — 

ranger.rmm.kerberos.keytab

The path to the Kerberos keytab file used for authentication

 — 

ranger.rmm.hms.fetch.period.ms

The interval (in milliseconds) at which metadata event batches are fetched from the Hive Metastore

10000

ranger.rmm.hms.fetch.batch.size

The number of metadata events to fetch in a single batch from the Hive Metastore

8192

ranger.rmm.hms.retry.strategy

The strategy used to retry failed fetching from Hive Metastore operations. Possible values are:

  • FAIL — fail in case of any error.

  • FIXED_SLEEP — keep trying a limited number of times, waiting a fixed time between attempts.

  • EXPONENTIAL — keep trying a limited number of times, waiting a growing amount of time between attempts. The time between attempts is sleepTime multiplied by a random number in the range of ], where is the number of retries.

FIXED_SLEEP

ranger.rmm.hms.retry.interval.ms

The time (in milliseconds) to wait between retry attempts for fetching from Hive Metastore

1000

ranger.rmm.hms.retry.max

The maximum number of retries allowed for Hive Metastore operations

10

ranger.rmm.hms.sync.full

Whether to perform full resync of entities from Hive Metastore

false
Other
Parameter Description Default value

Custom ranger-rmm-site.xml

In this section you can define values for custom parameters that are not displayed in ADCM UI, but are allowed in the ranger-rmm-site.xml configuration file

 — 

logback.xml

A file with logging settings for Ranger User synchronizer

logback.xml

ranger-resource-mapping-manager-env.sh

A command that sets additional Java memory options

ranger-resource-mapping-manager-env.sh
Found a mistake? Seleсt text and press Ctrl+Enter to report it