Apache Ranger installation

Upload an ADPS bundle

  1. Upload an ADPS bundle using ADCM by clicking the Upload bundles icon on the Bundles tab.

  2. Upload the newest bundle version from your local file system.

  3. Carefully read the Terms of Use (EULA) by clicking the orange warning triangle next to the bundle you have just uploaded. Click Yes if you accept the license agreement.

Create a cluster

Now you need to create an Arenadata Platform Security cluster.

CAUTION
Ranger components must be installed on separate VMs or servers; do not reuse nodes of an existing cluster.

  1. In ADCM, select CLUSTERS → Create cluster.

  2. In the Create cluster window, fill in the following fields:

    • Bundle — click the orange dropdown and select the required ADPS (Platform security) bundle.

    • Version — choose the bundle version if several bundles are uploaded.

      Click the green cloud icon to download a specific bundle if necessary.

    • Cluster name — specify a name for the cluster.

    • Description — a text field with a cluster description.

    Figure: Create cluster window
  3. Click Create to create the cluster or Cancel to abort.

Add services

  1. Go to CLUSTERS → <your_ADPS_cluster> → Services and click Add services to add services to the ADPS cluster.

  2. Select the required services to add in the cluster and click Add.

    Figure: Choosing services
  3. In Host-Components, you need to distribute the components across the hosts.

    Figure: Components distribution
    NOTE
    You can install all the services on one host, but it’s recommended to distribute the services between different hosts to ensure fault tolerance.

    If you haven’t added any hosts to the cluster yet, click the green cross icon and add a host.

    Figure: Adding hosts

    Select the host you want to add and click Add.

  4. Click Save to save the configuration.

Configure services

In this step, you need to configure your Ranger services in CLUSTERS → <your_ADPS_cluster> → Services → Ranger → Configuration. To save the configuration, click Save.

CAUTION
When choosing passwords, do not use trivial values such as admin or 123: some services reject them and then fail to operate. Use strong passwords, for example 2uHt2>[\'cfb' vS'.

Credentials section

In this section, you must specify the credentials for users to access the interface and the components of the Ranger service. To expand the Credentials section, click the expander arrow.

Figure: Configure credentials

Check the table below to get additional information.

Credentials section
Name | Default value | Required | Description
Password for admin user | — | Yes | Password for the Ranger Admin web interface administrator (admin)
Password for keyadmin user | — | Yes | Password for the Ranger KMS administrator (keyadmin)
Password for rangerusersync user | — | Yes | Password for the user that has the rights to add users and groups to Ranger Admin as part of the synchronization mechanism with LDAP/AD or UNIX

External database

Select the External database radio button if you are using an external database.

Figure: Configure external database

Check the table below to get additional information.

External database
Name | Default value | Required | Description
Database type | — | Yes | Type of the external database: MySQL/MariaDB or PostgreSQL
Hostname | — | Yes | Host name of the database server used by Ranger Admin and Ranger KMS
Custom port | — | No | Port of the database server, if it differs from the default one
Ranger Admin database name | ranger | Yes | Name of the Ranger Admin database
Ranger KMS database name | rangerkms | Yes | Name of the Ranger KMS database

dbks-site.xml section

In this section, you should specify the access password for the encryption keys and the password for connecting to the database. To expand the dbks-site.xml section, click the expander arrow.

Figure: Configure dbks-site.xml

Check the table below to get additional information.

dbks-site.xml
Name | Default value | Required | Description
ranger.db.encrypt.key.password | — | Yes | Password used to encrypt the KMS master key stored in the database
ranger.ks.jpa.jdbc.password | — | Yes | Password of the Ranger KMS database user
ranger.ks.jpa.jdbc.user | rangerkms | Yes | Database user name used for Ranger KMS operations

ranger-admin-site.xml section

In this section, you specify the passwords used to connect to the database and to the Solr instance that stores the audit of user actions. To expand the ranger-admin-site.xml section, click the expander arrow.

Figure: Configure ranger-admin-site.xml

Check the table below to get additional information.

ranger-admin-site.xml
Name | Default value | Required | Description
ranger.authentication.method | — | No | Authentication method used to log in to Ranger Admin: ACTIVE_DIRECTORY, LDAP or NONE
ranger.jpa.jdbc.password | — | Yes | Password of the Ranger Admin database user
ranger.jpa.jdbc.user | rangeradmin | Yes | User name for the Ranger Admin database
ranger.service.http.port | 6080 | Yes | HTTP port of Ranger Admin
ranger.service.shutdown.port | 6085 | Yes | Port used for graceful shutdown of the service
ranger.solr.audit.user.password | — | Yes | Password of the Solr user that writes audit records
ranger.admin.kerberos.token.valid.seconds | — | No | Validity period (in seconds) of the Kerberos token

core_site.xml section

The section has no editable parameters.

ranger-kms-audit.xml section

In this section, you should specify the configuration properties for the Ranger Key Management Service (KMS) audit. To expand the ranger-kms-audit.xml section, click the expander arrow.

Figure: Configure ranger-kms-audit.xml

Check the table below to get additional information.

ranger-kms-audit.xml
Name | Default value | Required | Description
xasecure.audit.destination.solr.batch.filespool.dir | /srv/ranger/kms/audit_solr_spool | Yes | Directory where audit spool files are written when the in-memory buffer is full

ranger-kms-security.xml section

In this section, you should specify security properties for KMS. To expand the ranger-kms-security.xml section, click the expander arrow.

Figure: Configure ranger-kms-security.xml

Check the table below to get additional information.

ranger-kms-security.xml
Name | Default value | Required | Description
ranger.plugin.kms.policy.cache.dir | /srv/ranger/kms/policycache | Yes | Directory where Ranger policies are cached after being successfully retrieved from the source (an absolute path; the KMS plugin keeps enforcing the cached policies if Ranger Admin becomes unreachable)

ranger-kms-site.xml section

In this section, you should specify the HTTP ports for accessing KMS. To expand the ranger-kms-site.xml section, click the expander arrow.

Figure: Configure ranger-kms-site.xml

Check the table below to get additional information.

ranger-kms-site.xml
Name | Default value | Required | Description
ranger.service.http.port | 9292 | Yes | HTTP port of Ranger KMS
ranger.service.shutdown.port | 7085 | Yes | Port used for graceful shutdown of Ranger KMS

ranger-ugsync-site.xml section

This section describes the configuration of Ranger User Sync for UNIX and LDAP/AD. To expand the ranger-ugsync-site.xml section, click the expander arrow.

Figure: Configure ranger-ugsync-site.xml

Check the table below to get additional information.

ranger-ugsync-site.xml
Name | Default value | Required | Description
ranger.usersync.port | 5151 | Yes | Port of the UNIX authentication service
ranger.usersync.role.assignment.list.delimiter | & | Yes | Delimiter between role assignments when syncing roles for users and groups to Ranger Admin
ranger.usersync.sleeptimeinmillisbetweensynccycle | — | No | Sleep time (in milliseconds) between two user sync cycles
ranger.usersync.unix.minGroupId | 500 | Yes | Minimum group ID to sync; groups with a lower GID (UNIX system groups) are not synced to Ranger Admin
ranger.usersync.unix.minUserId | 500 | Yes | Minimum user ID to sync; users with a lower UID (UNIX system users) are not synced to Ranger Admin
ranger.usersync.username.groupname.assignment.list.delimiter | , | Yes | Delimiter between user names or group names within one role assignment
ranger.usersync.users.groups.assignment.list.delimiter | : | Yes | Delimiter separating the role, the kind of list (users or groups) and the names within one role assignment

NOTE
The delimiters must not contain characters that are allowed in a user name or group name; otherwise a name containing such a character is split at that point.

The ranger.usersync.role.assignment.list.delimiter parameter is used as the delimiter between roles. Check the example below.

ROLE_SYS_ADMIN:u:username01,username02&ROLE_KEY_ADMIN:g:groupname01

In this example, the roles ROLE_SYS_ADMIN and ROLE_KEY_ADMIN in Ranger Admin are separated by the & delimiter.

The ranger.usersync.username.groupname.assignment.list.delimiter parameter is used as the delimiter between two or more users or groups. Check the example below.

ROLE_SYS_ADMIN:u:username01,username02

In this example, the users username01 and username02 are separated by the , delimiter.

The ranger.usersync.users.groups.assignment.list.delimiter parameter separates the role, the kind of list (u for users, g for groups) and the list of names. Check the example below.

ROLE_SYS_ADMIN:u:username01,username02&ROLE_SYS_ADMIN:g:groupname01,groupname02

In this example, ROLE_SYS_ADMIN is the role, u marks a list of users followed by the actual user names username01 and username02, and g marks a list of groups followed by the actual group names groupname01 and groupname02.
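The parser below is an added example, not Ranger or Arenadata code. It applies the three delimiters described above to a role assignment list, merges repeated roles (the second example above lists ROLE_SYS_ADMIN twice), and rejects a delimiter that could also occur inside a user or group name, which is the failure mode the note warns about. The set of characters assumed to be legal in names (NAME_CHARS) is an assumption of the example; adjust it to what your directory allows.

```python
# Added example, not Ranger or Arenadata code: parse a usersync role-assignment
# list with the three delimiters from ranger-ugsync-site.xml and refuse
# delimiters that could also appear inside a user or group name.

# Assumption for this example: user and group names may contain letters,
# digits, '_', '-', '.', '@' and spaces. Adjust to what your directory allows.
NAME_CHARS = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-.@ "
)


def check_delimiters(role_delim, list_delim, kind_delim):
    """Reject delimiters that are empty, not distinct, or legal inside a name."""
    named = (("role", role_delim), ("list", list_delim), ("kind", kind_delim))
    for label, delim in named:
        if not delim:
            raise ValueError(f"{label} delimiter is empty")
        if any(ch in NAME_CHARS for ch in delim):
            raise ValueError(
                f"{label} delimiter {delim!r} can occur inside a user or group name"
            )
    if len({role_delim, list_delim, kind_delim}) != 3:
        raise ValueError("the three delimiters must be distinct")


def parse_role_assignments(spec, role_delim="&", list_delim=",", kind_delim=":"):
    """Return {role: {"users": [...], "groups": [...]}} for a spec such as
    ROLE_SYS_ADMIN:u:username01,username02&ROLE_KEY_ADMIN:g:groupname01.

    role_delim is ranger.usersync.role.assignment.list.delimiter (between roles),
    list_delim is ranger.usersync.username.groupname.assignment.list.delimiter
    (between names) and kind_delim is
    ranger.usersync.users.groups.assignment.list.delimiter (role / u|g / names).
    """
    check_delimiters(role_delim, list_delim, kind_delim)
    roles = {}
    for block in spec.split(role_delim):
        block = block.strip()
        if not block:
            continue  # tolerate a leading or trailing role delimiter
        parts = block.split(kind_delim)
        if len(parts) != 3:
            raise ValueError(
                f"expected ROLE{kind_delim}u|g{kind_delim}names, got {block!r}"
            )
        role, kind, names = (p.strip() for p in parts)
        if kind not in ("u", "g"):
            raise ValueError(f"kind must be 'u' or 'g' in {block!r}")
        bucket = roles.setdefault(role, {"users": [], "groups": []})
        target = bucket["users"] if kind == "u" else bucket["groups"]
        for name in names.split(list_delim):
            name = name.strip()
            if name and name not in target:
                target.append(name)  # a role listed twice merges without duplicates
    return roles


if __name__ == "__main__":
    spec = "ROLE_SYS_ADMIN:u:username01,username02&ROLE_KEY_ADMIN:g:groupname01"
    for role, members in parse_role_assignments(spec).items():
        print(role, members)
```

Run it with the defaults to see the two examples above parsed into a role map; pass list_delim="-" to see the delimiter check reject a value that would split user names such as svc-ranger.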

LDAP sync source for User synchronizer section

Select the LDAP sync source for User synchronizer radio button if you need to sync users and groups from LDAP or Active Directory.

Figure: Configure LDAP sync source for User synchronizer

Check the table below to get additional information.

LDAP sync source for User synchronizer
Name | Default value | Required | Description
ranger.usersync.ldap.binddn | — | Yes | Full distinguished name (DN) of the bind user
LDAP bind password | — | Yes | Password of the LDAP bind user
ranger.usersync.ldap.searchBase | — | Yes | Search base for users and groups
ranger.usersync.ldap.url | — | Yes | LDAP server URL
ranger.usersync.ldap.user.groupnameattribute | memberof,ismemberof | Yes | Attribute of the user entry that holds its group memberships
ranger.usersync.ldap.user.nameattribute | cn | Yes | LDAP user name attribute
ranger.usersync.ldap.user.objectclass | person | Yes | LDAP user object class
ranger.usersync.ldap.user.searchbase | — | Yes | Search base for users
ranger.usersync.ldap.user.searchfilter | — | No | Optional additional filter constraining the users selected for syncing
ranger.usersync.ldap.user.searchscope | — | Yes | Search scope for users (sub, one or base)
ranger.usersync.group.searchenabled | — | No | Whether Usersync searches for groups with ldapsearch instead of relying on the group attributes of user entries
ranger.usersync.group.memberattributename | member | Yes | LDAP group member attribute name
ranger.usersync.group.nameattribute | cn | Yes | LDAP group name attribute
ranger.usersync.group.objectclass | groupofnames | Yes | LDAP group object class
ranger.usersync.group.searchbase | — | Yes | Search base for groups
ranger.usersync.group.searchfilter | — | No | Optional additional filter constraining the groups selected for syncing
ranger.usersync.group.searchscope | — | Yes | Search scope for groups (sub, one or base)

The ranger.usersync.ldap.binddn parameter sets the DN, including the common name (CN), of the LDAP account Usersync binds as to search for users and groups. Use a dedicated read-only account for this: it only needs search rights on the user and group subtrees. Check the example below.

cn=admin,dc=example,dc=com

The ranger.usersync.ldap.searchBase parameter is used to set the search base for users and groups. Multiple values can be separated with ; (semicolon). Check the example below.

dc=hadoop,dc=arenadata,dc=tech

The ranger.usersync.ldap.url parameter sets the URL of the LDAP server. Check the example below.

ldaps://localhost:8000
ldap://localhost:8080

Prefer ldaps:// (or another TLS-protected connection): over plain ldap:// the password of the bind user and every synced user and group attribute cross the network in cleartext.

The ranger.usersync.ldap.user.groupnameattribute parameter names the attribute of a user entry that lists the groups the user belongs to. It is used when group membership is taken from user entries rather than from a separate group search (that is, when ranger.usersync.group.searchenabled is not enabled). Check the example below.

memberOf in AD (or in OpenLDAP with the memberof overlay); isMemberOf in directories that provide that attribute

The ranger.usersync.ldap.user.nameattribute parameter sets the LDAP attribute used as the user name. Check the example below.

sAMAccountName in AD; uid or cn in OpenLDAP

The ranger.usersync.ldap.user.searchbase parameter sets the search base for users. Multiple values can be specified, separated with ; (semicolon).

CAUTION
The value of this parameter overrides the value specified in ranger.usersync.ldap.searchBase.

Check the example below.

ou=users,dc=hadoop,dc=arenadata,dc=tech
cn=users,dc=example,dc=com;ou=example1,ou=example2

The ranger.usersync.ldap.user.searchscope parameter specifies the user search scope. This parameter has three values:

  • base — only the entry specified as the search base in ranger.usersync.ldap.user.searchbase is included.

  • one — only the direct children of the entry specified as the search base in ranger.usersync.ldap.user.searchbase are included.

  • sub — the entry specified as the search base in ranger.usersync.ldap.user.searchbase and all of its descendants at any depth are included.

The ranger.usersync.group.searchbase is used to specify the group’s search base. Multiple values can be separated with ; (semicolon). If a value is not specified, it takes the value of ranger.usersync.ldap.searchBase. If ranger.usersync.ldap.searchBase is also not specified, it takes the value of ranger.usersync.ldap.user.searchbase.

CAUTION
The value of this parameter overrides the values specified in ranger.usersync.ldap.searchBase and ranger.usersync.ldap.user.searchbase.

Check the example below.

ou=groups,dc=hadoop,dc=apache,dc=org
ou=groups,DC=example,DC=com;ou=group1,ou=group2

The ranger.usersync.group.searchscope parameter specifies the group search scope. This parameter has three values:

  • base — only the entry specified as the search base in ranger.usersync.group.searchbase is included.

  • one — only the immediate children of the entry specified as the search base in ranger.usersync.group.searchbase are included.

  • sub — the entry specified as the search base in ranger.usersync.group.searchbase and all of its subordinates at any depth are included.
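The following is an added example, not Ranger or Arenadata code. It encodes the precedence rules stated above for ranger.usersync.ldap.searchBase, ranger.usersync.ldap.user.searchbase and ranger.usersync.group.searchbase (including the ; separator for multiple bases), and then shows which entries of a constructed directory a base, one or sub search from a given base returns. The directory entries are made up for the example, and DN matching is a simplified model (case-insensitive RDNs split on commas, no escaped-comma handling), not a real LDAP client; run a real ldapsearch with the same base and scope against your directory before saving the configuration.

```python
# Added example, not Ranger or Arenadata code: resolve the search bases usersync
# will use from the documented precedence rules, then show which entries of a
# constructed directory each search scope returns. DN handling is a simplified
# model (case-insensitive RDNs, split on commas, no escaped-comma support).


def split_bases(value):
    """Multiple bases are separated by ';'; blanks are ignored."""
    return [b.strip() for b in (value or "").split(";") if b.strip()]


def effective_bases(ldap_searchbase, user_searchbase, group_searchbase):
    """Return the bases actually used for the user and group searches.

    Users: user.searchbase if set, otherwise ldap.searchBase.
    Groups: group.searchbase, else ldap.searchBase, else user.searchbase.
    """
    users = split_bases(user_searchbase) or split_bases(ldap_searchbase)
    groups = (
        split_bases(group_searchbase)
        or split_bases(ldap_searchbase)
        or split_bases(user_searchbase)
    )
    return {"users": users, "groups": groups}


def rdns(dn):
    """Normalised RDN list, leaf first (simplified: no escaped commas)."""
    return [part.strip().lower() for part in dn.split(",") if part.strip()]


def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn is returned by a search from base_dn with the given scope."""
    entry, base = rdns(entry_dn), rdns(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False  # not beneath the base at all
    depth = len(entry) - len(base)
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope == "sub":
        return True
    raise ValueError(f"search scope must be base, one or sub, not {scope!r}")


def search(entries, bases, scope):
    """Entries visible from any of the bases; order preserved, no duplicates."""
    found = []
    for base in bases:
        for dn in entries:
            if in_scope(dn, base, scope) and dn not in found:
                found.append(dn)
    return found


# Constructed directory for the example (not real data).
DIRECTORY = [
    "ou=users,dc=hadoop,dc=arenadata,dc=tech",
    "uid=alice,ou=users,dc=hadoop,dc=arenadata,dc=tech",
    "uid=bob,ou=users,dc=hadoop,dc=arenadata,dc=tech",
    "uid=svc-ranger,ou=service,ou=users,dc=hadoop,dc=arenadata,dc=tech",
    "ou=groups,dc=hadoop,dc=arenadata,dc=tech",
    "cn=hadoop,ou=groups,dc=hadoop,dc=arenadata,dc=tech",
]

if __name__ == "__main__":
    bases = effective_bases("dc=hadoop,dc=arenadata,dc=tech",
                            "ou=users,dc=hadoop,dc=arenadata,dc=tech", "")
    for scope in ("base", "one", "sub"):
        print(scope, search(DIRECTORY, bases["users"], scope))
```

Two things the run makes visible: with scope base the search from ou=users returns only the ou entry itself and no users, and with scope one the service account under ou=service,ou=users is not synced; only sub reaches it.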

LDAP sync source for Ranger Admin authentication section

Select the LDAP sync source for Ranger Admin authentication radio button if you need LDAP or Active Directory authentication for Ranger Admin.

Figure: Configure LDAP sync source for Ranger Admin authentication

Check the table below to get additional information.

LDAP sync source for Ranger Admin authentication
Name | Default value | Required | Description
ranger.ldap.url | — | Yes | LDAP server URL
ranger.ldap.bind.dn | — | Yes | Full distinguished name (DN) of the bind user
ranger.ldap.bind.password | — | Yes | Password of the LDAP bind user; used for searching users
ranger.ldap.base.dn | — | Yes | Distinguished name at which directory server searches start. Used if the authentication method is LDAP
ranger.ldap.group.searchbase | — | Yes | LDAP group search base. Used if the authentication method is LDAP
ranger.ldap.group.searchfilter | — | Yes | LDAP group search filter. Used if the authentication method is LDAP
ranger.ldap.group.roleattribute | — | Yes | LDAP group role attribute. Used if the authentication method is LDAP
ranger.ldap.user.searchfilter | — | Yes | LDAP user search filter. Used if the authentication method is LDAP
ranger.ldap.user.dnpattern | — | Yes | Pattern of the DN used to bind as the user who is logging in; {0} is replaced by the login name. Used if the authentication method is LDAP
ranger.ldap.referral | ignore | Yes | Referral handling: ignore, follow or throw. Set to follow if multiple LDAP servers are configured to return continuation references for results

The ranger.ldap.url parameter specifies the URL of the LDAP server. Check the example below.

ldaps://localhost:8000
ldap://localhost:8080

The ranger.ldap.referral parameter is used if the authentication method is LDAP. This parameter has three values:

  • follow — use it if multiple LDAP servers are configured to return continuation references for results; the referrals are followed automatically;

  • ignore — use it if no referrals should be followed;

  • throw — the standard entries are returned to the enumeration first, then a ReferralException is thrown for the referrals and the application has to handle them.

MySQL configuration

Before starting the Ranger installation, you need to set a password for the root user in the MySQL database.

  1. Go to the CLUSTERS → <your_ADPS_cluster> → Services and click MySQL.

  2. In the Configuration window, set the password for the root user.

    Figure: Setting a password for the root user
  3. Click Save.

Import plugins

In this step, you need to connect the monitoring plugins to ADPS cluster.

  1. Go to the CLUSTERS → <your_ADPS_cluster> → Import window.

  2. Select Monitoring/Graphite and Monitoring/Grafana.

    Figure: Import of monitoring plugins
  3. Click Save.

Start the installation

NOTE
Before you start the installation, make sure there are no warnings left in the interface regarding the configuration of services.

  1. Go to the CLUSTERS window, click the green arrow and choose the Install action for the ADPS cluster.

  2. Click Run to confirm the installation.

    Figure: Verifying the action

Alternatively, you can install the ADPS services one by one from the CLUSTERS → <your_ADPS_cluster> → Services window, in the following order:

  1. Monitoring

  2. Zookeeper

  3. MySQL

  4. Solr

  5. Ranger

After the installation is completed, all components must have a valid status (highlighted in green).

Figure: Successful installation