
Configuration to plug Indexima with Ranger

Ranger is a framework to enable, monitor, and manage comprehensive data security across the Hadoop platform.

Setup an Indexima CLUSTER

Deploy the jar files

Download the packaged Ranger plug-in available here. Choose the plugin version that matches the Indexima version you are currently running.

  • If you're installing on HDP 2, choose the following driver: indexima-installer-ranger-VERSION_NUMBER.zip
  • If you're installing on HDP 3.1, choose the following driver: indexima-installer-ranger-hdp3-VERSION_NUMBER.zip

Unzip it in the INDEXIMA MASTER destination. This package contains the following files:

galactica    file
conf         galactica.conf.template
             ranger.indexima.audit.xml.template
             ranger.indexima.security.xml.template
lib          galactica-plugin-ranger-client-0.0.1.jar
             httpmime-4.5.6.jar
             noggit-0.8.jar
             ranger-plugins-audit-0.7.0.jar
             ranger-plugins-common-0.7.0.jar
             (used for Rule’s synchronization, every 30 sec)
plug-in      galactica-plugin-ranger-server-0.0.1.tar.gz

Make sure your distribution has the following libraries installed in the galactica/lib directory:

  • galactica-plugin-ranger-client-0.0.1.jar
  • httpmime-4.5.6.jar
  • noggit-0.8.jar
  • ranger-plugins-audit-0.7.0.jar
  • ranger-plugins-common-0.7.0.jar

and the following files in the galactica root directory:

  • galactica.conf.template
  • ranger.indexima.audit.xml.template
  • ranger.indexima.security.xml.template

Parameter

This page uses the parameter <Ranger_Service_Name>. In most cases, an administrator would choose the value indexima.

Adapt Indexima's Configuration

Ranger Plugin usage by the engine

Modify your conf/galactica.conf with the following properties:

galactica.conf

SQL
# parameters for Ranger plugin
privilege.driver.name=io.galactica.ranger.client.RangerIndeximaDriver
# The Ranger GUI will use the following parameters to display the service name
privilege.driver.property.servicetype=<Ranger_Service_Name>
privilege.driver.property.appid=<Ranger_Service_Name>

Ranger Plugin usage within the Hadoop cluster

Modify your conf/galactica.conf with the following properties:

galactica.conf

SQL
# Include the system user used to run Indexima process as Admin user of indexima
users.in.admin.role=Indexima_Process_User

Connecting to the Ranger server

Untemplate & adapt file names

Enable the connection with the Ranger server by editing the file conf/ranger-indexima-security.xml

BASH
cp ranger.indexima.audit.xml.template ranger.<Ranger_Service_Name>.audit.xml
cp ranger.indexima.security.xml.template ranger.<Ranger_Service_Name>.security.xml

Configure ranger-indexima-security.xml

Set the following property in ranger-indexima-security.xml so that it points to your Ranger server.

URL to Ranger Admin

ranger-indexima-security.xml

XML
<property>
	<name>ranger.plugin.indexima.policy.rest.url</name>
	<value>http://localhost:6080</value>
	<description>URL to Ranger Admin</description>
</property>

Service name & misc

ranger-indexima-security.xml

XML
<property>
	<name>ranger.plugin.<Ranger_Service_Name>.service.name</name>
	<value>indexima</value>
	<description>Name of the Ranger service containing policies for this YARN instance</description>
</property>

<property>
	<name>ranger.plugin.indexima.policy.cache.dir</name>
	<value>./policycache</value>
	<description>Directory where Ranger policies are cached after successful retrieval from the source</description>
</property>

<property>
	<name>ranger.plugin.indexima.policy.pollIntervalMs</name>
	<value>30000</value>
	<description>How often to poll for changes in policies?</description>
</property>


Parameter Name                              Description
ranger.plugin.indexima.policy.cache.dir     keeps persistent Ranger rules.
ranger.plugin.indexima.service.name         specifies the service name, which is indexima by default

Additional setup for connecting a Standalone Indexima cluster to a Ranger in a Hadoop environment

Connection to an SSL secured Ranger in a Kerberised environment

Prerequisites

You need to have a Kerberos environment configured on your machine.

Firewall rules must allow data flow between the Ranger server machine and the Indexima cluster.

Configure ranger-indexima-security.xml

A template file ranger-indexima-security.xml.template is provided with the plugin.

You need to specify the location of your Ranger server (property ranger.plugin.indexima.policy.rest.url).

Configure ranger-policy-mgr-ssl.xml

If your Ranger server is configured with SSL, you will need to provide a ranger-policy-mgr-ssl.xml file.

ranger-indexima-security.xml

XML
<configuration>
	<property>
  		<name>xasecure.policymgr.clientssl.keystore</name>
  		<value>...<your-path-here>.../rangerssl/ranger-plugin-keystore.jks</value>
	</property>

	<property>
  		<name>xasecure.policymgr.clientssl.keystore.credential.file</name>
  		<value>jceks://file/...<your-path-here>.../rangerssl/client.jceks</value>
	</property>

	<property>
  		<name>xasecure.policymgr.clientssl.keystore.password</name>
  		<value>PASSWORD</value>
	</property>

	<property>
  		<name>xasecure.policymgr.clientssl.truststore</name>
  		<value>...<your-path-here>.../rangerssl/ranger-plugin-truststore.jks</value>
	</property>

	<property>
  		<name>xasecure.policymgr.clientssl.truststore.credential.file</name>
  		<value>jceks://file/...<your-path-here>.../rangerssl/trust.jceks</value>
	</property>

	<property>
  		<name>xasecure.policymgr.clientssl.truststore.password</name>
  		<value>PASSWORD</value>
	</property>
</configuration>
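A preflight check for the two XML files configured above, as an added example that is not part of the Indexima documentation or plugin: it reports template placeholders left in place (the angle-bracket ones also make the file unparseable) and a mismatch between the scheme of policy.rest.url and the presence of SSL settings. The function names, host name and paths in the sample input are constructed for illustration, and `service` stands for the value you substituted for <Ranger_Service_Name>.

```python
import re
import xml.etree.ElementTree as ET

# Template placeholders shown on the page; left in place they break XML parsing or ship a dummy secret.
PLACEHOLDER = re.compile(r"<Ranger_Service_Name>|<your-path-here>|>PASSWORD<")

def load_properties(xml_text):
    """Parse a Hadoop-style <configuration> document into {name: value}."""
    props = ET.fromstring(xml_text).iter("property")
    return {(p.findtext("name") or "").strip(): (p.findtext("value") or "").strip()
            for p in props}

def preflight(security_xml, ssl_xml=None, service="indexima"):
    """Findings list (empty = pass); `service` replaces <Ranger_Service_Name> (assumption)."""
    findings = [f"{label}: unsubstituted placeholder {m.group(0)!r}"
                for label, text in (("security", security_xml), ("ssl", ssl_xml or ""))
                for m in PLACEHOLDER.finditer(text)]
    if findings:
        return findings  # angle-bracket placeholders are not parseable XML
    sec = load_properties(security_xml)
    prefix = f"ranger.plugin.{service}."
    url = sec.get(prefix + "policy.rest.url", "")
    if not url:
        findings.append(f"security: {prefix}policy.rest.url is not set")
    elif url.startswith("https://") and ssl_xml is None:
        findings.append("ssl: https Ranger URL but no ranger-policy-mgr-ssl.xml given")
    elif url.startswith("http://") and ssl_xml is not None:
        findings.append("security: SSL file given but policy.rest.url is http://")
    if not sec.get(prefix + "service.name"):
        findings.append(f"security: {prefix}service.name is not set")
    if ssl_xml is not None:
        ssl = load_properties(ssl_xml)
        for store in ("keystore", "truststore"):
            key = f"xasecure.policymgr.clientssl.{store}"
            if not ssl.get(key):
                findings.append(f"ssl: {key} is not set")
    return findings

def _conf(props):  # builds constructed sample input, not a real deployment
    body = "".join(f"<property><name>{k}</name><value>{v}</value></property>"
                   for k, v in props.items())
    return f"<configuration>{body}</configuration>"

SEC_HTTP = _conf({"ranger.plugin.indexima.policy.rest.url": "http://ranger.example.internal:6080",
                  "ranger.plugin.indexima.service.name": "indexima"})
SSL_OK = _conf({"xasecure.policymgr.clientssl.keystore": "/opt/rangerssl/ranger-plugin-keystore.jks",
                "xasecure.policymgr.clientssl.truststore": "/opt/rangerssl/ranger-plugin-truststore.jks"})
TEMPLATE = _conf({"ranger.plugin.<Ranger_Service_Name>.service.name": "indexima"})
print(preflight(TEMPLATE), preflight(SEC_HTTP, SSL_OK), sep="\n")
```

To check a real installation, read the two files from the conf directory and pass their contents to `preflight`.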

start-node.sh Configuration 

Configure start-node.sh in order to use jaas.conf (the debug option is not mandatory)

CODE
NODESERVER_JVM_OPTIONS="-Dsun.security.krb5.debug=true -Djava.security.auth.login.config=./conf/jaas.conf"

Jaas.conf configuration

Add or modify the following parameters:

  • required principal
  • keyTab
CODE
com.sun.security.jgss.initiate {
	com.sun.security.auth.module.Krb5LoginModule required
	principal="XXX@YOUR_DOMAIN.COM"
	keyTab="/path/XXX.keytab"
	useKeyTab=true
	storeKey=true
	debug=true;
};
com.sun.security.jgss.krb5.initiate {
	com.sun.security.auth.module.Krb5LoginModule required
	principal="XXX@YOUR_DOMAIN.COM"
	keyTab="/path/XXX.keytab"
	useKeyTab=true
	storeKey=true
	debug=true;
};