ranger-kms安装 - 技术栈

默认已安装ranger-admin和mysql服务。Ranger组件服务默认都在/opt/bigdata.test/core/ranger目录下安装。

1. 解压安装包

[hadoop~]$ cd /opt/ranger

[hadoop@ ranger]$ tar -xzvf ranger-2.1.0-kms.tar.gz

[hadoop@x ranger]$ mv ranger-2.1.0-kms ranger/ranger-kms

1. 修改install.properties

修改下列属性，没有出现的保持默认

[hadoop ranger-kms]$ more install.properties |grep -v "#"|grep -v ^$

PYTHON_COMMAND_INVOKER=python

DB_FLAVOR=MYSQL

SQL_CONNECTOR_JAR=/usr/share/java/mysql-connector-java.jar

db_root_user=root

db_root_password=xxxxx

db_host=-hadoop-0014:3318

#启用kerberos影响dbks-site.xml

db_name=rangerkms

db_user=rangerkms

db_password=xxxxx

ranger_kms_http_enabled=true

ranger_kms_https_keystore_file=

ranger_kms_https_keystore_keyalias=rangerkms

ranger_kms_https_keystore_password=

KMS_MASTER_KEY_PASSWD=Str0ngPassw0rd

kms_principal=rangerkms/x86-hadoop-0023.security.unicom@SECURITY.UNICOM

kms_keytab=/opt/key/rangerkms.keytab

hadoop_conf=/opt/hadoop/etc/hadoop/

#使用hadoop用户启动

unix_user=hadoop

unix_user_pwd=xxxxx

unix_group=hadoop

POLICY_MGR_URL=http://hadoop-0023:6080

REPOSITORY_NAME=kmsdev

SSL_KEYSTORE_FILE_PATH=/opt/ranger/kms/conf/ranger-plugin-keystore.jks

SSL_TRUSTSTORE_FILE_PATH=/opt/ranger/kms/conf/ranger-plugin-truststore.jks

RANGER_KMS_LOG_DIR=/opt/logs/ranger/kms

RANGER_KMS_PID_DIR_PATH=/opt/tmp/run/

1. 运行 ./setup.sh 安装

使install.properties生效，在$RANGER_HOME/ranger-kms/ews/webapp/WEB-INF/classes/conf下生成kms-site.xml和dbks-site.xml具体配置文件。对应mysql库生成保存密钥的表；

可能会报没权限创建/etc/ranger 需要先创建该目录

之后授权给hadoop权限,需要mkdir /etc/ranger 之后chown hadoop.hadoop /etc/ranger

授权hadoop权限,

后续会自动生成如下目录

执行安装语句

[root@hadoop-0023 ranger-kms]# ./setup.sh

....

Ranger Plugin for kms has been enabled. Please restart kms to ensure that changes are effective.

Installation of Ranger KMS is completed.

[hadoop@x86-hadoop-0023 conf]$ mysql -uroot -pXXX

MariaDB [rangerkms]> show tables;

+---------------------+

| Tables_in_rangerkms |

+---------------------+

| ranger_keystore |

| ranger_masterkey |

+---------------------+

2 rows in set (0.00 sec)

1. 修改kms-site.xml

配置kerberos认证相关属性以及代理用户；任意principal转换成kms做代理。

hadoop@hadoop-0023 ~]$ cat /opt/ranger/ranger-kms/ews/webapp/WEB-INF/classes/conf/kms-site.xml |grep -v "#"|grep -v ^$

<name>hadoop.kms.key.provider.uri</name>

<value>dbks://http@hadoop-0023:9292/kms</value>

<name>hadoop.kms.cache.enable</name>

</property>

<name>hadoop.kms.cache.timeout.ms</name>

</property>

<name>hadoop.kms.current.key.cache.timeout.ms</name>

</property>

<name>hadoop.kms.audit.aggregation.window.ms</name>

</property>

<name>hadoop.kms.authentication.type</name>

<value>kerberos</value>

</property>

<name>hadoop.kms.authentication.kerberos.keytab</name>

<value>/opt/key/rangerkms.keytab</value>

</property>

<name>hadoop.kms.authentication.kerberos.principal</name>

<value>HTTP/hadoop-0023@SECURITY</value>

</property>

<name>hadoop.kms.authentication.kerberos.name.rules</name>

<value>RULE:[2:$1@$0](.*@.*SECURITY)s/.*/rangerkms/

RULE:[1:$1@$0](.*@.*SECURITY)s/.*/rangerkms/

DEFAULT</value>

Rules used to resolve Kerberos principal names.

rangerkms是票据的名字不是安装用户的名字

</description>

</property>

<name>hadoop.kms.security.authorization.manager</name>

<value>org.apache.ranger.authorization.kms.authorizer.RangerKmsAuthorizer</value>

</property>

<name>hadoop.kms.proxyuser.rangeradmin.groups</name>

</property>

<name>hadoop.kms.proxyuser.rangeradmin.hosts</name>

</property>

<name>hadoop.kms.proxyuser.rangeradmin.users</name>

</property>

<name>hadoop.kms.proxyuser.rangerkms.groups</name>

</property>

<name>hadoop.kms.proxyuser.rangerkms.hosts</name>

</property>

<name>hadoop.kms.proxyuser.rangerkms.users</name>

</property>

</configuration>

1. 修改hadoop的hdfs-sit.xml

cat hadoop/etc/hadoop/hdfs-site.xml

<name>dfs.encryption.zones.enabled</name>

</property>

<name>dfs.encryption.key.provider.uri</name>

<value>kms://http@hadoop-0023:9292/kms</value>

</property>

1. 修改hadoop的core-site.xml

cat /opt/ranger/ranger-kms/ews/webapp/WEB-INF/classes/conf/core-site.xml |grep -v "#"|grep -v ^$

<name>hadoop.security.auth_to_local</name>

<value>

RULE:[2:$1@$0](keyadmin.*@.*SECURITY)s/.*/keyadmin/

RULE:[2:$1@$0](rangerkms.*@.*SECURITY)s/.*/rangerkms/

RULE:[2:$1@$0](rangeradmin.*@.*SECURITY)s/.*/rangeradmin/

DEFAULT

</value>

</property>

<name>hadoop.security.key.provider.path</name>

<value>kms://http@hadoop-0023:9292/kms</value>

The KeyProvider to use when interacting with encryption keys used

when reading and writing to an encryption zone.

</description>

<name>dfs.encryption.key.provider.uri</name>

<value>kms://http@hadoop-0023:9292/kms</value>

</property>

</property>

<name>hadoop.proxyuser.rangeradmin.users</name>

</property>

<name>hadoop.proxyuser.rangeradmin.groups</name>

</property>

<name>hadoop.proxyuser.rangeradmin.hosts</name>

</property>

<name>hadoop.proxyuser.keyadmin.users</name>

</property>

<name>hadoop.proxyuser.keyadmin.groups</name>

</property>

<name>hadoop.proxyuser.keyadmin.hosts</name>

</property>

<name>hadoop.proxyuser.hadoop.users</name>

</property>

<name>hadoop.proxyuser.hadoop.groups</name>

</property>

<name>hadoop.proxyuser.hadoop.hosts</name>

</property>

<name>hadoop.kms.proxyuser.rangerkms.groups</name>

</property>

<name>hadoop.kms.proxyuser.rangerkms.hosts</name>

</property>

<name>hadoop.kms.proxyuser.rangerkms.users</name>

</property>

注释：

hadoop.security.key.provider.path 指定的是密钥提供者的类路径，是 Hadoop 通用安全配置的一部分。

dfs.encryption.key.provider.uri 指定的是 HDFS 加密密钥提供者的具体 URI，是 HDFS 加密配置的一部分。

由于这两个参数分别服务于不同的配置目的和层次，因此它们不应该被合并。合并这两个参数可能会导致配置混乱、功能失效或安全问题。

1. 配置 ranger-kms-site.xml

cat ranger/ranger-kms/ews/webapp/WEB-INF/classes/conf/ranger-kms-site.xml |grep -v "#" |grep -v ^$

<name>ranger.service.host</name>

<value>hadoop-0023</value>

</property>

<name>ranger.service.http.port</name>

</property>

1. 启动Ranger-KMS服务

[hadoop@hadoop-0023 ranger-kms]$ ranger-kms start

[hadoop@hadoop-0023 ranger-kms]$ ranger-kms stop

[hadoop@hadoop-0023 ranger-kms]$ ranger-kms restart