默认已安装ranger-admin和mysql服务。Ranger组件服务默认都在/opt/bigdata.test/core/ranger目录下安装。
-
- 解压安装包
[hadoop~]$ cd /opt/ranger
[hadoop@ ranger]$ tar -xzvf ranger-2.1.0-kms.tar.gz
[hadoop@x ranger]$ mv ranger-2.1.0-kms ranger/ranger-kms
-
- 修改install.properties
修改下列属性,没有出现的保持默认
[hadoop ranger-kms]$ more install.properties |grep -v "#"|grep -v ^$
PYTHON_COMMAND_INVOKER=python
DB_FLAVOR=MYSQL
SQL_CONNECTOR_JAR=/usr/share/java/mysql-connector-java.jar
db_root_user=root
db_root_password=xxxxx
db_host=-hadoop-0014:3318
#启用kerberos影响dbks-site.xml
db_name=rangerkms
db_user=rangerkms
db_password=xxxxx
ranger_kms_http_enabled=true
ranger_kms_https_keystore_file=
ranger_kms_https_keystore_keyalias=rangerkms
ranger_kms_https_keystore_password=
KMS_MASTER_KEY_PASSWD=Str0ngPassw0rd
kms_principal=rangerkms/x86-hadoop-0023.security.unicom@SECURITY.UNICOM
kms_keytab=/opt/key/rangerkms.keytab
hadoop_conf=/opt/hadoop/etc/hadoop/
#使用hadoop用户启动
unix_user=hadoop
unix_user_pwd=xxxxx
unix_group=hadoop
POLICY_MGR_URL=http://hadoop-0023:6080
REPOSITORY_NAME=kmsdev
SSL_KEYSTORE_FILE_PATH=/opt/ranger/kms/conf/ranger-plugin-keystore.jks
SSL_TRUSTSTORE_FILE_PATH=/opt/ranger/kms/conf/ranger-plugin-truststore.jks
RANGER_KMS_LOG_DIR=/opt/logs/ranger/kms
RANGER_KMS_PID_DIR_PATH=/opt/tmp/run/
-
- 运行 ./setup.sh 安装
使install.properties生效,在$RANGER_HOME/ranger-kms/ews/webapp/WEB-INF/classes/conf下生成kms-site.xml和dbks-site.xml具体配置文件。对应mysql库生成保存密钥的表;
可能会报没权限创建/etc/ranger 需要先创建该目录
之后授权给hadoop权限,需要mkdir /etc/ranger 之后chown hadoop.hadoop /etc/ranger
授权hadoop权限,
后续会自动生成如下目录
执行安装语句
[root@hadoop-0023 ranger-kms]# ./setup.sh
....
Ranger Plugin for kms has been enabled. Please restart kms to ensure that changes are effective.
Installation of Ranger KMS is completed.
[hadoop@x86-hadoop-0023 conf]$ mysql -uroot -pXXX
MariaDB [rangerkms]> show tables;
+---------------------+
| Tables_in_rangerkms |
+---------------------+
| ranger_keystore |
| ranger_masterkey |
+---------------------+
2 rows in set (0.00 sec)
-
- 修改kms-site.xml
配置kerberos认证相关属性以及代理用户;任意principal转换成kms做代理。
hadoop@hadoop-0023 ~]$ cat /opt/ranger/ranger-kms/ews/webapp/WEB-INF/classes/conf/kms-site.xml |grep -v "#"|grep -v ^$
<configuration>
<!-- KMS Backend KeyProvider -->
<property>
<name>hadoop.kms.key.provider.uri</name>
<value>dbks://http@hadoop-0023:9292/kms</value>
<!-- KMS Cache -->
<property>
<name>hadoop.kms.cache.enable</name>
<value>true</value>
</property>
<property>
<name>hadoop.kms.cache.timeout.ms</name>
<value>600000</value>
</property>
<property>
<name>hadoop.kms.current.key.cache.timeout.ms</name>
<value>30000</value>
</property>
<!-- KMS Audit -->
<property>
<name>hadoop.kms.audit.aggregation.window.ms</name>
<value>10000</value>
</property>
<!-- KMS Security -->
<property>
<name>hadoop.kms.authentication.type</name>
<value>kerberos</value>
</property>
<property>
<name>hadoop.kms.authentication.kerberos.keytab</name>
<value>/opt/key/rangerkms.keytab</value>
</property>
<property>
<name>hadoop.kms.authentication.kerberos.principal</name>
<value>HTTP/hadoop-0023@SECURITY</value>
</property>
<property>
<name>hadoop.kms.authentication.kerberos.name.rules</name>
<value>RULE:[2:$1@$0](.*@.*SECURITY)s/.*/rangerkms/
RULE:[1:$1@$0](.*@.*SECURITY)s/.*/rangerkms/
DEFAULT</value>
<description>
Rules used to resolve Kerberos principal names.
rangerkms是票据的名字不是安装用户的名字
</description>
</property>
<property>
<name>hadoop.kms.security.authorization.manager</name>
<value>org.apache.ranger.authorization.kms.authorizer.RangerKmsAuthorizer</value>
</property>
<property>
<name>hadoop.kms.proxyuser.rangeradmin.groups</name>
<value>*</value>
</property>
<property>
<name>hadoop.kms.proxyuser.rangeradmin.hosts</name>
<value>*</value>
</property>
<property>
<name>hadoop.kms.proxyuser.rangeradmin.users</name>
<value>*</value>
</property>
<property>
<name>hadoop.kms.proxyuser.rangerkms.groups</name>
<value>*</value>
</property>
<property>
<name>hadoop.kms.proxyuser.rangerkms.hosts</name>
<value>*</value>
</property>
<property>
<name>hadoop.kms.proxyuser.rangerkms.users</name>
<value>*</value>
</property>
</configuration>
-
- 修改hadoop的hdfs-sit.xml
cat hadoop/etc/hadoop/hdfs-site.xml
<property>
<name>dfs.encryption.zones.enabled</name>
<value>true</value>
</property>
<property>
<name>dfs.encryption.key.provider.uri</name>
<value>kms://http@hadoop-0023:9292/kms</value>
</property>
-
- 修改hadoop的core-site.xml
cat /opt/ranger/ranger-kms/ews/webapp/WEB-INF/classes/conf/core-site.xml |grep -v "#"|grep -v ^$
<property>
<name>hadoop.security.auth_to_local</name>
<value>
RULE:[2:$1@$0](keyadmin.*@.*SECURITY)s/.*/keyadmin/
RULE:[2:$1@$0](rangerkms.*@.*SECURITY)s/.*/rangerkms/
RULE:[2:$1@$0](rangeradmin.*@.*SECURITY)s/.*/rangeradmin/
DEFAULT
</value>
</property>
<!-- KMS Client Config -->
<property>
<name>hadoop.security.key.provider.path</name>
<value>kms://http@hadoop-0023:9292/kms</value>
<description>
The KeyProvider to use when interacting with encryption keys used
when reading and writing to an encryption zone.
</description>
<property>
<name>dfs.encryption.key.provider.uri</name>
<value>kms://http@hadoop-0023:9292/kms</value>
</property>
<!-- KMS Client Config -->
</property>
<property>
<name>hadoop.proxyuser.rangeradmin.users</name>
<value>*</value>
</property>
<property>
<name>hadoop.proxyuser.rangeradmin.groups</name>
<value>*</value>
</property>
<property>
<name>hadoop.proxyuser.rangeradmin.hosts</name>
<value>*</value>
</property>
<property>
<name>hadoop.proxyuser.keyadmin.users</name>
<value>*</value>
</property>
<property>
<name>hadoop.proxyuser.keyadmin.groups</name>
<value>*</value>
</property>
<property>
<name>hadoop.proxyuser.keyadmin.hosts</name>
<value>*</value>
</property>
<property>
<name>hadoop.proxyuser.hadoop.users</name>
<value>*</value>
</property>
<property>
<name>hadoop.proxyuser.hadoop.groups</name>
<value>*</value>
</property>
<property>
<name>hadoop.proxyuser.hadoop.hosts</name>
<value>*</value>
</property>
<property>
<name>hadoop.kms.proxyuser.rangerkms.groups</name>
<value>*</value>
</property>
<property>
<name>hadoop.kms.proxyuser.rangerkms.hosts</name>
<value>*</value>
</property>
<property>
<name>hadoop.kms.proxyuser.rangerkms.users</name>
<value>*</value>
</property>
注释:
hadoop.security.key.provider.path 指定的是密钥提供者的类路径,是 Hadoop 通用安全配置的一部分。
dfs.encryption.key.provider.uri 指定的是 HDFS 加密密钥提供者的具体 URI,是 HDFS 加密配置的一部分。
由于这两个参数分别服务于不同的配置目的和层次,因此它们不应该被合并。合并这两个参数可能会导致配置混乱、功能失效或安全问题。
-
- 配置 ranger-kms-site.xml
cat ranger/ranger-kms/ews/webapp/WEB-INF/classes/conf/ranger-kms-site.xml |grep -v "#" |grep -v ^$
<property>
<name>ranger.service.host</name>
<value>hadoop-0023</value>
</property>
<property>
<name>ranger.service.http.port</name>
<value>9292</value>
</property>
-
- 启动Ranger-KMS服务
[hadoop@hadoop-0023 ranger-kms]$ ranger-kms start
[hadoop@hadoop-0023 ranger-kms]$ ranger-kms stop
[hadoop@hadoop-0023 ranger-kms]$ ranger-kms restart