ranger-kms安装

默认已安装ranger-admin和mysql服务。Ranger组件服务默认都在/opt/bigdata.test/core/ranger目录下安装。

    1. 解压安装包

[hadoop~]$ cd /opt/ranger

[hadoop@ ranger]$ tar -xzvf ranger-2.1.0-kms.tar.gz

[hadoop@x ranger]$ mv ranger-2.1.0-kms ranger/ranger-kms

    1. 修改install.properties

修改下列属性,没有出现的保持默认

[hadoop ranger-kms]$ more install.properties |grep -v "#"|grep -v ^$

PYTHON_COMMAND_INVOKER=python

DB_FLAVOR=MYSQL

SQL_CONNECTOR_JAR=/usr/share/java/mysql-connector-java.jar

db_root_user=root

db_root_password=xxxxx

db_host=-hadoop-0014:3318

#启用kerberos影响dbks-site.xml

db_name=rangerkms

db_user=rangerkms

db_password=xxxxx

ranger_kms_http_enabled=true

ranger_kms_https_keystore_file=

ranger_kms_https_keystore_keyalias=rangerkms

ranger_kms_https_keystore_password=

KMS_MASTER_KEY_PASSWD=Str0ngPassw0rd

kms_principal=rangerkms/x86-hadoop-0023.security.unicom@SECURITY.UNICOM

kms_keytab=/opt/key/rangerkms.keytab

hadoop_conf=/opt/hadoop/etc/hadoop/

#使用hadoop用户启动

unix_user=hadoop

unix_user_pwd=xxxxx

unix_group=hadoop

POLICY_MGR_URL=http://hadoop-0023:6080

REPOSITORY_NAME=kmsdev

SSL_KEYSTORE_FILE_PATH=/opt/ranger/kms/conf/ranger-plugin-keystore.jks

SSL_TRUSTSTORE_FILE_PATH=/opt/ranger/kms/conf/ranger-plugin-truststore.jks

RANGER_KMS_LOG_DIR=/opt/logs/ranger/kms

RANGER_KMS_PID_DIR_PATH=/opt/tmp/run/

    1. 运行 ./setup.sh 安装

使install.properties生效,在$RANGER_HOME/ranger-kms/ews/webapp/WEB-INF/classes/conf下生成kms-site.xml和dbks-site.xml具体配置文件。对应mysql库生成保存密钥的表;

可能会报没权限创建/etc/ranger 需要先创建该目录

之后授权给hadoop权限,需要mkdir /etc/ranger 之后chown hadoop.hadoop /etc/ranger

授权hadoop权限,

后续会自动生成如下目录

执行安装语句

[root@hadoop-0023 ranger-kms]# ./setup.sh

....

Ranger Plugin for kms has been enabled. Please restart kms to ensure that changes are effective.

Installation of Ranger KMS is completed.

[hadoop@x86-hadoop-0023 conf]$ mysql -uroot -pXXX

MariaDB [rangerkms]> show tables;

+---------------------+

| Tables_in_rangerkms |

+---------------------+

| ranger_keystore |

| ranger_masterkey |

+---------------------+

2 rows in set (0.00 sec)

    1. 修改kms-site.xml

配置kerberos认证相关属性以及代理用户;任意principal转换成kms做代理。

hadoop@hadoop-0023 ~]$ cat /opt/ranger/ranger-kms/ews/webapp/WEB-INF/classes/conf/kms-site.xml |grep -v "#"|grep -v ^$

<configuration>

<!-- KMS Backend KeyProvider -->

<property>

<name>hadoop.kms.key.provider.uri</name>

<value>dbks://http@hadoop-0023:9292/kms</value>

<!-- KMS Cache -->

<property>

<name>hadoop.kms.cache.enable</name>

<value>true</value>

</property>

<property>

<name>hadoop.kms.cache.timeout.ms</name>

<value>600000</value>

</property>

<property>

<name>hadoop.kms.current.key.cache.timeout.ms</name>

<value>30000</value>

</property>

<!-- KMS Audit -->

<property>

<name>hadoop.kms.audit.aggregation.window.ms</name>

<value>10000</value>

</property>

<!-- KMS Security -->

<property>

<name>hadoop.kms.authentication.type</name>

<value>kerberos</value>

</property>

<property>

<name>hadoop.kms.authentication.kerberos.keytab</name>

<value>/opt/key/rangerkms.keytab</value>

</property>

<property>

<name>hadoop.kms.authentication.kerberos.principal</name>

<value>HTTP/hadoop-0023@SECURITY</value>

</property>

<property>

<name>hadoop.kms.authentication.kerberos.name.rules</name>

<value>RULE:[2:$1@$0](.*@.*SECURITY)s/.*/rangerkms/

RULE:[1:$1@$0](.*@.*SECURITY)s/.*/rangerkms/

DEFAULT</value>

<description>

Rules used to resolve Kerberos principal names.

rangerkms是票据的名字不是安装用户的名字

</description>

</property>

<property>

<name>hadoop.kms.security.authorization.manager</name>

<value>org.apache.ranger.authorization.kms.authorizer.RangerKmsAuthorizer</value>

</property>

<property>

<name>hadoop.kms.proxyuser.rangeradmin.groups</name>

<value>*</value>

</property>

<property>

<name>hadoop.kms.proxyuser.rangeradmin.hosts</name>

<value>*</value>

</property>

<property>

<name>hadoop.kms.proxyuser.rangeradmin.users</name>

<value>*</value>

</property>

<property>

<name>hadoop.kms.proxyuser.rangerkms.groups</name>

<value>*</value>

</property>

<property>

<name>hadoop.kms.proxyuser.rangerkms.hosts</name>

<value>*</value>

</property>

<property>

<name>hadoop.kms.proxyuser.rangerkms.users</name>

<value>*</value>

</property>

</configuration>

    1. 修改hadoop的hdfs-sit.xml

cat hadoop/etc/hadoop/hdfs-site.xml

<property>

<name>dfs.encryption.zones.enabled</name>

<value>true</value>

</property>

<property>

<name>dfs.encryption.key.provider.uri</name>

<value>kms://http@hadoop-0023:9292/kms</value>

</property>

    1. 修改hadoop的core-site.xml

cat /opt/ranger/ranger-kms/ews/webapp/WEB-INF/classes/conf/core-site.xml |grep -v "#"|grep -v ^$

<property>

<name>hadoop.security.auth_to_local</name>

<value>

RULE:[2:$1@$0](keyadmin.*@.*SECURITY)s/.*/keyadmin/

RULE:[2:$1@$0](rangerkms.*@.*SECURITY)s/.*/rangerkms/

RULE:[2:$1@$0](rangeradmin.*@.*SECURITY)s/.*/rangeradmin/

DEFAULT

</value>

</property>

<!-- KMS Client Config -->

<property>

<name>hadoop.security.key.provider.path</name>

<value>kms://http@hadoop-0023:9292/kms</value>

<description>

The KeyProvider to use when interacting with encryption keys used

when reading and writing to an encryption zone.

</description>

<property>

<name>dfs.encryption.key.provider.uri</name>

<value>kms://http@hadoop-0023:9292/kms</value>

</property>

<!-- KMS Client Config -->

</property>

<property>

<name>hadoop.proxyuser.rangeradmin.users</name>

<value>*</value>

</property>

<property>

<name>hadoop.proxyuser.rangeradmin.groups</name>

<value>*</value>

</property>

<property>

<name>hadoop.proxyuser.rangeradmin.hosts</name>

<value>*</value>

</property>

<property>

<name>hadoop.proxyuser.keyadmin.users</name>

<value>*</value>

</property>

<property>

<name>hadoop.proxyuser.keyadmin.groups</name>

<value>*</value>

</property>

<property>

<name>hadoop.proxyuser.keyadmin.hosts</name>

<value>*</value>

</property>

<property>

<name>hadoop.proxyuser.hadoop.users</name>

<value>*</value>

</property>

<property>

<name>hadoop.proxyuser.hadoop.groups</name>

<value>*</value>

</property>

<property>

<name>hadoop.proxyuser.hadoop.hosts</name>

<value>*</value>

</property>

<property>

<name>hadoop.kms.proxyuser.rangerkms.groups</name>

<value>*</value>

</property>

<property>

<name>hadoop.kms.proxyuser.rangerkms.hosts</name>

<value>*</value>

</property>

<property>

<name>hadoop.kms.proxyuser.rangerkms.users</name>

<value>*</value>

</property>

注释:

hadoop.security.key.provider.path 指定的是密钥提供者的类路径,是 Hadoop 通用安全配置的一部分。

dfs.encryption.key.provider.uri 指定的是 HDFS 加密密钥提供者的具体 URI,是 HDFS 加密配置的一部分。

由于这两个参数分别服务于不同的配置目的和层次,因此它们不应该被合并。合并这两个参数可能会导致配置混乱、功能失效或安全问题。

    1. 配置 ranger-kms-site.xml

cat ranger/ranger-kms/ews/webapp/WEB-INF/classes/conf/ranger-kms-site.xml |grep -v "#" |grep -v ^$

<property>

<name>ranger.service.host</name>

<value>hadoop-0023</value>

</property>

<property>

<name>ranger.service.http.port</name>

<value>9292</value>

</property>

    1. 启动Ranger-KMS服务

[hadoop@hadoop-0023 ranger-kms]$ ranger-kms start

[hadoop@hadoop-0023 ranger-kms]$ ranger-kms stop

[hadoop@hadoop-0023 ranger-kms]$ ranger-kms restart

相关推荐
冰帝海岸40 分钟前
01-spring security认证笔记
java·笔记·spring
世间万物皆对象1 小时前
Spring Boot核心概念:日志管理
java·spring boot·单元测试
没书读了2 小时前
ssm框架-spring-spring声明式事务
java·数据库·spring
小二·2 小时前
java基础面试题笔记(基础篇)
java·笔记·python
开心工作室_kaic2 小时前
ssm161基于web的资源共享平台的共享与开发+jsp(论文+源码)_kaic
java·开发语言·前端
懒洋洋大魔王2 小时前
RocketMQ的使⽤
java·rocketmq·java-rocketmq
武子康2 小时前
Java-06 深入浅出 MyBatis - 一对一模型 SqlMapConfig 与 Mapper 详细讲解测试
java·开发语言·数据仓库·sql·mybatis·springboot·springcloud
转世成为计算机大神3 小时前
易考八股文之Java中的设计模式?
java·开发语言·设计模式
小江村儿的文杰3 小时前
XCode Build时遇到 .entitlements could not be opened 的问题
ide·macos·ue4·xcode
qq_327342733 小时前
Java实现离线身份证号码OCR识别
java·开发语言