Connecting to a Ranger host using SSL
This section describes how to connect to a Ranger host using Secure Sockets Layer (SSL) in Dremio.
Before adding the Hive source
- On all coordinator nodes, copy the keystore, truststore, and credentials files to a location accessible by the Dremio user (for example, the Dremio configuration directory).
- On all coordinator nodes, create a policymgr-ssl.xml file with appropriate paths to the keystore/truststore and credentials.
- Ensure that the ranger-hive-security.xml file doesn't exist within the Dremio configuration path.
- Ensure all files have the appropriate permissions.
Example policymgr-ssl.xml configuration
The following example is a policymgr-ssl.xml configuration based on ranger-policymgr-ssl.xml.
If you use this sample configuration as a template, replace all the [path/to/...] entries with the full path. For example, replace [/path/to/keystore] with /etc/dremio/conf/keystore.jks.
<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
  <property>
    <name>xasecure.policymgr.clientssl.keystore</name>
    <value>[/path/to/keystore].jks</value>
  </property>
  <property>
    <name>xasecure.policymgr.clientssl.keystore.credential.file</name>
    <value>jceks://file/[path/to/credentials].jceks</value>
  </property>
  <property>
    <name>xasecure.policymgr.clientssl.keystore.password</name>
    <value>crypted</value>
  </property>
  <property>
    <name>xasecure.policymgr.clientssl.truststore</name>
    <value>[/path/to/truststore].jks</value>
  </property>
  <property>
    <name>xasecure.policymgr.clientssl.truststore.credential.file</name>
    <value>jceks://file/[path/to/credentials].jceks</value>
  </property>
  <property>
    <name>xasecure.policymgr.clientssl.truststore.password</name>
    <value>crypted</value>
  </property>
</configuration>
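A pre-flight check for the prerequisites listed above, added here as an example and not taken from Dremio or Ranger: it parses policymgr-ssl.xml and reports unreplaced template placeholders, missing or unreadable keystore/truststore/credential files, and a stray ranger-hive-security.xml. The function name, the default /etc/dremio/conf directory, and the reading of "appropriate permissions" as "no access for other users" are assumptions.

```python
import os, stat, sys
import xml.etree.ElementTree as ET

# Property names taken from the policymgr-ssl.xml example on this page.
PATH_PROPS = (
    "xasecure.policymgr.clientssl.keystore",
    "xasecure.policymgr.clientssl.keystore.credential.file",
    "xasecure.policymgr.clientssl.truststore",
    "xasecure.policymgr.clientssl.truststore.credential.file",
)
JCEKS_PREFIX = "jceks://file"

def check_ranger_ssl(conf_dir, ssl_config):
    """Return a list of problems found; an empty list means every check passed."""
    problems = []
    if os.path.exists(os.path.join(conf_dir, "ranger-hive-security.xml")):
        problems.append("ranger-hive-security.xml is present in " + conf_dir)
    try:
        root = ET.parse(ssl_config).getroot()
    except (OSError, ET.ParseError) as exc:
        return problems + ["cannot read %s: %s" % (ssl_config, exc)]
    props = {p.findtext("name", "").strip(): p.findtext("value", "").strip()
             for p in root.iter("property")}
    for name in PATH_PROPS:
        value = props.get(name)
        if not value:
            problems.append(name + ": property missing or empty")
            continue
        if "[" in value or "]" in value:
            problems.append(name + ": template placeholder not replaced")
            continue
        # jceks://file/etc/x.jceks refers to the local file /etc/x.jceks
        path = value[len(JCEKS_PREFIX):] if value.startswith(JCEKS_PREFIX) else value
        if not os.path.isabs(path):
            problems.append(name + ": not a full path: " + path)
        elif not os.access(path, os.R_OK):
            problems.append(name + ": missing or unreadable by this user: " + path)
        elif stat.S_IMODE(os.stat(path).st_mode) & 0o007:
            # Assumption: "appropriate permissions" means no access for "other".
            problems.append(name + ": accessible to other users: " + path)
    return problems

if __name__ == "__main__":
    # Run as the Dremio service user. The defaults are assumptions based on
    # the /etc/dremio/conf path used in this page's example.
    conf = sys.argv[1] if len(sys.argv) > 1 else "/etc/dremio/conf"
    cfg = sys.argv[2] if len(sys.argv) > 2 else os.path.join(conf, "policymgr-ssl.xml")
    print("\n".join(check_ranger_ssl(conf, cfg)) or "OK")
```

Run it on each coordinator node as the user the Dremio service runs under, so the readability check reflects what Dremio itself can open.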
Configuring the Hive Source
When adding a Hive source to Dremio, configure the path to the policy manager configuration file:
- In the Dremio UI, navigate to the Advanced Options settings.
- Add the following property:

| Name | Value |
|---|---|
| ranger.plugin.hive.policy.rest.ssl.config.file | </path/to/policymgr.config>.xml |
Troubleshooting
Access denied
Access may be denied when attempting to query a Hive data source under the following circumstances:
- Ranger-based authorization is configured.
- Dremio logs a "FileNotFoundException */xasecure-audit.xml (No such file or directory)" error.
This behavior is triggered within the Ranger plugin libraries when hdfs-site.xml, hive-site.xml, or hbase-site.xml are present in the Dremio configuration path.
To fix this environment issue, rename the ranger-hive-audit.xml configuration file generated by the Ranger Hive plugin installer to xasecure-audit.xml and copy it to the Dremio configuration path on all coordinator nodes.