Connecting to a Ranger host using SSL

This section describes how to connect to a Ranger host using Secure Sockets Layer (SSL) in Dremio.

Before adding the Hive source

  1. On all coordinator nodes, copy the keystore, truststore, and credentials files to a location accessible by the Dremio user (for example, the Dremio configuration directory).
  2. On all coordinator nodes, create a policymgr-ssl.xml file with appropriate paths to the keystore/truststore and credentials.
  3. Ensure that the ranger-hive-security.xml file doesn't exist within the Dremio configuration path.
  4. Ensure all files have the appropriate permissions.

Example policymgr-ssl.xml configuration

The following example is a policymgr-ssl.xml configuration based on ranger-policymgr-ssl.xml. If you use this sample configuration as a template, replace all the [path/to/...] entries with the full path. For example, replace [/path/to/keystore] with /etc/dremio/conf/keystore.jks.


  <configuration xmlns:xi="http://www.w3.org/2001/XInclude">

    <property>
      <name>xasecure.policymgr.clientssl.keystore</name>
      <value>[/path/to/keystore].jks</value>
    </property>

    <property>
      <name>xasecure.policymgr.clientssl.keystore.credential.file</name>
      <value>jceks://file/[path/to/credentials].jceks</value>
    </property>

    <property>
      <name>xasecure.policymgr.clientssl.keystore.password</name>
      <value>crypted</value>
    </property>

    <property>
      <name>xasecure.policymgr.clientssl.truststore</name>
      <value>[/path/to/truststore].jks</value>
    </property>

    <property>
      <name>xasecure.policymgr.clientssl.truststore.credential.file</name>
      <value>jceks://file/[path/to/credentials].jceks</value>
    </property>

    <property>
      <name>xasecure.policymgr.clientssl.truststore.password</name>
      <value>crypted</value>
    </property>

  </configuration>
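
A pre-flight check for steps 1 to 4 above, run against the finished policymgr-ssl.xml. This is an added example, not part of Dremio or Ranger. It assumes the script is run as the Dremio service user and that "appropriate permissions" means no access for other users; the function names are hypothetical.

```python
import os
import stat
import sys
import xml.etree.ElementTree as ET

PREFIX = "xasecure.policymgr.clientssl."
FILE_KEYS = ("keystore", "keystore.credential.file",
             "truststore", "truststore.credential.file")

def local_path(value):
    """Map a jceks://file/... provider URI to the local path it names."""
    scheme = "jceks://file"
    return value[len(scheme):] if value.startswith(scheme) else value

def check_ranger_ssl(conf_dir, ssl_file="policymgr-ssl.xml"):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # Step 3: this file must not exist in the Dremio configuration path.
    if os.path.exists(os.path.join(conf_dir, "ranger-hive-security.xml")):
        findings.append("ranger-hive-security.xml exists in " + conf_dir)
    cfg = os.path.join(conf_dir, ssl_file)
    try:
        root = ET.parse(cfg).getroot()
    except (OSError, ET.ParseError) as exc:
        return findings + [f"cannot read {cfg}: {exc}"]
    props = {(p.findtext("name") or "").strip(): (p.findtext("value") or "").strip()
             for p in root.iter("property")}
    for key in FILE_KEYS:
        name, value = PREFIX + key, props.get(PREFIX + key, "")
        if not value:
            findings.append(f"{name} is not set")
        elif "[" in value or "]" in value:
            findings.append(f"{name} still holds a template placeholder: {value}")
        elif not os.path.isfile(local_path(value)):
            findings.append(f"{name}: {local_path(value)} does not exist")
        elif not os.access(local_path(value), os.R_OK):
            findings.append(f"{name}: {local_path(value)} is not readable")
        # Assumed policy: key material must not be accessible to "other".
        elif stat.S_IMODE(os.stat(local_path(value)).st_mode) & 0o007:
            findings.append(f"{name}: {local_path(value)} is accessible to other users")
    return findings

if __name__ == "__main__":
    # Run as the Dremio service user, e.g.: check.py /etc/dremio/conf
    problems = check_ranger_ssl(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("\n".join(problems) or "all checks passed")
    sys.exit(1 if problems else 0)
```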

Configuring the Hive Source

When adding a Hive source to Dremio, configure the path to the policy manager configuration file:

  1. In the Dremio UI, navigate to the Advanced Options settings.
  2. Add the following property:
     Name:  ranger.plugin.hive.policy.rest.ssl.config.file
     Value: </path/to/policymgr.config>.xml

Troubleshooting

Access denied

Access may be denied when you attempt to query a Hive data source under the following circumstances:

  • Ranger Based authorization is configured.
  • Dremio logs a "FileNotFoundException */xasecure-audit.xml (No such file or directory)" error.

This behavior is triggered within the Ranger plugin libraries when hdfs-site.xml, hive-site.xml, or hbase-site.xml are present in the Dremio configuration path.

To fix this environment issue, rename the ranger-hive-audit.xml configuration file generated by the Ranger Hive plugin installer to xasecure-audit.xml and copy it to the Dremio configuration path on all coordinator nodes.
