Skip to main content
Version: 24.3.x

Connecting to a Ranger host using SSL

This section describes how to connect a Ranger host using Secure Socket Layer (SSL) in Dremio.

Before adding the Hive source

  1. On all coordinator nodes, copy the keystore, truststore, and credentials files to a location accessible by the Dremio user, such as the Dremio configuration directory. Be sure to verify that the paths to the truststore, keystore, and credentials files are correct and accessible by Dremio. It is important that the following conditions are met:

    • These files are owned by the Dremio service user.
    • The file permission is to read-only by owner (chmod 400).
  2. On all coordinator nodes, create a policymgr-ssl.xml file with appropriate paths to the keystore/truststore and credentials.

  3. Ensure that the ranger-hive-security.xml file doesn't exist within the Dremio configuration path.

  4. Ensure all files have the appropriate permissions.

Example policymgr-ssl.xml configuration

The following example is a policymgr-ssl.xml configuration based on ranger-policymgr-ssl.xml. If you use this sample configuration as a template, replace all the [path/to/...] entries with the full path. For example, replace [/path/to/keystore] with /etc/dremio/conf/keystore.jks.

Example policymgr-ssl.xml configuration

<configuration xmlns:xi="http://www.w3.org/2001/XInclude">

<property>
<name>xasecure.policymgr.clientssl.keystore</name>
<value>[/path/to/keystore].jks</value>
</property>

<property>
<name>xasecure.policymgr.clientssl.keystore.credential.file</name>
<value>jceks://file/[path/to/credentials].jceks</value>
</property>

<property>
<name>xasecure.policymgr.clientssl.keystore.password</name>
<value>crypted</value>
</property>

<property>
<name>xasecure.policymgr.clientssl.truststore</name>
<value>[/path/to/truststore].jks</value>
</property>

<property>
<name>xasecure.policymgr.clientssl.truststore.credential.file</name>
<value>jceks://file/[path/to/credentials].jceks</value>
</property>

<property>
<name>xasecure.policymgr.clientssl.truststore.password</name>
<value>crypted</value>
</property>

</configuration>

Configuring the Hive Source

When adding a Hive source to Dremio, configure the path to the policy manager configuration file:

  1. In the Dremio UI, navigate to the Advanced Options settings.
  2. Add the following property:
NameValue
ranger.plugin.hive.policy.rest.ssl.config.file</path/to/policymgr.config>.xml

Troubleshooting

Access Denied

If access is denied when attempting to query a Hive data source under the following circumstances:

  • Ranger Based authorization is configured.
  • Dremio logs a "FileNotFoundException */xasecure-audit.xml (No such file or directory)" error.

This behavior is triggered within the Ranger plugin libraries when hdfs-site.xml or hive-site.xml are present in the Hive plugin's configuration path (eg a sub-directory under <dremio-root>/plugins/connectors/<**hive-plugin-id**>. See Hive Configuration for more details).

To fix this environment issue, rename the ranger-hive-audit.xml configuration file generated by the Ranger Hive plugin installer to xasecure-audit.xml and copy it to the Dremio configuration path on all coordinator nodes.

Keystore or Password Error in a Kubernetes Deployment

When you deploy the SSL keystore, truststore, and credentials files to a Kubernetes deployment of Dremio, the certificates are installed with the default file permissions 777 and the default filesystem owner and group root:root. As a result, the SSL configuration fails with the following error:

Keystore or Password Error
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect

To resolve the problem, deploy the keystore, truststore, and credentials files to a permanent volume, set the file permissions to 400 (read-only by owner), and set the filesystem owner and group to dremio:dremio.

For More Information