Connecting to a Ranger host using SSL
This section describes how to connect to a Ranger host using Secure Socket Layer (SSL) in Dremio.
Before adding the Hive source
- On all coordinator nodes, copy the keystore, truststore, and credentials files to a location accessible by the Dremio user, such as the Dremio configuration directory. Verify that the paths to the truststore, keystore, and credentials files are correct and accessible by Dremio. The following conditions must be met:
  - These files are owned by the Dremio service user.
  - The file permission is read-only by owner (chmod 400).
- On all coordinator nodes, create a policymgr-ssl.xml file with the appropriate paths to the keystore/truststore and credentials.
- Ensure that the ranger-hive-security.xml file doesn't exist within the Dremio configuration path.
- Ensure all files have the appropriate permissions.
Example policymgr-ssl.xml configuration
The following example is a policymgr-ssl.xml configuration based on ranger-policymgr-ssl.xml. If you use this sample configuration as a template, replace all the [path/to/...] entries with the full path. For example, replace [/path/to/keystore] with /etc/dremio/conf/keystore.jks.
<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
  <property>
    <name>xasecure.policymgr.clientssl.keystore</name>
    <value>[/path/to/keystore].jks</value>
  </property>
  <property>
    <name>xasecure.policymgr.clientssl.keystore.credential.file</name>
    <value>jceks://file/[path/to/credentials].jceks</value>
  </property>
  <property>
    <name>xasecure.policymgr.clientssl.keystore.password</name>
    <value>crypted</value>
  </property>
  <property>
    <name>xasecure.policymgr.clientssl.truststore</name>
    <value>[/path/to/truststore].jks</value>
  </property>
  <property>
    <name>xasecure.policymgr.clientssl.truststore.credential.file</name>
    <value>jceks://file/[path/to/credentials].jceks</value>
  </property>
  <property>
    <name>xasecure.policymgr.clientssl.truststore.password</name>
    <value>crypted</value>
  </property>
</configuration>
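A pre-flight check for the preconditions listed above, written for this page as an added example (it is not Dremio's own tooling). It assumes the policymgr-ssl.xml layout shown above, where each property's <name> is followed by its <value>, a POSIX sh and find(1); the config file, Dremio configuration directory and expected owner are passed as arguments.

```shell
# Added pre-flight check for the Ranger SSL files on a coordinator; not Dremio's own tooling.
# Assumes the policymgr-ssl.xml layout shown above (each <name> followed by its <value>), POSIX sh and find(1).

# ranger_prop <file> <property-name>: print the <value> that follows the given <name>.
ranger_prop() {
  awk -v n="$2" '
    index($0, "<name>" n "</name>") { want = 1 }
    want && match($0, /<value>[^<]*<\/value>/) { print substr($0, RSTART + 7, RLENGTH - 15); exit }
  ' "$1"
}

# check_ranger_ssl_files <policymgr-ssl.xml> <dremio-conf-dir> <expected-owner>
# Returns 0 only if every keystore/truststore/credential file in the config exists, is owned by
# <expected-owner> with mode 400, has no "[...]" placeholder left, and ranger-hive-security.xml is absent.
check_ranger_ssl_files() {
  conf="$1"; confdir="$2"; owner="$3"; rc=0
  [ -r "$conf" ] || { echo "missing: $conf" >&2; return 1; }
  if [ -e "$confdir/ranger-hive-security.xml" ]; then
    echo "ranger-hive-security.xml must not exist in $confdir" >&2; rc=1
  fi
  for prop in xasecure.policymgr.clientssl.keystore xasecure.policymgr.clientssl.keystore.credential.file \
              xasecure.policymgr.clientssl.truststore xasecure.policymgr.clientssl.truststore.credential.file; do
    path=$(ranger_prop "$conf" "$prop")
    path=${path#jceks://file}   # credential files are written as jceks://file/<path>
    case "$path" in
      "")    echo "$prop is not set" >&2; rc=1; continue ;;
      *"["*) echo "$prop still holds a placeholder: $path" >&2; rc=1; continue ;;
    esac
    [ -f "$path" ] || { echo "$prop: $path not found" >&2; rc=1; continue; }
    # find prints the path only when it is owned by $owner and its mode is exactly 0400
    if [ -z "$(find "$path" -prune -user "$owner" -perm 400 -print 2>/dev/null)" ]; then
      echo "$prop: $path must be owned by $owner with mode 400" >&2; rc=1
    fi
  done
  return "$rc"
}

# write_sample_config <out-file> <keystore> <truststore> <credentials>: constructed config for a dry run.
write_sample_config() {
  cat > "$1" <<EOF
<configuration>
  <property><name>xasecure.policymgr.clientssl.keystore</name><value>$2</value></property>
  <property><name>xasecure.policymgr.clientssl.keystore.credential.file</name><value>jceks://file$4</value></property>
  <property><name>xasecure.policymgr.clientssl.truststore</name><value>$3</value></property>
  <property><name>xasecure.policymgr.clientssl.truststore.credential.file</name><value>jceks://file$4</value></property>
</configuration>
EOF
}
```

Run it on each coordinator as `check_ranger_ssl_files /etc/dremio/conf/policymgr-ssl.xml /etc/dremio/conf dremio`; a non-zero exit lists every unmet condition on stderr.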
Configuring the Hive Source
When adding a Hive source to Dremio, configure the path to the policy manager configuration file:
- In the Dremio UI, navigate to the Advanced Options settings.
- Add the following property:

Name | Value
---|---
ranger.plugin.hive.policy.rest.ssl.config.file | </path/to/policymgr.config>.xml
Troubleshooting
Access Denied
Access may be denied when attempting to query a Hive data source under the following circumstances:
- Ranger-based authorization is configured.
- Dremio logs a "FileNotFoundException */xasecure-audit.xml (No such file or directory)" error.
This behavior is triggered within the Ranger plugin libraries when hdfs-site.xml or hive-site.xml is present in the Hive plugin's configuration path (for example, a sub-directory under <dremio-root>/plugins/connectors/<hive-plugin-id>; see Hive Configuration for more details).
To fix this environment issue, rename the ranger-hive-audit.xml configuration file generated by the Ranger Hive plugin installer to xasecure-audit.xml and copy it to the Dremio configuration path on all coordinator nodes.
Keystore or Password Error in a Kubernetes Deployment
When you deploy the SSL keystore, truststore, and credentials files to a Kubernetes deployment of Dremio, the certificates are installed with the default file permissions 777 and the default filesystem owner and group root:root. As a result, the SSL configuration fails with the following error:
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
To resolve the problem, deploy the keystore, truststore, and credentials files to a permanent volume, set the file permissions to 400 (read-only by owner), and set the filesystem owner and group to dremio:dremio.