Connecting to a Ranger host using SSL

This section describes how to connect to a Ranger host using Secure Sockets Layer (SSL) in Dremio.

Before adding the Hive source

  1. On all coordinator nodes, copy the keystore, truststore, and credentials files to a location accessible by the Dremio user (for example, the Dremio configuration directory). Verify that the paths to the truststore, keystore, and credentials files are correct and accessible by Dremio. The following conditions must be met:
    • These files are owned by the Dremio service user.
    • The file permission is set to read-only by owner (chmod 400).
  2. On all coordinator nodes, create a policymgr-ssl.xml file with appropriate paths to the keystore/truststore and credentials.
  3. Ensure that the ranger-hive-security.xml file doesn't exist within the Dremio configuration path.
  4. Ensure all files have the appropriate permissions.

Example policymgr-ssl.xml configuration

The following example is a policymgr-ssl.xml configuration based on ranger-policymgr-ssl.xml. If you use this sample configuration as a template, replace all the [path/to/...] entries with the full path. For example, replace [/path/to/keystore] with /etc/dremio/conf/keystore.jks.


  <configuration  xmlns:xi="http://www.w3.org/2001/XInclude">

    <property>
      <name>xasecure.policymgr.clientssl.keystore</name>
      <value>[/path/to/keystore].jks</value>
    </property>

    <property>
      <name>xasecure.policymgr.clientssl.keystore.credential.file</name>
      <value>jceks://file/[path/to/credentials].jceks</value>
    </property>

    <property>
      <name>xasecure.policymgr.clientssl.keystore.password</name>
      <value>crypted</value>
    </property>

    <property>
      <name>xasecure.policymgr.clientssl.truststore</name>
      <value>[/path/to/truststore].jks</value>
    </property>

    <property>
      <name>xasecure.policymgr.clientssl.truststore.credential.file</name>
      <value>jceks://file/[path/to/credentials].jceks</value>
    </property>

    <property>
      <name>xasecure.policymgr.clientssl.truststore.password</name>
      <value>crypted</value>
    </property>

  </configuration>
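
A pre-flight check for the steps above, as an added example (not part of the Dremio documentation or tooling): it reads the file paths from policymgr-ssl.xml and verifies ownership, mode 400, and the absence of ranger-hive-security.xml. The function names are hypothetical, GNU stat is assumed, and each <name> and <value> is expected on its own line as in the sample above.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Assumes GNU stat (Linux).

# Print the <value> that follows <name>$2</name> in the Hadoop-style XML file $1.
prop_value() {
  awk -v n="$2" '
    index($0, "<name>" n "</name>") { found = 1; next }
    found && /<value>/ { sub(/.*<value>/, ""); sub(/<\/value>.*/, ""); print; exit }
  ' "$1"
}

# Check one file: it exists, is owned by user $2, and has mode exactly 400.
check_file() {
  [ -f "$1" ] || { echo "MISSING  $1"; return 1; }
  f_owner=$(stat -c '%U' "$1")
  f_mode=$(stat -c '%a' "$1")
  [ "$f_owner" = "$2" ] || { echo "OWNER    $1 owned by $f_owner, expected $2"; return 1; }
  [ "$f_mode" = "400" ] || { echo "MODE     $1 is $f_mode, expected 400"; return 1; }
  echo "OK       $1"
}

# $1 = Dremio configuration directory, $2 = policymgr-ssl.xml, $3 = Dremio service user.
# Returns 0 only if every check passes.
check_ranger_ssl() {
  conf_dir=$1; ssl_xml=$2; svc_user=$3; rc=0
  if [ -e "$conf_dir/ranger-hive-security.xml" ]; then
    echo "PRESENT  $conf_dir/ranger-hive-security.xml must not exist"; rc=1
  fi
  [ -r "$ssl_xml" ] || { echo "MISSING  $ssl_xml"; return 1; }
  for key in keystore truststore keystore.credential.file truststore.credential.file; do
    path=$(prop_value "$ssl_xml" "xasecure.policymgr.clientssl.$key")
    path=${path#jceks://file}   # credential files are written as jceks://file/<absolute path>
    case $path in
      /*) check_file "$path" "$svc_user" || rc=1 ;;
      *)  echo "BADPATH  $key: '$path' is unset or not a full path"; rc=1 ;;
    esac
  done
  return $rc
}
```

Call check_ranger_ssl on each coordinator node with the configuration directory, the policymgr-ssl.xml path, and the service user name; a non-zero return means at least one check failed, and an unreplaced template placeholder is reported as BADPATH or MISSING.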

Configuring the Hive Source

When adding a Hive source to Dremio, configure the path to the policy manager configuration file:

  1. In the Dremio UI, navigate to the Advanced Options settings.
  2. Add the following property:
     Name:  ranger.plugin.hive.policy.rest.ssl.config.file
     Value: </path/to/policymgr.config>.xml

Troubleshooting

Access denied

Access may be denied when attempting to query a Hive data source under the following circumstances:

  • Ranger-based authorization is configured.
  • Dremio logs a "FileNotFoundException */xasecure-audit.xml (No such file or directory)" error.

This behavior is triggered within the Ranger plugin libraries when hdfs-site.xml, hive-site.xml, or hbase-site.xml are present in the Dremio configuration path.

To fix this environment issue, rename the ranger-hive-audit.xml configuration file generated by the Ranger Hive plugin installer to xasecure-audit.xml and copy it to the Dremio configuration path on all coordinator nodes.
