Enabling Dremio Ranger SSL with Kerberos
This topic covers how to use SSL when setting up a Hive data source using Ranger Authorization in Dremio.
Requirements
To enable SSL with Ranger, you will need to create the following files using the Java keytool:
<keystore name>.jks→ (ranger-hive-keystore.jks)<truststore name>.jks→ (ranger-hive-truststore.jks)<credentials name>.jceks→ (cred.jceks)
See the following links for more information:
- Hadoop documentation for creating a credentials file
- Hortonworks documentation for generating keystore/truststore
Creating self-signed keys for testing purposes
This section describes several methods used to create self-signed keys.
Creating the credentials file from scratch using hadoop tool chain
hadoop credential create sslKeyStore -value <password> -provider localjceks://file/<path/to/cred>.jceks
hadoop credential create sslTrustStore -value <password> -provider localjceks://file/<path/to/cred>.jceks
Creating the keystore using Java keytool
keytool -genkey -keyalg RSA -alias rangeradmin -keystore </path/to/keystore>.jks -storepass <password> -keysize 2048 -validity <length in days>
The Hortonworks documentation mentions that when the keytool asks for your first and last name you should use the FQDN of the site (i.e example.com). All other fields should be left blank (you provided the password as an input to the keytool).
Creating the truststore using Java keytool
keytool -export -alias rangeradmin -keystore </path/to/keystore>.jks -file <path/to/keystore>.cer
keytool -import -file </path/to/keystore>.cer -alias rangeradmin -keystore </path/to/truststore>.jks -storepass <password>
The Hortonworks documentation mentions that when the keytool asks for your first and last name you should use the FQDN of the site (i.e example.com). All other fields should be left blank (you provided the password as an input to the keytool).
Enabling SSL in Ranger-Admin
Copy the generated files to a directory accessible by the ranger-admin and ensure the right permissions are set (ranger user should own them, chmod 400).
Useful links:
Leave ranger.service.https.attrib.clientAuth and ranger.service.https.attrib.client.auth set to false.
In summary, set the following keys to the ranger-admin-site.xml file and restart ranger-admin.:
| key | value | notes |
|---|---|---|
| ranger.https.attrib.keystore.file | </path/to/keystore>.jks | You may need to add this key to the custom ranger-admin-site settings |
| ranger.service.https.attrib.keystore.keyalias | rangeradmin | |
| ranger.service.https.attrib.keystore.pass | <password> | |
| ranger.service.https.attrib.ssl.enabled | true | |
| ranger.service.https.port | 6182 | |
| ranger.externalurl | https://<url>:6182 | |
| ranger.service.http.enabled | false |
- The default settings for ranger-usersync and ranger-tagsync should work.
- The ranger-tagsync setting can have some issues if tag-based-policy testing isn't being done then this service can just be disabled.
Connecting to a Ranger host using SSL in Dremio
See Configuring Ambari Ranger SSL for more information.
- Copy the keystore, truststore, and credentials files to a location accessible by the Dremio user (i.e. the Dremio configuration directory) on all coordinator nodes
- Create policymgr-ssl.xml with appropriate paths to the keystore/truststore and credentials on all coordinator nodes
- Verify that the ranger-hive-security.xml file does not exist within the Dremio configuration path.
- Ensure all files have the appropriate permissions.
- In Dremio under the Hive data source Advanced Options tab, add the
ranger.plugin.hive.policy.rest.ssl.config.fileproperty with the</path/to/policymgr.config>.xmlvalue
Example policymgr-ssl.xml configuration (based on ranger-policymgr-ssl.xml):
<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
<property>
<name>xasecure.policymgr.clientssl.keystore</name>
<value>[/path/to/keystore].jks</value>
</property>
<property>
<name>xasecure.policymgr.clientssl.keystore.credential.file</name>
<value>jceks://file/[path/to/credentials].jceks</value>
</property>
<property>
<name>xasecure.policymgr.clientssl.keystore.password</name>
<value>crypted</value>
</property>
<property>
<name>xasecure.policymgr.clientssl.truststore</name>
<value>[/path/to/truststore].jks</value>
</property>
<property>
<name>xasecure.policymgr.clientssl.truststore.credential.file</name>
<value>jceks://file/[path/to/credentials].jceks</value>
</property>
<property>
<name>xasecure.policymgr.clientssl.truststore.password</name>
<value>crypted</value>
</property>
</configuration>
Replace all the [path/to/...] entries with the full path (ie [/path/to/keystore] → /etc/dremio/conf/keystore.jks).
Configuring Dremio service principal for use in Kerberized Ranger
This section provides the steps necessary for configuring Kerberos for Dremio.
The only additional step necessary to interact with a Kerberized Ranger instance is to ensure the Dremio user (the user associated with the Dremio principal) is configured as an Admin within Ranger. This is done through the Ranger Admin UI by going to the User/Groups page and finding the Dremio user, editing it, and selecting the 'admin' role for that user.
Troubleshooting
Keystore or Password Error in a Kubernetes Deployment
When you deploy the SSL keystore, truststore, and credentials files to a Kubernetes deployment of Dremio, the certificates are installed with the default file permissions 777 and the default filesystem owner and group root:root. As a result, the SSL configuration fails with the following error:
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
To resolve the problem, deploy the keystore, truststore, and credentials files to a permanent volume, set the file permissions to 400 (read-only by owner), and set the filesystem owner and group to dremio:dremio.