Comments on Open Source Security: Securing Apache Hadoop Distributed File System (HDFS) - part VI
Blog author: Colm O hEigeartaigh

Comment posted 2017-06-08T07:41:23.888-07:00:
Hi,

To ensure that the KMS service configured in Part IV [1] of this tutorial works after we have enabled Kerberos please follow the following steps:

Change the following properties in "kms-site.xml" as follows:
("kms-site.xml" file can be found at {$ranger-kms-home}/ews/webapp/WEB-INF/classes/conf/kms-site.xml)

hadoop.kms.authentication.type=kerberos
hadoop.kms.authentication.kerberos.keytab={$PATH-TO_THE_KEYTABS_FROM_PART_V[2]}/target/keyadmin.keytab
hadoop.kms.authentication.kerberos.principal={set it to "*" or "HTTP/localhost"}

change property "hadoop.kms.proxyuser.ranger.groups" to "hadoop.kms.proxyuser.keyadmin.groups"
change property "hadoop.kms.proxyuser.ranger.hosts" to "hadoop.kms.proxyuser.keyadmin.hosts"
change property "hadoop.kms.proxyuser.ranger.users" to "hadoop.kms.proxyuser.keyadmin.users"

For all three properties set value - "*" (without the quotes). If the properties are not there then add them.

Stop both ranger-admin and ranger-kms.
Start ranger-admin and then ranger-kms.

Now you should be able to get "Connection Successful" for the kmsdev service when you log into the ranger admin UI using keyadmin/keyadmin. You have to change username/password of the service to be - keyadmin@hadoop.apache.org/keyadmin.

You should also be able to retrieve the keys created for this service under keymanager.

[1] https://coheigea.blogspot.ca/2017/04/securing-apache-hadoop-distributed-file_26.html
[2] https://coheigea.blogspot.ca/2017/05/securing-apache-hadoop-distributed-file.html

Thanks
Shabir

Posted by shabirmean

Comment posted 2017-05-31T17:14:43.011-07:00:
Was able to solve the issue.

I was having two versions of the ranger-admin setup and was making the changes explained in this tutorial to the one which was not actually getting executed.

It all works well now.

Thanks!!

Posted by shabirmean

Comment posted 2017-05-31T17:12:07.549-07:00:

This comment has been removed by the author.

Posted by shabirmean

Comment posted 2017-05-31T11:56:33.039-07:00:
Hi,

I have followed this tutorial in the following order:

1. I have completed the Hadoop setup as described in Part 1
2. Enabled Ranger plugin as explained in Part 2
3. Skipped Part 3 & 4 & 5 and setup as required in the SASL tutorial
4. Finally did the changes mentioned here.

However, still "Test Connection" fails in my setup with the following error:

Connection Failed.
Unable to retrieve any files using given parameters, You can still save the repository and start creating policies, but you would not be able to use autocomplete for resource names. Check ranger_admin.log for more info.

org.apache.ranger.plugin.client.HadoopException: Unable to login to Hadoop environment [HDFSTest].
Unable to login to Hadoop environment [HDFSTest].
Login failure for admin using password ************.
Client not found in Kerberos database (6) - Client not found in Kerberos database.
Identifier doesn't match expected value (906).

Also, since I have skipped Part 3 my HDFS Service in ranger admin is "HDFSTest" and not "cl1_hadoop".

Should I make that change too?

Your help will be much appreciated.
Thank You
Shabir

Posted by shabirmean