Setup Ranger to use Ambari Infra Solr enabled in SSL

Article by mvaradkar · Apr 12, 2017 at 12:51 PM · edited · Apr 12, 2017 at 12:23 PM

Short Description:

Steps to follow when Ranger uses an SSL-enabled Ambari Infra Solr for audits.

Article

Enable SSL for Ambari Infra Solr:

1) Create a directory on the Infra Solr node:

mkdir -p /etc/security/serverKeys
cd /etc/security/serverKeys

2) Create the Infra Solr keystore:

keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -keypass bigdata -storepass bigdata -validity 9999 -keystore infra.solr.keyStore.jks -ext SAN=DNS:{solr-hostname},IP:{solr-host-ip-address} -dname "CN={solr-hostname}, OU=Ambari, O=InfraSolr, L=Location, ST=State, C=Country"

3) Update the ownership of the keystore file infra.solr.keyStore.jks:

chown infra-solr:hadoop infra.solr.keyStore.jks

4) In Ambari, update the following properties on the Ambari Infra Config tab, in the Advanced infra-solr-env section:

infra_solr_ssl_enabled (Enable SSL to Infra Solr) - true
infra_solr_keystore_location (Infra Solr key store location) - /etc/security/serverKeys/infra.solr.keyStore.jks
infra_solr_keystore_type (Infra Solr key store type) - jks
infra_solr_keystore_password (Infra Solr key store password) - bigdata (Enter password given in -storepass argument while creating keystore)

Here, the same keystore is also used as the truststore:
infra_solr_truststore_location (Infra Solr trust store location) - /etc/security/serverKeys/infra.solr.keyStore.jks
infra_solr_truststore_type (Infra Solr trust store type) - jks
infra_solr_truststore_password (Infra Solr truststore store password) - bigdata (Enter password given in -storepass argument while creating keystore)

5) (Optional; restarting Ambari Infra Solr already sets the https urlScheme) Configure the Infra Solr cluster properties in ZooKeeper:

/usr/lib/ambari-infra-solr/server/scripts/cloud-scripts/zkcli.sh -zkhost {zookeeper-host}:2181/infra-solr -cmd clusterprop -name urlScheme -val https

6) Restart Ambari Infra Solr.

NOTE: For a more detailed explanation of enabling SSL for Solr, refer to: Enabling SSL

Configure Ranger and Ranger Plugins:

1) Create a directory on the Ranger node as well as on each Ranger Plugin node:

mkdir -p /etc/security/serverKeys
cd /etc/security/serverKeys

2) Create the solr-trust.cer file by exporting the certificate from infra.solr.keyStore.jks into it:

keytool -export -keystore infra.solr.keyStore.jks -alias solr-ssl -file solr-trust.cer -storepass bigdata

3) Import the Infra Solr certificate into the JDK cacerts:

keytool -import -file solr-trust.cer -alias solr-trust -keystore {java_home_path}/jre/lib/security/cacerts -storepass changeit

4) Create a Ranger truststore file containing the Infra Solr certificate:

keytool -import -file solr-trust.cer -alias solr-ranger-trust -keystore rangertruststore -storepass changeit

5) Update the ownership of the Ranger truststore file, then update the following properties in Ambari on the Ranger service Config tab, in the Advanced ranger-admin-site section:

chown ranger:hadoop rangertruststore

Properties:
ranger.truststore.file - /etc/security/serverKeys/rangertruststore
ranger.truststore.password - changeit (Enter the password given in -storepass argument while creating truststore)

6) For the Ranger Plugin, import the Infra Solr certificate into the JDK cacerts file on the node where the Ranger Plugin is enabled:

keytool -import -file solr-trust.cer -alias solr-trust -keystore {java_home_path}/jre/lib/security/cacerts -storepass changeit

7) After updating the properties, restart Ranger and the Ranger Plugin supported components.

Terry Stebbens · Sep 19, 2017 at 10:29 PM

Technically, step 3 and step 4 are mutually exclusive. If you're using the Java cacerts then you don't need to set up a truststore for Ranger and vice-versa.

If doing step 3, make sure you update the correct Java cacerts as the Ranger JVM is started with just the command 'java' (not the full path to java) so if you have both OpenJDK and Oracle JDK installed and your Hadoop JAVA_HOME is set to the Oracle JDK, Ranger will actually be started with OpenJDK if /etc/alternatives has not been updated.

Also, 'rangertruststore' should probably be called 'rangertruststore.jks' for consistency.
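
The mismatch described in the comment above (a bare 'java' resolving through /etc/alternatives to a different JDK than JAVA_HOME) can be checked before running keytool -import. The following shell functions are an added example, not part of the original article or comment; the function names and the temporary two-JDK directory layout are constructed for illustration.

```shell
#!/usr/bin/env bash
# Print the resolved cacerts path of the JVM behind a java executable.
# $1: path to a java binary, possibly a symlink chain through /etc/alternatives.
cacerts_for_java() {
    local real home candidate
    real=$(readlink -f "$1") || return 1
    home=${real%/bin/java}              # strip the trailing /bin/java
    [ "$home" != "$real" ] || return 1  # not a .../bin/java path
    # JDK 8 keeps the store under jre/lib/security, JDK 9+ under lib/security.
    for candidate in "$home/lib/security/cacerts" "$home/jre/lib/security/cacerts"; do
        if [ -e "$candidate" ]; then
            readlink -f "$candidate"    # the store itself may be a symlink
            return 0
        fi
    done
    return 1
}

# Compare the store behind the java found on PATH with the one under JAVA_HOME.
# $1: java binary as the service would start it, $2: JAVA_HOME used for keytool.
# Returns 0 if both are the same file, 1 if they differ, 2 if either is unresolved.
check_cacerts_target() {
    local a b
    a=$(cacerts_for_java "$1") || { echo "unresolved: $1"; return 2; }
    b=$(cacerts_for_java "$2/bin/java") || { echo "unresolved: $2"; return 2; }
    if [ "$a" = "$b" ]; then echo "same: $a"; return 0; fi
    echo "different: java uses $a, JAVA_HOME has $b"
    return 1
}

# Constructed layout for the demo: two JDKs, with "java" on PATH pointing at
# OpenJDK through an alternatives-style symlink while JAVA_HOME is the other JDK.
make_constructed_layout() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/oracle-jdk/bin" "$root/oracle-jdk/jre/lib/security" \
             "$root/openjdk/jre/bin" "$root/openjdk/jre/lib/security" \
             "$root/alternatives" "$root/usr-bin"
    touch "$root/oracle-jdk/bin/java" "$root/oracle-jdk/jre/lib/security/cacerts" \
          "$root/openjdk/jre/bin/java" "$root/openjdk/jre/lib/security/cacerts"
    ln -s "$root/openjdk/jre/bin/java" "$root/alternatives/java"
    ln -s "$root/alternatives/java" "$root/usr-bin/java"
    echo "$root"
}

root=$(make_constructed_layout)
check_cacerts_target "$root/usr-bin/java" "$root/oracle-jdk" || true
# On a real node: check_cacerts_target "$(command -v java)" "$JAVA_HOME"
```

A "different" result means the certificate imported under JAVA_HOME would not be in the store that the running service reads.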
