Short Description:
Steps to be followed if Ranger uses Ambari Infra Solr enabled in SSL for audits.Article
Enable SSL for Ambari Infra Solr:
1) Create directory on Infra Solr node:
mkdir -p /etc/security/serverKeys cd /etc/security/serverKeys
2) Create Infra Solr keystore:
keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -keypass bigdata -storepass bigdata -validity 9999 -keystore infra.solr.keyStore.jks -ext SAN=DNS:{solr-hostname},IP:{solr-host-ip-address} -dname "CN={solr-hostname}, OU=Ambari, O=InfraSolr, L=Location, ST=State, C=Country"
3) Update the keystore file infra.solr.keyStore.jks ownership:
chown infra-solr:hadoop infra.solr.keyStore.jks
4) Update below properties from Ambari under Ambari Infra Config Tab in Advanced infra-solr-env section:
infra_solr_ssl_enabled (Enable SSL to Infra Solr) - true infra_solr_keystore_location (Infra Solr key store location) - /etc/security/serverKeys/infra.solr.keyStore.jks infra_solr_keystore_type (Infra Solr key store type) - jks infra_solr_keystore_password (Infra Solr key store password) - bigdata (Enter password given in -storepass argument while creating keystore) Here, using the same keystore as truststore. infra_solr_truststore_location (Infra Solr trust store location) - /etc/security/serverKeys/infra.solr.keyStore.jks infra_solr_truststore_type (Infra Solr trust store type) - jks infra_solr_truststore_password (Infra Solr truststore store password) - bigdata (Enter password given in -storepass argument while creating keystore)
5) (Optional, Ambari Infra Solr restart handles setting https urlScheme) Configure Infra Solr cluster properties in Zookeeper:
/usr/lib/ambari-infra-solr/server/scripts/cloud-scripts/zkcli.sh -zkhost {zookeeper-host}:2181/infra-solr -cmd clusterprop -name urlScheme -val https
6) Restart Ambari Infra Solr.
NOTE: For more detailed explanation on enabling solr in SSL refer: Enabling SSL
Configure Ranger and Ranger Plugins:
1) Create directory on Ranger node as well on Ranger Plugin node:
mkdir -p /etc/security/serverKeys cd /etc/security/serverKeys
2) Create solr-trust.cer file. Need to export infra.solr.keyStore.jks certificate into it:
keytool -export -keystore infra.solr.keyStore.jks -alias solr-ssl -file solr-trust.cer -storepass bigdata
3) Import Infra Solr certificate into JDK cacerts:
keytool -import -file solr-trust.cer -alias solr-trust -keystore {java_home_path}/jre/lib/security/cacerts -storepass changeit
4) Create Ranger truststore file having Infra Solr certificate:
keytool -import -file solr-trust.cer -alias solr-ranger-trust -keystore rangertruststore -storepass changeit
5) Update the ownership of Ranger truststore file and also update below properties from Ambari under Ranger service config tab in Advanced ranger-admin-site section
chown ranger:hadoop rangertruststore Properties: ranger.truststore.file - /etc/security/serverKeys/rangertruststore ranger.truststore.password - changeit (Enter the password given in -storepass argument while creating truststore)
6) For Ranger Plugin import Infra Solr certificate into JDK cacerts file on the node where Ranger Plugin is enabled:
keytool -import -file solr-trust.cer -alias solr-trust -keystore {java_home_path}/jre/lib/security/cacerts -storepass changeit
7) After updating properties Restart Ranger and Ranger Plugin supported Components.
Technically, step 3 and step 4 are mutually exclusive. If you're using the Java cacerts then you don't need to set up a truststore for Ranger and vice-versa.
If doing step 3, make sure you update the correct Java cacerts as the Ranger JVM is started with just the command 'java' (not the full path to java) so if you have both OpenJDK and Oracle JDK installed and your Hadoop JAVA_HOME is set to the Oracle JDK, Ranger will actually be started with OpenJDK if /etc/alternatives has not been updated.
Also, 'rangertruststore' should probably be called 'rangertruststore.jks' for consistency.
Contributors
