This is an automated email from the ASF dual-hosted git repository.
madhan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 4dc7a1856 RANGER-3978: Docker setup for Ranger KMS
4dc7a1856 is described below
commit 4dc7a185685b096d7b2dc2625ac4eb8fce8250cd
Author: Madhan Neethiraj <[email protected]>
AuthorDate: Tue Nov 22 00:41:15 2022 -0800
RANGER-3978: Docker setup for Ranger KMS
---
dev-support/ranger-docker/.dockerignore | 1 +
dev-support/ranger-docker/Dockerfile.ranger-kms | 59 ++++++
.../ranger-docker/docker-compose.ranger-kms.yml | 30 +++
.../scripts/create-ranger-services.py | 7 +
.../scripts/ranger-kms-install-mysql.properties | 225 +++++++++++++++++++++
.../scripts/ranger-kms-install-postgres.properties | 225 +++++++++++++++++++++
dev-support/ranger-docker/scripts/ranger-kms.sh | 48 +++++
7 files changed, 595 insertions(+)
diff --git a/dev-support/ranger-docker/.dockerignore
b/dev-support/ranger-docker/.dockerignore
index 282c456d8..3568d85d7 100644
--- a/dev-support/ranger-docker/.dockerignore
+++ b/dev-support/ranger-docker/.dockerignore
@@ -2,6 +2,7 @@
!config
!dist/version
!dist/ranger-*-admin.tar.gz
+!dist/ranger-*-kms.tar.gz
!dist/ranger-*-usersync.tar.gz
!dist/ranger-*-tagsync.tar.gz
!dist/ranger-*-hdfs-plugin.tar.gz
diff --git a/dev-support/ranger-docker/Dockerfile.ranger-kms
b/dev-support/ranger-docker/Dockerfile.ranger-kms
new file mode 100644
index 000000000..4cf8b9d73
--- /dev/null
+++ b/dev-support/ranger-docker/Dockerfile.ranger-kms
@@ -0,0 +1,59 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+ARG RANGER_DB_TYPE
+
+FROM ranger-base:latest AS ranger-kms
+
+ARG RANGER_VERSION
+ARG RANGER_DB_TYPE
+
+COPY ./dist/version /home/ranger/dist/
+COPY ./dist/ranger-${RANGER_VERSION}-kms.tar.gz /home/ranger/dist/
+
+COPY ./scripts/ranger-kms.sh
${RANGER_SCRIPTS}/
+COPY ./scripts/ranger-kms-install-${RANGER_DB_TYPE}.properties
${RANGER_SCRIPTS}/ranger-kms-install.properties
+
+RUN tar xvfz /home/ranger/dist/ranger-${RANGER_VERSION}-kms.tar.gz
--directory=${RANGER_HOME} && \
+ ln -s ${RANGER_HOME}/ranger-${RANGER_VERSION}-kms ${RANGER_HOME}/kms && \
+ rm -f /home/ranger/dist/ranger-${RANGER_VERSION}-kms.tar.gz && \
+ cp -f ${RANGER_SCRIPTS}/ranger-kms-install.properties
${RANGER_HOME}/kms/install.properties && \
+ mkdir -p /var/run/ranger_kms && \
+ mkdir -p /var/log/ranger/kms && \
+ mkdir -p /etc/ranger && \
+ touch /etc/init.d/ranger-kms && \
+ ln -s /usr/bin/python3 /usr/bin/python && \
+ ln -s /etc/init.d/ranger-kms /etc/rc2.d/S88ranger-kms && \
+ ln -s /etc/init.d/ranger-kms /etc/rc2.d/K90ranger-kms && \
+ ln -s /etc/init.d/ranger-kms /etc/rc3.d/S88ranger-kms && \
+ ln -s /etc/init.d/ranger-kms /etc/rc3.d/K90ranger-kms && \
+ ln -s ${RANGER_HOME}/kms/ranger-kms-services.sh
/usr/bin/ranger-kms-services.sh && \
+ chown -R rangerkms:ranger ${RANGER_HOME}/kms/ ${RANGER_SCRIPTS}/
/var/run/ranger_kms/ /var/log/ranger/ && \
+ chmod 744 ${RANGER_SCRIPTS}/ranger-kms.sh && \
+ mkdir -p /usr/share/java/
+
+FROM ranger-kms AS ranger_postgres
+COPY ./downloads/postgresql-42.2.16.jre7.jar /home/ranger/dist/
+RUN mv /home/ranger/dist/postgresql-42.2.16.jre7.jar
/usr/share/java/postgresql.jar
+
+FROM ranger-kms AS ranger_mysql
+COPY ./downloads/mysql-connector-java-8.0.28.jar /home/ranger/dist/
+COPY ./downloads/log4jdbc-1.2.jar /home/ranger/dist/
+RUN mv /home/ranger/dist/mysql-connector-java-8.0.28.jar
/usr/share/java/mysql-connector.jar && \
+ mv /home/ranger/dist/log4jdbc-1.2.jar
${RANGER_HOME}/admin/ews/webapp/WEB-INF/lib/log4jdbc-1.2.jar
+
+FROM ranger_${RANGER_DB_TYPE}
+
+ENTRYPOINT [ "/home/ranger/scripts/ranger-kms.sh" ]
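Review bot: In the ranger_mysql stage, log4jdbc-1.2.jar is moved into `${RANGER_HOME}/admin/ews/webapp/WEB-INF/lib/`, but this image only extracts the KMS tarball and links it as `${RANGER_HOME}/kms`, so unless ranger-base already creates an `admin` tree that `mv` fails and the mysql variant does not build; the path looks carried over from the admin Dockerfile and should presumably be `${RANGER_HOME}/kms/ews/webapp/WEB-INF/lib/log4jdbc-1.2.jar`. The same stage installs the driver as `/usr/share/java/mysql-connector.jar`, while ranger-kms-install-mysql.properties in this commit sets `SQL_CONNECTOR_JAR=/usr/share/java/mysql-connector-java.jar`; unless ranger-base ships a jar under that name, setup.sh will not find the connector, so either rename the target or change the property. The final stage has no `USER`, so the entrypoint runs as root even though the KMS tree is chowned to rangerkms:ranger; if setup.sh needs root that is fine, but a comment saying so (`# runs as root: setup.sh switches to unix_user from install.properties`) would document the intent. `FROM ranger-base:latest` is unpinned; acceptable for a locally built dev base, but a `# built locally from Dockerfile.ranger-base` comment makes that explicit.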
diff --git a/dev-support/ranger-docker/docker-compose.ranger-kms.yml
b/dev-support/ranger-docker/docker-compose.ranger-kms.yml
new file mode 100644
index 000000000..148b10a6a
--- /dev/null
+++ b/dev-support/ranger-docker/docker-compose.ranger-kms.yml
@@ -0,0 +1,30 @@
+version: '3'
+services:
+ ranger-kms:
+ build:
+ context: .
+ dockerfile: Dockerfile.ranger-kms
+ args:
+ - RANGER_VERSION=${RANGER_VERSION}
+ - RANGER_DB_TYPE=${RANGER_DB_TYPE}
+ image: ranger-kms:latest
+ container_name: ranger-kms
+ hostname: ranger-kms.example.com
+ stdin_open: true
+ tty: true
+ networks:
+ - ranger
+ ports:
+ - "9292:9292"
+ depends_on:
+ ranger:
+ condition: service_started
+ environment:
+ - RANGER_VERSION
+ - RANGER_DB_TYPE
+ command:
+ - /home/ranger/scripts/ranger-kms.sh
+
+networks:
+ ranger:
+ name: rangernw
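Review bot: `command:` repeats the script path already set as ENTRYPOINT in Dockerfile.ranger-kms, so the container runs `/home/ranger/scripts/ranger-kms.sh /home/ranger/scripts/ranger-kms.sh`; the script ignores its arguments so it works, but dropping the `command:` entry avoids the confusing argv. `depends_on` waits only for `ranger` to be started, while setup.sh in this container connects to `ranger-db` (`db_host` in the properties files) on first start; if ranger-db is defined in a sibling compose file, listing it here with a readiness condition would avoid a race on a cold start.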
diff --git a/dev-support/ranger-docker/scripts/create-ranger-services.py
b/dev-support/ranger-docker/scripts/create-ranger-services.py
index f329d1f29..1b2bcafd2 100644
--- a/dev-support/ranger-docker/scripts/create-ranger-services.py
+++ b/dev-support/ranger-docker/scripts/create-ranger-services.py
@@ -47,6 +47,10 @@ hbase = RangerService({'name': 'dev_hbase', 'type': 'hbase',
'hbase.zookeeper.quorum': 'ranger-hbase',
'zookeeper.znode.parent': '/hbase'}})
+kms = RangerService({'name': 'dev_kms', 'type': 'kms',
+ 'configs': {'username': 'keyadmin', 'password':
'rangerR0cks!',
+ 'provider': 'http://ranger-kms:9292'}})
+
if service_not_exists(hdfs):
ranger_client.create_service(hdfs)
print('HDFS service created!')
@@ -65,3 +69,6 @@ if service_not_exists(kafka):
if service_not_exists(knox):
ranger_client.create_service(knox)
print('Knox service created!')
+if service_not_exists(kms):
+ ranger_client.create_service(kms)
+ print('KMS service created!')
diff --git
a/dev-support/ranger-docker/scripts/ranger-kms-install-mysql.properties
b/dev-support/ranger-docker/scripts/ranger-kms-install-mysql.properties
new file mode 100755
index 000000000..ed7ab2d82
--- /dev/null
+++ b/dev-support/ranger-docker/scripts/ranger-kms-install-mysql.properties
@@ -0,0 +1,225 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#
+# This file provides a list of the deployment variables for the Ranger KMS Web
Application
+#
+
+PYTHON_COMMAND_INVOKER=python3
+DB_FLAVOR=MYSQL
+SQL_CONNECTOR_JAR=/usr/share/java/mysql-connector-java.jar
+
+db_root_user=root
+db_root_password=rangerR0cks!
+db_host=ranger-db
+
+db_name=rangerkms
+db_user=rangerkms
+db_password=rangerR0cks!
+
+mysql_core_file=db/mysql/kms_core_db.sql
+postgres_core_file=db/postgres/kms_core_db_postgres.sql
+
+#SSL config
+db_ssl_enabled=false
+db_ssl_required=false
+db_ssl_verifyServerCertificate=false
+#db_ssl_auth_type=1-way|2-way, where 1-way represents standard one way ssl
authentication and 2-way represents mutual ssl authentication
+db_ssl_auth_type=2-way
+javax_net_ssl_keyStore=
+javax_net_ssl_keyStorePassword=
+javax_net_ssl_trustStore=
+javax_net_ssl_trustStorePassword=
+javax_net_ssl_trustStore_type=jks
+javax_net_ssl_keyStore_type=jks
+
+# For postgresql db
+db_ssl_certificate_file=
+
+#For over-riding the jdbc url.
+is_override_db_connection_string=false
+db_override_connection_string=
+
+
+#------------------------- DB CONFIG - END ----------------------------------
+#KMS Server config
+ranger_kms_http_enabled=true
+ranger_kms_https_keystore_file=
+ranger_kms_https_keystore_keyalias=rangerkms
+ranger_kms_https_keystore_password=
+
+#------------------------- RANGER KMS Install Dir ------------------
+COMPONENT_INSTALL_DIR_NAME=/opt/ranger/kms
+
+#------------------------- RANGER KMS Master Key Crypt Key ------------------
+KMS_MASTER_KEY_PASSWD=Str0ngPassw0rd
+
+#------------------------- Ranger KMS Kerberos Configuration
---------------------------
+kms_principal=
+kms_keytab=
+hadoop_conf=
+
+#------------------------- Ranger KMS HSM CONFIG ------------------------------
+HSM_TYPE=LunaProvider
+HSM_ENABLED=false
+HSM_PARTITION_NAME=par19
+HSM_PARTITION_PASSWORD=S@fenet123
+
+#------------------------- Ranger SAFENET KEYSECURE CONFIG
------------------------------
+KEYSECURE_ENABLED=false
+KEYSECURE_USER_PASSWORD_AUTHENTICATION=true
+KEYSECURE_MASTERKEY_NAME=safenetkeysecure
+KEYSECURE_USERNAME=user1
+KEYSECURE_PASSWORD=t1e2s3t4
+KEYSECURE_HOSTNAME=SunPKCS11-keysecurehn
+KEYSECURE_MASTER_KEY_SIZE=256
+KEYSECURE_LIB_CONFIG_PATH=/opt/safenetConf/64/8.3.1/sunpkcs11.cfg
+
+#------------------------- Ranger Azure Key Vault
------------------------------
+AZURE_KEYVAULT_ENABLED=false
+AZURE_KEYVAULT_SSL_ENABLED=false
+AZURE_CLIENT_ID=50fd7ca6-fd4f-4785-a13f-1a6cc4e95e42
+AZURE_CLIENT_SECRET=<AzureKeyVaultPassword>
+AZURE_AUTH_KEYVAULT_CERTIFICATE_PATH=/home/machine/Desktop/azureAuthCertificate/keyvault-MyCert.pfx
+# Initialize below prop if your certificate file has any password
+#AZURE_AUTH_KEYVAULT_CERTIFICATE_PASSWORD=certPass
+AZURE_MASTERKEY_NAME=RangerMasterKey
+# E.G. RSA, RSA_HSM, EC, EC_HSM, OCT
+AZURE_MASTER_KEY_TYPE=RSA
+# E.G. RSA_OAEP, RSA_OAEP_256, RSA1_5, RSA_OAEP
+ZONE_KEY_ENCRYPTION_ALGO=RSA_OAEP
+AZURE_KEYVAULT_URL=https://shahkeyvault.vault.azure.net/
+
+#------------------------- Ranger Google Cloud HSM
------------------------------
+IS_GCP_ENABLED=false
+GCP_KEYRING_ID=
+GCP_CRED_JSON_FILE=/full/path/to/credfile.json
+GCP_PROJECT_ID=
+GCP_LOCATION_ID=
+GCP_MASTER_KEY_NAME=MyMasterKeyNameChangeIt
+
+#------------------------- Ranger Tencent KMS ------------------------------
+TENCENT_KMS_ENABLED=false
+TENCENT_MASTERKEY_ID=b756b016-6e11-11ec-a735-525400fe0300
+TENCENT_CLIENT_ID=AKIDrXx6ybx2qNdiaBWaNs76pGQJvFJ6crpW
+TENCENT_CLIENT_SECRET=<TencentSecretKey>
+TENCENT_CLIENT_REGION=ap-beijing
+
+# ------- UNIX User CONFIG ----------------
+#
+unix_user=rangerkms
+unix_user_pwd=kms
+unix_group=ranger
+
+# Following variables are referenced in db_setup.py. Do not remove these
+oracle_core_file=
+sqlserver_core_file=
+sqlanywhere_core_file=
+cred_keystore_filename=
+
+#
+# ------- UNIX User CONFIG - END ----------------
+#
+
+POLICY_MGR_URL=http://ranger:6080
+REPOSITORY_NAME=dev_kms
+
+# AUDIT configuration with V3 properties
+XAAUDIT.SOLR.IS_ENABLED=true
+XAAUDIT.SOLR.MAX_QUEUE_SIZE=1
+XAAUDIT.SOLR.MAX_FLUSH_INTERVAL_MS=1000
+XAAUDIT.SOLR.SOLR_URL=http://ranger-solr:8983/solr/ranger_audits
+XAAUDIT.SUMMARY.ENABLE=true
+
+# Following properties are needed to get past installation script! Please
don't remove
+XAAUDIT.HDFS.IS_ENABLED=false
+XAAUDIT.HDFS.DESTINATION_DIRECTORY=/ranger/audit
+XAAUDIT.HDFS.DESTINTATION_FILE=hive
+XAAUDIT.HDFS.DESTINTATION_FLUSH_INTERVAL_SECONDS=900
+XAAUDIT.HDFS.DESTINTATION_ROLLOVER_INTERVAL_SECONDS=86400
+XAAUDIT.HDFS.DESTINTATION_OPEN_RETRY_INTERVAL_SECONDS=60
+XAAUDIT.HDFS.LOCAL_BUFFER_DIRECTORY=/var/log/hive/audit
+XAAUDIT.HDFS.LOCAL_ARCHIVE_DIRECTORY=/var/log/hive/audit/archive
+XAAUDIT.HDFS.LOCAL_BUFFER_FILE=%time:yyyyMMdd-HHmm.ss%.log
+XAAUDIT.HDFS.LOCAL_BUFFER_FLUSH_INTERVAL_SECONDS=60
+XAAUDIT.HDFS.LOCAL_BUFFER_ROLLOVER_INTERVAL_SECONDS=600
+XAAUDIT.HDFS.LOCAL_ARCHIVE_MAX_FILE_COUNT=10
+
+XAAUDIT.SOLR.ENABLE=true
+XAAUDIT.SOLR.URL=http://ranger-solr:8983/solr/ranger_audits
+XAAUDIT.SOLR.USER=NONE
+XAAUDIT.SOLR.PASSWORD=NONE
+XAAUDIT.SOLR.ZOOKEEPER=NONE
+XAAUDIT.SOLR.FILE_SPOOL_DIR=/var/log/hive/audit/solr/spool
+
+XAAUDIT.ELASTICSEARCH.ENABLE=false
+XAAUDIT.ELASTICSEARCH.URL=NONE
+XAAUDIT.ELASTICSEARCH.USER=NONE
+XAAUDIT.ELASTICSEARCH.PASSWORD=NONE
+XAAUDIT.ELASTICSEARCH.INDEX=NONE
+XAAUDIT.ELASTICSEARCH.PORT=NONE
+XAAUDIT.ELASTICSEARCH.PROTOCOL=NONE
+
+XAAUDIT.HDFS.ENABLE=true
+XAAUDIT.HDFS.HDFS_DIR=hdfs://ranger-hadoop:9000/ranger/audit
+XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/hive/audit/hdfs/spool
+
+XAAUDIT.HDFS.AZURE_ACCOUNTNAME=__REPLACE_AZURE_ACCOUNT_NAME
+XAAUDIT.HDFS.AZURE_ACCOUNTKEY=__REPLACE_AZURE_ACCOUNT_KEY
+XAAUDIT.HDFS.AZURE_SHELL_KEY_PROVIDER=__REPLACE_AZURE_SHELL_KEY_PROVIDER
+XAAUDIT.HDFS.AZURE_ACCOUNTKEY_PROVIDER=__REPLACE_AZURE_ACCOUNT_KEY_PROVIDER
+
+XAAUDIT.LOG4J.ENABLE=false
+XAAUDIT.LOG4J.IS_ASYNC=false
+XAAUDIT.LOG4J.ASYNC.MAX.QUEUE.SIZE=10240
+XAAUDIT.LOG4J.ASYNC.MAX.FLUSH.INTERVAL.MS=30000
+XAAUDIT.LOG4J.DESTINATION.LOG4J=false
+XAAUDIT.LOG4J.DESTINATION.LOG4J.LOGGER=xaaudit
+
+XAAUDIT.AMAZON_CLOUDWATCH.ENABLE=false
+XAAUDIT.AMAZON_CLOUDWATCH.LOG_GROUP=NONE
+XAAUDIT.AMAZON_CLOUDWATCH.LOG_STREAM_PREFIX=NONE
+XAAUDIT.AMAZON_CLOUDWATCH.FILE_SPOOL_DIR=NONE
+XAAUDIT.AMAZON_CLOUDWATCH.REGION=NONE
+
+SSL_KEYSTORE_FILE_PATH=/etc/hive/conf/ranger-plugin-keystore.jks
+SSL_KEYSTORE_PASSWORD=myKeyFilePassword
+SSL_TRUSTSTORE_FILE_PATH=/etc/hive/conf/ranger-plugin-truststore.jks
+SSL_TRUSTSTORE_PASSWORD=changeit
+
+
+# Custom log directory path
+RANGER_KMS_LOG_DIR=/var/log/ranger/kms
+
+#PID file path
+RANGER_KMS_PID_DIR_PATH=/var/run/ranger_kms
+# ################# DO NOT MODIFY ANY VARIABLES BELOW
#########################
+#
+# --- These deployment variables are not to be modified unless you understand
the full impact of the changes
+#
+################################################################################
+KMS_DIR=$PWD
+app_home=$PWD/ews/webapp
+TMPFILE=$PWD/.fi_tmp
+LOGFILE=$PWD/logfile
+
+JAVA_BIN='java'
+JAVA_VERSION_REQUIRED='1.8'
+JAVA_ORACLE='Java(TM) SE Runtime Environment'
+
+
+cred_keystore_filename=$app_home/WEB-INF/classes/conf/.jceks/rangerkms.jceks
+
+KMS_BLACKLIST_DECRYPT_EEK=hdfs
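Review bot: This file (and the near-identical ranger-kms-install-postgres.properties hunk) carries over the upstream template's sample backend values — a Tencent client id and master-key id, an Azure client id and key-vault URL, HSM and KeySecure passwords — although every one of those backends is disabled here; a properties file baked into an image is easily mistaken for live configuration, so blank them or use the `<...>` placeholder form the file already uses for `AZURE_CLIENT_SECRET` and `TENCENT_CLIENT_SECRET`. `KMS_MASTER_KEY_PASSWD=Str0ngPassw0rd` protects the KMS master key and is fixed into the image by the COPY in Dockerfile.ranger-kms; a comment such as `# dev-only default; override before building an image for any shared environment` keeps that from being overlooked. `cred_keystore_filename` is assigned twice (empty in the db_setup.py block, the real path near the end), which presumably only works because the later assignment wins, so the first one should go or be commented. Both properties files are committed with mode 100755 although they are only read; 100644 is the appropriate mode.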
diff --git
a/dev-support/ranger-docker/scripts/ranger-kms-install-postgres.properties
b/dev-support/ranger-docker/scripts/ranger-kms-install-postgres.properties
new file mode 100755
index 000000000..35a369007
--- /dev/null
+++ b/dev-support/ranger-docker/scripts/ranger-kms-install-postgres.properties
@@ -0,0 +1,225 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#
+# This file provides a list of the deployment variables for the Ranger KMS Web
Application
+#
+
+PYTHON_COMMAND_INVOKER=python3
+DB_FLAVOR=POSTGRES
+SQL_CONNECTOR_JAR=/usr/share/java/postgresql.jar
+
+db_root_user=postgres
+db_root_password=rangerR0cks!
+db_host=ranger-db
+
+db_name=rangerkms
+db_user=rangerkms
+db_password=rangerR0cks!
+
+mysql_core_file=db/mysql/kms_core_db.sql
+postgres_core_file=db/postgres/kms_core_db_postgres.sql
+
+#SSL config
+db_ssl_enabled=false
+db_ssl_required=false
+db_ssl_verifyServerCertificate=false
+#db_ssl_auth_type=1-way|2-way, where 1-way represents standard one way ssl
authentication and 2-way represents mutual ssl authentication
+db_ssl_auth_type=2-way
+javax_net_ssl_keyStore=
+javax_net_ssl_keyStorePassword=
+javax_net_ssl_trustStore=
+javax_net_ssl_trustStorePassword=
+javax_net_ssl_trustStore_type=jks
+javax_net_ssl_keyStore_type=jks
+
+# For postgresql db
+db_ssl_certificate_file=
+
+#For over-riding the jdbc url.
+is_override_db_connection_string=false
+db_override_connection_string=
+
+
+#------------------------- DB CONFIG - END ----------------------------------
+#KMS Server config
+ranger_kms_http_enabled=true
+ranger_kms_https_keystore_file=
+ranger_kms_https_keystore_keyalias=rangerkms
+ranger_kms_https_keystore_password=
+
+#------------------------- RANGER KMS Install Dir ------------------
+COMPONENT_INSTALL_DIR_NAME=/opt/ranger/kms
+
+#------------------------- RANGER KMS Master Key Crypt Key ------------------
+KMS_MASTER_KEY_PASSWD=Str0ngPassw0rd
+
+#------------------------- Ranger KMS Kerberos Configuration
---------------------------
+kms_principal=
+kms_keytab=
+hadoop_conf=
+
+#------------------------- Ranger KMS HSM CONFIG ------------------------------
+HSM_TYPE=LunaProvider
+HSM_ENABLED=false
+HSM_PARTITION_NAME=par19
+HSM_PARTITION_PASSWORD=S@fenet123
+
+#------------------------- Ranger SAFENET KEYSECURE CONFIG
------------------------------
+KEYSECURE_ENABLED=false
+KEYSECURE_USER_PASSWORD_AUTHENTICATION=true
+KEYSECURE_MASTERKEY_NAME=safenetkeysecure
+KEYSECURE_USERNAME=user1
+KEYSECURE_PASSWORD=t1e2s3t4
+KEYSECURE_HOSTNAME=SunPKCS11-keysecurehn
+KEYSECURE_MASTER_KEY_SIZE=256
+KEYSECURE_LIB_CONFIG_PATH=/opt/safenetConf/64/8.3.1/sunpkcs11.cfg
+
+#------------------------- Ranger Azure Key Vault
------------------------------
+AZURE_KEYVAULT_ENABLED=false
+AZURE_KEYVAULT_SSL_ENABLED=false
+AZURE_CLIENT_ID=50fd7ca6-fd4f-4785-a13f-1a6cc4e95e42
+AZURE_CLIENT_SECRET=<AzureKeyVaultPassword>
+AZURE_AUTH_KEYVAULT_CERTIFICATE_PATH=/home/machine/Desktop/azureAuthCertificate/keyvault-MyCert.pfx
+# Initialize below prop if your certificate file has any password
+#AZURE_AUTH_KEYVAULT_CERTIFICATE_PASSWORD=certPass
+AZURE_MASTERKEY_NAME=RangerMasterKey
+# E.G. RSA, RSA_HSM, EC, EC_HSM, OCT
+AZURE_MASTER_KEY_TYPE=RSA
+# E.G. RSA_OAEP, RSA_OAEP_256, RSA1_5, RSA_OAEP
+ZONE_KEY_ENCRYPTION_ALGO=RSA_OAEP
+AZURE_KEYVAULT_URL=https://shahkeyvault.vault.azure.net/
+
+#------------------------- Ranger Google Cloud HSM
------------------------------
+IS_GCP_ENABLED=false
+GCP_KEYRING_ID=
+GCP_CRED_JSON_FILE=/full/path/to/credfile.json
+GCP_PROJECT_ID=
+GCP_LOCATION_ID=
+GCP_MASTER_KEY_NAME=MyMasterKeyNameChangeIt
+
+#------------------------- Ranger Tencent KMS ------------------------------
+TENCENT_KMS_ENABLED=false
+TENCENT_MASTERKEY_ID=b756b016-6e11-11ec-a735-525400fe0300
+TENCENT_CLIENT_ID=AKIDrXx6ybx2qNdiaBWaNs76pGQJvFJ6crpW
+TENCENT_CLIENT_SECRET=<TencentSecretKey>
+TENCENT_CLIENT_REGION=ap-beijing
+
+# ------- UNIX User CONFIG ----------------
+#
+unix_user=rangerkms
+unix_user_pwd=kms
+unix_group=ranger
+
+# Following variables are referenced in db_setup.py. Do not remove these
+oracle_core_file=
+sqlserver_core_file=
+sqlanywhere_core_file=
+cred_keystore_filename=
+
+#
+# ------- UNIX User CONFIG - END ----------------
+#
+
+POLICY_MGR_URL=http://ranger:6080
+REPOSITORY_NAME=dev_kms
+
+# AUDIT configuration with V3 properties
+XAAUDIT.SOLR.IS_ENABLED=true
+XAAUDIT.SOLR.MAX_QUEUE_SIZE=1
+XAAUDIT.SOLR.MAX_FLUSH_INTERVAL_MS=1000
+XAAUDIT.SOLR.SOLR_URL=http://ranger-solr:8983/solr/ranger_audits
+XAAUDIT.SUMMARY.ENABLE=true
+
+# Following properties are needed to get past installation script! Please
don't remove
+XAAUDIT.HDFS.IS_ENABLED=false
+XAAUDIT.HDFS.DESTINATION_DIRECTORY=/ranger/audit
+XAAUDIT.HDFS.DESTINTATION_FILE=hive
+XAAUDIT.HDFS.DESTINTATION_FLUSH_INTERVAL_SECONDS=900
+XAAUDIT.HDFS.DESTINTATION_ROLLOVER_INTERVAL_SECONDS=86400
+XAAUDIT.HDFS.DESTINTATION_OPEN_RETRY_INTERVAL_SECONDS=60
+XAAUDIT.HDFS.LOCAL_BUFFER_DIRECTORY=/var/log/hive/audit
+XAAUDIT.HDFS.LOCAL_ARCHIVE_DIRECTORY=/var/log/hive/audit/archive
+XAAUDIT.HDFS.LOCAL_BUFFER_FILE=%time:yyyyMMdd-HHmm.ss%.log
+XAAUDIT.HDFS.LOCAL_BUFFER_FLUSH_INTERVAL_SECONDS=60
+XAAUDIT.HDFS.LOCAL_BUFFER_ROLLOVER_INTERVAL_SECONDS=600
+XAAUDIT.HDFS.LOCAL_ARCHIVE_MAX_FILE_COUNT=10
+
+XAAUDIT.SOLR.ENABLE=true
+XAAUDIT.SOLR.URL=http://ranger-solr:8983/solr/ranger_audits
+XAAUDIT.SOLR.USER=NONE
+XAAUDIT.SOLR.PASSWORD=NONE
+XAAUDIT.SOLR.ZOOKEEPER=NONE
+XAAUDIT.SOLR.FILE_SPOOL_DIR=/var/log/hive/audit/solr/spool
+
+XAAUDIT.ELASTICSEARCH.ENABLE=false
+XAAUDIT.ELASTICSEARCH.URL=NONE
+XAAUDIT.ELASTICSEARCH.USER=NONE
+XAAUDIT.ELASTICSEARCH.PASSWORD=NONE
+XAAUDIT.ELASTICSEARCH.INDEX=NONE
+XAAUDIT.ELASTICSEARCH.PORT=NONE
+XAAUDIT.ELASTICSEARCH.PROTOCOL=NONE
+
+XAAUDIT.HDFS.ENABLE=true
+XAAUDIT.HDFS.HDFS_DIR=hdfs://ranger-hadoop:9000/ranger/audit
+XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/hive/audit/hdfs/spool
+
+XAAUDIT.HDFS.AZURE_ACCOUNTNAME=__REPLACE_AZURE_ACCOUNT_NAME
+XAAUDIT.HDFS.AZURE_ACCOUNTKEY=__REPLACE_AZURE_ACCOUNT_KEY
+XAAUDIT.HDFS.AZURE_SHELL_KEY_PROVIDER=__REPLACE_AZURE_SHELL_KEY_PROVIDER
+XAAUDIT.HDFS.AZURE_ACCOUNTKEY_PROVIDER=__REPLACE_AZURE_ACCOUNT_KEY_PROVIDER
+
+XAAUDIT.LOG4J.ENABLE=false
+XAAUDIT.LOG4J.IS_ASYNC=false
+XAAUDIT.LOG4J.ASYNC.MAX.QUEUE.SIZE=10240
+XAAUDIT.LOG4J.ASYNC.MAX.FLUSH.INTERVAL.MS=30000
+XAAUDIT.LOG4J.DESTINATION.LOG4J=false
+XAAUDIT.LOG4J.DESTINATION.LOG4J.LOGGER=xaaudit
+
+XAAUDIT.AMAZON_CLOUDWATCH.ENABLE=false
+XAAUDIT.AMAZON_CLOUDWATCH.LOG_GROUP=NONE
+XAAUDIT.AMAZON_CLOUDWATCH.LOG_STREAM_PREFIX=NONE
+XAAUDIT.AMAZON_CLOUDWATCH.FILE_SPOOL_DIR=NONE
+XAAUDIT.AMAZON_CLOUDWATCH.REGION=NONE
+
+SSL_KEYSTORE_FILE_PATH=/etc/hive/conf/ranger-plugin-keystore.jks
+SSL_KEYSTORE_PASSWORD=myKeyFilePassword
+SSL_TRUSTSTORE_FILE_PATH=/etc/hive/conf/ranger-plugin-truststore.jks
+SSL_TRUSTSTORE_PASSWORD=changeit
+
+
+# Custom log directory path
+RANGER_KMS_LOG_DIR=/var/log/ranger/kms
+
+#PID file path
+RANGER_KMS_PID_DIR_PATH=/var/run/ranger_kms
+# ################# DO NOT MODIFY ANY VARIABLES BELOW
#########################
+#
+# --- These deployment variables are not to be modified unless you understand
the full impact of the changes
+#
+################################################################################
+KMS_DIR=$PWD
+app_home=$PWD/ews/webapp
+TMPFILE=$PWD/.fi_tmp
+LOGFILE=$PWD/logfile
+
+JAVA_BIN='java'
+JAVA_VERSION_REQUIRED='1.8'
+JAVA_ORACLE='Java(TM) SE Runtime Environment'
+
+
+cred_keystore_filename=$app_home/WEB-INF/classes/conf/.jceks/rangerkms.jceks
+
+KMS_BLACKLIST_DECRYPT_EEK=hdfs
diff --git a/dev-support/ranger-docker/scripts/ranger-kms.sh
b/dev-support/ranger-docker/scripts/ranger-kms.sh
new file mode 100755
index 000000000..0424f832b
--- /dev/null
+++ b/dev-support/ranger-docker/scripts/ranger-kms.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+if [ ! -e ${RANGER_HOME}/.setupDone ]
+then
+ SETUP_RANGER=true
+else
+ SETUP_RANGER=false
+fi
+
+if [ "${SETUP_RANGER}" == "true" ]
+then
+ cd "${RANGER_HOME}"/kms || exit
+ if ./setup.sh;
+ then
+ touch "${RANGER_HOME}"/.setupDone
+ else
+ echo "Ranger KMS Setup Script didn't complete proper execution."
+ fi
+fi
+
+cd ${RANGER_HOME}/kms && ./ranger-kms-services.sh start
+
+RANGER_KMS_PID=`ps -ef | grep -v grep | grep "Dproc_rangerkms" | awk '{print
$2}'`
+
+# prevent the container from exiting
+if [ -z "$RANGER_KMS_PID" ]
+then
+ echo "Ranger KMS process probably exited, no process id found!"
+else
+ tail --pid=$RANGER_KMS_PID -f /dev/null
+fi
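Review bot: A failed `./setup.sh` only prints a message and the script still starts the service and then waits on it, so a half-configured KMS comes up and setup is retried on every restart; exiting there (`echo "Ranger KMS Setup Script didn't complete proper execution."; exit 1`) lets the container fail visibly instead. Because this script is the image's ENTRYPOINT it is PID 1, and with `tail --pid ... -f /dev/null` in the foreground the SIGTERM from `docker stop` is never forwarded to the KMS java process, which is then SIGKILLed after the grace period; a `trap` that runs the services script's stop action, with `tail` backgrounded and followed by `wait`, gives it a clean shutdown. The PID discovery through `ps -ef | grep "Dproc_rangerkms"` is fragile; the properties file sets `RANGER_KMS_PID_DIR_PATH=/var/run/ranger_kms`, so reading the pid file the services script writes there (confirm its file name) would be more reliable. `${RANGER_HOME}` is unquoted in the `-e` test and in the final `cd`, unlike the quoted uses in the setup block.
```shell
# … unchanged: license header and setup block …
cd "${RANGER_HOME}"/kms && ./ranger-kms-services.sh start

RANGER_KMS_PID=`ps -ef | grep -v grep | grep "Dproc_rangerkms" | awk '{print $2}'`

# prevent the container from exiting; forward docker stop (SIGTERM) to KMS so it shuts down cleanly
if [ -z "$RANGER_KMS_PID" ]
then
    echo "Ranger KMS process probably exited, no process id found!"
else
    trap '"${RANGER_HOME}"/kms/ranger-kms-services.sh stop' TERM INT
    tail --pid="$RANGER_KMS_PID" -f /dev/null &
    wait $!
fi
```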