Hi Bosco,

Thank you for the reply. I hope to get more resolution on the following.
I appreciate your help!

"if the cluster/component is Kerberos enabled, then the call to get the
Ranger policies from Ranger Admin will use Kerberos authentication."
"When Ranger plugin is making the call using Kerberos, then Ranger Admin
needs to authenticate the request and for that you need to provide
appropriate keytab to Ranger Admin. Which means, you will need a keytab,
which very well could be rangeradmin keytab. But since Ranger is not
running any YARN jobs, you don't need to materialize the ranger user on all
the nodes."
->
First, I need to clarify that *my Ranger Admin is in a standalone VM that
is not Kerberos-ed*, not the same one where the Kerberos-ed Hadoop and Ranger
plugin are.
My follow-up questions are:
1) "the call to get the Ranger policies from Ranger Admin will use Kerberos
authentication" -> what components of "Kerberos authentication" does this
"call" need? I currently have 1- Kerberos principals for users who want to
access HDFS & TGTs for the users; 2- Kerberos principals and keytabs for
HDFS & other Hadoop components such as mapred.
2) Do I also need to create ranger-admin as a unix user & Kerberos principal
& create/store a keytab for rangeradmin in this Ranger VM? I currently don't
have a ranger-admin unix user, so I don't think I have this step done, but I
do have a Ranger Admin working fine with the HDFS Ranger plugin.
3) By "*provide* appropriate keytab *to Ranger Admin*" I think you are
referring to users who want to access HDFS or other Hadoop components,
etc., but not ranger-admin, right (as I am not supposed to *provide* the
rangeradmin keytab *to Ranger Admin*)? Why did you later mention "Which
means, you will need a keytab, which very well could be rangeradmin keytab"?
"if you already have a Kerberos environment and you have a KDC, then it is
better to just create the keytabs for Ranger"
->
I don't have Ranger Admin in a Kerberos environment, so I guess I don't need
to create a principal for ranger-admin and store a keytab on the standalone
ranger-admin machine? (And also no principal and keytab for the ranger-plugin
either... the plugin seems to be an add-on to the HDFS component, I feel.)
Also, who is the client who might be asking for a check of this keytab for
the ranger-admin service?

Would appreciate it if I could have some design document for how Ranger Admin
<> plugin works with HDFS.

Thanks,
Jessie

On Wed, Jan 9, 2019 at 9:56 PM Don Bosco Durai <bo...@apache.org> wrote:

> Hi Jessie
>
> By default, if the cluster/component is Kerberos enabled, then the call to
> get the Ranger policies from Ranger Admin will use Kerberos authentication.
>
>    - But my understanding is that if Ranger Admin is not in Kerberos-ed
>    environment but only Ranger plugin is (plugin is on a Kerberos-ed Hadoop
>    cluster where HDFS namenode is), then we don't need to add ranger as unix
>    user or create principal/keytab for it.
>
> When Ranger plugin is making the call using Kerberos, then Ranger Admin
> needs to authenticate the request and for that you need to provide an
> appropriate keytab to Ranger Admin. Which means, you will need a keytab,
> which very well could be the rangeradmin keytab. But since Ranger is not
> running any YARN jobs, you don't need to materialize the ranger user on all
> the nodes.
>
> Similarly, the lookup user is used to get the list of folders/files/tables
> while adding policies; it will also need a keytab, but you could use the
> same Ranger keytab (even though it is not recommended).
>
>    - Ranger Admin is not in Kerberos-ed environment
>
> A Kerberos environment seems intimidating, but it is just running the process
> with the JAAS file as a -D parameter, or setting the properties in the
> application. The JAAS file contains the keytab and principal. Or some
> applications take the keytab file location and principal from a properties
> file (e.g. Ranger). In Hadoop, the auth_to_local rule helps in mapping the
> Kerberos principal to a unix-friendly name.
>
> In short, if you already have a Kerberos environment and you have a KDC, then
> it is better to just create the keytabs for Ranger. It will be more secure
> and also very transparent in your deployment.
>
> Bosco
>
> From: Jessie Kao <gaojingxu....@gmail.com>
> Reply-To: <user@ranger.apache.org>
> Date: Wednesday, January 9, 2019 at 2:12 PM
> To: <user@ranger.apache.org>
> Subject: Question on necessity of adding "ranger" as kerberos principal
> and unix user in Kerberos-ed Hadoop cluster
>
> Hi,
>
> I have a Kerberos-ed Hadoop cluster that has the Ranger HDFS plugin enabled,
> and Ranger Admin is working fine with it. My question is: do I need to add
> "ranger" as a Kerberos principal and unix user in this Kerberos-ed Hadoop
> cluster or anywhere else?
>
> Would appreciate it if there are any recommended readings on the
> mechanism/architecture diagram of how Ranger Admin <> Ranger plugin <> Hadoop
> (HDFS specifically) <> KDC work with each other.
>
> My current understanding is that we don't need to... The only place I saw a
> ranger-admin principal is in the below doc, for the scenario when we want to
> install Ranger in a Kerberos-ed environment.
>
> https://cwiki.apache.org/confluence/display/RANGER/Ranger+installation+in+Kerberized++Environment#RangerinstallationinKerberizedEnvironment-Summary
>
> But my understanding is that if Ranger Admin is not in a Kerberos-ed
> environment but only the Ranger plugin is (the plugin is on a Kerberos-ed
> Hadoop cluster where the HDFS namenode is), then we don't need to add ranger
> as a unix user or create a principal/keytab for it.
>
> Would appreciate any advice on the question.
>
> Thanks,
>
> Jessie
>
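Bosco's remark that Hadoop's auth_to_local rule maps a Kerberos principal to a unix-friendly name is the piece that decides which local user a principal such as rangeradmin/host@REALM becomes on the cluster. The following is an added example, not code from this thread or from Ranger or Hadoop: a small Python re-implementation of the common rule syntax, run over a constructed rule set and constructed principals (the realm EXAMPLE.COM, the host names and the user names are assumptions), so the mapping can be traced step by step, including the case of a principal that no rule matches.

```python
"""Minimal evaluator for Hadoop-style hadoop.security.auth_to_local rules.

Constructed example, not Hadoop's or Ranger's own code. It handles the
common rule shape RULE:[n:format](regex)s/pattern/replacement/[g] and the
DEFAULT rule; the /L (lowercase) flag and Java-vs-Python regex differences
are not covered.
"""
import re
from typing import List, Optional, Tuple

# Assumed local Kerberos realm of the Hadoop cluster (constructed value).
DEFAULT_REALM = "EXAMPLE.COM"

# RULE:[n:format](regex)s/pattern/replacement/[g]
#   n       number of principal components (excluding the realm) the rule applies to
#   format  $0 = realm, $1 = first component, $2 = second component, ...
#   regex   must match the whole formatted string (optional)
#   s///    sed-style substitution applied to the formatted string (optional)
RULE_RE = re.compile(
    r"^RULE:\[(?P<n>\d+):(?P<fmt>[^\]]+)\]"
    r"(?:\((?P<match>.*)\))?"
    r"(?:s/(?P<pat>(?:[^/\\]|\\.)*)/(?P<repl>(?:[^/\\]|\\.)*)/(?P<g>g)?)?$"
)


def parse_principal(principal: str) -> Tuple[List[str], str]:
    """Split 'svc/host@REALM' into (['svc', 'host'], 'REALM')."""
    if "@" not in principal:
        raise ValueError(f"principal has no realm: {principal!r}")
    name, realm = principal.rsplit("@", 1)
    return name.split("/"), realm


def format_principal(fmt: str, components: List[str], realm: str) -> str:
    """Expand $0 (realm) and $1..$n (components) in the rule's format string."""
    def expand(m):
        idx = int(m.group(1))
        return realm if idx == 0 else components[idx - 1]
    return re.sub(r"\$(\d+)", expand, fmt)


def apply_rule(rule: str, principal: str, default_realm: str = DEFAULT_REALM) -> Optional[str]:
    """Return the short name produced by one rule, or None if the rule does not apply."""
    components, realm = parse_principal(principal)
    if rule == "DEFAULT":
        # DEFAULT only maps principals of the local realm, to their first component.
        return components[0] if realm == default_realm else None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"malformed auth_to_local rule: {rule!r}")
    if int(m["n"]) != len(components):
        return None  # the rule is specific to principals with exactly n components
    formatted = format_principal(m["fmt"], components, realm)
    if m["match"] is not None and not re.fullmatch(m["match"], formatted):
        return None
    if m["pat"] is not None:
        formatted = re.sub(m["pat"], m["repl"], formatted, count=0 if m["g"] else 1)
    return formatted


def map_to_local(principal: str, rules: List[str], default_realm: str = DEFAULT_REALM) -> Optional[str]:
    """Walk the rules in order; the first one that applies wins.

    None means no rule matched: Hadoop raises NoMatchingRule there, so the
    principal gets no local identity at all.
    """
    for rule in rules:
        short = apply_rule(rule, principal, default_realm)
        if short is None:
            continue
        if "@" in short or "/" in short:
            # Hadoop's default mechanism rejects results that still look like a principal.
            return None
        return short
    return None


# Constructed rule set for the scenario in the thread: a rangeradmin service
# principal mapped to the local user "ranger", the NameNode principal mapped to
# "hdfs", a trusted second realm, and DEFAULT for ordinary local-realm users.
RULES = [
    "RULE:[2:$1@$0](rangeradmin@EXAMPLE.COM)s/.*/ranger/",
    "RULE:[2:$1@$0](nn@EXAMPLE.COM)s/.*/hdfs/",
    "RULE:[1:$1@$0](.*@CORP\\.EXAMPLE\\.COM)s/@.*//",
    "DEFAULT",
]

if __name__ == "__main__":
    for p in ["rangeradmin/ranger-vm.example.com@EXAMPLE.COM",
              "nn/nn1.example.com@EXAMPLE.COM",
              "jessie@EXAMPLE.COM",
              "alice@CORP.EXAMPLE.COM",
              "mallory@OTHER.ORG"]:
        print(f"{p:48} -> {map_to_local(p, RULES)}")
```

Two things this makes visible. A principal from a realm no rule covers gets no local identity (Hadoop raises NoMatchingRule), so a Ranger service principal needs either a matching RULE or a local-realm principal for DEFAULT to pick up. And because the list is evaluated in order with the first hit winning, a rule whose regex is broader than intended (for instance `s/.*/hdfs/` without a narrowing match part) would hand the HDFS superuser identity to every principal it reaches, which is why a rule set is worth checking against one principal of each class before it is deployed.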