Hi Jessie


My responses are inline


From: Jessie Kao <gaojingxu....@gmail.com>
Reply-To: <user@ranger.apache.org>
Date: Thursday, January 10, 2019 at 9:58 AM
To: <user@ranger.apache.org>
Subject: Re: Question on necessity of adding "ranger" as kerberos principle and 
unix user in Kerberos-ed Hadoop cluster


Correction of the Ranger-related identities I see in my system in its current 
state (Ranger Admin is working fine with the HDFS Ranger plugin).

Bosco: If it is working, then good.


- On Standalone Ranger admin VM (no Kerberos installed)

unix user "ranger" 

- On Kerberos

principal "rangeradmin" (yes, the name is different... the auth_to_local 
property value I have in Hadoop is "DEFAULT", so I don't think this is actually 
functioning)

Bosco: Not sure I understood this. Where is rangeradmin principal used?


- On Hadoop namenode (Kerberosed)

keytab for principal "rangeradmin"

(My understanding is that this was incorrectly created and is not functioning, 
as this keytab should be held on Ranger Admin instead of on the Hadoop namenode, 
right?)

Bosco: This should be HDFS keytab


- On Ranger Admin users

admin/admin is the Ranger user for logging in to Ranger Admin


My question stays the same. I don't think the ranger-admin Kerberos-related 
settings are done correctly, but it seems to work fine for now... I would really 
hope to get more details on the mechanism / be referred to some design 
documentation, etc.


Best,

Jessie


On Thu, Jan 10, 2019 at 8:23 AM Jessie Kao <gaojingxu....@gmail.com> wrote:

Hi Bosco,


Thank you for the reply. I hope to get more resolution on the following. 
I appreciate your help!!


"if the cluster/component is Kerberos enabled, then the call to get the Ranger 
policies from Ranger Admin will use Kerberos authentication."

"When the Ranger plugin is making the call using Kerberos, then Ranger Admin 
needs to authenticate the request and for that you need to provide an 
appropriate keytab to Ranger Admin. Which means, you will need a keytab, which 
very well could be the rangeradmin keytab. But since Ranger is not running any 
YARN jobs, you don't need to materialize the ranger user on all the nodes."

->

First, I need to clarify that my Ranger Admin is in a standalone VM that is not 
Kerberos-ed, not the same one where the Kerberos-ed Hadoop and Ranger plugin are.

My follow-up questions are:

1) "the call to get the Ranger policies from Ranger Admin will use Kerberos 
authentication" -> what components of "Kerberos authentication" does this 
"call" need? I currently have: 1- Kerberos principals for users who want to 
access HDFS, and TGTs for those users; 2- Kerberos principals and keytabs for 
HDFS and other Hadoop components such as mapred.

2) Do I also need to create ranger-admin as a Unix user and Kerberos principal, 
and create/store a keytab for rangeradmin on this Ranger VM? I currently don't 
have a ranger-admin Unix user, so I don't think I have this step done, but I do 
have Ranger Admin working fine with the HDFS Ranger plugin.

3) By "provide appropriate keytab to Ranger Admin", I think you are referring 
to users who want to access HDFS or other Hadoop components, etc., but not 
ranger-admin, right (as I am not supposed to provide the rangeradmin keytab to 
Ranger Admin)? Why did you later mention "Which means, you will need a keytab, 
which very well could be rangeradmin keytab"?


" if you already have Kerberos environment and you have KDC, then it is better 
to just create the keytabs for Ranger"

->

I don't have Ranger Admin in a Kerberos environment, so I guess I don't need to 
create a principal for ranger-admin and store a keytab on the standalone 
ranger-admin machine? (And also no principal and keytab for the Ranger plugin 
either... the plugin seems to be an add-on to the HDFS component, I feel.) Also, 
who is the client that might be asking to check this keytab for the 
ranger-admin service?


I would appreciate it if I could have some design document on how Ranger Admin 
<> plugin works with HDFS.


Thanks,

Jessie


On Wed, Jan 9, 2019 at 9:56 PM Don Bosco Durai <bo...@apache.org> wrote:

Hi Jessie


By default, if the cluster/component is Kerberos enabled, then the call to get 
the Ranger policies from Ranger Admin will use Kerberos authentication.

But my understanding is that if Ranger Admin is not in a Kerberos-ed environment 
but only the Ranger plugin is (the plugin is on a Kerberos-ed Hadoop cluster 
where the HDFS namenode is), then we don't need to add ranger as a Unix user or 
create a principal/keytab for it.

When the Ranger plugin is making the call using Kerberos, then Ranger Admin 
needs to authenticate the request, and for that you need to provide an 
appropriate keytab to Ranger Admin. Which means, you will need a keytab, which 
very well could be the rangeradmin keytab. But since Ranger is not running any 
YARN jobs, you don't need to materialize the ranger user on all the nodes.


Similarly, the lookup user is used to get the list of folders/files/tables 
while adding policies; it will also need a keytab, but you could use the same 
Ranger keytab (even though it is not recommended).

"Ranger Admin is not in a Kerberos-ed environment"

A Kerberos environment seems intimidating, but it is just running the process 
with the JAAS file as a -D parameter, or setting the properties in the 
application. The JAAS file contains the keytab and principal. Or some 
applications take the keytab file location and principal from a properties file 
(e.g. Ranger). In Hadoop, the auth_to_local rule helps in mapping the Kerberos 
principal to a Unix-friendly name.


In short, if you already have a Kerberos environment and you have a KDC, then 
it is better to just create the keytabs for Ranger. It will be more secure and 
also very transparent in your deployment.


Bosco


From: Jessie Kao <gaojingxu....@gmail.com>
Reply-To: <user@ranger.apache.org>
Date: Wednesday, January 9, 2019 at 2:12 PM
To: <user@ranger.apache.org>
Subject: Question on necessity of adding "ranger" as kerberos principle and 
unix user in Kerberos-ed Hadoop cluster


Hi,

I have a Kerberos-ed Hadoop cluster that has the Ranger HDFS plugin enabled, 
and Ranger Admin is working fine with it. My question is: do I need to add 
"ranger" as a Kerberos principal and Unix user in this Kerberos-ed Hadoop 
cluster or anywhere else?


I would appreciate any recommended readings on the mechanism / architecture 
diagram of how Ranger Admin <> Ranger plugin <> Hadoop (HDFS specifically) <> 
KDC work with each other.


My current understanding is that we don't need to... The only place I saw a 
ranger-admin principal is in the doc below, for the scenario where we want to 
install Ranger in a Kerberos-ed environment.

https://cwiki.apache.org/confluence/display/RANGER/Ranger+installation+in+Kerberized++Environment#RangerinstallationinKerberizedEnvironment-Summary


But my understanding is that if Ranger Admin is not in a Kerberos-ed environment 
but only the Ranger plugin is (the plugin is on a Kerberos-ed Hadoop cluster 
where the HDFS namenode is), then we don't need to add ranger as a Unix user or 
create a principal/keytab for it.


Would appreciate any advice on the question.


Thanks,

Jessie

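Added example (not part of the thread above, and not Ranger's or Hadoop's own code): Bosco's point that Hadoop's auth_to_local rules are what turn a Kerberos principal into the Unix-friendly name the service sees, and Jessie's observation that her rangeradmin principal cannot become the ranger user while the property is just DEFAULT, can be checked by re-implementing the rule evaluation that hadoop.security.auth_to_local uses. The Python below implements the DEFAULT rule and the RULE:[n:format](regex)s/pattern/replacement/[g] form as Hadoop's KerberosName evaluates them (first matching rule wins, DEFAULT only maps principals of the local realm, a result still containing / or @ is rejected as a "non-simple name"); it leaves out Java-only regex syntax such as \Q...\E and the /L lowercase suffix. The realm EXAMPLE.COM, the host names, and the rule set RULES_MAPPED are constructed for the example.

```python
"""auth_to_local evaluation the way Hadoop's KerberosName does it.

Added example for the mailing-list thread; not Hadoop or Ranger code.
Principal names, realm and rules below are constructed for illustration.
"""
import re
from typing import List

# A principal as Hadoop parses it: primary[/instance]@REALM
_PRINCIPAL_RE = re.compile(r"^([^/@]+)(?:/([^/@]+))?@([^/@]+)$")

# RULE:[n:format](match-regex)s/from/to/g  -- the (regex) and s/// parts are optional
_RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?$"
)
# Hadoop refuses a mapped name that still looks like a principal
_NON_SIMPLE_RE = re.compile(r"[/@]")


class NoMatchingRule(Exception):
    """No rule accepted the principal: Hadoop rejects the authentication."""


def _format(fmt: str, realm: str, components: List[str]) -> str:
    """Expand $0 (realm), $1 (primary), $2 (instance) in the rule's format."""
    params = [realm] + components

    def sub(m: re.Match) -> str:
        idx = int(m.group(1))
        if idx >= len(params):
            raise ValueError(f"rule uses ${idx} but the principal has no such part")
        return params[idx]

    return re.sub(r"\$(\d)", sub, fmt)


def _java_to_python_repl(repl: str) -> str:
    """Java replacement strings use $1 for groups; Python's re.sub uses \\1."""
    return re.sub(r"\$(\d)", r"\\\1", repl)


def auth_to_local(principal: str, rules: List[str], default_realm: str) -> str:
    """Return the short (Unix) name for `principal`, or raise NoMatchingRule."""
    m = _PRINCIPAL_RE.match(principal)
    if not m:
        raise ValueError(f"malformed principal: {principal!r}")
    primary, instance, realm = m.group(1), m.group(2), m.group(3)
    components = [primary] if instance is None else [primary, instance]

    for rule in rules:
        rule = rule.strip()
        result = None
        if rule == "DEFAULT":
            # DEFAULT maps only local-realm principals, and only to their primary.
            if realm == default_realm:
                result = primary
        else:
            parsed = _RULE_RE.match(rule)
            if not parsed:
                raise ValueError(f"cannot parse rule: {rule!r}")
            n, fmt, match_re, frm, to, g = parsed.groups()
            if int(n) != len(components):
                continue  # rule is for principals with a different component count
            base = _format(fmt, realm, components)
            if match_re is not None and not re.fullmatch(match_re, base):
                continue  # Hadoop uses matches(), i.e. the whole string must match
            if frm is None:
                result = base
            else:
                result = re.sub(frm, _java_to_python_repl(to), base,
                                count=0 if g else 1)
        if result is not None:
            if _NON_SIMPLE_RE.search(result):
                raise NoMatchingRule(f"Non-simple name {result!r} after rule {rule!r}")
            return result
    raise NoMatchingRule(f"No rules applied to {principal}")


# Constructed rule set: map the rangeradmin principal (with or without a host
# instance) to the ranger user, namenode/datanode principals to hdfs, then DEFAULT.
RULES_MAPPED = [
    "RULE:[1:$1@$0](rangeradmin@EXAMPLE.COM)s/.*/ranger/",
    "RULE:[2:$1@$0](rangeradmin@EXAMPLE.COM)s/.*/ranger/",
    "RULE:[2:$1@$0]([nd]n@EXAMPLE.COM)s/.*/hdfs/",
    "DEFAULT",
]

if __name__ == "__main__":
    for p in ("rangeradmin@EXAMPLE.COM",
              "rangeradmin/ranger.example.com@EXAMPLE.COM",
              "nn/namenode.example.com@EXAMPLE.COM"):
        print(p, "-> DEFAULT only:", auth_to_local(p, ["DEFAULT"], "EXAMPLE.COM"),
              "| with rules:", auth_to_local(p, RULES_MAPPED, "EXAMPLE.COM"))
```

With only DEFAULT, rangeradmin@EXAMPLE.COM and rangeradmin/host@EXAMPLE.COM both map to the short name rangeradmin, so a keytab for that principal never yields the user ranger; the first two rules in RULES_MAPPED are what make that mapping happen. A principal from another realm gets no mapping at all under DEFAULT and the login is rejected. On a real cluster the same check is `hadoop org.apache.hadoop.security.HadoopKerberosName <principal>`, which prints the name the configured rules produce.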