Hi Sungwoo,

Sorry for the delayed reply, I was caught up on a few other tasks.
Thanks for the suggestion. Looks like a lot of work has been done in this
direction. It will be helpful if you can share your solution on the review
board.

On Thu, Aug 1, 2019 at 6:36 PM Sungwoo Park <glap...@gmail.com> wrote:

> Hi Mehul,
>
> Thanks for clarifying this. As you pointed out, deleting
> install.properties after starting Ranger looks like a reasonable solution.
> However, there are situations in which deleting install.properties is not a
> complete solution.
>
> 1. Some organizations have an internal policy prohibiting the deployment
> of any software system that requires passwords written in text form
> somewhere (not because of the security issue but because of rogue users).
>
> 2. In our case, we are running Ranger as a Kubernetes Pod. We mount
> install.properties inside a Pod, which is not deleted automatically. We
> decided to mount it as a Kubernetes Secret (instead of a ConfigMap) to
> alleviate the security issue. You can find our solution at:
> https://mr3.postech.ac.kr/hivek8s/guide/run-ranger/
>
> A complete solution to this problem would be to require the user to submit
> a KeyStore file that contains all the passwords. (This is what we really
> need, because we would like to launch a Ranger service for each user, and
> thus we cannot really ask for the password in text form.) With the current
> release of Ranger 2.0.0-SNAPSHOT, it seems that this is easy to implement,
> except that it does not work for db_root_password, unfortunately. (I think
> the current code reads db_root_password in text form to communicate with
> the database.) If you think this is feasible with a simple fix, please let
> me know, so that we could give it a try.
>
> Cheers,
>
> --- Sungwoo
>
> On Thu, Aug 1, 2019 at 4:43 PM Mehul Parikh <xsme...@gmail.com> wrote:
>
>> Hi Sungwoo,
>>
>> Are you installing Ranger manually?
>>
>>    - Ranger saves these passwords in Keystore file only, and replaces
>>    all password values with _ value in ranger-admin-site.xml.
>>    - You can back up install.properties and then delete that file after
>>    installing and starting Ranger service.
>>
>>
>>
>> On Mon, Jul 22, 2019 at 5:48 PM Sungwoo Park <glap...@gmail.com> wrote:
>>
>>> Hello,
>>>
>>> I have a question on installing Ranger. Currently we specify the
>>> password for Ranger database (which is MySQL) with db_root_password in
>>> ranger-admin-install.properties, e.g.:
>>>
>>> db_root_user=root
>>> db_root_password=passwd
>>>
>>> I wonder if there is an alternative way of specifying the password with
>>> a KeyStore file (jceks). Or, is the file ranger-admin-install.properties
>>> just supposed to be removed after installing Ranger?
>>>
>>> Thanks,
>>>
>>> --- Sungwoo Park
>>>
>>
>>
>> --
>>
>> Thanks and regards,
>> Mehul Parikh
>> ----------------------------
>> M: +91 98191 54446
>> E: xsme...@gmail.com
>>
>

-- 

Thanks and regards,
Mehul Parikh
----------------------------
M: +91 98191 54446
E: xsme...@gmail.com
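
An added example, not part of the thread and not Ranger's own code: a shell check for the two approaches discussed above (deleting install.properties after startup, or keeping it mounted from a Kubernetes Secret). It reports which password keys still hold a value without printing the values; the function names and the sample lines other than db_root_user and db_root_password are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a Ranger install.properties for cleartext passwords.

# plaintext_password_keys FILE
# Prints the name (never the value) of every key ending in "password"
# that has a non-empty value. Comment lines are skipped.
plaintext_password_keys() {
    awk '
        /^[ \t]*[#!]/ { next }
        {
            pos = index($0, "=")
            if (pos == 0) next
            key = substr($0, 1, pos - 1)
            val = substr($0, pos + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) ~ /password$/ && val != "") print key
        }
    ' "$1"
}

# audit_install_properties FILE
# Returns 0 if FILE is absent or holds no password values, 1 otherwise.
audit_install_properties() {
    file=$1
    [ -e "$file" ] || { echo "OK: $file not present"; return 0; }
    # -H resolves the symlink that a Kubernetes Secret mount puts in place.
    if [ -n "$(find -H "$file" -prune \( -perm -040 -o -perm -004 \))" ]; then
        echo "WARN: $file is readable by group or others"
    fi
    keys=$(plaintext_password_keys "$file")
    [ -z "$keys" ] && { echo "OK: no password values in $file"; return 0; }
    echo "FAIL: cleartext values for: $(echo $keys | tr ' ' ',')"
    return 1
}

# make_sample PATH writes a constructed sample file (not a real deployment).
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample
db_root_user=root
db_root_password=passwd
example_password=
# commented_password=ignored
EOF
    chmod 600 "$1"
}
```

Run `audit_install_properties` against the mounted path inside the Pod or against the install directory on a host; a non-zero status can gate a deployment check.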
