Aneela,

Benjamin is correct. Hadoop supports pluggable KMS. Apache Ranger extends the Hadoop KMS, so you should be able to just plug in easily later.

Just FYI, Ranger KMS stores the keys in a database and optionally an HSM. It also uses the Ranger Plugin for authorization and audit. In addition to the URL Benjamin mentioned, you might have to configure the ACLs also. There are a few default policies you will need to get started. There is a good blog (I think from Colm) http://coheigea.blogspot.in/2016/08/installing-apache-ranger-key-management.html which you could refer to for installing and configuring Ranger KMS. I don’t think it talks about the policies, but if you have configured the Ranger Audits, then you should be able to find out from the audit logs.

Another note is, the regular Ranger “admin” user can’t access the Key Management tab. You will have to use the user with the “keyadmin” role. This is to provide separation of duty feature.

Bosco

From: Aneela Saleem <ane...@platalytics.com>
Reply-To: <user@ranger.incubator.apache.org>
Date: Tuesday, December 6, 2016 at 8:42 PM
To: <user@ranger.incubator.apache.org>
Cc: <br...@lattice-engines.com>
Subject: Re: Pre-requisite for KMS

Thanks Benjamin,

I will try it today and come back to you if I need some help. I am sure you will help me in case of some issues.

Thanks

On Wed, Dec 7, 2016 at 8:22 AM, Benjamin Ross <br...@lattice-engines.com> wrote:

Sure. Hadoop has a concept of a pluggable kms. You can even just tell Hadoop to use a local Java keystore for your kms, if say you had a local single-node cluster. You generally just have to set hadoop.kms.key.provider.uri to point at Ranger. I would look here for more information. Once the KMS is running you should be able to simply point Hadoop at the URL and that's it. No need to configure Kerberos:

https://hadoop.apache.org/docs/stable/hadoop-kms/index.html

________________________________________
From: Aneela Saleem [ane...@platalytics.com]
Sent: Tuesday, December 06, 2016 2:27 PM
To: user@ranger.incubator.apache.org
Subject: Re: Pre-requisite for KMS

Thanks Benjamin for the quick response,

Yeah, this is exactly what I want to achieve.
But I am not using Ambari or Cloudera. I have installed simple Hadoop from the Apache distribution and now want to configure it with Ranger KMS. Any guide will be much appreciated.

Thanks

On Wed, Dec 7, 2016 at 12:05 AM, Benjamin Ross <br...@lattice-engines.com> wrote:

Despite what Ambari seems to enforce, Ranger KMS definitely does not require Kerberos. I take it that you just want to use encryption and not authorization (via Kerberos)? I've set up exactly that system. Let me know and I'll give some more details.

________________________________
From: Aneela Saleem [ane...@platalytics.com]
Sent: Tuesday, December 06, 2016 1:51 PM
To: user@ranger.incubator.apache.org
Subject: Pre-requisite for KMS

Hi,

It may be silly to ask you guys but I'm just curious about KMS. I want to give it a try with Ranger KMS. I want to know what the pre-requisites of Ranger KMS are.

1. Do I need to set up Kerberos also with Hadoop
2. Do I need to enable the Ranger HDFS plugin also for authorization

I should do the above two steps for a complete solution, but for the time being, I just want to have KMS. So, your thoughts about the minimal components to get it working will be appreciated.

Looking forward to the guidance.

Thanks
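
The setup discussed in this thread (plain Apache Hadoop pointed at a running KMS, no Kerberos), sketched as an added example that is not part of any message above. It follows the Apache Hadoop KMS documentation, where hadoop.kms.key.provider.uri is set in the KMS's own kms-site.xml and clients are pointed at the KMS with hadoop.security.key.provider.path; the host name, port and keystore path are constructed placeholders.

```xml
<!-- Added example. Host, port and keystore path are placeholders; use the
     values of your own installation. -->

<!-- File 1: kms-site.xml of a stock Hadoop KMS on a single-node test box.
     hadoop.kms.key.provider.uri names the keystore behind the KMS, here the
     local Java keystore case mentioned in the thread. Ranger KMS ships its
     own kms-site.xml and keeps the keys in its database instead. -->
<configuration>
  <property>
    <name>hadoop.kms.key.provider.uri</name>
    <value>jceks://file@/home/hadoop/kms.keystore</value>
  </property>
  <!-- "simple" means clients are not authenticated with Kerberos -->
  <property>
    <name>hadoop.kms.authentication.type</name>
    <value>simple</value>
  </property>
</configuration>

<!-- File 2: core-site.xml on the Hadoop nodes and clients.
     kms://http@HOST:PORT/kms is the client-side form of the URL
     http://HOST:PORT/kms of the running KMS. -->
<configuration>
  <property>
    <name>hadoop.security.key.provider.path</name>
    <value>kms://http@kms.example.internal:9292/kms</value>
  </property>
</configuration>
```

With simple authentication the KMS acts on the user name the client presents without verifying it, so the ACLs and default policies mentioned above are evaluated against an unauthenticated identity. That fits the encryption-only test setup asked about here; the "complete solution" with Kerberos is what makes those policies enforceable.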