This page explains how to set configurations for using Kerberos. We update the following files:

├── conf
   ├── core-site.xml
   └── krb5.conf
├── ranger-key
   ├── install.properties
   └── solr.in.sh
├── ranger-conf
   ├── core-site.xml
   ├── krb5.conf
   ├── ranger-admin-site.xml.append
   └── solr-security.json
└── timeline-conf
    ├── krb5.conf
    └── yarn-site.xml

conf/core-site.xml and ranger-conf/core-site.xml

Set the configuration key hadoop.security.authentication to kerberos.

$ vi conf/core-site.xml ranger-conf/core-site.xml

<property>
  <name>hadoop.security.authentication</name>
  <value>kerberos</value>
</property>

conf/krb5.conf, ranger-conf/krb5.conf, timeline-conf/krb5.conf

Update krb5.conf which contains the information for Kerberos configuration.

$ vi conf/krb5.conf ranger-conf/krb5.conf timeline-conf/krb5.conf

[libdefaults]
  dns_lookup_realm = false
  ticket_lifetime = 24h
  forwardable = true
  rdns = false
  default_realm = PL
  default_ccache_name = /tmp/krb5cc_%{uid}

[realms]
  PL = {
    admin_server = 1.1.1.1
    kdc = 1.1.1.1
  }

ranger-key/install.properties

Set the following variables to Kerberos principals for Ranger.

$ vi ranger-key/install.properties

spnego_principal=HTTP/orange1@PL
admin_principal=rangeradmin/orange1@PL
lookup_principal=rangerlookup@PL

ranger-key/solr.in.sh

The environment variable SOLR_AUTHENTICATION_OPTS should use the host running Ranger, the SPNEGO service principal, and its service keytab.

$ vi kubernetes/ranger-key/solr.in.sh

SOLR_AUTH_TYPE="kerberos"
SOLR_AUTHENTICATION_OPTS="\
-Djava.security.krb5.conf=/opt/mr3-run/ranger/conf/krb5.conf \
-Dsolr.kerberos.cookie.domain=orange1 \
-Dsolr.kerberos.principal=HTTP/orange1@PL \
-Dsolr.kerberos.keytab=/opt/mr3-run/ranger/key/spnego.service.keytab"

ranger-conf/ranger-admin-site.xml.append

Set the configuration key xasecure.audit.jaas.Client.option.principal to admin service principal for Ranger.

$ vi ranger-conf/ranger-admin-site.xml.append

  <property>
    <name>xasecure.audit.jaas.Client.option.principal</name>
    <value>rangeradmin/orange1@PL</value>
  </property>

ranger-conf/solr-security.json

This file sets the configuration for authentication and authorization in Solr used by Ranger. The user-role section should specify the service principal for HiveServer2 and the admin service principal for Ranger.

$ vi ranger-conf/solr-security.json

{
  "authentication": {
    "class": "org.apache.solr.security.KerberosPlugin"
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      {
        "name": "update",
        "role": "updater"
      },
      {
        "name": "read",
        "role": "reader"
      },
      {
        "name": "*",
        "role": "admin"
      }
    ],
    "user-role": {
      "hive/orange1@PL": "updater",
      "rangeradmin/orange1@PL": "reader",
    }
  }
}

timeline-conf/yarn-site.xml

Set the configuration key yarn.timeline-service.http-authentication.type to kerberos. Use a Kerberos keytab file to configure authentication as shown below.

<property>
  <name>yarn.timeline-service.http-authentication.type</name>
  <value>kerberos</value>
</property>

<property>
  <name>yarn.timeline-service.http-authentication.kerberos.principal</name>
  <value>hive/orange1@PL</value>
</property>

<property>
  <name>yarn.timeline-service.http-authentication.kerberos.keytab</name>
  <value>/opt/mr3-run/ats/key/hive-orange1.keytab</value>
</property>
Using Kerberos-based authentication for MR3-UI is optional and can be disabled independently of the configuration of Hive on MR3. In order not to use Kerberos-based authentication for MR3-UI, set the configuration key yarn.timeline-service.http-authentication.type to simple.

Configuring Ranger

In the Ranger service, fill the JDBC URL field with:

  • jdbc:hive2://orange1:9852/;principal=hive/orange1@PL;

Running queries

For sending queries to the public HiveServer2, the user should obtain a valid Kerberos ticket and use JDBC URL:

  • jdbc:hive2://orange1:9852/;principal=hive/orange1@PL;

Accessing MR3-UI

To access MR3-UI, the web browser should be configured to establish a secure connection with the Timeline Server by passing a Kerberos ticket. See Running MR3-UI for details.