Apache Ranger KMS 部署文档

创建库

create database rangerkms;
alter database rangerkms character set latin1; 
create user 'rangerkms'@'%' identified by '1q2w3eROOT!';
GRANT ALL PRIVILEGES ON rangerkms.* TO 'rangerkms'@'%' IDENTIFIED BY '1q2w3eROOT!';
flush privileges;

解压，修改配置文件

tar -vxf ranger-2.2.0-kms.tar.gz
cd ranger-2.2.0-kms
vim install.properties

SQL_CONNECTOR_JAR=/opt/ranger-admin/mysql-connector-java-5.1.45.jar

db_root_user=...
db_root_password=...
db_host=...

# DB UserId used for the Ranger KMS schema
db_name=rangerkms
db_user=rangerkms
db_password=xxxxxx

# Location of Policy Manager URL
POLICY_MGR_URL=http://$RANGER_ADMIN_HOST:6080

# This is the repository name created within policy manager
REPOSITORY_NAME=kmsdev

# Custom log directory path
RANGER_KMS_LOG_DIR=/home/admin/output/ranger/kms/logs

#PID file path
RANGER_KMS_PID_DIR_PATH=/home/admin/var/ranger/kms/run


#------------------------- Ranger KMS Kerberos Configuration ---------------------------
[email protected]
kms_keytab=/opt/keytabs/xxxx.keytab

保存后进行安装

#安装Ranger-KMS
./setup.sh
./enable-kms-plugin.sh

#启动 ranger-kms
ranger-kms start

#检查
[root@henghe38 ranger-2.0.0-kms]# netstat -ntpl |grep 9292
tcp6       0      0 :::9292                 :::*                    LISTEN      89000/java 

设置权限

使用 keyadmin/keyadmin 登陆 webui(http://xxx:6080)，添加 kms 服务，服务名为 kms-site.xml 中REPOSITORY_NAME 设置的值，此处为 kmsdev

Service Name ：kmsdev
KMS URL ：kms://http@xxxx:9292/kms
#高可用的时候
#KMS URL ：kms://http@xxx:9292/kms
Username ：keyadmin
Password ：keyadmin

创建key

#创建key
[root@henghe38 ranger-2.0.0-kms]  curl -i -v -s --negotiate -u:  http://henghe38:9292/kms/v1/keys  -H "Content-Type: application/json" -X POST -d '{"length": 128,"cipher": "AES/CTR/NoPadding","name": "key1","description": "","attributes": {}}' 

#查看key
[root@henghe38 ranger-2.0.0-kms]  curl -i -v -s --negotiate -u: "http://192.168.103.138:9292/kms/v1/keys/names"

#查看key
[root@henghe39 ranger-2.0.0-kms] hadoop key list -metadata -provider "kms://http@henghe38;henghe39:9292/kms"

配置core-site.xml,和hadoop kms一样，可以通过 # hadoop key

   
        hadoop.security.key.provider.path
        kms://http@henghe38:9292/kms
    

[root@henghe38 logs]# hadoop key list -metadata
Listing keys for KeyProvider: org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider@6c1a5b54
key1 : cipher: AES/CTR/NoPadding, length: 128, description: , created: Mon Dec 06 16:50:42 CST 2021, version: 1, attributes: [key.acl.name=key1] 

添加代理权限

vim /opt/ranger-2.0.0-kms/ews/webapp/WEB-INF/classes/conf/kms-site.xml

 
        hadoop.kms.proxyuser.henghe.groups
        *
  

  
        hadoop.kms.proxyuser.henghe.hosts
        *
  

  
        hadoop.kms.proxyuser.henghe.users
        *
  

拷贝配置

 scp /opt/hadoop/etc/hadoop/core-site.xml  ews/webapp/WEB-INF/classes/conf