Atlas Metadata SSL - stanislawbartkowski/hdpwiredencryption GitHub Wiki
On the Atlas Metadata node, create a keystore using CA-signed certificates, or prepare self-signed certificates as shown here.
```
cd /etc/atlas/conf
keytool -genkey -alias cert -keystore atlas-keystore-ui.jks -validity 360
```
Create the truststore. If client authentication is set to false, the keystore can also be used as the truststore.
```
keytool -export -keystore atlas-keystore-ui.jks -alias cert -file atlas.cer
keytool -import -file atlas.cer -alias cert -keystore atlas-truststore-ui.jks
chown atlas: *.jks
chmod 400 *.jks
```
The next step is to create a jceks file containing the encrypted password that protects access to the keystore and truststore. As the "credential provider" use jceks://file/etc/atlas/conf/atlas-ssl.jceks.
```
/usr/hdp/current/atlas-server/bin/cputil.py
```
or
```
python2 /usr/hdp/current/atlas-server/bin/cputil.py
```
```
Please enter the full path to the credential provider: jceks://file/etc/atlas/conf/atlas-ssl.jceks
0 [main] WARN org.apache.hadoop.util.NativeCodeLoader - Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
Please enter the password value for keystore.password:<keypass>
Please enter the password value for keystore.password again:<keypass>
```
Restrict access to the jceks file to the atlas user:
```
chown atlas: /etc/atlas/conf/atlas-ssl.jceks
chmod 400 /etc/atlas/conf/atlas-ssl.jceks
```
Ambari -> Atlas -> Configs -> Advanced
Advanced application-properties
| Property | Value |
|---|---|
| atlas.enableTLS | true |
Custom application-properties > Add Property
| Property | Value |
|---|---|
| keystore.file | /etc/atlas/conf/atlas-keystore-ui.jks |
| truststore.file | /etc/atlas/conf/atlas-truststore-ui.jks |
| client.auth.enabled | true |
| cert.stores.credential.provider.path | jceks://file/etc/atlas/conf/atlas-ssl.jceks |
| atlas.ssl.exclude.cipher.suites | `.*NULL.*,.*RC4.*,.*MD5.*,.*DES.*,.*DSS.*` |
Verify also that the atlas.rest.address property is defined as a secure (HTTPS) URL: https://<host name>:21443
Restart the Atlas Metadata service.
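The checks below are an added verification helper, not part of the original wiki or the Atlas project: they confirm the store permissions set above (and for the Ranger plugin stores later on), that atlas.rest.address is HTTPS on the expected port, and how the atlas.ssl.exclude.cipher.suites patterns match cipher suite names. The paths and the port 21443 are the ones used on this page; the full-match semantics of the exclusion patterns is assumed to follow Jetty's regex matching.

```shell
#!/bin/sh
# Added verification helpers for the Atlas TLS setup described above.

# Exclusion list as configured in atlas.ssl.exclude.cipher.suites (from the page).
EXCLUDED_CIPHERS='.*NULL.*,.*RC4.*,.*MD5.*,.*DES.*,.*DSS.*'

# check_store_perms FILE OWNER -> 0 when FILE exists, is owned by OWNER and is mode 0400.
check_store_perms() {
  f=$1; owner=$2
  [ -f "$f" ] || { echo "missing store: $f" >&2; return 1; }
  if mode=$(stat -c '%a' "$f" 2>/dev/null); then
    user=$(stat -c '%U' "$f")            # GNU stat
  else
    mode=$(stat -f '%Lp' "$f"); user=$(stat -f '%Su' "$f")   # BSD stat
  fi
  [ "$mode" = "400" ] && [ "$user" = "$owner" ] ||
    { echo "bad perms on $f: $user mode $mode (want $owner mode 400)" >&2; return 1; }
}

# check_secure_rest_address URL PORT -> 0 when URL is https:// on PORT.
check_secure_rest_address() {
  url=$1; port=$2
  case $url in
    https://*:"$port"|https://*:"$port"/*) return 0 ;;
    *) echo "atlas.rest.address is not https on port $port: $url" >&2; return 1 ;;
  esac
}

# cipher_excluded SUITE PATTERNS -> 0 when SUITE fully matches one of the
# comma-separated regexes (assumed full-match semantics, like Java matches()).
cipher_excluded() {
  suite=$1; old_ifs=$IFS; IFS=','
  for p in $2; do
    IFS=$old_ifs
    if printf '%s\n' "$suite" | grep -Eqx "$p"; then return 0; fi
  done
  IFS=$old_ifs
  return 1
}

# Runs all checks against the paths used on this page; call after the restart.
verify_atlas_ssl() {
  rc=0
  for s in /etc/atlas/conf/atlas-keystore-ui.jks /etc/atlas/conf/atlas-truststore-ui.jks \
           /etc/atlas/conf/atlas-ssl.jceks /etc/atlas/conf/ranger-plugin-keystore.jks \
           /etc/atlas/conf/ranger-plugin-truststore.jks; do
    check_store_perms "$s" atlas || rc=1
  done
  check_secure_rest_address "$(grep '^atlas.rest.address=' /etc/atlas/conf/atlas-application.properties | cut -d= -f2-)" 21443 || rc=1
  return $rc
}
```

Run `verify_atlas_ssl` on the Atlas node after the restart; a non-zero exit points at the store or property that still needs fixing.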
The steps are very similar to those for the HDFS plugin, only tailored to the Atlas Metadata component.
On the Atlas Metadata node, prepare the Ranger plugin keystore.
```
cd /etc/atlas/conf
```
Important: choose the CN carefully. Do not use the FQDN of the host, and the CN must differ from the CNs of all other Ranger plugins.
```
keytool -genkey -keyalg RSA -alias rangerAtlasAgent -keystore ranger-plugin-keystore.jks -validity 360 -keysize 2048
Enter keystore password:
What is your first and last name?
[Unknown]: rangeratlasplugin
What is the name of your organizational unit?
[Unknown]: AA
What is the name of your organization?
[Unknown]: BB
```
Create the Atlas Ranger plugin truststore and import the Ranger Admin certificate.
```
keytool -import -file /root/ranger-admin-trust.cer -alias rangeradmintrust -keystore ranger-plugin-truststore.jks
```
Secure the stores.
```
chown atlas: *.jks
chmod 400 *.jks
```
Export the Ranger plugin certificate.
```
keytool -export -keystore ranger-plugin-keystore.jks -alias rangerAtlasAgent -file ranger-atlasAgent-trust.cer
```
On the Ranger Admin node, import the certificate into the Ranger Admin truststore, using a different alias name.
```
cd /etc/ranger/admin/conf
keytool -import -file /root/ranger-atlasAgent-trust.cer -alias rangerAtlasAgentTrust -keystore ranger-admin-truststore.jks
```
Atlas -> Configs -> Advanced -> Advanced ranger-atlas-policymgr-ssl
| Property | Sample value |
|---|---|
| xasecure.policymgr.clientssl.keystore | /etc/atlas/conf/ranger-plugin-keystore.jks |
| xasecure.policymgr.clientssl.keystore.password | secret |
| xasecure.policymgr.clientssl.truststore | /etc/atlas/conf/ranger-plugin-truststore.jks |
| xasecure.policymgr.clientssl.truststore.password | secret |
Restart Atlas and Ranger.
Ranger Admin UI -> Access Manager -> <cluster_name>_atlas
Enter the DN of the Ranger Atlas plugin certificate in the "Common Name for Certificate" field.
Make sure that atlas.rest.address contains the secure URL, here https://hdm2.sb.com:21443. The secure port is the atlas.server.https.port property in the Atlas configuration.
Audit -> Plugins
<cluster>_atlas should show HTTP Response Code 200 with a fresh date.