Enable Yarn for SSL - stanislawbartkowski/hdpwiredencryption GitHub Wiki
Very similar steps to the HDFS plugin, but tailored for the Yarn component.
On the Resource Manager node, prepare the Ranger plugin keystore.
To avoid overlapping with the HDFS plugin keystores, create a separate directory for the Yarn-related security files.

```sh
mkdir /etc/hadoop/conf/yarnssl
cd /etc/hadoop/conf/yarnssl
```

Important: keep the CN name in mind. Do not use the FQDN hostname, and the CN name must be different from the CN names of all other plugins.

```sh
keytool -genkey -keyalg RSA -alias rangerYarnAgent -keystore ranger-plugin-keystore.jks -validity 360 -keysize 2048
```

```
Enter keystore password:
What is your first and last name?
  [Unknown]: rangeryarnplugin
What is the name of your organizational unit?
  [Unknown]: AA
What is the name of your organization?
  [Unknown]: BB
```
Create the Yarn Ranger plugin truststore and import the Ranger Admin certificate:

```sh
keytool -import -file /root/ranger-admin-trust.cer -alias rangeradmintrust -keystore ranger-plugin-truststore.jks
```
Secure the stores (owned by the yarn user, readable by the owner only):

```sh
chown yarn: *.jks
chmod 400 *.jks
```
Export the Ranger plugin certificate:

```sh
keytool -export -keystore ranger-plugin-keystore.jks -alias rangerYarnAgent -file ranger-yarnAgent-trust.cer
```
On the Ranger Admin node, import the certificate into the Ranger Admin truststore, using a different alias name:

```sh
cd /etc/ranger/admin/conf
keytool -import -file /root/ranger-yarnAgent-trust.cer -alias rangerYarnAgentTrust -keystore ranger-admin-truststore.jks
```
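The keystore, truststore, permission and export steps above as one non-interactive script, added here as an example; it is not part of the wiki. It assumes the directory, alias, CN, store password, owner and the path of the already-exported Ranger Admin certificate are passed as arguments (the values in the usage comment are placeholders), and it enforces the CN rule stated above (no FQDN, no collision with other plugins' CNs) before touching keytool.

```sh
#!/bin/sh
# Added example, not from the wiki. Inputs: target directory, plugin alias, CN,
# store password, exported Ranger Admin certificate, optional owner (default yarn).
set -eu

# The CN rule from the wiki: not an FQDN, and distinct from the CNs already
# used by other Ranger plugins (passed as a space-separated list).
check_plugin_cn() {
    cn=$1
    used=${2:-}
    case $cn in
        *.*) echo "CN '$cn' looks like an FQDN; use a plain name" >&2; return 1 ;;
    esac
    for u in $used; do
        if [ "$u" = "$cn" ]; then
            echo "CN '$cn' is already used by another plugin" >&2
            return 1
        fi
    done
    return 0
}

# Keystore with the plugin key, truststore with the Ranger Admin certificate,
# permissions locked down, plugin certificate exported for the Ranger Admin side.
make_plugin_stores() {
    dir=$1 keyalias=$2 cn=$3 pass=$4 admin_cer=$5
    owner=${6:-yarn}
    check_plugin_cn "$cn" || return 1
    mkdir -p "$dir"
    # -dname replaces the interactive "first and last name / OU / O" dialog
    keytool -genkeypair -keyalg RSA -keysize 2048 -validity 360 \
        -alias "$keyalias" -dname "CN=$cn, OU=AA, O=BB" \
        -keystore "$dir/ranger-plugin-keystore.jks" -storetype JKS \
        -storepass "$pass" -keypass "$pass"
    keytool -importcert -noprompt -file "$admin_cer" -alias rangeradmintrust \
        -keystore "$dir/ranger-plugin-truststore.jks" -storetype JKS \
        -storepass "$pass"
    # the wiki uses "chown yarn:" to reset the group as well
    chown "$owner" "$dir"/*.jks
    chmod 400 "$dir"/*.jks
    keytool -exportcert -alias "$keyalias" \
        -keystore "$dir/ranger-plugin-keystore.jks" -storetype JKS \
        -storepass "$pass" -file "$dir/ranger-$keyalias-trust.cer"
}

# Succeeds only when every .jks in the directory is exactly mode 0400.
stores_locked_down() {
    [ -z "$(find "$1" -name '*.jks' ! -perm 0400)" ]
}

# Usage (placeholder values), run on the Resource Manager node:
# make_plugin_stores /etc/hadoop/conf/yarnssl rangerYarnAgent rangeryarnplugin secret /root/ranger-admin-trust.cer
```

The exported `ranger-<alias>-trust.cer` is what gets imported into the Ranger Admin truststore in the next step; `stores_locked_down` is the check to run after any later redeployment that might have recreated the stores with default permissions.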
On all Yarn RM nodes, export the HDFS SSL certificate (shared with the Yarn RM). The keystore is found under Ranger->HDFS->Configs->Advanced->Advanced ssl-server, property ssl.server.keystore.location (usually /etc/security/serverKeys/keystore.jks).

Export the Yarn certificate:

```sh
cd /etc/security/serverKeys
keytool -export -keystore keystore.jks -alias cert -file cert.cer
```

On the Ranger Admin node, import it with a per-node alias:

```sh
cd /etc/ranger/admin/conf
keytool -import -keystore ranger-admin-truststore.jks -file /root/cert.cer -alias yarnrmcert<node_id>
```
Yarn->Configs->Advanced->Advanced ranger-yarn-policymgr-ssl

| Property | Sample value |
|---|---|
| xasecure.policymgr.clientssl.keystore | /etc/hadoop/conf/yarnssl/ranger-plugin-keystore.jks |
| xasecure.policymgr.clientssl.keystore.password | secret |
| xasecure.policymgr.clientssl.truststore | /etc/hadoop/conf/yarnssl/ranger-plugin-truststore.jks |
| xasecure.policymgr.clientssl.truststore.password | secret |
Restart Yarn and Ranger
Ranger Admin UI -> Access Manager -> <cluster_name>_yarn

Enter the DN of the Ranger Yarn plugin certificate (rangeryarnplugin) in the Common Name for Certificate property.
Make sure that the YARN REST URL points to the Yarn RM secure REST/API URL (https://hdm1.sb.com:8090). In the case of HA, enter the URLs of all RM instances separated by commas.
Click the "Test Connection" button; "Connected Successfully" is expected to be reported.
If the connection test fails, analyze the /var/log/ranger/admin/xa_portal.log log file.

Make sure that the Yarn RM REST/API is responding over secure HTTP:

```sh
openssl s_client -connect hdm1.sb.com:8090
```

Try to query the Yarn RM REST/API:

```sh
wget https://hdm1.sb.com:8090/ws/v1/cluster/scheduler --no-check-certificate
```

Make sure that the HDFS SSL certificate of the Yarn RM node is imported into the Ranger Admin truststore as described above.
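The last two checks above as functions, added here as an example that is not part of the wiki: take the SHA-256 fingerprint of the certificate the RM actually presents on its HTTPS port (the `openssl s_client` check reduced to one value) and look for exactly that fingerprint among the entries of the Ranger Admin truststore. Host, port, truststore path and password in the usage comment are placeholders; `openssl` and `keytool` are assumed to be on the PATH of the Ranger Admin node.

```sh
#!/bin/sh
# Added example, not from the wiki: is the certificate served by the RM
# present in the Ranger Admin truststore?
set -eu

# Keep only SHA-256 fingerprints (32 colon-separated bytes), one per line,
# whatever label openssl or keytool printed in front of them.
sha256_fps() {
    tr 'a-f' 'A-F' | grep -oE '([0-9A-F]{2}:){31}[0-9A-F]{2}'
}

# Fingerprint of the leaf certificate presented at host:port.
served_cert_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sha256_fps | head -n 1
}

# Same for a certificate file written by "keytool -export" (DER encoded).
file_cert_fingerprint() {
    openssl x509 -inform DER -in "$1" -noout -fingerprint -sha256 | sha256_fps | head -n 1
}

# 0 when the truststore holds a certificate with exactly this fingerprint.
truststore_has_fingerprint() {
    keytool -list -v -keystore "$1" -storepass "$2" 2>/dev/null | sha256_fps | grep -qxF "$3"
}

# End-to-end check: is the certificate the RM serves trusted by Ranger Admin?
# Returns 2 when nothing TLS-like answers on the port, 1 when the certificate
# is served but missing from the truststore.
rm_cert_trusted() {
    fp=$(served_cert_fingerprint "$1" "$2")
    [ -n "$fp" ] || { echo "no certificate from $1:$2 (is HTTPS enabled on the RM?)" >&2; return 2; }
    if truststore_has_fingerprint "$3" "$4" "$fp"; then
        echo "RM certificate $fp is in $3"
    else
        echo "RM certificate $fp is NOT in $3; import it as described above" >&2
        return 1
    fi
}

# Usage (placeholder values), run on the Ranger Admin node:
# rm_cert_trusted hdm1.sb.com 8090 /etc/ranger/admin/conf/ranger-admin-truststore.jks secret
```

Comparing fingerprints rather than aliases catches the usual HA mistake: every RM node's certificate must be imported under its own alias, so a truststore that has yarnrmcert1 but not the second node's certificate fails this check only when run against the second host.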
Enable SSL debug for Ranger Admin. It produces large volumes of output and impacts performance, so it should be disabled when not needed.

Ranger->Config->Advanced->Advanced admin-log4j, ranger-env template:

```sh
# remove when not needed
export JAVA_OPTS=" ${JAVA_OPTS} -Djavax.net.debug=all -Djava.security.debug=scl,access,failure "
```

Restart Ranger and refer to /var/log/ranger/admin/catalina.out.
Audit -> Plugins

<cluster>_yarn should report HTTP Response Code 200 with a recent date.