Configuring Wire Encryption Using SSL for the Presto Ranger Plugin

The Ranger Admin portal is a part of Apache Ranger that you use for central administration of your security policies. Follow the instructions on this page to enable SSL for Ranger Admin communication with Qubole. The config files described on this page are on the machine where the Ranger Admin service is running.

Note

Currently, Apache Ranger is only supported from Presto version 0.208 onward.

Setting Configurations

  1. Set the following configuration settings in your Ranger Admin’s ranger-admin-site.xml file:

ranger.service.http.enabled = false
ranger.service.https.attrib.ssl.enabled = true
ranger.service.https.attrib.keystore.keyalias = <ALIAS for Server Certificate in keystore file>
ranger.service.https.attrib.keystore.pass = <Keystore password>
ranger.service.host = <IP Address, make sure this address is present in Server Certificate's SAN>
ranger.service.https.attrib.keystore.file = <Path to the keystore>
ranger.service.https.attrib.client.auth = want
  2. Create your Hive service in Ranger Admin running on SSL. Make sure that you provide the correct value for the field Common Name for Certificate. This should be the Common Name (CN) you got from your SSL certificate provider when you generated an SSL certificate for Ranger Admin.

Generating SSL context to be used in Presto

Your Presto Ranger plugin will need the following Ranger Admin information related to SSL:

  • The truststore containing the certificate of the CA that signed Ranger Admin’s certificate

  • The credentials file for this truststore

Run the following steps on any machine, preferably the Ranger Admin machine, as the required files will be present there:

  1. Create a truststore with the Ranger Admin's CA certificate in it. The Ranger client uses this truststore to validate Ranger Admin's certificate. In this example, assuming rangerAdminCA.cer is the certificate file of the CA that signed the Ranger Admin's certificate, run:

    keytool -import -file rangerAdminCA.cer -alias rangerAdminCA -keystore rangerTrustStore

You will be asked to set a password for the truststore. For this example, the truststore password is set to rangerAdminCA_password.

  2. Upload the truststore to object storage, for example, at this location: <object store>://my-bucket/ranger/rangerTrustStore (where “<object store>” could mean S3 on AWS, or blob storage on Azure).

  3. Create a credential file for the truststore created above using the following command:

    java -cp "/usr/lib/ranger/ranger-1.1.0-admin/cred/lib/*" org.apache.ranger.credentialapi.buildks create sslTrustStore -value rangerAdminCA_password -provider jceks://file/media/ephemeral0/rangerssl/truststorecreds.jceks

    In this example, we used the password rangerAdminCA_password, which was set in the previous step. This creates the credentials file from which the Ranger client reads the truststore password at runtime.

  4. Upload this credentials file to object storage, at a location similar to <object store>://my-bucket/ranger/truststorecreds.jceks (where “<object store>” could mean S3 on AWS, or blob storage on Azure).

  5. Make note of the client's keystore's credential file: <object store>://public-qubole/presto/ranger/keystorecreds.jceks (where “<object store>” could mean S3 on AWS, or blob storage on Azure).

Setting up Presto to Use Ranger Admin over SSL

  1. Download the credential files and truststore using Presto Server bootstrap:

bootstrap.properties:
mkdir -p /media/ephemeral0/rangerssl/
pushd /media/ephemeral0/rangerssl/
hadoop fs -get <object store>://public-qubole/presto/ranger/keystorecreds.jceks
hadoop fs -get <object store>://my-bucket/ranger/truststorecreds.jceks
hadoop fs -get <object store>://my-bucket/ranger/rangerTrustStore

(where “<object store>” could mean S3 on AWS, or blob storage on Azure)

  2. Set up Ranger configs. Most of the configuration is similar to that defined in SQL Authorization through Ranger in Presto, with the following additions:

    1. Point to the correct host and port of Ranger Admin in the Ranger configuration file.

    2. Add the location of the ssl-configurations file in the Ranger configuration file.

    3. Set up the ssl-configuration file with the locations of the truststore, keystore, and credential files.

The following shows a sample configuration with these changes. If you have followed the steps above, you can use it as a template: replace <IP Address of Ranger Admin> in hive-ranger-ssl.xml with the actual address of your Ranger Admin to get started:

access-control.properties:
access-control.name=ranger-access-control
ranger.username=admin
ranger.password=admin
ranger.hive.security-config-xml=/usr/lib/presto/etc/hive-ranger-ssl.xml
hive-ranger-ssl.xml:
<configuration>
<property>
   <name>ranger.plugin.hive.service.name</name>
   <value>myServiceName</value>
</property>
<property>
   <name>ranger.plugin.hive.policy.pollIntervalMs</name>
   <value>5000</value>
</property>
<property>
   <name>ranger.service.store.rest.url</name>
   <value>https://<IP Address of Ranger Admin>:6182</value>
</property>
<property>
   <name>ranger.plugin.hive.policy.rest.url</name>
   <value>https://<IP Address of Ranger Admin>:6182</value>
</property>
<property>
   <name>ranger.service.store.rest.ssl.config.file</name>
   <value>/usr/lib/presto/etc/ranger-ssl.xml</value>
</property>
<property>
   <name>ranger.plugin.hive.policy.rest.ssl.config.file</name>
   <value>/usr/lib/presto/etc/ranger-ssl.xml</value>
</property>
</configuration>

ranger-ssl.xml:
<configuration>
<property>
   <name>xasecure.policymgr.clientssl.truststore</name>
   <value>/media/ephemeral0/rangerssl/rangerTrustStore</value>
</property>

<property>
   <name>xasecure.policymgr.clientssl.truststore.credential.file</name>
   <value>jceks://file/media/ephemeral0/rangerssl/truststorecreds.jceks</value>
</property>
<property>
   <name>xasecure.policymgr.clientssl.keystore</name>
   <value>/media/ephemeral0/logs/ssl/clientkeystore</value>
</property>

<property>
   <name>xasecure.policymgr.clientssl.keystore.credential.file</name>
   <value>jceks://file/media/ephemeral0/rangerssl/keystorecreds.jceks</value>
</property>
</configuration>
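A small pre-flight check for the two XML files above, added here as an example and not part of Qubole's or Ranger's own code. It parses Hadoop-style configuration XML and flags the mistakes that most often leave the plugin talking to Ranger Admin without TLS or unable to open its stores: a non-https REST URL (which would send ranger.username/ranger.password in the clear), missing or inconsistent ssl.config.file entries, relative store paths, and credential files that are not jceks://file/ provider URIs. The embedded XML is constructed sample input with one defect in each file so the checks have something to report.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample input: the page's hive-ranger-ssl.xml and ranger-ssl.xml,
# each with one deliberate defect (an http:// policy URL, a bare path where a
# jceks://file/ credential URI is expected).
HIVE_RANGER_SSL_XML = """<configuration>
<property><name>ranger.plugin.hive.service.name</name><value>myServiceName</value></property>
<property><name>ranger.service.store.rest.url</name><value>https://10.0.0.5:6182</value></property>
<property><name>ranger.plugin.hive.policy.rest.url</name><value>http://10.0.0.5:6080</value></property>
<property><name>ranger.service.store.rest.ssl.config.file</name><value>/usr/lib/presto/etc/ranger-ssl.xml</value></property>
<property><name>ranger.plugin.hive.policy.rest.ssl.config.file</name><value>/usr/lib/presto/etc/ranger-ssl.xml</value></property>
</configuration>"""

RANGER_SSL_XML = """<configuration>
<property><name>xasecure.policymgr.clientssl.truststore</name><value>/media/ephemeral0/rangerssl/rangerTrustStore</value></property>
<property><name>xasecure.policymgr.clientssl.truststore.credential.file</name><value>jceks://file/media/ephemeral0/rangerssl/truststorecreds.jceks</value></property>
<property><name>xasecure.policymgr.clientssl.keystore</name><value>/media/ephemeral0/logs/ssl/clientkeystore</value></property>
<property><name>xasecure.policymgr.clientssl.keystore.credential.file</name><value>/media/ephemeral0/rangerssl/keystorecreds.jceks</value></property>
</configuration>"""


def parse_hadoop_xml(text):
    """Turn <configuration><property><name/><value/></property>... into a dict."""
    root = ET.fromstring(text)
    return {p.findtext("name").strip(): (p.findtext("value") or "").strip()
            for p in root.findall("property")}


def check_ranger_ssl_config(hive_cfg, ssl_cfg):
    """Return a list of human-readable findings; an empty list means the files look sane."""
    findings = []
    # Every Ranger Admin REST URL must be https: over plain http the plugin's
    # basic-auth credentials (ranger.username / ranger.password) travel in the clear.
    for key in ("ranger.service.store.rest.url", "ranger.plugin.hive.policy.rest.url"):
        url = urlparse(hive_cfg.get(key, ""))
        if url.scheme != "https":
            findings.append(f"{key}: scheme is '{url.scheme or 'missing'}', expected https")
    # Both ssl.config.file entries must be present and point at the same ranger-ssl.xml.
    ssl_files = {hive_cfg.get(k) for k in ("ranger.service.store.rest.ssl.config.file",
                                           "ranger.plugin.hive.policy.rest.ssl.config.file")}
    if len(ssl_files) != 1 or None in ssl_files:
        findings.append("ssl.config.file entries are missing or inconsistent")
    # Store locations are absolute filesystem paths on the Presto node.
    for key in ("xasecure.policymgr.clientssl.truststore", "xasecure.policymgr.clientssl.keystore"):
        if not ssl_cfg.get(key, "").startswith("/"):
            findings.append(f"{key}: missing or not an absolute path")
    # Credential files are read through the jceks://file/ provider, not as plain paths.
    for key in ("xasecure.policymgr.clientssl.truststore.credential.file",
                "xasecure.policymgr.clientssl.keystore.credential.file"):
        if not ssl_cfg.get(key, "").startswith("jceks://file/"):
            findings.append(f"{key}: expected a jceks://file/... credential provider URI")
    return findings
```

Run it against the real files by replacing the two string constants with open(...).read() of /usr/lib/presto/etc/hive-ranger-ssl.xml and ranger-ssl.xml; it only inspects the XML, it does not open the stores or contact Ranger Admin.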