Walkthrough: Creating

encryption zone with

Ranger KMS
Launch main ambari
page
Click add-service option
Select Ranger and
Ranger KMS
Ensure that needful is
done
Select the nodes on
which service(s)
need to be installed
Fill in the appropriate
details
Check DB connectivity
for Ranger Metastore DB
Select DB type and enter
the credentials
Optional: Select the type
of auditing desired
Enter relevant details for
Ranger KMS tab
Click next
Wait for the setup to
complete
Setup looks completed!
In most occasions, the issue could be with user access to the DB and
host access, this varies between choice of Database (Postgres, Mysql
etc)
Complete the setup by
clicking on complete
Restart the services
which indicates that
service restart is required
(HDFS, MapReduce2,
YARN and Hive)
Wait for the restart of
services to complete
Enable the ranger plugin
(optional)
Save configuration
changes
Restart relevant services
Open ranger Admin UI
from drop down
Login user admin/admin
credentials
Select HDFS Policy
Edit HDFS policy
[hdfs@xlnode-242 ~]$ hdfs dfs -mkdir -p /apps/hive/warehouse/zencrypted
[hdfs@xlnode-242 ~]$ hdfs dfs -chown -R hive:hadoop
/apps/hive/warehouse/zencrypted

[hdfs@xlnode-242 ~]$ hdfs dfs -ls /apps/hive/warehouse

Found 1 items
drwxr-xr-x - hive hadoop 0 2017-03-14 18:31
/apps/hive/warehouse/zencrypted
[hdfs@xlnode-242 ~]$

Add the directory which

you wish to encrypt
Add hive as one of the
users and ensure that he
has all the permissions
for encrypted directory
Save the new policy
Install openssl-devel for
enabling encryption
Be sure to create the
crypto softlink on all the
nodes within the cluster
Verify if libraries are
accessiblae and ready
hadoop checknative
and create a key as
hive user, if you see
this error the follow
through
Login to ranger admin
with keyadmin as
username and password,
which is the default
username/password
Edit the KMS
Witness that users is
limited to keyadmin, thus
only he can created the
key by default
Edit the KMS
Add hive and hdfs in
the Select User section
and Save
Save the KMS
modifications
You should be able to
create the encryption key
Now add the encryption
zone as HDFS
(superuser) using the key
we created zencrypt on
the folder zencrypted
Ensure that you login to ranger again with
credentials admin/admin and make sure that
user hive has required privileges on database
and table.
This should allow you to
create the table in
default database within
the encrypted folder
Verify if the inserts and
selects are working as
hive
To verify if the data is
indeed encrypted, add a
new policy from ranger
UI (admin/admin) for a
random user centos
with SELECT privileges
only
Save the changes
You can see that from a
JDBC session, the user
centos can read the
data, however, cannot do
the same from HDFS
layer with the configured
permissions