Posted to user@ranger.apache.org by Sungwoo Park <gl...@gmail.com> on 2019/07/22 12:17:47 UTC

Using a KeyStore file instead of db_root_password

Hello,

I have a question on installing Ranger. Currently we specify the password
for Ranger database (which is MySQL) with db_root_password in
ranger-admin-install.properties, e.g.:

db_root_user=root
db_root_password=passwd

I wonder if there is an alternative way of specifying the password with a
KeyStore file (jceks). Or, is the file ranger-admin-install.properties just
supposed to be removed after installing Ranger?

Thanks,

--- Sungwoo Park

Re: Using a KeyStore file instead of db_root_password

Posted by Mehul Parikh <xs...@gmail.com>.
Hi Sungwoo,

Sorry for the delayed reply; I was caught up on a few other tasks.
Thanks for the suggestion. It looks like a lot of work has been done in this
direction. It will be helpful if you can share your solution on the review
board.

On Thu, Aug 1, 2019 at 6:36 PM Sungwoo Park <gl...@gmail.com> wrote:

> Hi Mehul,
>
> Thanks for clarifying this. As you pointed out, deleting
> install.properties after starting Ranger looks like a reasonable solution.
> However, there are situations in which deleting install.properties is not a
> complete solution.
>
> 1. Some organizations have an internal policy prohibiting the deployment
> of any software system that requires passwords written in text form
> somewhere (not because of the security issue but because of rogue users).
>
> 2. In our case, we are running Ranger as a Kubernetes Pod. We mount
> install.properties inside a Pod, which is not deleted automatically. We
> decided to mount it as a Kubernetes Secret (instead of a ConfigMap) to
> alleviate the security issue. You can find our solution at:
> https://mr3.postech.ac.kr/hivek8s/guide/run-ranger/
>
> A complete solution to this problem would be to require the user to submit
> a KeyStore file that contains all the passwords. (This is what we really
> need, because we would like to launch a Ranger service for each user, and
> thus we cannot really ask for the password in text form.) With the current
> release of Ranger 2.0.0-SNAPSHOT, it seems that this is easy to implement,
> except that it does not work for db_root_password, unfortunately. (I think
> the current code reads db_root_password in text form to communicate with
> the database.) If you think this is feasible with a simple fix, please let
> me know, so that we could give it a try.
>
> Cheers,
>
> --- Sungwoo

-- 

Thanks and regards,
Mehul Parikh
----------------------------
M: +91 98191 54446
E: xsmehul@gmail.com

Re: Using a KeyStore file instead of db_root_password

Posted by Sungwoo Park <gl...@gmail.com>.
Hi Mehul,

Thanks for clarifying this. As you pointed out, deleting install.properties
after starting Ranger looks like a reasonable solution. However, there are
situations in which deleting install.properties is not a complete solution.

1. Some organizations have an internal policy prohibiting the deployment of
any software system that requires passwords written in text form somewhere
(not because of the security issue but because of rogue users).

2. In our case, we are running Ranger as a Kubernetes Pod. We mount
install.properties inside a Pod, which is not deleted automatically. We
decided to mount it as a Kubernetes Secret (instead of a ConfigMap) to
alleviate the security issue. You can find our solution at:
https://mr3.postech.ac.kr/hivek8s/guide/run-ranger/

A complete solution to this problem would be to require the user to submit
a KeyStore file that contains all the passwords. (This is what we really
need, because we would like to launch a Ranger service for each user, and
thus we cannot really ask for the password in text form.) With the current
release of Ranger 2.0.0-SNAPSHOT, it seems that this is easy to implement,
except that it does not work for db_root_password, unfortunately. (I think
the current code reads db_root_password in text form to communicate with
the database.) If you think this is feasible with a simple fix, please let
me know, so that we could give it a try.

Cheers,

--- Sungwoo

On Thu, Aug 1, 2019 at 4:43 PM Mehul Parikh <xs...@gmail.com> wrote:

> Hi Sungwoo,
>
> Are you installing Ranger manually?
>
>    - Ranger saves these passwords in Keystore file only, and replaces all
>    password values with _ value in ranger-admin-site.xml.
>    - You can back up install.properties and then delete that file after
>    installing and starting Ranger service.

Re: Using a KeyStore file instead of db_root_password

Posted by Mehul Parikh <xs...@gmail.com>.
Hi Sungwoo,

Are you installing Ranger manually?

   - Ranger saves these passwords in Keystore file only, and replaces all
   password values with _ value in ranger-admin-site.xml.
   - You can back up install.properties and then delete that file after
   installing and starting Ranger service.



On Mon, Jul 22, 2019 at 5:48 PM Sungwoo Park <gl...@gmail.com> wrote:

> Hello,
>
> I have a question on installing Ranger. Currently we specify the password
> for Ranger database (which is MySQL) with db_root_password in
> ranger-admin-install.properties, e.g.:
>
> db_root_user=root
> db_root_password=passwd
>
> I wonder if there is an alternative way of specifying the password with a
> KeyStore file (jceks). Or, is the file ranger-admin-install.properties just
> supposed to be removed after installing Ranger?
>
> Thanks,
>
> --- Sungwoo Park
>


-- 

Thanks and regards,
Mehul Parikh
----------------------------
M: +91 98191 54446
E: xsmehul@gmail.com
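
The following is an added example, not part of the thread and not Ranger's own code: a post-install check for the two points in the reply above, namely that install.properties should no longer carry a password and that password values in ranger-admin-site.xml are replaced with _. The sample inputs are constructed, and the property names in the XML sample (in particular example.audit.password) are assumptions for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from a real deployment).
SAMPLE_PROPERTIES = """\
# install.properties (constructed sample)
db_root_user=root
db_root_password=passwd
db_user=rangeradmin
db_password=
"""

SAMPLE_SITE_XML = """\
<configuration>
  <property><name>ranger.jpa.jdbc.user</name><value>rangeradmin</value></property>
  <property><name>ranger.jpa.jdbc.password</name><value>_</value></property>
  <property><name>example.audit.password</name><value>hunter2</value></property>
</configuration>
"""

PASSWORD_KEY = re.compile(r"password", re.IGNORECASE)


def plaintext_in_properties(text):
    """Return keys containing 'password' that still carry a non-empty value."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if PASSWORD_KEY.search(key) and value:
            hits.append(key)  # report the key only, never the secret itself
    return hits


def unmasked_in_site_xml(text, mask="_"):
    """Return password property names whose value is neither empty nor the mask."""
    hits = []
    for prop in ET.fromstring(text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        value = (prop.findtext("value") or "").strip()
        if PASSWORD_KEY.search(name) and value not in ("", mask):
            hits.append(name)
    return hits


if __name__ == "__main__":
    print("install.properties:", plaintext_in_properties(SAMPLE_PROPERTIES))
    print("ranger-admin-site.xml:", unmasked_in_site_xml(SAMPLE_SITE_XML))
```

Run against the mounted file in a Pod, the first function also covers the Kubernetes case from the thread, where install.properties is not deleted automatically.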