
Apache Ranger KMS

Apache Ranger KMS is an open source key management service that supports HDFS data-at-rest encryption.
Ranger KMS enables the following functions:
Key management
You can create, update, or delete the encryption keys and encryption zones that control access to functionality.
Access control policies
You can administer access control policies for encryption keys. You can create or edit keys to control which users have access to functionality.
You can run mappings on a Hortonworks HDP cluster that uses Ranger KMS.

Configuring Apache Ranger KMS

Use the Apache Ambari console to configure Apache Ranger KMS for access control.
    1. Create a user for Informatica.
    The user is the same as the Data Integration Service user or the Kerberos SPN user.
    2. Add the Informatica user to a new KMS repository, or to an existing KMS repository.
    3. Grant permissions to the Informatica user.
    4. Create and configure an encryption key.
    5. Create an encryption zone that uses the encryption key you created.
    For example:
    hdfs dfs -mkdir /zone_encr_infa
    hdfs crypto -createZone -keyName infa_key -path /zone_encr_infa
    6. In the Ambari cluster administration utility, browse to the Custom KMS Site page and add the following properties:
    hadoop.kms.proxyuser.<user>.groups=*
    hadoop.kms.proxyuser.<user>.hosts=*
    hadoop.kms.proxyuser.<user>.users=*
    where <user> is the Informatica user name you configured in Step 1.
    7. Browse to Ambari Agent > HDFS > Custom Core Site and update the following properties:
    hadoop.kms.proxyuser.<user>.hosts
    hadoop.kms.proxyuser.<user>.groups
    8. Browse to Ambari Agent > Ranger KMS > Configs and search for proxyuser in the Ranger KMS Configurations area. To register all Hadoop system users with Ranger KMS, add the following properties:
    hadoop.kms.proxyuser.HTTP.hosts=*
    hadoop.kms.proxyuser.HTTP.users=*
    hadoop.kms.proxyuser.hive.hosts=*
    hadoop.kms.proxyuser.hive.users=*
    hadoop.kms.proxyuser.keyadmin.hosts=*
    hadoop.kms.proxyuser.keyadmin.users=*
    hadoop.kms.proxyuser.nn.hosts=*
    hadoop.kms.proxyuser.nn.users=*
    hadoop.kms.proxyuser.rm.hosts=*
    hadoop.kms.proxyuser.rm.users=*
    hadoop.kms.proxyuser.yarn.hosts=*
    hadoop.kms.proxyuser.yarn.users=*
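The hadoop.kms.proxyuser properties added in Steps 6 through 8 define which hosts, users, and groups each proxy user may impersonate when it talks to Ranger KMS, so after configuration it is worth reading the resulting kms-site.xml back and listing every proxy user whose scope is a wildcard. The following audit script is an added example and is not Informatica or Ranger code; the kms-site.xml content, the proxy user name "infa", and the host name are constructed sample values.

```python
import xml.etree.ElementTree as ET

# Constructed sample in Hadoop *-site.xml format, mirroring the properties the
# procedure adds for the Informatica user (here "infa") and for the NameNode.
SAMPLE_KMS_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>hadoop.kms.proxyuser.infa.groups</name><value>*</value></property>
  <property><name>hadoop.kms.proxyuser.infa.hosts</name><value>*</value></property>
  <property><name>hadoop.kms.proxyuser.infa.users</name><value>*</value></property>
  <property><name>hadoop.kms.proxyuser.nn.hosts</name><value>nn01.example.internal</value></property>
  <property><name>hadoop.kms.proxyuser.nn.users</name><value>hdfs</value></property>
  <property><name>hadoop.kms.authentication.type</name><value>kerberos</value></property>
</configuration>"""

PREFIX = "hadoop.kms.proxyuser."
DIMENSIONS = ("hosts", "users", "groups")


def parse_site_xml(text):
    """Return {property name: value} from a Hadoop <configuration> document."""
    props = {}
    for prop in ET.fromstring(text).findall("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def proxyuser_scopes(props):
    """Group hadoop.kms.proxyuser.<user>.<dimension> into {user: {dimension: value}}."""
    scopes = {}
    for name, value in props.items():
        if not name.startswith(PREFIX):
            continue
        user, _, dimension = name[len(PREFIX):].rpartition(".")
        if user and dimension in DIMENSIONS:
            scopes.setdefault(user, {})[dimension] = value
    return scopes


def audit_proxyusers(props):
    """Return [(user, [wildcard dimensions])] for proxy users with any '*' scope.

    '*' in hosts allows impersonation from any machine; '*' in users or groups
    allows impersonation of anyone. Each is listed so the operator can confirm
    that the breadth is intended for that service account.
    """
    findings = []
    for user, dims in sorted(proxyuser_scopes(props).items()):
        wild = sorted(d for d, v in dims.items() if v == "*")
        if wild:
            findings.append((user, wild))
    return findings
```

Run it against the real file by replacing SAMPLE_KMS_SITE with the contents of kms-site.xml exported from Ambari; a proxy user that appears with all three dimensions as wildcards has the scope the procedure above grants.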