This blog post provides a brief overview of Ranger KMS and how to migrate Keys from Hadoop KMS to Ranger KMS.
Ranger Key Management Service (Ranger KMS):
Ranger KMS is based on Hadoop KMS developed by the Apache community. The main difference between Hadoop KMS and Ranger KMS is that the Hadoop KMS stores keys in a file-based Java keystore where as Ranger allows you to store keys in a secure database. The centralized administration of the Ranger KMS is provided through the Ranger admin portal.
There are three main functions within the Ranger KMS: Key management, Access control policies for key management, and audit. To know how to set up and configure Ranger KMS, visit our knowledge center.
In the next section, we will talk about how to migrate the keys from hadoop keystore to Ranger.
NOTE: The following steps are for migrating the keystore in JCEKS format only.
- Installed Hadoop
- Installed and setup Ranger
- Kerberized cluster
Migrating keys from Hadoop KMS to Ranger KMS:
- Create keys and store them in a keystore in hadoop. To learn more about how to create keys in hadoop keystore go to enabling transparent data encryption in hadoop.
- Once you have created keys, a keystore file will be generated with the name “kms.keystore” under the user id that you have used to create the keys. For eg. /root/kms.keystore
- For more protection, you can create a password for the keystore file using the command:
keytool -storepasswd -keystore kms.keystore -storetype jceks -storepass current_password -new new_password
keytool -storepasswd -keystore kms.keystore -storetype jceks -storepass none -new temppass
Make a note of this password. This will be used in the later steps.
NOTE: If you do not provide or create a password for the keystore, then the default password “none” will be used ie. the word none is the password for the keystore.
- Go to console and stop the Hadoop KMS using the command:
service kms stopor
- Now go ahead and install and set up Ranger KMS following the steps in the knowledge center. This will cause the HDFS key provider configurations to be updated to point to Ranger KMS, as shown below.
- This would trigger Hadoop services to restart, you can restart them from Ambari.
- In a multinode environment, you must first copy the keys from the Hadoop KMS server to the node where Ranger KMS is installed. You can perform that using the regular scp command on the node where Ranger KMS is installed.
scp email@example.com:/root/kms.keystore /root/hadoop-keys/
- Now on the Ranger KMS node, go to the command line or console and find the location or path where Ranger KMS is installed and issue the following commands. The default location is /usr/iop/current/ranger-kms/.
[root@ranger_kms_node]# cd $RANGER_KMS_HOME
[root@ranger_kms_node ranger-kms]# ./importJCEKSKeys.sh [/path/to/hadoop/keystore]
[root@ranger_kms_node]# cd /usr/iop/current/ranger-kms/
[root@ranger_kms_node ranger-kms]# ./importJCEKSKeys.sh /root/kms.keystoreor
[root@ranger_kms_node ranger-kms]# ./importJCEKSKeys.sh /root/hadoop-keys/kms.keystore
When prompted for the keystore password, enter the password that you have created for the hadoop keystore (in step-3 above) or “none” if you have not entered a password. You will be prompted the password for the individual keys. Here enter the word “none” (the default password for the keys).
[root@ranger_kms_node ranger-kms]# ./importJCEKSKeys.sh /root/kms.keystore
Enter Password for the keystore FILE : none
Enter Password for the KEY(s) stored in the keystore: none
Keys from /root/kms.keystore has been successfully imported into RangerDB.
- To verify the key migration was done successfully, go to Ranger admin web interface and login as the keyadmin/keyadmin (the default keyadmin userid and password.) Select the KMS service in the drop down list. Then you should see the list of the migrated keys.
This concludes the migrating the Hadoop keys to Ranger KMS.