Ranger KMS/Hadoop KMS
- ZooKeeper Usage: If multiple instances of KMS are configured, both Ranger KMS and Hadoop KMS use the ZooKeeper znode /hadoop-kms to store the HTTP cookie signature secret. See the "Http Authentication Signature" section here.
  - /hadoop-kms -- <HTTP cookie signature secret>

- Default ACLs:
  - /hadoop-kms -- world:anyone:cdrwa

- Security Best Practice ACLs/Permissions and Required Steps:
  - /hadoop-kms -- sasl:rangerkms:cdrwa
- Ranger KMS runs as the user rangerkms, and only KMS needs access to this znode. The znode path (hadoop.kms.authentication.signer.secret.provider.zookeeper.path) can be configured in Ambari for Ranger KMS. Set the ACL using these steps:
  - SSH to the cluster where Ranger KMS is present.
  - Go to /usr/hdp/<version>/zookeeper/bin
  - Run ./zkCli.sh -server <FQDN of Ranger KMS host>:2181
  - After it connects, run: ls /
  - Verify there is a znode with the path specified in the hadoop.kms.authentication.signer.secret.provider.zookeeper.path property of the Ranger KMS configuration.
  - Execute getAcl /hadoop-kms. If the permission is for world,anyone: cdrwa, restrict it to sasl:rangerkms:cdrwa using this command: setAcl /hadoop-kms sasl:rangerkms:cdrwa
  - Repeat the above step for all the clusters where Ranger KMS is installed.
  Example zkCli session:

    [zk: dk-test-0706-3.openstacklocal:2181(CONNECTED) 0] getAcl /hadoop-kms
    'world,'anyone
    : cdrwa
    [zk: dk-test-0706-3.openstacklocal:2181(CONNECTED) 4] setAcl /hadoop-kms sasl:rangerkms:cdrwa
    cZxid = 0x20000001e
    ctime = Tue Jun 07 12:22:58 UTC 2016
    mZxid = 0x20000001e
    mtime = Tue Jun 07 12:22:58 UTC 2016
    pZxid = 0x20000001f
    cversion = 1
    dataVersion = 0
    aclVersion = 1
    ephemeralOwner = 0x0
    dataLength = 0
    numChildren = 1
    [zk: dk-test-0706-3.openstacklocal:2181(CONNECTED) 5] getAcl /hadoop-kms
    'sasl,'rangerkms
    : cdrwa
    [zk: dk-test-0706-3.openstacklocal:2181(CONNECTED) 6]
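  The getAcl check above has to be repeated on every cluster running Ranger KMS. The following added example (not part of the HDP documentation or the Ranger project) is a hypothetical audit helper that parses the text zkCli.sh prints for getAcl, flags a world:anyone entry, and confirms the required sasl:rangerkms:cdrwa entry is present; the sample ACL strings in the test are constructed, and only ids without a ':' (as used on this page) are handled.

```python
import re
from dataclasses import dataclass

# Hypothetical audit helper (not part of the HDP docs): checks the ACL text that
# zkCli.sh `getAcl` prints for the KMS secret znode against the required setting.
ZNODE = "/hadoop-kms"
REQUIRED = ("sasl", "rangerkms", "cdrwa")

@dataclass(frozen=True)
class Acl:
    scheme: str
    id: str
    perms: str

# zkCli prints each entry as 'scheme,'id followed by ": perms"; depending on the
# ZooKeeper version the permissions sit on the same line or on the next one.
# Only ids without ':' (world:anyone, sasl:rangerkms) are handled here.
_ENTRY = re.compile(r"'(?P<scheme>[^,]+),'(?P<id>[^\s:]*)\s*(?::\s*(?P<perms>[a-z]+))?$")

def parse_getacl(output: str) -> list[Acl]:
    """Turn raw getAcl text into Acl records, joining a split ': perms' line."""
    acls: list[Acl] = []
    pending = None  # entry whose permissions are expected on the following line
    for raw in output.splitlines():
        line = raw.strip()
        if pending is not None and line.startswith(":"):
            acls.append(Acl(pending.scheme, pending.id, line[1:].strip()))
            pending = None
            continue
        m = _ENTRY.match(line)
        if m is None:  # prompt lines, blank lines and other output are skipped
            continue
        entry = Acl(m.group("scheme"), m.group("id"), m.group("perms") or "")
        if entry.perms:
            acls.append(entry)
        else:
            pending = entry
    return acls

def audit(output: str, znode: str = ZNODE) -> list[str]:
    """Return findings for the znode; an empty list means it is locked down."""
    findings: list[str] = []
    acls = parse_getacl(output)
    for a in acls:
        if a.scheme == "world" and a.id == "anyone":
            findings.append(f"{znode}: world:anyone has '{a.perms}'; fix: setAcl {znode} sasl:rangerkms:cdrwa")
        elif (a.scheme, a.id) != REQUIRED[:2]:
            findings.append(f"{znode}: unexpected principal {a.scheme}:{a.id} ({a.perms})")
    if not any((a.scheme, a.id, a.perms) == REQUIRED for a in acls):
        findings.append(f"{znode}: required entry sasl:rangerkms:cdrwa is missing")
    return findings
```

  Feed it the output of a non-interactive `zkCli.sh -server <host>:2181 getAcl /hadoop-kms` run per cluster; a non-empty result is a znode that still needs the setAcl step.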
 

