Security
Also available as:
PDF
loading table of contents...

Using the Ranger Key Management Service

Ranger KMS can be accessed at the Ranger admin URL, http://<hostname>:6080. Note, however, that the login user for Ranger KMS is different than that for Ranger. Logging on as the Ranger KMS admin user leads to a different set of screens.

Role Separation

By default, Ranger admin uses a different admin user (keyadmin) to manage access policies and keys for Ranger KMS.

The person accessing Ranger KMS via the keyadmin user should be a different person than the administrator who works with regular Ranger access policies. This approach separates encryption work (encryption keys and policies) from Hadoop cluster management and access policy management.

Accessing the Ranger KMS Web UI

To access Ranger KMS, log in as user keyadmin, password keyadmin.

[Important]Important

Change the password after you log in.

After logging in, you will see the Service Manager screen. To view or edit Ranger KMS repository properties, click on the edit button next to the repository name:

You will see a list of service details and config properties for the repository:

Listing and Creating Keys

To list existing keys:

  1. Choose the Encryption tab at the top of the Ranger Web UI screen.

  2. Select the Ranger KMS service from the drop-down list.

To create a new key:

  1. Click on "Add New Key".

  2. Add a valid key name.

  3. Select the cipher name. Ranger supports AES/CTR/NoPadding as the cipher suite.

  4. Specify the key length, 128 or 256 bits.

  5. Add other attributes as needed, and then save the key.

Rolling Over an Existing Key

Rolling over (or "rotating") a key retains the same key name, but the key will have a different version. This operation re-encrypts existing file keys, but does not re-encrypt the actual file. Keys can be rolled over at any time.

After a key is rotated in Ranger KMS, new files will have the file key encrypted by the new master key for the encryption zone.

To rotate a key, click the edit button next to the key name in the list of keys, as shown in the following screen shot:

Edit the key information, and then press Save.

When asked to confirm the rollover, click "OK":

Deleting a Key

[Warning]Warning

Deleting a key associated with an existing encryption zone will result in data loss.

To delete an existing key:

  1. Choose the Encryption tab at the top of the Ranger Web UI screen.

  2. Select Ranger KMS service from the drop-down list.

  3. Click on the delete symbol next to the key.

  4. You will see a confirmation pop-up window; confirm or cancel.