Disabling High Availability (HA) in ODP Ranger KMS
Disabling High Availability (HA) for Ranger KMS may be necessary in scenarios where a single-node setup is sufficient, or when troubleshooting and maintenance require reducing complexity. This ensures that only one KMS instance is actively handling encryption key requests, simplifying configuration and avoiding potential inconsistencies.
Here are the steps for disabling KMS HA:
Option 1
Stop the Ranger KMS service.
- Navigate to the Ambari UI.
- Select Ranger KMS.
- Click Action > Stop.
Run deleteall /zkdtsm using the ZooKeeper client.
- Open a terminal.
- Run the command:
deleteall /zkdtsm
Update the Ranger KMS Configuration.
- Navigate to Ambari > Ranger KMS configuration.
- Set or update the following properties:
hadoop.kms.cache.enable=true
hadoop.kms.authentication.zk-dt-secret-manager.enable=false
hadoop.kms.cache.timeout.ms=600000
hadoop.kms.current.key.cache.timeout.ms=30000
hadoop.kms.authentication.signer.secret.provider=random
Remove the Additional KMS Host.
- Navigate to Ambari > HDFS > Configs.
- Update the following configurations:
<property>
<name>hadoop.security.key.provider.path</name>
<value>kms://http@kms-host.example.com:9292/kms</value>
</property>
Save and Restart the Services.
- Save the configurations.
- Start only one KMS and HDFS service to ensure a single authoritative source for key management. Running multiple KMS instances can lead to inconsistencies in key resolution and cache synchronization. Keeping only one active KMS prevents conflicts and ensures stable encryption key distribution.
Option 2
- Stop Ranger KMS and Delete the Ranger KMS Service: This disables KMS completely.
- Ambari Service Advisor Updates: Once deleted, the Ambari service advisor updates the recommended configuration accordingly.
- Impact Consideration: Ensure that no dependencies rely on KMS before deletion to avoid potential disruptions.
Important Notes
Update the Property: hadoop.kms.authentication.zk-dt-secret-manager.enable (shown below with its HA value; Option 1 above sets it to false)
<property>
<name>hadoop.kms.authentication.zk-dt-secret-manager.enable</name>
<value>true</value>
<description>
If true, Hadoop KMS uses ZKDelegationTokenSecretManager to persist
TokenIdentifiers and DelegationKeys in ZooKeeper.
</description>
</property>
Update the Property: hadoop.kms.authentication.signer.secret.provider (shown below with its HA value; Option 1 above sets it to random)
<property>
<name>hadoop.kms.authentication.signer.secret.provider</name>
<value>zookeeper</value>
<description>
Indicates how the secret to sign the authentication cookies will be
stored. Options are 'random' (default), 'file' and 'zookeeper'.
If using a setup with multiple KMS instances, 'zookeeper' should be used.
If using file, signature.secret.file should be configured and point to the secret file.
</description>
</property>
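A post-change check, added here as an example and not part of the ODP or Hadoop project code: it parses a Hadoop-style configuration document, compares the kms-site values against the single-instance settings from Option 1, and confirms that hadoop.security.key.provider.path names exactly one KMS host (Hadoop lists HA instances as semicolon-separated hosts in that URI). The sample kms-site fragment and host names are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Values the procedure above sets for a single KMS instance.
EXPECTED_KMS_SITE = {
    "hadoop.kms.cache.enable": "true",
    "hadoop.kms.authentication.zk-dt-secret-manager.enable": "false",
    "hadoop.kms.cache.timeout.ms": "600000",
    "hadoop.kms.current.key.cache.timeout.ms": "30000",
    "hadoop.kms.authentication.signer.secret.provider": "random",
}

def parse_hadoop_xml(text):
    """Parse a Hadoop <configuration> document into a {name: value} dict."""
    props = {}
    for prop in ET.fromstring(text).iter("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props

def kms_site_problems(props):
    """List kms-site properties that still reflect the HA (ZooKeeper) setup."""
    return [f"{n}: expected {v!r}, found {props.get(n)!r}"
            for n, v in EXPECTED_KMS_SITE.items() if props.get(n) != v]

def key_provider_hosts(path):
    """Return the hosts in hadoop.security.key.provider.path; HA instances
    appear as semicolon-separated hosts before the port (kms://http@h1;h2:port/kms)."""
    if not path.startswith("kms://"):
        raise ValueError(f"not a kms:// provider path: {path}")
    authority = path[len("kms://"):].split("/", 1)[0]          # http@h1;h2:9292
    hostpart = authority.split("@", 1)[-1].rsplit(":", 1)[0]  # h1;h2
    return [h for h in hostpart.split(";") if h]

def single_instance_problems(kms_site_xml, provider_path):
    """Run both checks; an empty list means HA is consistently disabled."""
    problems = kms_site_problems(parse_hadoop_xml(kms_site_xml))
    hosts = key_provider_hosts(provider_path)
    if len(hosts) != 1:
        problems.append(f"provider path names {len(hosts)} hosts: {hosts}")
    return problems

# Constructed kms-site fragment that still carries the HA values from the notes above.
HA_KMS_SITE = """<configuration>
<property><name>hadoop.kms.authentication.zk-dt-secret-manager.enable</name>
<value>true</value></property>
<property><name>hadoop.kms.authentication.signer.secret.provider</name>
<value>zookeeper</value></property>
</configuration>"""
```

Running single_instance_problems on the real kms-site.xml and the HDFS key provider path after step 4 should return an empty list; any entry names a setting that still points at the multi-instance setup.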
The Apache Hadoop KMS documentation provides more in-depth information on key management, authentication mechanisms, and best practices for configuring and troubleshooting KMS. It includes details on enabling and disabling HA, security considerations, and performance tuning. For additional details, refer to the official Apache Hadoop KMS documentation: Hadoop KMS Documentation.