
Apache Ranger Integration

Apache Ranger is an open-source authorization solution that provides access control and audit capabilities for big data platforms through centralized security administration.

Apache Ranger’s open data governance model and plugin architecture enable access control to be extended to projects beyond the Hadoop ecosystem, and the platform is widely accepted among major cloud vendors including AWS, Azure, and GCP.

Ahana-managed Presto clusters can enforce access control policies defined in Apache Ranger at several levels, including:

  • role level
  • group level
  • table level
  • column level

and others. You can enable Apache Ranger integration with a Hive Metastore or an AWS Glue data source to apply and audit fine-grained data access control across these catalogs.

To create an Apache Ranger Service Name in Apache Ranger to use with Ahana:

To work with authorization services in Ahana:

Requirements

Apache Ranger integration is supported for Ahana-managed Presto clusters in an Ahana Compute Plane of version 3.0 or above.

Apache Ranger must be version 2.1.x or above.

Only Hive connector-based catalogs such as Hive and AWS Glue are supported.

The Apache Ranger plugin for Hive is required. For more information, see Apache Hive plugin.

The coordinator and worker nodes in an Ahana-managed Presto cluster must have network access to Apache Ranger. The default port is 6080. If SSL is enabled, the default port is 6182.

Create Users in Apache Ranger

Presto users must be created in Apache Ranger with the same names as the Presto users attached to the Ahana-managed Presto cluster.

  1. To see the Presto users attached to the Ahana-managed Presto cluster, in the Ahana SaaS Console select Clusters, select Manage next to the Presto cluster, then the Presto Users pane. See View Presto Clusters.

  2. Log in to the Ranger Admin Service Manager.

  3. Select Settings, then User/Group/Roles.

  4. In User List, select Add New User.

  5. In User Detail:

    1. In User Name, enter the Presto user name defined in Ahana.

    2. In New Password and Password Confirm, enter a password. This password does not need to be the same as the Presto user's password defined in Ahana.

    3. In First Name, enter a name.

    4. In Select Role, use the drop-down to assign the user a Role.

    5. Select Save.

  6. Repeat step 5 for all Presto users in step 1.
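A check for the name-matching requirement above, as an added example that is not part of the Ahana or Apache Ranger documentation: it compares the Presto user names from step 1 with the users known to Ranger and reports names that are missing or that differ only by case or surrounding whitespace. The Ranger Admin REST endpoint `/service/xusers/users`, its `vXUsers` response field, the function names, and all sample data are assumptions made for illustration.

```python
import base64
import json
import urllib.request

def fetch_ranger_users(base_url, admin_user, admin_password, page_size=1000):
    """Fetch users from Ranger Admin (assumed endpoint: GET /service/xusers/users)."""
    req = urllib.request.Request(
        f"{base_url}/service/xusers/users?pageSize={page_size}",
        headers={"Accept": "application/json"})
    token = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp).get("vXUsers", [])

def reconcile(presto_users, ranger_users):
    """Classify each Presto user name by how it matches a Ranger user name."""
    exact = {u["name"] for u in ranger_users}
    folded = {}  # normalized name -> Ranger names that collapse to it
    for u in ranger_users:
        folded.setdefault(u["name"].strip().lower(), []).append(u["name"])
    report = {"ok": [], "near_miss": {}, "missing": []}
    for name in presto_users:
        key = name.strip().lower()
        if name in exact:
            report["ok"].append(name)        # identical name exists in Ranger
        elif key in folded:
            report["near_miss"][name] = folded[key]  # not the same name
        else:
            report["missing"].append(name)   # must be created in Ranger
    return report

# Constructed sample data: Presto users as listed in the Ahana SaaS Console,
# and a Ranger Admin response in the assumed {"vXUsers": [...]} shape.
SAMPLE_PRESTO_USERS = ["alice", "etl_svc", "Bob", "carol"]
SAMPLE_RANGER_RESPONSE = json.loads("""
{"vXUsers": [{"name": "admin"}, {"name": "alice"},
             {"name": "etl_svc"}, {"name": "bob"}]}
""")

if __name__ == "__main__":
    # Against a live Ranger Admin, replace the sample with, for example:
    #   fetch_ranger_users("http://ranger-host:6080", "admin", "<password>")
    result = reconcile(SAMPLE_PRESTO_USERS, SAMPLE_RANGER_RESPONSE["vXUsers"])
    print(json.dumps(result, indent=2))
```

Any name reported under `near_miss` or `missing` needs a Ranger user created with exactly the Presto user name.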

Create a Ranger Service Name

  1. Log in to the Ranger Admin Service Manager.

  2. In Service Manager, select the plus + in the Hadoop SQL resource.

note

If Hadoop SQL is not present, select the plus + in the Hive resource.

  3. In Service Details, enter the new Ranger Service Name.

  4. In Config Properties, enter the Username and Password of the Ranger Admin account.

note

The Ranger Admin account information is the same as the Ranger Admin Username and Ranger Admin Password in the Apache Ranger service definition in Ahana SaaS Console. See Add an Apache Ranger Authorization Service.

  5. In jdbc.url, enter the JDBC connection string to use when connecting to HiveServer2. This enables metadata browsing for resource names when creating policies.

note

If there is no HiveServer2 running, then enter the following value in jdbc.url as a placeholder.

jdbc:hive2://hive-server:10000/;serviceDecoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2

  6. Select Test Connection and revise until it is successful.

note

If you used the placeholder value in jdbc.url, then Test Connection will return the following message:

Connection Failed.

Unable to retrieve any files using given parameters, You can still save the repository and start creating policies, but you would not be able to use autocomplete for resource names. Check ranger_admin.log for more info.

This is not a failure of the Apache Ranger Service Name; it is a failure of only the autocomplete for resource names feature. This message is a successful test result.

  7. Select Add to add the Ranger Service Name.

In the Ranger Service Name you have just created, create access control policies.