Set up access control with the Ranger plugin

Available in VPC

Implementing security rules for the big data ecosystem with Apache Ranger is possible. The Ranger project enables security guidelines to be defined and enforced in a uniform way across all Hadoop applications.

Enabling the Ranger plugin

1. After accessing the Ambari UI, enabling the plugin in the Services > Ranger > [CONFIGS] > RANGER PLUGIN tab is mandatory to manage permissions using Ranger. HDFS Ranger Plugin to the ON state and save the configuration.
   

2. When the HDFS Ranger Plugin is enabled, the Enable Ranger for HDFS checkbox is automatically checked in Services > HDFS > [CONFIGS] > ADVANCED > Advanced ranger-hdfs-plugin-properties.
   

3. Set the value of dfs.permissions.enabled in the Advanced hdfs-site item to true. This setting must be included in Ranger Audit to leave a history.
   

4. HDFS, HIVE, YARN, and PRESTO services require a restart. Click [ACTIONS] > Restart All in the top right corner and click [CONFIRM RESTART ALL] in the popup window to apply the changed settings.
   

5. When the Dependent Configurations prompt appears, click [OK].
   

Ranger Admin UI

1. Access SSL VPN.
   • For SSL VPN information, see Access a cluster node with SSH.
2. Select a Cloud Hadoop cluster to access the Ranger Admin UI and click [View by Application] > Ranger Web UI.
   • For more information about accessing the Ranger UI, see View by application.

Alternatively, check the domain address in the Cluster details in the console. You can also access the Ranger Admin UI directly using the URL below:

 https://{Domain address}:8443/ranger

3. Access the Ranger Admin UI to see which services the policy is applied to.

   • When you access the Ranger Admin UI, you'll see that the HDFS, HIVE, and YARN Policy exist with the plugin enabled as a preliminary task.
     

4. After clicking plugins in HDFS, check the List of Policies interface to see the rules in the Policy created by default.
   

• Click Action > . You can verify that the Select User has Read, Write, and Execute permissions for all paths.
  

Create a Ranger Policy

1. On the first interface of the Ranger Admin UI, click [{Cluster name}_hadoop] Policy, which is exposed by default in the HDFS plugin.
   

2. Select [Add New Policy] and add a policy as shown below.

   • You can enter a different path for Resource Path. Here, we used the HDFS home directory of the administrator account. Set the [Recursive] button status to active to apply the permissions to all files or subdirectories under a specific directory.
   • Select sshuser for Select User so that the SSH connection account, sshuser, can access this path.
   • Here, we granted full Read, Write, and Execute permissions.

   

   

3. Verify that the rule created with the ls command is applied.
   • You can access any node in the cluster.
   • Access SSH into the node and use the mkdir command to create a new directory in the /user/{클러스터 계정명} directory of your sshuser account, as shown below.
   • Test that the directory was appropriately created with the ls command.

$ hadoop fs -mkdir /user/{Cluster account name}/tmp
$ hadoop fs -ls /user/{Cluster account name}

4. You can view access attempt logs through the Ranger Audit UI.
   

Trino access permissions management

You must configure Trino access control in the order of catalog, schema, and table levels. To control permissions at the schema level, you need to first establish access control at the catalog level. Create a policy at the catalog level before creating a separate policy for the schema level.

To control permissions at the catalog level:

1. Select Ranger Web UI > Trino > Add New Policy.
2. Enter hive in catalog.
3. Enter a new user to grant permission in Allow Conditions > Select User.