Setting up access control with Ranger plugin
    • PDF

    Setting up access control with Ranger plugin

    • PDF

    Article Summary

    Available in VPC

    You can implement security rules for your big data ecosystem using Apache Ranger. The Ranger project enables you to consistently define and implement security guidelines throughout all Hadoop applications.

    Activate Ranger plugin

    1. Access the Ambari UI, click Services > Ranger > [CONFIGS] > Ranger Plugin, and then change the settings.

      • Plugins that can be enabled are determined by the services installed in the cluster. (Default: Plugin enabled)
      • Change the plugin's status to ON to manage security policies using Ranger. Here, enable HDFS, Hive and YARN plugins and save the changes.
      • HDFS Plugin Activation Example
    2. Please set the value of dfs.permissions.enabled in the Advanced hdfs-site item to true. This setting must be reflected in the Ranger Audit to be recorded.

    3. You need to activate the plugin in the [RANGER PLUGIN] tab of the Ranger service to enable permission management using the Ranger. Please enable HDFS Ranger Plugin.

    4. HDFS, HIVE, YARN and PRESTO services require restart. Click [ACTIONS] > Restart All in the upper right corner, and then click [CONFIRM RESTART ALL] in the pop-up window to apply the changed settings.


    You can also restart components that require restart at once by clicking [...] > Restart All Required in the left sidebar.

    1. When the Dependent Configurations prompt appears, click the [OK] button.

    Ranger Admin UI

    1. Access SSL VPN.

    2. Select the cluster to access the Ranger admin UI from the Cloud Hadoop console's cluster list, and then click [View by application] > Ranger.

    After checking the domain address in the cluster details, you can directly access the Ranger Admin UI with the following URL.

    https://{DOMAIN ADDRESS}:6182/



    The ID and password for the Ranger UI account in Cloud Hadoop version 1.3 or earlier are set to admin and admin respectively.
    The ID and password of the Ranger UI account in Cloud Hadoop version 1.4 or later are set to admin and {password entered by the user} respectively.

    1. Once you access the Ranger admin UI, check on which service the policies are applied to.

      • You can see the HDFS, Hive, and YARN policies are there for which the plugins have been enabled in the preparation stage.
    2. Click HDFS's plugin, and view the rules of the policy created as a default in the List of Policies page.

    • Action > chadoop-3-8-icon-vpc_ko.png You can see that Select User has Read, Write, and Execute permissions for all paths.

    Create Ranger policy

    1. On the first screen of the Ranger Admin UI, click the [{cluster name}_hadoop] Policy that is exposed by default to the HDFS plug-in.

    2. Select the [Add New Policy] button as shown below and insert the policy.

      • You can enter a different path for Resource Path. Here we used the HDFS home directory of the administrator account. If you want the permission to be applied to all files or subdirectories under a specific directory, set the [Recursive] button state to Enabled.
      • Select sshuser in Select User so that the SSH connection account sshuser can access this path.
      • Here, I have given all permissions Read, Write, and Execute.




    Cloud Hadoop creates an HDFS home directory by default for the cluster administrator account (e.g. df-test17) set during installation.

    1. Check whether the rule created with the ls command is applied.
      • You can connect to any node in the cluster.
      • Connect to the node with SSH and use the mkdir command to create a new directory in the /user/{Cluster Account Name} directory of the sshuser account as shown below, and test whether the directory is created properly with the ls command.
    $ hadoop fs -mkdir /user/{Cluster Account Name}/tmp
    $ hadoop fs -ls /user/{Cluster Account Name}


    1. You can check the log of attempted access through the Ranger Audit UI.
    • Cloud Hadoop version 1.8 provides additional PRESTO plugin.
    • Cloud Hadoop version 1.8 additionally provides Presto Ranger Plugin.

    Was this article helpful?