Setting up access control with Ranger plugin

    Available in VPC

    You can implement security rules for your big data ecosystem using Apache Ranger. The Ranger project enables you to consistently define and implement security guidelines throughout all Hadoop applications.

    Activate Ranger plugin

    1. Access the Ambari UI, click Services > Ranger > [CONFIGS] > Ranger Plugin, and then change the settings.

      • Plugins that can be enabled are determined by the services installed in the cluster. (Default: Plugin enabled)
      • Change the plugin's status to ON to manage security policies using Ranger. Here, enable HDFS, Hive and YARN plugins and save the changes.
      • HDFS Plugin Activation Example
    2. Set the value of dfs.permissions.enabled in the Advanced hdfs-site item to true. This setting must be applied for access to be recorded in Ranger Audit.

    3. To manage permissions using Ranger, you need to activate the plugin in the [RANGER PLUGIN] tab of the Ranger service. Enable HDFS Ranger Plugin.

    4. HDFS, HIVE, YARN and PRESTO services require restart. Click [ACTIONS] > Restart All in the upper right corner, and then click [CONFIRM RESTART ALL] in the pop-up window to apply the changed settings.

    Note

    You can also restart all components that require a restart at once by clicking [...] > Restart All Required in the left sidebar.

    5. When the Dependent Configurations prompt appears, click the [OK] button.

    Ranger Admin UI

    1. Access SSL VPN.

    2. Select the cluster to access the Ranger admin UI from the Cloud Hadoop console's cluster list, and then click [View by application] > Ranger.

    After checking the domain address in the cluster details, you can directly access the Ranger Admin UI with the following URL.

    https://{DOMAIN ADDRESS}:6182/
    


    Note

    The ID and password for the Ranger UI account in Cloud Hadoop version 1.3 or earlier are set to admin and admin respectively.
    The ID and password of the Ranger UI account in Cloud Hadoop version 1.4 or later are set to admin and {password entered by the user} respectively.

    3. Once you access the Ranger admin UI, check which services the policies are applied to.

      • You can see policies for HDFS, Hive, and YARN, the services whose plugins were enabled in the preparation stage.
    4. Click the HDFS plugin, and view the rules of the policy created by default on the List of Policies page.

    • Click the icon under Action. You can see that Select User has Read, Write, and Execute permissions for all paths.
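
    The default policy above grants Read, Write, and Execute on all paths, so it helps to list which users hold grants that wide. The following Python script is an added example, not code from the original page or from Apache Ranger; it assumes the policies are available as JSON in Ranger's policy format, and the sample data, service name, policy names and the example-admin user are constructed placeholders.

```python
import json

# Constructed sample in the shape of Ranger's policy JSON. The service name,
# policy names and the "example-admin" user are placeholders, not page values.
SAMPLE_POLICIES = json.loads("""
[{"name": "all - path", "service": "example_hadoop", "isEnabled": true,
  "resources": {"path": {"values": ["/*"], "isRecursive": true}},
  "policyItems": [{"users": ["example-admin"], "groups": [],
    "accesses": [{"type": "read", "isAllowed": true},
                 {"type": "write", "isAllowed": true},
                 {"type": "execute", "isAllowed": true}]}]},
 {"name": "sshuser-home", "service": "example_hadoop", "isEnabled": true,
  "resources": {"path": {"values": ["/user/df-test17"], "isRecursive": true}},
  "policyItems": [{"users": ["sshuser"], "groups": [],
    "accesses": [{"type": "read", "isAllowed": true},
                 {"type": "write", "isAllowed": true},
                 {"type": "execute", "isAllowed": true}]}]}]
""")

ROOT_PATHS = {"/", "/*"}  # resource paths that cover the whole namespace

def list_grants(policies):
    """Flatten enabled policies into one row per (policy, principal, path)."""
    rows = []
    for pol in policies:
        if not pol.get("isEnabled", True):
            continue  # disabled policies grant nothing
        path = pol.get("resources", {}).get("path", {})
        for item in pol.get("policyItems", []):
            perms = sorted(a["type"] for a in item.get("accesses", [])
                           if a.get("isAllowed"))
            who = item.get("users", []) + ["@" + g for g in item.get("groups", [])]
            for principal in who:
                for value in path.get("values", []):
                    rows.append({"policy": pol["name"], "who": principal,
                                 "path": value, "perms": perms,
                                 "recursive": bool(path.get("isRecursive"))})
    return rows

def broad_write_grants(policies):
    """Grants that allow write on the whole HDFS namespace."""
    return [r for r in list_grants(policies)
            if "write" in r["perms"] and r["path"] in ROOT_PATHS
            and (r["recursive"] or r["path"] == "/*")]

if __name__ == "__main__":
    for row in broad_write_grants(SAMPLE_POLICIES):
        print("review:", row["policy"], row["who"], row["path"], row["perms"])
```

    Only the namespace-wide grant is reported; the policy scoped to a single home directory is not.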

    Create Ranger policy

    1. On the first screen of the Ranger Admin UI, click the [{cluster name}_hadoop] policy that is displayed by default under the HDFS plugin.

    2. Click the [Add New Policy] button and add the policy.

      • You can enter a different path for Resource Path. Here we used the HDFS home directory of the administrator account. If you want the permission to be applied to all files or subdirectories under a specific directory, set the [Recursive] button state to Enabled.
      • Select sshuser in Select User so that the SSH connection account sshuser can access this path.
      • Here, all permissions (Read, Write, and Execute) are given.

    Note

    Cloud Hadoop creates an HDFS home directory by default for the cluster administrator account (e.g. df-test17) set during installation.

    3. Use the ls command to check whether the created rule is applied.
      • You can connect to any node in the cluster.
      • Connect to the node with SSH and, as the sshuser account, use the mkdir command to create a new directory in the /user/{Cluster Account Name} directory as shown below, and then check with the ls command that the directory was created properly.
    $ hadoop fs -mkdir /user/{Cluster Account Name}/tmp
    $ hadoop fs -ls /user/{Cluster Account Name}

    4. You can check the log of attempted access through the Ranger Audit UI.

    Note

    • Cloud Hadoop version 1.8 additionally provides the PRESTO plugin.
    • Cloud Hadoop version 1.8 additionally provides the Presto Ranger Plugin.
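
    The mkdir test and the audit check in the steps above can be confirmed from audit records as well as in the Audit UI. The following Python script is an added example, not code from the original page or from Apache Ranger. It assumes the audit events are available as one JSON object per line with Ranger's audit field names, where result 1 means allowed and an enforcer of ranger-acl means a Ranger policy made the decision; the sample events, repo name, policy id and the /user/other path are constructed.

```python
import json

# Constructed audit events, one JSON object per line, using field names from
# Ranger's audit record (reqUser, resource, action, result, enforcer).
# Repo name, timestamps, policy id and the /user/other path are placeholders.
SAMPLE_AUDIT = """\
{"repo":"example_hadoop","reqUser":"sshuser","evtTime":"2024-01-01 10:00:00","access":"mkdirs","resource":"/user/df-test17/tmp","action":"write","result":1,"policy":7,"enforcer":"ranger-acl"}
{"repo":"example_hadoop","reqUser":"sshuser","evtTime":"2024-01-01 10:00:05","access":"listStatus","resource":"/user/df-test17","action":"read_execute","result":1,"policy":7,"enforcer":"ranger-acl"}
{"repo":"example_hadoop","reqUser":"sshuser","evtTime":"2024-01-01 10:01:00","access":"mkdirs","resource":"/user/other/tmp","action":"write","result":0,"policy":-1,"enforcer":"hadoop-acl"}
"""

def load_events(text):
    """Parse JSON-lines audit text, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def under(resource, path):
    """True if resource is path itself or below it (/user/a must not match /user/ab)."""
    path = path.rstrip("/") or "/"
    return resource == path or resource.startswith(path.rstrip("/") + "/")

def ranger_allowed_write(events, user, path):
    """Did a Ranger policy, not native HDFS permissions, allow a write under path?"""
    return any(e.get("reqUser") == user and e.get("result") == 1
               and e.get("enforcer") == "ranger-acl" and e.get("action") == "write"
               and under(e.get("resource", ""), path) for e in events)

def denials(events, user):
    """(time, resource, action, enforcer) for every denied request by user."""
    return [(e.get("evtTime"), e.get("resource"), e.get("action"), e.get("enforcer"))
            for e in events if e.get("reqUser") == user and e.get("result") == 0]

if __name__ == "__main__":
    events = load_events(SAMPLE_AUDIT)
    print("policy test passed:",
          ranger_allowed_write(events, "sshuser", "/user/df-test17"))
    for d in denials(events, "sshuser"):
        print("denied:", d)
```

    A denied write outside the granted path, as in the third constructed event, shows that the policy is scoped to the intended directory.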
