【Apache 之Ranger 介绍】

Ranger is a framework to enable, monitor and manage comprehensive data security across the Hadoop platform.

 

The vision with Ranger is to provide comprehensive security across the Apache Hadoop ecosystem. With the advent of Apache YARN, the Hadoop platform can now support a true data lake architecture. Enterprises can potentially run multiple workloads, in a multi tenant environment. Data security within Hadoop needs to evolve to support multiple use cases for data access, while also providing a framework for central administration of security policies and monitoring of user access.

Apache Ranger提供一个集中式安全管理框架, 并解决授权和审计。它可以对Hadoop生态的组件如HDFS、Yarn、Hive、Hbase等进行细粒度的数据访问控制。通过操作Ranger控制台,管理员可以轻松的通过配置策略来控制用户访问权限。

 

Apache Ranger has the following goals:

Centralized security administration to manage all security related tasks in a central UI or using REST APIs.

Fine grained authorization to do a specific action and/or operation with Hadoop component/tool and managed through a central administration tool

Standardize authorization method across all Hadoop components.

Enhanced support for different authorization methods - Role based access control, attribute based access control etc.

Centralize auditing of user access and administrative actions (security related) within all the components of Hadoop.

Apache Ranger提供一个集中式安全管理框架,它可以对Hadoop生态的组件如Hive,Hbase进行细粒度的数据访问控制.通过操作Ranger控制台,管理员可以轻松的通过配置策略来控制用户访问HDFS文件夹、HDFS文件、数据库、表、字段权限.这些策略可以为不同的用户和组来设置,同时权限可与hadoop无缝对接.

 

 

Ranger鉴权本质上是通过读取安装组件时生成的配置文件以及组件自带的jar包，通过hook方式调用各个组件服务达到权限管理。在安装服务组件插件过程中，当执行./enable-xxx-plugin.sh时，主要执行了以下三个步骤：第一、将插件自带的conf更新到系统安装的服务conf下；第二、将插件自带的lib更新到系统安装的服务lib下；第三、将install.properties生成.xml文件，更新到系统安装的服务conf下。

Installation Host Information

1.Ranger Admin Tool Component (ranger-%version-number%-admin.tar.gz) should be installed on a host where Policy Admin Tool web application runs on port 6080 (default).

2. Ranger User Synchronization Component (ranger-%version-number%-usersync.tar.gz) should be installed on a host to synchronize the external user/group information into Ranger database via Ranger Admin Tool.

3. Ranger Component plugin should be installed on the component boxes:

(a) HDFS Plugin needs to be installed on Name Node hosts

(b) Hive Plugin needs to be installed on HiveServer2 hosts

(c) HBase Plugin needs to be installed on both Master and Regional Server nodes.

(d) Knox Plugin needs to be installed on Knox hosts.

(e) Storm Plugin needs to be installed on Storm hosts.

 

Apache Ranger 支持以下HDP组件的验证、授权、审计、数据加密、安全管理：

Apache HadoopHDFS

Apache Hive

Apache HBase

Apache Storm

Apache Knox

Apache Solr

Apache Kafka

YARN

 

Installation Process

1. Download the tar.gz file into a temporary folder in the box where it needs to be installed.

2. Expand the tar.gz file into /usr/lib/ranger/ folder

3. Go to the component name under the expanded folder (e.g. /usr/lib/ranger/ranger-%version-number%-admin/)

4. Modify the install.properties file with appropriate variables

5. If the module has setup.sh,