Introduction to Apache Ranger

Technology 達人科技 2017-04-19

Ranger is a framework to enable, monitor and manage comprehensive data security across the Hadoop platform.

The vision with Ranger is to provide comprehensive security across the Apache Hadoop ecosystem. With the advent of Apache YARN, the Hadoop platform can now support a true data lake architecture. Enterprises can potentially run multiple workloads in a multi-tenant environment. Data security within Hadoop needs to evolve to support multiple use cases for data access, while also providing a framework for central administration of security policies and monitoring of user access.

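Apache Ranger provides a centralized security management framework that addresses authorization and auditing. It provides fine-grained data access control for Hadoop ecosystem components such as HDFS, YARN, Hive and HBase. Through the Ranger console, administrators can easily control user access permissions by configuring policies.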

Apache Ranger has the following goals:

Centralized security administration to manage all security related tasks in a central UI or using REST APIs.

Fine-grained authorization to do a specific action and/or operation with a Hadoop component/tool, managed through a central administration tool.

Standardize authorization method across all Hadoop components.

Enhanced support for different authorization methods - Role based access control, attribute based access control etc.

Centralize auditing of user access and administrative actions (security related) within all the components of Hadoop.

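Apache Ranger provides a centralized security management framework that enables fine-grained data access control for Hadoop ecosystem components such as Hive and HBase. Through the Ranger console, administrators can easily configure policies to control user access to HDFS folders, HDFS files, databases, tables and columns. These policies can be set for different users and groups, and the permissions integrate seamlessly with Hadoop.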

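Ranger authorization essentially works by reading the configuration files generated when a component plugin is installed, together with the jar files shipped with the component, and hooking into each component's service to enforce permissions. When installing a service component's plugin, running ./enable-xxx-plugin.sh performs three main steps: first, it updates the installed service's conf directory with the conf files bundled with the plugin; second, it updates the installed service's lib directory with the lib files bundled with the plugin; third, it generates .xml files from install.properties and places them in the installed service's conf directory.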
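Because the enable script writes into the service's own conf and lib directories, it is worth recording exactly which files it touched. The following is an added example, not part of the original article or of Ranger itself: a before/after SHA-256 manifest diff, where the directory layout and file names inside `demo` are constructed stand-ins for a real service installation.

```shell
#!/usr/bin/env bash
# Added example: record which files a plugin enable script adds, changes or
# removes under a service's conf/ and lib/ directories.

# snapshot DIR... -> one "sha256  path" line per regular file, sorted by path
snapshot() {
    find "$@" -type f -exec sha256sum {} + | LC_ALL=C sort -k2
}

# changes BEFORE AFTER -> "ADDED|CHANGED|REMOVED path" lines, sorted by path
changes() {
    awk '
        # sha256sum prints 64 hex chars plus 2 separator chars, so the path
        # starts at column 67 (this keeps paths containing spaces intact)
        FILENAME == ARGV[1] { before[substr($0, 67)] = $1; next }
        { p = substr($0, 67); seen[p] = 1
          if (!(p in before))       print "ADDED " p
          else if (before[p] != $1) print "CHANGED " p }
        END { for (p in before) if (!(p in seen)) print "REMOVED " p }
    ' "$1" "$2" | LC_ALL=C sort -k2
}

# Constructed demo: a temporary tree stands in for the service install dir,
# and three writes stand in for the three steps of ./enable-xxx-plugin.sh.
demo() (
    root=$(mktemp -d)
    mkdir -p "$root/conf" "$root/lib"
    echo '<configuration/>' > "$root/conf/hdfs-site.xml"
    snapshot "$root/conf" "$root/lib" > "$root/before.txt"

    echo '<configuration><!-- hook --></configuration>' > "$root/conf/hdfs-site.xml"
    echo '<configuration/>' > "$root/conf/plugin-generated.xml"  # hypothetical name
    : > "$root/lib/plugin.jar"                                   # hypothetical name

    snapshot "$root/conf" "$root/lib" > "$root/after.txt"
    changes "$root/before.txt" "$root/after.txt" | sed "s|$root/||"
    rm -rf "$root"
)

demo
```

On a real host, take the first snapshot of the service's conf and lib directories before running the enable script and keep both manifests with the change record.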

Installation Host Information

1. Ranger Admin Tool Component (ranger-%version-number%-admin.tar.gz) should be installed on a host where Policy Admin Tool web application runs on port 6080 (default).

2. Ranger User Synchronization Component (ranger-%version-number%-usersync.tar.gz) should be installed on a host to synchronize the external user/group information into Ranger database via Ranger Admin Tool.

3. Ranger Component plugin should be installed on the component boxes:

(a) HDFS Plugin needs to be installed on Name Node hosts

(b) Hive Plugin needs to be installed on HiveServer2 hosts

(c) HBase Plugin needs to be installed on both Master and Region Server nodes.

(d) Knox Plugin needs to be installed on Knox hosts.

(e) Storm Plugin needs to be installed on Storm hosts.

Apache Ranger supports authentication, authorization, auditing, data encryption and security administration for the following HDP components:

Apache Hadoop HDFS

Apache Hive

Apache HBase

Apache Storm

Apache Knox

Apache Solr

Apache Kafka

YARN

Installation Process

1. Download the tar.gz file into a temporary folder in the box where it needs to be installed.

2. Expand the tar.gz file into /usr/lib/ranger/ folder

3. Go to the component name under the expanded folder (e.g. /usr/lib/ranger/ranger-%version-number%-admin/)

4. Modify the install.properties file with appropriate variables

5. If the module has setup.sh,