Apache Ranger is a centralized security administration solution for Hadoop that enables administrators to create and enforce security policies for HDFS and other Hadoop platform components.

Ranger configuration is based on the installation and configuration of HDFS Transparency. Therefore, HDFS Transparency must be installed before configuring Ranger. Then install Ranger in native HDFS.

Enable Ranger

After Apache Ranger and Hadoop have been installed, administrators must perform the following steps to enable Ranger:

1 Change the HDFS umask from 022 to 077. This prevents any new files or folders from being accessed by anyone other than the owner. To change the umask, go to the HDFS dashboard > Configs tab, search for umask, and change the value from 022 to 077.

2 Know which directory is managed by Ranger and which directory is managed by POSIX/HDFS/ACL. Let HDFS manage the permissions for the /tmp and the /user folders.
3 Do not configure a file to be controlled by both Ranger and POSIX/HDFS/ACL permissions. This creates confusion in permission control.
4 Do not deny permission to the owner if the file is controlled by Ranger.

Configure Ranger

1 Check that /etc/hadoop/conf/hdfs-site.xml sets dfs.namenode.inode.attributes.provider.class to org.apache.ranger.authorization.hadoop.RangerHdfsAuthorizer.

Synchronize /usr/lpp/mmfs/hadoop/etc/hadoop/hdfs-site.xml for HDFS Transparency 2.7.3-x or /var/mmfs/hadoop/etc/hadoop/hdfs-site.xml for HDFS Transparency 3.0.0 to all the NameNodes and DataNodes.

mmhadoopctl connector syncconf /etc/hadoop/conf/hdfs-site.xml

2 Copy the following four files from /etc/hadoop/conf to /usr/lpp/mmfs/hadoop/etc/hadoop (for HDFS Transparency 2.7.3-x) or /var/mmfs/hadoop/etc/hadoop (for HDFS Transparency 3.0.0) on all the NameNodes and DataNodes: ranger-hdfs-audit.xml, ranger-hdfs-security.xml, ranger-policymgr-ssl.xml, ranger-security.xml.

3 Edit the /usr/lpp/mmfs/hadoop/etc/hadoop/hadoop-env.sh (for HDFS Transparency 2.7.3-x) or /var/mmfs/hadoop/etc/hadoop/hadoop-env.sh (for HDFS Transparency 3.0.0) on the NameNode and add these two classes to CLASSPATH:

For IOP 4.2:

# Add the Ranger HDFS plugin jars (/usr/iop/4.2.0.0/ranger-hdfs-plugin/lib/*.jar) and the MySQL connector jar

for f in /usr/iop/4.2.0.0/ranger-hdfs-plugin/lib/*.jar; do
export HADOOP_CLASSPATH=$HADOOP_CLASSPATH:$f
done

for f in /usr/share/java/mysql-connector-java.jar; do
export HADOOP_CLASSPATH=$HADOOP_CLASSPATH:$f
done

For IOP 4.2.5:

Change the above version string 4.2.0.0 into “4.2.5.0-0000”.

For HortonWorks 2.6 and 3.X:

for f in /usr/hdp//ranger-hdfs-plugin/lib/*.jar;
do
export HADOOP_CLASSPATH=$HADOOP_CLASSPATH:$f
done

export HADOOP_CLASSPATH=$HADOOP_CLASSPATH:/usr/share/java/mysql-connector-java.jar

for f in /usr/hdp//hadoop/client/jersey-client.jar;
do
export HADOOP_CLASSPATH=$HADOOP_CLASSPATH:$f
done

4 Ensure that the DB service is running on the DB host node. Run the command service mariadb restart or service mysqld restart if the database service is not running.

[root@c8f2n03kvm2 lib]# service mysqld status
mysqld (pid 2774) is running…

On the Ranger DB Host node, ensure that the rangerlogger user exists.

mysql -u rangerlogger -pYES
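
The following is an added example, not part of the original page or of the product's tooling: a Python check that audits one HDFS Transparency configuration directory against the enable and configure steps above. It assumes the umask is stored as fs.permissions.umask-mode in hdfs-site.xml; the function names and the default directory are illustrative.

```python
import os
import sys
import xml.etree.ElementTree as ET

AUTHORIZER = "org.apache.ranger.authorization.hadoop.RangerHdfsAuthorizer"
RANGER_FILES = ("ranger-hdfs-audit.xml", "ranger-hdfs-security.xml",
                "ranger-policymgr-ssl.xml", "ranger-security.xml")


def load_props(path):
    """Return {name: value} from a Hadoop *-site.xml file ({} if missing or malformed)."""
    try:
        root = ET.parse(path).getroot()
    except (OSError, ET.ParseError):
        return {}
    props = {}
    for prop in root.iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def audit(conf_dir):
    """Return a list of findings for one HDFS Transparency config directory."""
    findings = []
    hdfs = load_props(os.path.join(conf_dir, "hdfs-site.xml"))
    if not hdfs:
        findings.append("hdfs-site.xml missing or unreadable")
    provider = hdfs.get("dfs.namenode.inode.attributes.provider.class")
    if provider != AUTHORIZER:
        findings.append(f"authorizer is {provider!r}, expected RangerHdfsAuthorizer")
    # Assumption: the umask lives in hdfs-site.xml as fs.permissions.umask-mode.
    umask = hdfs.get("fs.permissions.umask-mode")
    if umask not in ("077", "0077"):
        findings.append(f"umask is {umask!r}, expected 077")
    for name in RANGER_FILES:
        if not os.path.isfile(os.path.join(conf_dir, name)):
            findings.append(f"missing {name}")
    # Ranger support is on by default, so only an explicit false is reported.
    gpfs = load_props(os.path.join(conf_dir, "gpfs-site.xml"))
    if gpfs.get("gpfs.ranger.enabled", "true").lower() == "false":
        findings.append("gpfs.ranger.enabled is false: Ranger policies are not enforced")
    return findings


if __name__ == "__main__":
    conf = sys.argv[1] if len(sys.argv) > 1 else "/var/mmfs/hadoop/etc/hadoop"
    for finding in audit(conf):
        print("FINDING:", finding)
```

Run it on each NameNode and DataNode after the syncconf step; an empty result means the directory matches the steps above.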

Disable Ranger

Ranger is supported by default since HDFS Transparency version 2.7.2-X. From HDFS Transparency version 2.7.2-1, Ranger support can be disabled by configuring the gpfs.ranger.enabled property in /usr/lpp/mmfs/hadoop/etc/hadoop/gpfs-site.xml.
To disable Ranger support, set gpfs.ranger.enabled to false in the /usr/lpp/mmfs/hadoop/etc/hadoop/gpfs-site.xml file on one of the HDFS Transparency nodes.

Synchronize the modified gpfs-site.xml to all the other HDFS Transparency nodes and restart HDFS Transparency. When Ranger support is disabled, Ranger will not work over HDFS Transparency.

If you did not install or are not using Apache Ranger over HDFS Transparency version 2.7.2-1+, set the gpfs.ranger.enabled field value to false to get better performance over HDFS Transparency.

Testing the Ranger policy for HDFS Transparency

Log in to the Ranger UI http://:6080 (admin/admin).
