Comment: Migrated to Confluence 5.3

...

This document details how to properly use Apache Ranger to manage security in your cluster.

These instructions are for using Ranger on CentOS/RHEL (release 6).

This page is currently being written. Please help us by sending your remarks.

Prerequisites

  • Apache Ranger must have been installed on your cluster

  • Ranger plugins need to be configured for the services you want to secure

...

  • HDFS Repository configuration

    • Repository Name : name of the repository; required when configuring agents
    • Description : a description of the repository
    • Active status : Enabled or Disabled
    • Repository Type : HDFS (cannot be modified)
    • User Name : end system username that can be used for connection
    • fs.default.name : location of the Hadoop HDFS service, as noted in the Hadoop configuration file core-site.xml OR (if this is a HA environment) the path for the primary NameNode
    • hadoop.security.authorization : true or false, as specified in core-site.xml, to enable authorization for different protocols or not.
    • hadoop.security.authentication : type of authentication in use, as noted in the Hadoop configuration file core-site.xml. Can be either simple or Kerberos (required only if authorization is enabled)
    • hadoop.security.auth_to_local : maps the login credential to a username with Hadoop. Use the value noted in the Hadoop configuration file core-site.xml
    • dfs.datanode.kerberos.principal : principal associated with the DataNode where the repository resides, as noted in the Hadoop configuration file hdfs-site.xml (required only if Kerberos authentication is enabled)
    • dfs.namenode.kerberos.principal : principal associated with the NameNode where the repository resides, as noted in the Hadoop configuration file hdfs-site.xml (required only if Kerberos authentication is enabled)
    • dfs.secondary.namenode.kerberos.principal : principal associated with the secondary NameNode where the repository resides, as noted in the Hadoop configuration file hdfs-site.xml (required only if Kerberos authentication is enabled)
    • hadoop.rpc.protection : a comma-separated list of protection values for secured SASL connections. Possible values are authentication, integrity and privacy.
    • Common Name For Certificate : name of the certificate
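
The repository fields above must match the cluster's own core-site.xml and hdfs-site.xml. The following added example (not part of the original page or of Ranger) reads two constructed sample files, collects the values to enter in the form, and reports fields that the rules above make mandatory or restrict; the function names, host names and realm are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample files: host names and realm are placeholders.
CORE_SITE = """<configuration>
 <property><name>fs.default.name</name><value>hdfs://nn1.example.com:8020</value></property>
 <property><name>hadoop.security.authorization</name><value>true</value></property>
 <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
 <property><name>hadoop.security.auth_to_local</name><value>DEFAULT</value></property>
 <property><name>hadoop.rpc.protection</name><value>authentication,privacy</value></property>
</configuration>"""
HDFS_SITE = """<configuration>
 <property><name>dfs.namenode.kerberos.principal</name><value>nn/_HOST@EXAMPLE.COM</value></property>
 <property><name>dfs.datanode.kerberos.principal</name><value>dn/_HOST@EXAMPLE.COM</value></property>
</configuration>"""

CORE_KEYS = ["fs.default.name", "hadoop.security.authorization",
             "hadoop.security.authentication", "hadoop.security.auth_to_local",
             "hadoop.rpc.protection"]
KERBEROS_KEYS = ["dfs.datanode.kerberos.principal", "dfs.namenode.kerberos.principal",
                 "dfs.secondary.namenode.kerberos.principal"]
RPC_PROTECTION = {"authentication", "integrity", "privacy"}

def load_site(xml_text):
    """Return {name: value} for every <property> in a Hadoop *-site.xml."""
    props = ET.fromstring(xml_text).iter("property")
    return {p.findtext("name", "").strip(): p.findtext("value", "").strip() for p in props}

def repository_fields(core_xml, hdfs_xml):
    """Return (form values, problems) for the HDFS repository screen."""
    site = {**load_site(core_xml), **load_site(hdfs_xml)}
    fields = {k: site.get(k, "") for k in CORE_KEYS + KERBEROS_KEYS}
    problems = []
    if not fields["fs.default.name"]:
        problems.append("fs.default.name is not set")
    auth = fields["hadoop.security.authentication"].lower()
    # Authentication type is required only when authorization is enabled.
    if fields["hadoop.security.authorization"].lower() == "true" and auth not in ("simple", "kerberos"):
        problems.append("hadoop.security.authentication must be simple or kerberos")
    # The three principals are required only with Kerberos authentication.
    if auth == "kerberos":
        problems += [f"{k} is required with Kerberos" for k in KERBEROS_KEYS if not fields[k]]
    values = [v.strip() for v in fields["hadoop.rpc.protection"].split(",") if v.strip()]
    problems += [f"hadoop.rpc.protection: unknown value {v!r}" for v in values
                 if v not in RPC_PROTECTION]
    return fields, problems

if __name__ == "__main__":
    fields, problems = repository_fields(CORE_SITE, HDFS_SITE)
    for key, value in fields.items():
        print(f"{key} = {value or '<missing>'}")
    for p in problems:
        print("PROBLEM:", p)
```

With the sample files, the only problem reported is the missing secondary NameNode principal.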

...

  • Enter Policy Name : a unique name for this policy. The name cannot be duplicated anywhere in the system
  • Resource Path : the resource path for the policy folder/file. To avoid the need to supply the full path OR to enable the policy for all subfolders or files, you can either complete this path using wild cards (for example, /home*) or specify that the policy should be Recursive (see below)
  • Description : (Optional) the purpose of the policy
  • Recursive : select if all files or subfolders within the existing folder will be included in this policy. (Use this option if you have specified a specific Resource Path to the top level folder, but want all subfolders or files to be included)
  • Audit Logging : whether this policy is audited by Ranger (de-select to disable auditing)
  • Group Permissions : use the pick list to assign group permissions appropriate to this policy. If desired, assign the group Administration privileges for the chosen resource. To add users or groups to the list, click the + button (for further information, see Users)
  • User Permissions : use the pick list to assign individual user permissions appropriate to this policy. If desired, designate one or more users as Administrators for the chosen resource
  • Enable/Disable : policies are enabled by default. To restrict user/group access for a policy, disable the policy

Then, if you enabled both Knox and Kerberos to secure your cluster, it should work this way:

[Image]