[Introduction to Apache's Ranger]

Ranger is a framework to enable, monitor and manage comprehensive data security across the Hadoop platform.

The vision with Ranger is to provide comprehensive security across the Apache Hadoop ecosystem. With the advent of Apache YARN, the Hadoop platform can now support a true data lake architecture. Enterprises can potentially run multiple workloads in a multi-tenant environment. Data security within Hadoop needs to evolve to support multiple use cases for data access, while also providing a framework for central administration of security policies and monitoring of user access.

Apache Ranger provides a centralized security management framework and addresses authorization and auditing. It can perform fine-grained data access control on Hadoop ecosystem components such as HDFS, YARN, Hive, and HBase. Through the Ranger console, administrators can easily configure policies to control user access rights.

Apache Ranger has the following goals:

Centralized security administration to manage all security-related tasks in a central UI or using REST APIs.

Fine-grained authorization to perform a specific action and/or operation with a Hadoop component/tool, managed through a central administration tool.

Standardized authorization method across all Hadoop components.

Enhanced support for different authorization methods, such as role-based access control and attribute-based access control.

Centralized auditing of user access and (security-related) administrative actions within all the components of Hadoop.

Apache Ranger provides a centralized security management framework, which enables fine-grained data access control for Hadoop ecosystem components such as Hive and HBase. Through the Ranger console, administrators can easily configure policies to control user access to HDFS folders, HDFS files, databases, tables, and fields. These policies can be set for different users and groups, and permissions integrate seamlessly with Hadoop.

Ranger's permission checking essentially works by reading the configuration file generated when the component is installed, together with the jar package that comes with the component, and by calling each component service through hooks to achieve permission management. When ./enable-xxx-plugin.sh is executed while installing a service component plug-in, three main steps are performed: first, the conf that comes with the plug-in is applied to the conf of the service installed on the system; second, the lib that comes with the plug-in is applied to the lib of the installed service; third, a .xml file is generated from install.properties and placed in the conf of the installed service.
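The third step above can be pictured with the following added example, which is a simplified model and not Ranger's own script: it parses install.properties text and renders a Hadoop-style configuration XML, refusing to continue when a required key is empty. The key names, the key-to-property mapping, the host name and the sample values are assumptions made for illustration.

```python
# Added illustration: a simplified model of step three of enable-xxx-plugin.sh.
# Not Ranger's script; the key-to-property mapping below is an assumption.
import xml.etree.ElementTree as ET

# Constructed sample of an install.properties file (placeholder values).
SAMPLE_PROPERTIES = """\
# Location of the Policy Admin Tool
POLICY_MGR_URL = http://ranger-admin.example.internal:6080
REPOSITORY_NAME=hadoopdev
"""

# Assumed mapping from install.properties keys to plug-in XML property names.
KEY_TO_XML = {
    "POLICY_MGR_URL": "ranger.plugin.hdfs.policy.rest.url",
    "REPOSITORY_NAME": "ranger.plugin.hdfs.service.name",
}

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def render_plugin_xml(props, mapping=KEY_TO_XML):
    """Build <configuration> XML; raise if a mapped key is missing or empty."""
    missing = [k for k in mapping if not props.get(k)]
    if missing:
        raise ValueError("install.properties is missing: " + ", ".join(missing))
    root = ET.Element("configuration")
    for key, xml_name in mapping.items():
        prop = ET.SubElement(root, "property")
        ET.SubElement(prop, "name").text = xml_name
        ET.SubElement(prop, "value").text = props[key]
    return ET.tostring(root, encoding="unicode")

def review_findings(props):
    """Flag settings worth checking before the plug-in is enabled."""
    findings = []
    if props.get("POLICY_MGR_URL", "").lower().startswith("http://"):
        findings.append("POLICY_MGR_URL uses plain HTTP")
    return findings

if __name__ == "__main__":
    sample = parse_properties(SAMPLE_PROPERTIES)
    print(render_plugin_xml(sample))
    print(review_findings(sample))
```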

Installation Host Information

1. Ranger Admin Tool Component (ranger-%version-number%-admin.tar.gz) should be installed on a host where Policy Admin Tool web application runs on port 6080 (default).

2. Ranger User Synchronization Component (ranger-%version-number%-usersync.tar.gz) should be installed on a host to synchronize the external user/group information into Ranger database via Ranger Admin Tool.

3. Ranger Component plugin should be installed on the component boxes:

(a) HDFS Plugin needs to be installed on Name Node hosts

(b) Hive Plugin needs to be installed on HiveServer2 hosts

(c) HBase Plugin needs to be installed on both Master and Region Server nodes.

(d) Knox Plugin needs to be installed on Knox hosts.

(e) Storm Plugin needs to be installed on Storm hosts.

Apache Ranger supports authentication, authorization, auditing, data encryption, and security management of the following HDP components:

Apache Hadoop HDFS

Apache Hive

Apache HBase

Apache Storm

Apache Knox

Apache Solr

Apache Kafka

YARN

Installation Process

1. Download the tar.gz file into a temporary folder in the box where it needs to be installed.

2. Expand the tar.gz file into /usr/lib/ranger/ folder

3. Go to the component name under the expanded folder (e.g. /usr/lib/ranger/ranger-%version-number%-admin/)

4. Modify the install.properties file with appropriate variables

5. If the module has setup.sh,
