How to Create HDFS policies in Ranger

Apache Ranger is an application that enables data architects to implement security policies on a big data ecosystem. The goal of this project is to provide a unified way for all Hadoop applications to adhere to the security guidelines that are defined.
Here are some of the features of Apache Ranger:
  • Centralized administration
  • Fine-grained authorization
  • Standardized authorization
  • Multiple authorization methods
  • Centralized auditing

Enable Ranger HDFS plugin

1. To enable the Ranger HDFS Plugin, go to Services > Ranger > Configs > Ranger Plugin. Enable the Ranger HDFS Plugin on this page.
2. Save the config by providing an appropriate description note.
3. Ambari will prompt for some recommended changes to be done in order to enable the Ranger HDFS Plugin. Accept the changes and proceed.
4. Restart the affected services, such as HDFS and YARN, for the changes to take effect.

Overview of Ranger Admin UI and pre-configured policies for HDFS

You can log in to the Ranger Admin UI to check that the Ranger HDFS Plugin is enabled and to create policies for HDFS users. To log in to the Ranger Dashboard, use the default username/password of admin/admin (change this default on anything other than a test cluster).
You can also go to the Ranger Admin UI directly with the URL below:
http://rangerserver:6080
When you log in to the Ranger UI, the home page lists the various menus and types of policies that can be created using Ranger. As we can see, the Ranger HDFS Plugin is enabled and we can view the pre-configured policies for HDFS.
You can edit the pre-configured policies from this page.
This particular policy provides ALL permissions (read, write, execute) to the users “hdfs” and “ambari-qa” on all the filesystems under root ( /* ). You can add a new user/group and also modify the permissions on this page.

Creating a new Ranger HDFS Policy

Let’s create a new Ranger HDFS Policy to allow access to a particular mount point (/user/test) to the user “sandeep”. The user will have all the permissions (rwx) on the mount point.
1. Click on the policy group name under HDFS.
2. Now click on Add New Policy to open the policy creation page.
Provide the Policy Name, the Resource Path (/user/test) and a suitable description for the policy. Also enable the recursive option so that the policy applies to everything under the path.
3. In the “Allow Conditions” section, assign all the permissions (read, write and execute) to the user “sandeep” and save the policy.

Verify the Ranger HDFS Policy

Let’s test the policy we have created. Before creating the policy, I had already tried creating a directory in the /user/test directory as user “sandeep”. It failed with a permission denied error, as shown below.
Figure: permission denied error before creating the HDFS Ranger policy
Now, after the creation of the policy, if I try to create the directory again, it succeeds. This verifies the functionality of the policy we just created.
Figure: directory created successfully after creating the HDFS Ranger policy
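
The policy created above and the check from the verification step can also be written down as data. The following is an added example, not part of the original post: it builds the JSON document that Ranger's public REST API (v2) accepts for the same policy, plus a simplified model of the allow check. The service name "cluster_hadoop", the policy name and the directory "newdir" are assumed placeholders, and the model is not Ranger's own policy engine.

```python
import json
import posixpath

# Ranger public REST API v2 endpoint for creating policies (POST, JSON body).
POLICY_API = "http://rangerserver:6080/service/public/v2/api/policy"

def build_hdfs_policy(service, name, path, users,
                      accesses=("read", "write", "execute"), recursive=True):
    """Build the policy document that mirrors the Add New Policy form."""
    return {
        "service": service,          # HDFS service name shown in Service Manager
        "name": name,
        "isEnabled": True,
        "isAuditEnabled": True,
        "resources": {"path": {"values": [path], "isRecursive": recursive}},
        "policyItems": [{            # the "Allow Conditions" rows
            "users": list(users),
            "accesses": [{"type": a, "isAllowed": True} for a in accesses],
            "delegateAdmin": False,
        }],
    }

def policy_allows(policy, user, path, access):
    """Simplified model of one allow policy: literal paths, no wildcards.
    False means only that this policy grants nothing for the request."""
    if not policy["isEnabled"]:
        return False
    res = policy["resources"]["path"]
    target = posixpath.normpath(path)   # collapse ".." before comparing

    def covers(base):
        base = posixpath.normpath(base)
        prefix = base.rstrip("/") + "/"  # "/user/test/" must not match "/user/testing"
        return target == base or (res["isRecursive"] and target.startswith(prefix))

    if not any(covers(v) for v in res["values"]):
        return False
    return any(user in item["users"] and
               any(a["type"] == access and a["isAllowed"] for a in item["accesses"])
               for item in policy["policyItems"])

# Constructed values: the service and policy names are placeholders.
POLICY = build_hdfs_policy("cluster_hadoop", "user_test_sandeep",
                           "/user/test", ["sandeep"])

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))  # body to POST to POLICY_API as an admin
    print(policy_allows(POLICY, "sandeep", "/user/test/newdir", "write"))
```

The model shows why the recursive flag matters: without it the policy covers only /user/test itself, so creating a subdirectory would not be granted by this policy.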
