Getting Started with Ranger

Describes how to start using Apache Ranger with the HPE Ezmeral Data Fabric.

Using the following steps to install, configure, and integrate Ranger with HiveServer2 and create a policy that you can test:
  1. Install Ranger as described in Installing Ranger or Installing Ranger Using the Installer.
  2. Configure the Ranger Admin and Usersync services as described in Configuring Ranger.
  3. Configure and enable the Hive plug-in, and create the Hive service in Ranger, as described in Integrating HiveServer2 with Ranger.
  4. Open the Ranger Admin UI using the secure address:
    • Secure address: https://<FQDN>:6182
  5. In the Admin UI, navigate to the Hive service, remove all policies, and create a new policy such as the following. This policy provides mapruser1 with SELECT and CREATE permissions on any database, any table, and any column:
  6. Click Save to save the new policy.
  7. Check the logs to ensure that the policy refreshed successfully. After you create or update a policy, the Ranger-enabled HiveServer2 or Hive Metastore download the policy changes from the Admin service. To check the HiveServer2 log, navigate to /opt/mapr/hive/hive-3.1.3/logs/mapr/mapr-hiveserver2-node1.cluster.com.log. You should see something like this:
    2022-09-26T10:59:33,936  INFO [main] util.RangerRolesProvider: RangerRolesProvider(serviceName=hivedev): found updated version. lastKnownRoleVersion=-1; newVersion=1
2022-09-26T10:59:34,229  INFO [main] util.PolicyRefresher: PolicyRefresher(serviceName=hivedev): found updated version. lastKnownVersion=-1; newVersion=18
2022-09-26T10:59:34,244  INFO [main] policyengine.PolicyEngine: Policy engine will not perform in place update while processing policy-deltas.
2022-09-26T10:59:34,271  INFO [main] policyengine.RangerPolicyRepository: This policy engine contains 1 policy evaluators
  8. As the mapruser1, go to Beeline, and connect to HiveServer2:
    $ hive --service beeline
Beeline version 3.1.3.0-eep-900-SNAPSHOT by Apache Hive
beeline> !connect jdbc:hive2://node1.cluster.com:10000/default;auth=maprsasl;ssl=false
Connecting to jdbc:hive2://node1.cluster.com:10000/default;auth=maprsasl;ssl=false
22/09/26 11:18:24 [main]: WARN maprsasl.MaprSaslClient: SASL Server qopProperty: auth-confis different from Client: auth-conf,auth-int,auth.Using Server one
Connected to: Apache Hive (version 3.1.3.0-eep-900-SNAPSHOT)
Driver: Hive JDBC (version 3.1.3.0-eep-900-SNAPSHOT)
Transaction isolation: TRANSACTION_REPEATABLE_READ
  9. Try to run SELECT, CREATE, and DROP commands. SELECT and CREATE should succeed, but DROP should fail:
    0: jdbc:hive2://node1.cluster.com:10000/defau> SELECT * FROM web_log;
...
INFO  : OK
0: jdbc:hive2://node1.cluster.com:10000/defau> CREATE TABLE test(t int);
...
INFO  : OK
0: jdbc:hive2://node1.cluster.com:10000/defau> DROP TABLE test;
Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [mapruser1] does not have [DROP] privilege on [default/test] (state=42000,code=40000)

For More Information

To learn about Ranger policies, users, groups, reports, and auditing, see the Ranger User Guide.

For a list of Ranger features, see Apache Ranger Features.

For information about REST API commands, see the Ranger REST API Resources page.