Getting Started with Ranger
Describes how to start using Apache Ranger with the HPE Ezmeral Data Fabric.
Use the following steps to install, configure, and integrate Ranger with HiveServer2 and
create a policy that you can test:
- Install Ranger as described in Installing Ranger or Installing Ranger Using the Installer.
- Configure the Ranger Admin and Usersync services as described in Configuring Ranger.
- Configure and enable the Hive plug-in, and create the Hive service in Ranger, as described in Integrating HiveServer2 with Ranger.
- Open the Ranger Admin UI using the secure address: https://<FQDN>:6182
- In the Admin UI, navigate to the Hive service, remove all policies, and create a new
policy that provides mapruser1 with SELECT and CREATE permissions on any database, any
table, and any column.
- Click Save to save the new policy.
- Check the logs to ensure that the policy refreshed successfully. After you create or
update a policy, the Ranger-enabled HiveServer2 or Hive Metastore downloads the policy
changes from the Admin service. To check the HiveServer2 log, open
/opt/mapr/hive/hive-3.1.3/logs/mapr/mapr-hiveserver2-node1.cluster.com.log.
You should see something like this:

    2022-09-26T10:59:33,936 INFO [main] util.RangerRolesProvider: RangerRolesProvider(serviceName=hivedev): found updated version. lastKnownRoleVersion=-1; newVersion=1
    2022-09-26T10:59:34,229 INFO [main] util.PolicyRefresher: PolicyRefresher(serviceName=hivedev): found updated version. lastKnownVersion=-1; newVersion=18
    2022-09-26T10:59:34,244 INFO [main] policyengine.PolicyEngine: Policy engine will not perform in place update while processing policy-deltas.
    2022-09-26T10:59:34,271 INFO [main] policyengine.RangerPolicyRepository: This policy engine contains 1 policy evaluators

- As mapruser1, start Beeline and connect to HiveServer2:

    $ hive --service beeline
    Beeline version 3.1.3.0-eep-900-SNAPSHOT by Apache Hive
    beeline> !connect jdbc:hive2://node1.cluster.com:10000/default;auth=maprsasl;ssl=false
    Connecting to jdbc:hive2://node1.cluster.com:10000/default;auth=maprsasl;ssl=false
    22/09/26 11:18:24 [main]: WARN maprsasl.MaprSaslClient: SASL Server qopProperty: auth-confis different from Client: auth-conf,auth-int,auth.Using Server one
    Connected to: Apache Hive (version 3.1.3.0-eep-900-SNAPSHOT)
    Driver: Hive JDBC (version 3.1.3.0-eep-900-SNAPSHOT)
    Transaction isolation: TRANSACTION_REPEATABLE_READ

- Try to run SELECT, CREATE, and DROP commands. SELECT and CREATE should succeed, but
DROP should fail:

    0: jdbc:hive2://node1.cluster.com:10000/defau> SELECT * FROM web_log;
    ...
    INFO : OK
    0: jdbc:hive2://node1.cluster.com:10000/defau> CREATE TABLE test(t int);
    ...
    INFO : OK
    0: jdbc:hive2://node1.cluster.com:10000/defau> DROP TABLE test;
    Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [mapruser1] does not have [DROP] privilege on [default/test] (state=42000,code=40000)

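The log check in the policy-refresh step can be scripted. The following is an added example, not part of the original page or of Ranger itself: it parses the HiveServer2 log lines shown above and reports whether the plug-in picked up a newer policy version for a service. The function names are hypothetical, and it assumes that the first "policy evaluators" line after a refresh belongs to that refresh and that a single policy yields one evaluator, as in the sample.

```python
import re

# Constructed sample input: the HiveServer2 log lines shown in the step above.
SAMPLE_LOG = """\
2022-09-26T10:59:33,936 INFO [main] util.RangerRolesProvider: RangerRolesProvider(serviceName=hivedev): found updated version. lastKnownRoleVersion=-1; newVersion=1
2022-09-26T10:59:34,229 INFO [main] util.PolicyRefresher: PolicyRefresher(serviceName=hivedev): found updated version. lastKnownVersion=-1; newVersion=18
2022-09-26T10:59:34,244 INFO [main] policyengine.PolicyEngine: Policy engine will not perform in place update while processing policy-deltas.
2022-09-26T10:59:34,271 INFO [main] policyengine.RangerPolicyRepository: This policy engine contains 1 policy evaluators
"""

# Matches only PolicyRefresher lines, not the similar RangerRolesProvider line.
REFRESH = re.compile(
    r"^(?P<ts>\S+) \S+ \[[^\]]*\] util\.PolicyRefresher: "
    r"PolicyRefresher\(serviceName=(?P<service>[^)]+)\): found updated version\. "
    r"lastKnownVersion=(?P<old>-?\d+); newVersion=(?P<new>-?\d+)")
EVALUATORS = re.compile(r"This policy engine contains (?P<n>\d+) policy evaluators")

def policy_refresh_status(log_text, service):
    """Return the latest policy refresh logged for `service`, or None."""
    latest = None
    for line in log_text.splitlines():
        m = REFRESH.match(line)
        if m and m["service"] == service:
            latest = {"timestamp": m["ts"], "old_version": int(m["old"]),
                      "new_version": int(m["new"]), "evaluators": None}
            continue
        # Assumption: the first evaluator count after a refresh belongs to it.
        m = EVALUATORS.search(line)
        if m and latest is not None and latest["evaluators"] is None:
            latest["evaluators"] = int(m["n"])
    return latest

def check_refresh(log_text, service, expected_evaluators):
    """List problems suggesting the plug-in still enforces a stale policy set."""
    status = policy_refresh_status(log_text, service)
    if status is None:
        return [f"no PolicyRefresher update logged for service {service!r}"]
    problems = []
    if status["new_version"] <= status["old_version"]:
        problems.append("policy version did not advance")
    if status["evaluators"] != expected_evaluators:
        problems.append(f"expected {expected_evaluators} policy evaluators, "
                        f"found {status['evaluators']}")
    return problems

if __name__ == "__main__":
    print(policy_refresh_status(SAMPLE_LOG, "hivedev"))
    print(check_refresh(SAMPLE_LOG, "hivedev", 1) or "policy refresh OK")
```

An empty list from check_refresh means the refresh was logged; any other result is a reason to recheck the plug-in configuration before relying on the SELECT, CREATE, and DROP test.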
For More Information
To learn about Ranger policies, users, groups, reports, and auditing, see the Ranger User Guide.
For a list of Ranger features, see Apache Ranger Features.
For information about REST API commands, see the Ranger REST API Resources page.