This topic describes how to integrate Presto with Ranger and how to configure Presto permissions.

Prerequisites

An E-MapReduce (EMR) cluster is created, and Ranger and Presto are selected from the optional services during the cluster creation. For more information, see Create a cluster.

Integrate Presto with Ranger

  1. Enable Presto in Ranger.
    1. Log on to the Alibaba Cloud EMR console.
    2. In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
    3. Click the Cluster Management tab.
    4. On the Cluster Management page, find your cluster and click Details in the Actions column.
    5. In the left-side navigation pane, choose Cluster Service > RANGER.
    6. Choose Actions > EnabledPresto in the upper-right corner.
    7. In the Cluster Activities dialog box, configure relevant parameters and click OK. In the Confirm message, click OK.
      Click History in the upper-right corner to view the task progress.
  2. Add the Presto service on the web UI of Ranger.
    1. Log on to the Ranger web UI. For more information, see Overview.
    2. Add the Presto service.
      presto
    3. Configure parameters.
      Presto
      Parameter Description
      Service Name Set the value to emr-presto.
      Username Set the value to presto.
      Password Leave this parameter empty.
      jdbc.driverClassName Set the value to io.prestosql.jdbc.PrestoDriver.
      jdbc.url Set this parameter based on the cluster where the Ranger and Presto services are deployed.
      • For a common cluster, set the value to jdbc:presto://emr-header-1:9090.
      • For a high-security cluster, set the value in the format of jdbc:presto://<your_hostname>:7778?SSL=true&SSLKeyStorePath=/etc/ecm/presto-conf/keystore&SSLKeyStorePassword=<your_keystore_password>&KerberosRemoteServiceName=presto&KerberosPrincipal=presto@EMR.<your_id>.COM&KerberosKeytabPath=/etc/ecm/presto-conf/jdbc.keytab.
        Involved parameters:
        • <your_hostname>: You can run the hostname command on the emr-header-1 node to obtain the value.
        • <your_keystore_password>: You can run the sed -n 's/http-server.https.keystore.key=\([^;]*\)/\1/p' /etc/ecm/presto-conf/config.properties command on the emr-header-1 node to obtain the value.
        • <your_id>: You can run the hostname | grep -Eo '[0-9]+$' command on the emr-header-1 node to obtain the value.
        • Steps to create a jdbc.keytab file:
          1. Run the sh /usr/lib/has-current/bin/admin-local.sh /etc/ecm/has-conf -k /etc/ecm/has-conf/admin.keytab command on the emr-header-1 node.
          2. Run the addprinc -randkey presto command to generate a principal.
          3. Run the xst -k /etc/ecm/presto-conf/jdbc.keytab presto command to export a keytab file.
      Add New Configurations
      • Name: Set the value to policy.download.auth.users.
      • Value: Set the value to presto.
    4. Click Add.
  3. Restart Presto Master.
    1. In the left-side navigation pane, choose Cluster Service > Presto.
    2. Choose Actions > Restart PrestoMaster in the upper-right corner.
    3. In the Cluster Activities dialog box, configure relevant parameters and click OK. In the Confirm message, click OK.
      Click History in the upper-right corner to view the task progress.

Examples of permission configurations

Different from Hive and HBase permissions, you must configure Presto permissions based on a hierarchical permission control policy.
Notice
  • Make sure that the hierarchical levels you specify match the permissions you want to configure. Otherwise, the permissions do not take effect.
  • Presto checks the permissions of a user twice. It first checks whether the user has access permissions on a catalog and then checks the permissions involved in the current access.
Example 1: Grant user liu the Select permission on column a in the Hive table testdb.test
  1. Log on to the Ranger web UI. For more information, see Overview.
  2. Click emr-presto. shili1
  3. Click Add New Policy in the upper-right corner.
    Create a policy to control access to a catalog. Only access permissions on a catalog are required. You do not need to specify the levels lower than catalog. In the Allow Conditions section, set Select User to liu and Permissions to Use. This way, you can grant user liu the Use permission on the specified catalog. catalog
  4. Click Add.
  5. Click Add New Policy in the upper-right corner.
    Configure the Select permission on column a of table testdb.test for user liu. The Select permission on tables is a column-level permission. You must click the Add a policy icon to specify schema, table, and column in sequence. Configure permissions on a column for user liu
    Parameter Description
    Policy Name The name of the policy. You can customize a policy name, such as testdb.
    catalog The name of the catalog. You can customize a catalog name, such as hive.
    schema The name of the schema, such as testdb. You can set this parameter to an asterisk (*) to indicate all schemas.
    table The name of the table, such as test. You can set this parameter to an asterisk (*) to indicate all tables.
    column The name of the column, such as a. You can set this parameter to an asterisk (*) to indicate all columns.
    Select User The user to whom you want to add this policy, such as liu.
    Permissions The permission you want to grant, such as Select.
  6. Click Add.
    After the policy is configured, the authorization is complete. User liu can access column a of table testdb.test.
    Note After you add, remove, or modify a policy, it takes about one minute for the configuration to take effect.
Example 2: Grant user chen the Create permission on Hive table testdb.test
  1. Log on to the Ranger web UI. For more information, see Overview.
  2. Create a policy to control access to a catalog. In this example, the catalog is hive.
    • If such a policy already exists, you only need to add user chen in the Select User column.
      1. Click emr-presto.
      2. Find the catalog_hive policy and click the edit icon in the Action column. chen
      3. In the Allow Conditions section, add chen in the Select User column. This way, you can grant user chen the Use permission on the specified catalog. add_condition
      4. Click Add.
    • If no catalog-level policy is available, perform the operations in Example 1 to grant user chen the Use permission on the specified catalog.
  3. Click Add New Policy in the upper-right corner.
    The Create permission on tables is a schema-level permission. You only need to specify schema. Click the Add a policy icon to specify schema. add_table
Example 3: Configure the permissions to run the show schemas and show tables commands
  • EMR versions earlier than V3.28.1
    Configure the Select permission with a hierarchy of schema=information_schema,table=schemate,column=*. This allows you to obtain the execution results of the show schemas command. Configure the Select permission with a hierarchy of schema=information_schema,table=tables,column=*. This allows you to obtain the execution results of the show tables command. You can configure the two permissions in the same policy, as shown in the following figure. eg3
  • EMR V3.28.1 and later 3.X versions, and EMR V4.4.1

    To run the show schemas command, you must be granted the Show permission on the catalog to which the schemas belong. To run the show tables command, you must be granted the Show permission on the schema to which the tables belong.

    After Presto authentication is complete, Presto filters the obtained schemas and tables to display only the schemas and tables on which you have the Select permission. Therefore, you must also be granted the Select permission on schemas and tables. When you run a show command, only the schemas or tables on which you have the Select permission are displayed. eg3-2

Share Hive permissions configured in Ranger with Presto

In some business scenarios, you may need to use the same permissions for Presto and Hive. In this case, you do not need to separately configure the permissions for Presto because EMR allows you to share the permissions for Hive in Ranger.
Note Hive permissions can be shared with Presto in Ranger only when the catalog is hive.
Take note of the following items before you enable permission sharing:
  • Make sure that you have integrated Hive with Ranger. For more information, see Hive.
  • Make sure that you have added the Presto service on the Ranger web UI.
  • To allow users to use the show schemas or show tables command, you must grant users the Select permission with a hierarchy of database=information_schema,table=*,column=* for the Hive service. This operation is similar to that in the Presto service.

Perform the following steps to enable permission sharing:

  1. Log on to the master node of the cluster, and change the value of the ranger.plugin.hive.authorization.enable parameter to true in the /etc/ecm/presto-conf/ranger-presto-security.xml configuration file.
  2. In the left-side navigation pane, choose Cluster Service > Presto.
  3. Choose Actions > Restart PrestoMaster in the upper-right corner.
    In the Cluster Activities dialog box, configure relevant parameters and click OK. In the Confirm message, click OK.