This topic describes how to integrate Presto with Ranger and how to configure Presto permissions.
Prerequisites
Integrate Presto with Ranger
- Enable Presto in Ranger.
- Add the Presto service on the web UI of Ranger.
- Restart Presto Master.
Permission configuration examples
Unlike Hive and HBase permissions, Presto permissions must be configured based on a hierarchical permission control policy.
Notice
- Make sure that the hierarchical levels you specify match the permissions you want to configure. Otherwise, the permissions do not take effect.
- Presto checks the permissions of a user twice. It first checks whether the user has access permissions on a catalog and then checks the permissions involved in the current access.
Example 1: Grant user liu the Select permission on column a in the Hive table testdb.test
- Log on to the Ranger web UI. For more information, see Overview.
- Click emr-presto.
- Click Add New Policy in the upper-right corner.
Create a policy to control access to a catalog. Only access permissions on a catalog are required. You do not need to specify the levels lower than catalog. In the Allow Conditions section, set Select User to liu and Permissions to Use. This way, you can grant user liu the Use permission on the specified catalog.
- Click Add.
- Click Add New Policy in the upper-right corner.
Configure the Select permission on column a of table testdb.test for user liu. The Select permission on tables is a column-level permission. You must click the icon to specify schema, table, and column in sequence.

| Parameter | Description |
| --- | --- |
| Policy Name | The name of the policy. You can customize a policy name, such as testdb. |
| catalog | The name of the catalog. You can customize a catalog name, such as hive. |
| schema | The name of the schema, such as testdb. You can set this parameter to an asterisk (*) to indicate all schemas. |
| table | The name of the table, such as test. You can set this parameter to an asterisk (*) to indicate all tables. |
| column | The name of the column, such as a. You can set this parameter to an asterisk (*) to indicate all columns. |
| Select User | The user to whom you want to add this policy, such as liu. |
| Permissions | The permission you want to grant, such as Select. |

- Click Add.
After the policy is configured, the authorization is complete. User liu can access column a of table testdb.test.
Note: After you add, remove, or modify a policy, it takes about one minute for the configuration to take effect.
Example 2: Grant user chen the Create permission on Hive table testdb.test
- Log on to the Ranger web UI. For more information, see Overview.
- Create a policy to control access to a catalog. In this example, the catalog is hive.
- If such a policy already exists, you only need to add user chen in the Select User column.
- Click emr-presto.
- Find the catalog_hive policy and click the icon in the Action column.
- In the Allow Conditions section, add chen in the Select User column. This way, you can grant user chen the Use permission on the specified catalog.
- Click Add.
- If no catalog-level policy is available, perform the operations in Example 1 to grant user chen the Use permission on the specified catalog.
- Click Add New Policy in the upper-right corner.
The Create permission on tables is a schema-level permission. You only need to specify schema. Click the icon to specify schema.
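The two rules above (Use on the catalog is checked first, and each permission must be set at its matching hierarchy level) can be checked over a set of policies before relying on them. The following audit is an added example, not part of the original documentation: the policy JSON shape follows Ranger's policy model, the lowercase resource and access names are assumed to match the emr-presto service, the level map covers only the permissions in Examples 1 and 2, and the sample policies are constructed.

```python
from fnmatch import fnmatchcase

LEVELS = ["catalog", "schema", "table", "column"]
# Deepest level each permission must name, as stated in Examples 1 and 2.
REQUIRED_LEVEL = {"use": "catalog", "create": "schema", "select": "column"}

# Constructed sample policies (not exported from a real Ranger instance).
SAMPLE_POLICIES = [
    {"name": "catalog_hive", "resources": {"catalog": {"values": ["hive"]}},
     "policyItems": [{"users": ["liu"], "accesses": [{"type": "use"}]}]},
    {"name": "testdb", "resources": {"catalog": {"values": ["hive"]},
                                     "schema": {"values": ["testdb"]},
                                     "table": {"values": ["test"]},
                                     "column": {"values": ["a"]}},
     "policyItems": [{"users": ["liu"], "accesses": [{"type": "select"}]}]},
    {"name": "testdb_create", "resources": {"catalog": {"values": ["hive"]},
                                            "schema": {"values": ["testdb"]}},
     "policyItems": [{"users": ["chen"], "accesses": [{"type": "create"}]}]},
    {"name": "bad_level", "resources": {"catalog": {"values": ["hive"]},
                                        "schema": {"values": ["testdb"]},
                                        "table": {"values": ["test"]}},
     "policyItems": [{"users": ["liu"], "accesses": [{"type": "create"}]}]},
]

def grants(policies):
    """Yield (policy, user, access, catalog, deepest level) per allow entry."""
    for p in policies:
        deepest = max(p["resources"], key=LEVELS.index)
        for item in p.get("policyItems", []):
            for user in item["users"]:
                for acc in item["accesses"]:
                    for cat in p["resources"]["catalog"]["values"]:
                        yield p["name"], user, acc["type"], cat, deepest

def audit(policies):
    """Return sorted findings for grants that would not take effect."""
    rows = list(grants(policies))
    # Catalog-level Use grants; the catalog value may be a wildcard such as *.
    use = [(u, c) for _, u, a, c, lvl in rows if a == "use" and lvl == "catalog"]
    findings = set()
    for name, user, acc, cat, lvl in rows:
        need = REQUIRED_LEVEL.get(acc)
        if need and lvl != need:
            findings.add((name, user, f"{acc} set at {lvl} level, expected {need}"))
        if acc != "use" and not any(u == user and fnmatchcase(cat, c) for u, c in use):
            findings.add((name, user, f"no Use permission on catalog {cat}"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICIES):
        print(*finding, sep=": ")
```

On the sample, user chen is flagged because the Create policy has no matching catalog-level Use grant, and the bad_level policy is flagged because Create is set at table level instead of schema level.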
Example 3: Configure the permissions to run the show schemas and show tables commands
- EMR versions earlier than V3.28.1
Configure the Select permission with a hierarchy of schema=information_schema,table=schemata,column=*. This allows you to obtain the execution results of the show schemas command. Configure the Select permission with a hierarchy of schema=information_schema,table=tables,column=*. This allows you to obtain the execution results of the show tables command. You can configure the two permissions in the same policy, as shown in the following figure.
- EMR V3.28.1 and later 3.X versions, and EMR V4.4.1
To run the show schemas command, you must be granted the Show permission on the catalog to which the schemas belong. To run the show tables command, you must be granted the Show permission on the schema to which the tables belong.
After Presto authentication is completed, Presto filters the obtained schemas and tables to display only the schemas and tables on which you have the Select permission. Therefore, you must also be granted the Select permission on schemas and tables. When you run a show command, only the schemas or tables on which you have the Select permission are displayed.
Share Hive permissions configured in Ranger with Presto
In some business scenarios, you may need to use the same permissions for Presto and Hive. In this case, you do not need to separately configure the permissions for Presto because EMR allows you to share the permissions for Hive in Ranger.
Note: Hive permissions can be shared with Presto in Ranger only when the catalog is hive.
Take note of the following items before you enable permission sharing:
- Make sure that you have integrated Hive with Ranger. For more information, see Hive.
- Make sure that you have added the Presto service on the Ranger web UI.
- To allow users to use the show schemas or show tables command, you must grant users the Select permission with a hierarchy of database=information_schema,table=*,column=* for the Hive service. This operation is similar to that in the Presto service.
Perform the following steps to enable permission sharing: