The Ranger introduction topic describes how to create an E-MapReduce cluster with the Ranger service started, along with the required preparations. E-MapReduce V3.25.0 and later versions support integrating Presto with Ranger. This topic describes how to integrate Presto with Ranger.

Prerequisites

The Ranger and Presto services are configured for the target cluster.

Integrate Presto with Ranger

  1. Enable Presto in Ranger.
    1. Log on to the Alibaba Cloud E-MapReduce console.
    2. In the top navigation bar, select the region where your cluster resides. Select the resource group as required. By default, all resources of the account appear.
    3. Click the Cluster Management tab.
    4. On the Cluster Management page that appears, find the target cluster and click Details in the Actions column.
    5. In the left-side navigation pane, choose Cluster Service > RANGER.
    6. Select EnabledPresto from the Actions drop-down list in the upper-right corner.
    7. In the Cluster Activities dialog box that appears, set related parameters and click OK.
      Click History in the upper-right corner to view the task progress.
  2. Add the Presto service on the Web UI of Ranger.
    1. Log on to Ranger. For more information, see Overview.
    2. Add the Presto service.
    3. Set the required parameters.
      Parameter              Description
      Service Name           Set the value to emr-presto.
      Username               Set the value to hadoop.
      Password               Leave this parameter empty.
      jdbc.driverClassName   Set the value to io.prestosql.jdbc.PrestoDriver.
      jdbc.url               Set the value to jdbc:presto://emr-header-1:9090.
      Add New Configurations
      • Name: Set the value to policy.download.auth.users.
      • Value: Set the value to hadoop.
    4. Click Add.
  3. Restart PrestoMaster.
    1. In the left-side navigation pane, choose Cluster Service > Presto.
    2. Select Restart PrestoMaster from the Actions drop-down list in the upper-right corner.
    3. In the Cluster Activities dialog box that appears, set related parameters and click OK.
      Click History in the upper-right corner to view the task progress.

Permission configuration example

After Presto is integrated with Ranger, you can configure Presto permissions in Ranger.

Unlike Hive and HBase permissions, Presto permissions must be configured based on a hierarchical permission control policy.
Notice
  • If you configure permissions at incorrect levels, the permissions do not work.
  • When Presto checks the permissions of a user, it first checks whether the user has access permissions on the target catalog and then checks the permissions involved in the current access.
Example 1: Grant user liu the Select permission on column a in the Hive table testdb.test
  1. Click the emr-presto service that has been configured.
  2. Click Add New Policy in the upper-right corner.
  3. Configure policies.

    Create a policy to configure access permissions on the target catalog first. In this example, the catalog is hive. You only need to configure the permissions at the catalog level for this policy.

    Then, create another policy to configure the Select permission on column a of the testdb.test table for user liu. The Select permission is a column-level permission. Therefore, you need to click Add level policy to specify the schema, table, and column after you select the catalog.

    Configure permission at the column level for user liu
    Parameter        Description
    Policy Name      The name of the policy. You can customize a policy name, such as catalog_hive.
    Presto Catalog   The name of the catalog. You can customize a catalog name, such as hive.
    schema           The name of the schema, such as testdb. You can set this parameter to an asterisk (*) to indicate all schemas.
    table            The name of the table, such as test. You can set this parameter to an asterisk (*) to indicate all tables.
    column           The name of the column, such as a. You can set this parameter to an asterisk (*) to indicate all columns.
    Select User      The user to which permissions are granted, such as liu.
    Permissions      The permissions to be granted, such as Select.
  4. Click Add.

    After the policies are created, user liu can access column a of the testdb.test table.

Example 2: Grant user chen the Create permission on the Hive table testdb.test

Create a policy to grant the catalog access permission to user chen first. In this example, the catalog is hive. Two scenarios may occur:
  • If you have created a policy for configuring the access permission on the hive catalog, edit the policy to add user chen in Select User.
  • If you have not created a policy for configuring the access permission on the hive catalog, create such a policy for user chen by using the method described in Example 1. Then, create another policy to grant the Create permission to user chen.

The Create permission is a table-level permission. Therefore, you need to click Add level policy to specify the schema and table after you select the catalog.
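
The two-stage check described in the Notice and applied in Examples 1 and 2, as an added sketch (not E-MapReduce or Ranger code): a simplified model of the evaluation order that also lists grants left ineffective by a missing catalog-level policy. The Policy class, the function names, and the policy names liu_select_a and chen_create are assumptions; catalog access is modeled as being listed in a catalog-only policy.

```python
from dataclasses import dataclass

LEVELS = ("catalog", "schema", "table", "column")  # hierarchy described on this page

@dataclass
class Policy:                      # hypothetical model, not Ranger's own schema
    name: str
    resources: dict                # level -> name or "*", e.g. {"catalog": "hive"}
    users: set
    permissions: frozenset = frozenset()

def _matches(policy, request):
    """A policy applies only if it is defined at exactly the request's levels."""
    if set(policy.resources) != set(request):
        return False
    return all(pat in ("*", request[lvl]) for lvl, pat in policy.resources.items())

def has_catalog_access(policies, user, catalog):
    # Assumption: being listed in a catalog-only policy counts as catalog access.
    return any(user in p.users and _matches(p, {"catalog": catalog}) for p in policies)

def is_allowed(policies, user, permission, **resource):
    """Stage 1: catalog access. Stage 2: the permission at its own level."""
    request = {lvl: resource[lvl] for lvl in LEVELS if lvl in resource}
    if not has_catalog_access(policies, user, request["catalog"]):
        return False
    return any(user in p.users and permission in p.permissions and _matches(p, request)
               for p in policies)

def orphan_grants(policies):
    """(policy, user) grants below catalog level with no catalog access behind them."""
    return [(p.name, u) for p in policies if set(p.resources) != {"catalog"}
            for u in sorted(p.users)
            if not has_catalog_access(policies, u, p.resources["catalog"])]

# Constructed policy set mirroring Examples 1 and 2 (chen not yet added to catalog_hive).
TABLE = {"catalog": "hive", "schema": "testdb", "table": "test"}
POLICIES = [
    Policy("catalog_hive", {"catalog": "hive"}, {"liu"}),
    Policy("liu_select_a", {**TABLE, "column": "a"}, {"liu"}, frozenset({"select"})),
    Policy("chen_create", dict(TABLE), {"chen"}, frozenset({"create"})),
]

if __name__ == "__main__":
    print(is_allowed(POLICIES, "liu", "select", **TABLE, column="a"))
    print(is_allowed(POLICIES, "chen", "create", **TABLE))
    print(orphan_grants(POLICIES))
```

Running orphan_grants over an exported policy list is a quick way to spot users whose table-level or column-level grants cannot take effect because no catalog-level policy names them.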

Share Hive permissions configured in Ranger with Presto

You can configure permissions for Presto in Ranger by following the steps described in the previous section. However, you may need to use the same permissions for Presto and Hive in some business scenarios. In this case, you do not need to configure the permissions for Presto separately because E-MapReduce allows you to share the permissions for Hive in Ranger.

Note the following points before configuration:
  • Make sure that you have integrated Hive with Ranger. For more information, see Hive.
  • Make sure that you have added the Presto service on the Web UI of Ranger.
  • To allow users to use commands such as show schemas and show tables, you must grant users the Select permission on database=information_schema,table=*,column=* for the Hive service, similar to the configuration for the Presto service.

Follow these steps to enable the permission sharing:

  1. Log on to the header-1 node of the cluster and change the value of ranger.plugin.hive.authorization.enable to true in the /etc/ecm/presto-conf/ranger-presto-security.xml configuration file.
  2. In the left-side navigation pane, choose Cluster Service > Presto.
  3. Select Restart PrestoMaster from the Actions drop-down list in the upper-right corner.
    After you restart PrestoMaster, the permissions for Hive in Ranger are shared with Presto.