The Ranger introduction topic describes how to create an E-MapReduce cluster with the Ranger service started and the preparations. E-MapReduce V3.25.0 and later versions support integrating Presto with Ranger. This topic describes how to integrate Presto with Ranger.
Prerequisites
Integrate Presto with Ranger
- Enable Presto in Ranger.
- Add the Presto service on the Web UI of Ranger.
- Add the Presto service.
- Set the required parameters.
Parameter Description Service Name Set the value to emr-presto. Username Set the value to hadoop. Password Leave this parameter empty. jdbc.driverClassName Set the value to io.prestosql.jdbc.PrestoDriver. jdbc.url Set the value to jdbc:presto://emr-header-1:9090. Add New Configurations - Name: Set the value to policy.download.auth.users.
- Value: Set the value to hadoop.
- Add the Presto service.
- Restart PrestoMaster.
Permission configuration example
After Presto is integrated with Ranger, you can configure Presto permissions in Ranger.
- If you configure permissions at incorrect levels, the permissions do not work.
- When Presto checks the permissions of a user, it first checks whether the user has access permissions on the target catalog and then checks the permissions involved in the current access.
- Click the emr-presto service that has been configured.
- Click Add New Policy in the upper-right corner.
- Configure policies.
Create a policy to configure access permissions on the target catalog first. In this example, the catalog is hive. You only need to configure the permissions at the catalog level for this policy.
Then, create another policy to configure the Select permission on column a of the testdb.test table for user liu. The Select permission is a column-level permission. Therefore, you need to click
to specify the schema, table, and column after you select the catalog.
Parameter Description Policy Name The name of the policy. You can customize a policy name, such as catalog_hive. Presto Catalog The name of the catalog. You can customize a catalog name, such as hive. schema The name of the schema, such as testdb. You can set this parameter to an asterisk (*) to indicate all schemas. table The name of the table, such as test. You can set this parameter to an asterisk (*) to indicate all tables. column The name of the column, such as a. You can set this parameter to an asterisk (*) to indicate all columns. Select User The user to which permissions are granted, such as liu. Permissions The permissions to be granted, such as Select. - Click Add.
After the policies are created, user liu can access column a of the testdb.test table.
Example 2: Grant user chen the Create permission on the Hive table testdb.test
- If you have created a policy for configuring the access permission on the hive catalog, edit the policy to add user chen in Select User.
- If you have not created a policy for configuring the access permission on hive catalog, create such a policy for user chen with the method described in example 1. Then, create another policy to grant the Create permission to user chen.
The Create permission is a table-level permission. Therefore, you need to click to specify the schema and table after you select the catalog.
Share Hive permissions configured in Ranger with Presto
You can configure permissions for Presto in Ranger by following the steps described in the previous section. However, you may need to use the same permissions for Presto and Hive in some business scenarios. In this case, you do not need to configure the permissions for Presto separately because E-MapReduce allows you to share the permissions for Hive in Ranger.
- Make sure that you have integrated Hive with Ranger. For more information, see Hive.
- Make sure that you have added the Presto service on the Web UI of Ranger.
- To allow users to use commands such as
show schemasandshow tables, you must grant users the Select permission ondatabase=information_schema,table=*,column=*for the Hive service, which is similar to the Presto service.
Follow these steps to enable the permission sharing: