This article describes how to integrate JindoFS with Ranger and configure permissions.

Prerequisites

An E-MapReduce (EMR) Hadoop cluster is created, and Ranger is selected from the optional services during the cluster creation. For more information about how to create a cluster, see Create a cluster.

Enable Ranger-based permission management

  1. Go to the SmartData service.
    1. Log on to the Alibaba Cloud EMR console.
    2. In the top navigation bar, select the region where your cluster resides. Select the resource group as required. By default, all resources of the account appear.
    3. Click the Cluster Management tab.
    4. On the Cluster Management page that appears, find the target cluster and click Details in the Actions column.
    5. In the left-side navigation pane, click Cluster Service and then SmartData.
  2. Configure Ranger as a permission management method in JindoFS.
    1. On the namespace tab for the SmartData service, click Custom Configuration.
    2. In the Add Configuration Item dialog box, set Key to jfs.namespaces.<namespace>.permission.method and Value to ranger, and click OK.
    3. Save the configurations.
      1. In the upper-right corner of the Service Configuration section, click Save.
      2. In the Confirm Changes dialog box, specify Description and turn on Auto-update Configuration.
      3. Click OK.
    4. Restart Namespace Service.
      1. Choose Actions > Restart Jindo Namespace Service in the upper-right corner.
      2. In the Cluster Activities dialog box, specify Description and click OK. In the Confirm message, click OK.
  3. Add the HDFS service on the web UI of Ranger and configure related parameters.
    1. Log on to the Ranger web UI.
      For more information, see Overview.
    2. Add the HDFS service on the web UI of Ranger.
    3. Configure the parameters that are described in the following table.
      | Parameter | Description |
      | --- | --- |
      | Service Name | Set this parameter in the format of jfs-{namespace_name}. Example: jfs-test. |
      | Username | Customize a username. |
      | Password | Customize a password. |
      | Namenode URL | Set this parameter in the format of jfs://{namespace_name}/. |
      | Authorization Enabled | Retain the default value No. |
      | Authentication Type | Retain the default value Simple. |
      | dfs.datanode.kerberos.principal | Leave this parameter empty. |
      | dfs.namenode.kerberos.principal | Leave this parameter empty. |
      | dfs.secondary.namenode.kerberos.principal | Leave this parameter empty. |
      | Add New Configurations | Leave this parameter empty. |
    4. Click Add.

Enable synchronization of user groups from an LDAP server in JindoFS

If you have enabled synchronization of user groups from an LDAP server in Ranger Usersync, you must also enable this feature in JindoFS. Otherwise, JindoFS cannot obtain the information about user groups that are synchronized from the LDAP server and cannot verify the permissions of the user groups.

  1. On the namespace tab for the SmartData service, click Custom Configuration.
  2. In the Add Configuration Item dialog box, configure the LDAP parameters described in the following table and click OK.
    Configure the parameters based on the configurations in open source HDFS. For more information, see core-default.xml.
    | Parameter | Example |
    | --- | --- |
    | hadoop.security.group.mapping | org.apache.hadoop.security.CompositeGroupsMapping |
    | hadoop.security.group.mapping.providers | shell4services,ad4users |
    | hadoop.security.group.mapping.providers.combined | true |
    | hadoop.security.group.mapping.provider.shell4services | org.apache.hadoop.security.ShellBasedUnixGroupsMapping |
    | hadoop.security.group.mapping.provider.ad4users | org.apache.hadoop.security.LdapGroupsMapping |
    | hadoop.security.group.mapping.ldap.url | ldap://emr-header-1:10389 |
    | hadoop.security.group.mapping.ldap.search.filter.user | (&(objectClass=person)(uid={0})) |
    | hadoop.security.group.mapping.ldap.search.filter.group | (objectClass=groupOfNames) |
    | hadoop.security.group.mapping.ldap.base | o=emr |
  3. Save the configurations.
    1. In the upper-right corner of the Service Configuration section, click Save.
    2. In the Confirm Changes dialog box, specify Description and turn on Auto-update Configuration.
    3. Click OK.
  4. Restart all components of the SmartData service.
    1. Choose Actions > Restart All Components in the upper-right corner.
    2. In the Cluster Activities dialog box, specify Description and click OK. In the Confirm message, click OK.
  5. Log on to the emr-header-1 node of the EMR cluster in SSH mode and connect Ranger Usersync to the LDAP server.
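
The settings from both procedures above must agree with each other for Ranger policies to take effect, so the following pre-flight check is included as an added example; it is not part of the original documentation or of any EMR tool. The function name `check_jindofs_ranger`, the dictionary layout, and the `ldap_usersync` flag are assumptions made for illustration, and the check assumes the composite group mapping layout shown in the LDAP table.

```python
PREFIX = "hadoop.security.group.mapping"
LDAP_CLASS = "org.apache.hadoop.security.LdapGroupsMapping"

def check_jindofs_ranger(namespace, conf, ranger_service, ldap_usersync=False):
    """Return a list of problems; an empty list means the settings agree."""
    problems = []
    method_key = f"jfs.namespaces.{namespace}.permission.method"
    if conf.get(method_key) != "ranger":
        problems.append(f"{method_key} is not set to ranger")
    # The Ranger service must follow the jfs-{namespace_name} and jfs://{namespace_name}/ formats.
    expected = {"Service Name": f"jfs-{namespace}", "Namenode URL": f"jfs://{namespace}/"}
    for field, want in expected.items():
        if ranger_service.get(field) != want:
            problems.append(f"Ranger {field} should be {want!r}, got {ranger_service.get(field)!r}")
    if not ldap_usersync:
        return problems  # the LDAP group mapping is only needed when Usersync pulls groups from LDAP
    # Every name listed in .providers needs its own .provider.<name> class entry.
    names = [n.strip() for n in conf.get(f"{PREFIX}.providers", "").split(",") if n.strip()]
    classes = {n: conf.get(f"{PREFIX}.provider.{n}") for n in names}
    for name, cls in classes.items():
        if not cls:
            problems.append(f"{PREFIX}.provider.{name} is missing")
    if LDAP_CLASS not in classes.values():
        problems.append("no provider uses LdapGroupsMapping, so LDAP groups are not resolved")
        return problems
    for suffix in ("ldap.url", "ldap.base"):
        if not conf.get(f"{PREFIX}.{suffix}"):
            problems.append(f"{PREFIX}.{suffix} is missing")
    # A user filter that is set must keep the {0} placeholder for the user name.
    user_filter = conf.get(f"{PREFIX}.ldap.search.filter.user")
    if user_filter is not None and "{0}" not in user_filter:
        problems.append(f"{PREFIX}.ldap.search.filter.user lacks the {{0}} placeholder")
    return problems

# Constructed sample input: namespace "test" with the example values from the tables above.
GOOD_CONF = {
    "jfs.namespaces.test.permission.method": "ranger",
    PREFIX: "org.apache.hadoop.security.CompositeGroupsMapping",
    f"{PREFIX}.providers": "shell4services,ad4users",
    f"{PREFIX}.providers.combined": "true",
    f"{PREFIX}.provider.shell4services": "org.apache.hadoop.security.ShellBasedUnixGroupsMapping",
    f"{PREFIX}.provider.ad4users": LDAP_CLASS,
    f"{PREFIX}.ldap.url": "ldap://emr-header-1:10389",
    f"{PREFIX}.ldap.search.filter.user": "(&(objectClass=person)(uid={0}))",
    f"{PREFIX}.ldap.search.filter.group": "(objectClass=groupOfNames)",
    f"{PREFIX}.ldap.base": "o=emr",
}
GOOD_SERVICE = {"Service Name": "jfs-test", "Namenode URL": "jfs://test/"}

if __name__ == "__main__":
    print(check_jindofs_ranger("test", GOOD_CONF, GOOD_SERVICE, ldap_usersync=True) or "consistent")
```
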