
E-MapReduce:Enable Ranger access control for OSS and OSS-HDFS

Last Updated: Mar 26, 2026

Apache Ranger provides fine-grained access control for components in the Hadoop ecosystem. This topic explains how to enable Ranger access control for Alibaba Cloud Object Storage Service (OSS) and OSS-HDFS in an EMR cluster, and how to create Ranger policies that grant users access to specific paths.

Prerequisites

Before you begin, ensure that you have:

  • An EMR cluster running EMR V5.15.0 or later, or EMR V3.49.0 or later, with Ranger and Ranger-plugin selected during cluster creation. For details, see Create a cluster.

Enable OSS/OSS-HDFS in Ranger

Complete the following three steps to integrate OSS or OSS-HDFS with Ranger.

Step 1: Turn on the enableOSS switch

  1. Log on to the EMR console. In the left-side navigation pane, click EMR on ECS.

  2. Find the target cluster and click Services in the Actions column.

  3. On the Services page, click Status in the Ranger-plugin service area.

  4. In the Service Overview section, turn on the enableOSS switch.

  5. In the dialog box that appears, click OK.

Step 2: Deploy the client configuration

  1. On the Services page, click more > HADOOP-COMMON.

  2. Click the Configure tab, then click Deploy Client Configuration.

  3. In the dialog box that appears, enter an Execution Reason and click OK.

  4. In the Confirm dialog box, click OK.

Step 3: Restart long-running components

Restart HiveServer2 and other long-running SQL engine components to apply the changes:

  1. On the Services page, click more > Hive.

  2. Click the Status tab.

  3. In the Components area, click Restart in the Actions column for HiveServer.

  4. In the dialog box that appears, enter an Execution Reason and click OK.

  5. In the Confirm dialog box, click OK.

Note

In addition to HiveServer2, restart all other long-running components — including Spark ThriftServer, KyuubiServer, and TrinoMaster — before the changes take effect.

Permission configuration example

This example uses an EMR V5.17.1 cluster to show how to grant a user named test access to a specific OSS path. The UI may vary across cluster versions.

Create a user

How you create a user depends on the cluster type.

Standard clusters

  1. Log on to the master node as the root user over Secure Shell (SSH). For details, see Log on to a cluster.

  2. Create the test user:

    useradd test

High-security clusters (Kerberos enabled)

For high-security clusters, create both a Kerberos principal and a local OS user.

Create a principal:

  1. Log on to the master node as the root user over SSH. For details, see Log on to a cluster.

  2. Open the Kerberos admin tool:

    kadmin.local

  3. Create a principal named test. In this example, the password is 123456:

    addprinc -pw 123456 test

  4. Exit the Kerberos admin tool:

    quit

Create a Ticket-Granting Ticket (TGT):

  1. As the root user, create the OS user:

    useradd test

  2. Switch to the test user:

    su - test

  3. Generate a TGT by running kinit. Enter the password 123456 when prompted.

  4. (Optional) Verify the TGT with klist. The output looks like this:

    Ticket cache: FILE:/tmp/krb5cc_1025
    Default principal: test@EMR.C-24DF259BB32****.COM
    
    Valid starting       Expires              Service principal
    01/04/2026 10:13:45  01/05/2026 10:13:45  krbtgt/EMR.C-24DF259BB32****.COM@EMR.C-24DF259BB32****.COM
            renew until 01/11/2026 10:13:45

Configure permissions

  1. Go to the Ranger UI. For details, see Access the Ranger UI.

  2. On the Ranger UI, click the emr-oss service.

  3. In the upper-right corner, click Add New Policy.

  4. On the Create Policy page, configure the parameters:

    Parameter      Description
    Policy Name    A name for the policy.
    Resource Path  The OSS or OSS-HDFS path without the oss:// prefix. Use the format <bucketname>/<path>. Example: bucket-test/user. The path must not end with /.
    recursive      Controls whether permissions apply to subdirectories and files under the specified path. Keep this switch on.
    Select User    The user to grant access to. Set to test in this example.
    Permissions    The permissions to grant. Set to ALL (Read, Write, and Execute) in this example.

    Important

    Do not turn off the recursive switch.

  5. Click Add.

    Note

    After you add, delete, or modify a policy, wait approximately one minute for the changes to take effect.

Verify access

  1. Connect to the master node over SSH. For details, see Log on to a cluster.

  2. Switch to the test user:

    su - test

  3. Run the following commands to access an OSS or OSS-HDFS directory.

    • Access an OSS directory:

      hadoop fs -ls oss://bucket-test/user

    • Access an OSS-HDFS directory:

      hadoop fs -ls oss://bucket-test.cn-hangzhou.oss-dls.aliyuncs.com/user

      If you try to access a path for which you are not authorized in Ranger, the following error is returned:

      org.apache.hadoop.security.AccessControlException: Permission denied: user=test, access=READ_EXECUTE, resourcePath="bucket-test/"
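The Resource Path rules from the Create Policy table and the verification step above, collected into a small Python helper. This is an added example, not Alibaba Cloud's or Ranger's own code: it normalises an OSS or OSS-HDFS URI into the <bucketname>/<path> form Ranger expects, builds a policy body for Ranger's public v2 REST API (the emr-oss resource key `path` and the access type names `read`/`write`/`execute` are assumptions), and parses the AccessControlException that an unauthorized hadoop fs call returns.

```python
"""Build and sanity-check Ranger policies for OSS and OSS-HDFS paths."""
import re
from urllib.parse import urlparse

# Shape of the denial the page shows when a path is not covered by any policy.
DENIED_RE = re.compile(
    r'AccessControlException: Permission denied: user=(?P<user>[^,]+), '
    r'access=(?P<access>[^,]+), resourcePath="(?P<path>[^"]*)"')


def to_resource_path(uri_or_path):
    """Normalise an oss:// URI or bare path into Ranger's <bucket>/<path> form.

    Page rules: no oss:// prefix and no trailing '/'.  For an OSS-HDFS URI such
    as oss://bucket-test.cn-hangzhou.oss-dls.aliyuncs.com/user the bucket is
    taken as the first host label (assumption, consistent with the verify step
    where one policy covers both the OSS and the OSS-HDFS form of the path).
    """
    s = uri_or_path.strip()
    if "://" in s:
        u = urlparse(s)
        if u.scheme != "oss":
            raise ValueError(f"expected an oss:// URI, got {s!r}")
        bucket, path = u.netloc.split(".")[0], u.path.strip("/")
    else:
        bucket, _, path = s.strip("/").partition("/")
    if not bucket:
        raise ValueError(f"bucket name missing in {s!r}")
    return f"{bucket}/{path}" if path else bucket


def oss_policy(name, uri_or_path, users, accesses=("read", "write", "execute")):
    """Body for Ranger's public v2 API (POST /service/public/v2/api/policy).
    The resource key 'path' and the access type names are assumptions about
    the emr-oss service definition; confirm them on your Ranger instance."""
    return {
        "service": "emr-oss",
        "name": name,
        "isEnabled": True,
        # recursive stays on, as the page's Important note requires
        "resources": {"path": {"values": [to_resource_path(uri_or_path)],
                               "isExcludes": False, "isRecursive": True}},
        "policyItems": [{"users": list(users), "groups": [], "delegateAdmin": False,
                         "accesses": [{"type": a, "isAllowed": True} for a in accesses]}],
    }


def parse_denied(hadoop_stderr):
    """Return user/access/path from the AccessControlException the page shows,
    or None when the output carries no Ranger denial."""
    m = DENIED_RE.search(hadoop_stderr)
    return m.groupdict() if m else None
```

Post the returned dict as JSON to the Ranger admin API, then allow about a minute for propagation before re-running the hadoop fs checks above.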

Usage notes

Topic                     Details
Resource path format      Omit the oss:// prefix. Use the format <bucketname>/<path> (example: bucket-test/user). Paths must not end with /.
Recursive switch          Keep the recursive switch on. When it is on, permissions apply to the path and all its subdirectories and files.
Policy propagation delay  After creating, modifying, or deleting a policy, allow approximately one minute for the changes to take effect across the cluster.
Component restarts        Enabling Ranger for OSS requires restarting all long-running SQL engine components (HiveServer2, Spark ThriftServer, KyuubiServer, and TrinoMaster).