Apache Ranger is a security framework that implements fine-grained access control across Hadoop components in a centralized manner. The Hadoop components include HDFS, Hive, YARN, Kafka, Storm, and Solr. You can manage access policies on the Ranger UI.

Architecture

Ranger consists of three modules:
  • Ranger Admin

    You can use Ranger Admin to create and update access policies. The policies are stored in a database. The plug-ins for Hadoop components poll the access policies on a regular basis.

  • Ranger Plug-ins

    The plug-ins for Hadoop components are embedded in cluster processes as lightweight Java programs. For example, the Hive plug-in is embedded in the HiveServer2 process. The plug-ins obtain policies from Ranger Admin and store the policies in local files. When a user sends a request to a Hadoop component, the plug-in embedded in that component intercepts the request and evaluates it against the access policies.

  • Ranger UserSync

    UserSync is a user information synchronization tool. It is used to fetch user and user group information from the UNIX system or an LDAP server. The information is stored in the database of Ranger Admin and is used to define policies.
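
The poll-and-cache flow described for Ranger plug-ins, as a simplified Python model added here (not Ranger's own code). `PluginModel`, the policy fields, the sample policy, and the fallback to the cached file when Ranger Admin is unreachable are assumptions of this sketch. It shows that a revocation made in Ranger Admin takes effect only at the plug-in's next successful poll.

```python
import json, os, tempfile

class PluginModel:
    """Simplified model of a Ranger plug-in: poll Admin, cache to a file, decide locally."""
    def __init__(self, fetch_policies, cache_path):
        self.fetch_policies = fetch_policies  # stands in for the periodic poll to Ranger Admin
        self.cache_path = cache_path          # local policy file kept by the plug-in
        self.policies = []                    # nothing loaded yet, so every request is denied

    def poll(self):
        try:
            self.policies = self.fetch_policies()
            with open(self.cache_path, "w") as fh:
                json.dump(self.policies, fh)
            return "refreshed"
        except ConnectionError:  # Admin unreachable: fall back to the cached file
            if not os.path.exists(self.cache_path):
                return "none"
            with open(self.cache_path) as fh:
                self.policies = json.load(fh)
            return "cache"

    def is_allowed(self, user, groups, resource, access):
        """Grant only when a loaded policy matches; anything else is denied."""
        return any((resource == p["resource"] or resource.startswith(p["resource"] + "/"))
                   and access in p["accesses"]
                   and (user in p["users"] or bool(set(groups) & set(p["groups"])))
                   for p in self.policies)

def demo():
    """Constructed scenario: grant, revoke in Admin, Admin outage, recovery."""
    admin_db = [{"resource": "/warehouse/sales", "accesses": ["read"], "users": ["alice"], "groups": []}]
    admin_up = [True]
    def fetch():
        if not admin_up[0]:
            raise ConnectionError("Ranger Admin unreachable")
        return list(admin_db)
    cache = os.path.join(tempfile.mkdtemp(), "policies.json")
    ask = lambda p: p.is_allowed("alice", [], "/warehouse/sales/q1", "read")
    plugin, out = PluginModel(fetch, cache), {}
    out["first_poll"], out["granted"] = plugin.poll(), ask(plugin)
    admin_db.clear()                       # policy revoked in Ranger Admin
    out["before_next_poll"] = ask(plugin)  # plug-in still holds the old policy
    admin_up[0] = False                    # Admin unreachable while the component restarts
    restarted = PluginModel(fetch, cache)
    out["outage_poll"], out["during_outage"] = restarted.poll(), ask(restarted)
    admin_up[0] = True                     # Admin back: the next poll picks up the revocation
    out["recovery_poll"], out["after_recovery"] = restarted.poll(), ask(restarted)
    return out
```

`demo()` returns the decision at each stage, which makes the window between a revocation in Ranger Admin and its enforcement by the plug-in visible.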

Add the Ranger service to a cluster

  • If you are creating a Hadoop cluster of EMR V2.9.2, EMR V3.9.0, or a later minor version, select Ranger from optional services in the Software Settings step.
  • If you want to enable Ranger for an existing Hadoop cluster of EMR V2.9.2, EMR V3.9.0, or a later minor version, add the Ranger service on the Cluster Management page.
    Note: You can configure access policies for Linux users and LDAP users in your cluster in Ranger.

Access the Ranger UI

Before you access the Ranger UI, make sure that a security group is configured so that you are allowed to access the Hadoop cluster from your current network. For more information, see Access the web UIs of open source components.

  1. Log on to the Alibaba Cloud EMR console.
  2. In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
  3. Click the Cluster Management tab.
  4. On the Cluster Management page, find your cluster and click Details in the Actions column.
  5. In the left-side navigation pane of the Cluster Overview page, click Connect Strings.
  6. On the Public Connect Strings page, click the link for RANGER UI.
    You can visit the link to access the Ranger UI.
  7. On the Ranger UI logon page, enter your username and password. The default username and password are both admin.
    Note: If the default password is changed and you cannot log on to the Ranger UI, follow the instructions that are described in FAQ.
  8. If this is the first time you log on to the Ranger UI, change the password.
    1. Click Settings in the top navigation bar.
    2. Change the password of the admin user.
    3. In the upper-right corner, choose admin > Log Out.
      Log on to the Ranger UI with the new password.

Integrate components with Ranger

You can use plug-ins to integrate the open source components in the cluster with Ranger. After a component is integrated, you can use Ranger to implement fine-grained access control on the component.

For information about how to integrate the components in your cluster with Ranger, see the following topics:

Manage users

You can use Ranger to manage the permissions of users or user groups, which include users and user groups from an LDAP server (recommended) or the local UNIX system.

FAQ

Q: What do I do if I cannot log on to the Ranger UI with the default password?

A: If the default password is changed, perform the following steps:
  1. Log on to the master node of your cluster. For more information, see Log on to a cluster.
  2. Run the following command to reset the password of the admin user:
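    # Connect to the Ranger Admin database on the master node
    mysql -urangeradmin -prangeradmin
    -- At the mysql prompt, overwrite the stored password hash of the admin user
    UPDATE ranger.x_portal_user SET password='ceb4f32325eda6142bd65215f4c0f371' WHERE login_id='admin';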