Apache Ranger is a centralized security framework that implements fine-grained access control across Hadoop components, such as HDFS, Hive, YARN, Kafka, Storm, and Solr. You can manage access policies on the Ranger UI.

Architecture

Ranger consists of three modules:

  • Ranger Admin

    You can use Ranger Admin to create and update access policies. The policies are stored in a database. The plug-ins for Hadoop components poll these policies on a regular basis.

  • Ranger Plug-ins

    The plug-ins for Hadoop components are embedded in cluster processes as lightweight Java programs. For example, the Hive plug-in is embedded in the HiveServer2 process. The plug-ins obtain policies from Ranger Admin and store them in local files. When Ranger receives a request from a user of a Hadoop component, the plug-in for this component obtains the request and evaluates it based on the access policies.

  • Ranger UserSync

    UserSync is a user information synchronization tool. It is used to fetch user and user group information from the UNIX system or an LDAP server. The information is stored in the database of Ranger Admin and is used to define policies.
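
The plug-ins keep a local copy of the policies they enforce, so that copy can be reviewed offline for grants that are wider than intended. The following audit is an added example, not code from Ranger or EMR: the sample data is constructed, the field names (policies, isEnabled, resources, policyItems, accesses, delegateAdmin) are assumed to follow Ranger's policy JSON model, and the group name public is assumed to mean "all users".

```python
import json

# Constructed sample shaped like a plug-in's local policy file.
# Field names are assumptions based on Ranger's policy JSON model.
SAMPLE_CACHE = json.loads("""
{"serviceName": "emr-hdfs", "policies": [
  {"id": 1, "name": "all-path", "isEnabled": true,
   "resources": {"path": {"values": ["/"], "isRecursive": true}},
   "policyItems": [{"users": [], "groups": ["public"], "delegateAdmin": false,
                    "accesses": [{"type": "read", "isAllowed": true},
                                 {"type": "write", "isAllowed": true}]}]},
  {"id": 2, "name": "etl-staging", "isEnabled": true,
   "resources": {"path": {"values": ["/data/staging"], "isRecursive": true}},
   "policyItems": [{"users": ["etl"], "groups": [], "delegateAdmin": true,
                    "accesses": [{"type": "read", "isAllowed": true}]}]},
  {"id": 3, "name": "old-open", "isEnabled": false,
   "resources": {"path": {"values": ["/"], "isRecursive": true}},
   "policyItems": [{"users": [], "groups": ["public"], "delegateAdmin": false,
                    "accesses": [{"type": "read", "isAllowed": true}]}]}
]}
""")

BROAD_VALUES = {"/", "*", "/*"}  # resource values treated as "everything"

def audit_policies(cache):
    """Return (policy name, finding) pairs for enabled policies worth reviewing."""
    findings = []
    for policy in cache.get("policies", []):
        if not policy.get("isEnabled", True):
            continue  # disabled policies are not enforced, so skip them
        broad = any(BROAD_VALUES & set(res.get("values", []))
                    for res in policy.get("resources", {}).values())
        for item in policy.get("policyItems", []):
            allowed = sorted(a["type"] for a in item.get("accesses", [])
                             if a.get("isAllowed", True))
            if "public" in item.get("groups", []) and allowed:
                scope = "broad resource" if broad else "resource"
                findings.append((policy["name"],
                                 f"group 'public' allowed {allowed} on {scope}"))
            if item.get("delegateAdmin"):
                who = sorted(item.get("users", []) + item.get("groups", []))
                findings.append((policy["name"], f"delegateAdmin granted to {who}"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_policies(SAMPLE_CACHE):
        print(f"{name}: {finding}")
```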

Install Ranger

  • If you are creating a cluster of EMR V2.9.2, EMR V3.9.0, or later, select Ranger from optional services in the Software Settings step.
  • If you want to enable Ranger for an existing cluster of EMR V2.9.2, EMR V3.9.0, or later, add the Ranger service on the Cluster Management tab.
    Note
    • After Ranger is enabled, applications are not affected until you configure access policies.
    • You can configure policies for Linux users and LDAP users in your cluster in Ranger.

Access the Ranger UI

  1. Check configurations.

    Before you access the Ranger UI, ensure that a security group is configured to allow access to the Hadoop cluster from your current network. For more information, see Access links and ports.

  2. Log on to the Ranger UI.
    1. Log on to the Alibaba Cloud E-MapReduce console.
    2. Click the Cluster Management tab.
    3. Find the target cluster and click Details in the Actions column.
    4. In the left-side navigation pane, click Access Links and Ports.
    5. On the Access Links and Ports page that appears, click the link for RANGER UI.
    6. On the Ranger UI logon page, log on with the default username (admin) and password.
  3. Change the password.
    1. When you log on to the Ranger UI for the first time, click Settings in the top navigation bar.
    2. Change the password of the admin user.
    3. In the upper-right corner, choose admin > Log Out.

      Log on to the Ranger UI with the new password.

Integrate components with Ranger

You can use plug-ins to integrate the open source components in the cluster with Ranger. After a component is integrated, you can use Ranger to implement fine-grained access control on the component. The following table lists the components that can be integrated with Ranger, as well as the supported EMR versions.

Component    EMR version
HDFS         V2.9.2, V3.9.0, or later
Hive         V2.9.2, V3.9.0, or later
HBase        V2.9.2, V3.9.0, or later
YARN         V2.9.2, V3.9.0, or later
Kafka        V3.12.0 or later
Spark        V3.24.0 or later
Presto       V3.25.0 or later

For information about how to integrate the components in your cluster with Ranger, see the following topics:

Manage users

You can use Ranger to manage the permissions of users or user groups, which include users and user groups from an LDAP server (recommended) or the local UNIX system.