The Ranger introduction topic describes how to create an E-MapReduce cluster with the Ranger service started and the preparations. This topic describes how to integrate HDFS with Ranger.

Integrate HDFS with Ranger

  1. Enable HDFS in Ranger.
    1. Log on to the Alibaba Cloud E-MapReduce console.
    2. In the top navigation bar, select the region where your cluster resides. Select the resource group as required. By default, all resources of the account appear.
    3. Click the Cluster Management tab.
    4. On the Cluster Management page that appears, find the target cluster and click Details in the Actions column.
    5. In the left-side navigation pane, choose Cluster Service > RANGER.
    6. Select EnabledHDFS from the Actions drop-down list in the upper-right corner.
      Enable HDFS PLUGIN
    7. In the Cluster Activities dialog box that appears, set related parameters and click OK.
      Click History in the upper-right corner to view the task progress.
  2. Add the HDFS service on the Web UI of Ranger.
    1. Log on to Ranger. For more information, see Overview.
    2. Add the HDFS service.
      Ranger UI
    3. Set the required parameters.
      hdfs
      Parameter Description
      Service Name Set the value to emr-hdfs.
      Username Set the value to hadoop.
      Password Enter a custom value.
      Namenode URL Set the parameter as follows:
      • Standard cluster: Enter hdfs://emr-header1:9000.
      • High-security cluster: Enter hdfs://emr-header1:8020.
      Authorization Enabled Select No for a standard cluster and Yes for a high-security cluster.
      Authentication Type Set the parameter as follows:
      • Standard cluster: Select Simple.
      • High-security cluster: Select Kerberos.
      dfs.datanode.kerberos.principal These parameters are required only for a high-security cluster. Set the value to hdfs/_HOST@EMR.${id}.com.
      Note ${id}: You can log on to the host and run the hostname command. The number in hostname is the value of ${id}.
      dfs.namenode.kerberos.principal
      dfs.secondary.namenode.kerberos.principal
      Add New Configurations Set the parameters as follows:
      • Name: Set the value to policy.download.auth.users.
      • Value: Set the value to hdfs.
  3. Restart HDFS.
    1. In the left-side navigation pane, choose Cluster Service > HDFS.
    2. Select Restart All Components from the Actions drop-down list in the upper-right corner.
    3. In the Cluster Activities dialog box that appears, set related parameters and click OK.
      Click History in the upper-right corner to view the task progress.

Permission configuration example

After HDFS is integrated with Ranger, you can configure HDFS permissions in Ranger. For example, you can grant user test the Read or Write permission on resources in the path /user/foo.

  1. Click the emr-hdfs service that has been configured.
    Permission configuration example
  2. Click Add New Policy in the upper-right corner.
  3. Set the required parameters.
    Parameter Description
    Policy Name The name of the policy, which can be customized.
    Resoure Path The path of the resources.
    Recursive Specifies whether the permissions take effect on subdirectories or files.
    Select Group The user or group to which permissions are granted. It takes about one minute to synchronize the user and group information of the cluster.
    Select User
    Permissions The permissions to be granted.
  4. Click Add.
    After the policy is created, user test can access resources in the HDFS path /user/foo.