This topic describes how to integrate HDFS with Ranger and how to configure related permissions.

Integrate HDFS with Ranger

  1. Enable HDFS in Ranger.
    1. Log on to the Alibaba Cloud E-MapReduce console.
    2. In the top navigation bar, select the region where your cluster resides. Select the resource group as required. By default, all resources of the account appear.
    3. Click the Cluster Management tab.
    4. On the Cluster Management page that appears, find the target cluster and click Details in the Actions column.
    5. In the left-side navigation pane, click Cluster Service and then RANGER.
    6. Select EnabledHDFS from the Actions drop-down list in the upper-right corner.
    7. In the Cluster Activities dialog box that appears, set related parameters and click OK.
      Click History in the upper-right corner to view the task progress.
  2. Add the HDFS service on the web UI of Ranger.
    1. Log on to Ranger. For more information, see Overview.
    2. Add the HDFS service.
    3. Configure required parameters.
      Parameter: Description
      Service Name: Set the value to emr-hdfs.
      Username: Set the value to hadoop.
      Password: Enter a custom password.
      Namenode URL:
      • Enter hdfs://emr-header-1:9000 for a standard cluster.
      • Enter hdfs://emr-header-1:8020 for a high-security cluster.
      Authorization Enabled: Select No for a standard cluster and Yes for a high-security cluster.
      Authentication Type:
      • Select Simple for a standard cluster.
      • Select Kerberos for a high-security cluster.
      dfs.datanode.kerberos.principal, dfs.namenode.kerberos.principal, dfs.secondary.namenode.kerberos.principal: These parameters are required only for a high-security cluster. Set the value to hdfs/_HOST@EMR.${id}.com.
      Note: You can log on to the host and run the hostname command to obtain the value of ${id}. The number in the hostname is the value of ${id}.
      Add New Configurations: Configure the following parameters:
      • Name: Set the value to policy.download.auth.users.
      • Value: Set the value to hdfs.
  3. Restart HDFS.
    1. In the left-side navigation pane, click Cluster Service and then HDFS.
    2. Select Restart All Components from the Actions drop-down list in the upper-right corner.
    3. In the Cluster Activities dialog box that appears, set related parameters and click OK.
      Click History in the upper-right corner to view the task progress.

Permission configuration example

After HDFS is integrated with Ranger, you can configure HDFS permissions in Ranger. For example, you can perform the following steps to grant user test the Write or Execute permission on resources in the /user/foo directory.

  1. Click emr-hdfs.
  2. Click Add New Policy in the upper-right corner.
  3. Configure required parameters.
    Parameter: Description
    Policy Name: The name of the policy. You can customize a name.
    Resource Path: The path of the resources.
    Recursive: Specifies whether the permissions take effect on subdirectories or files.
    Select Group: The user group to which you want to add this policy.
    Select User: The user to whom you want to add this policy.
    Permissions: The permissions to be granted.
  4. Click Add.
    After the policy is added, authorization is completed. User test can access the /user/foo directory.
    Note: After you add, remove, or modify a policy, it can take up to one minute for the configuration to take effect.
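
The policy from the steps above, written as the JSON body that Ranger's public REST API (POST /service/public/v2/api/policy) accepts, together with a check for over-broad grants to run before the policy is submitted. This is an added example, not part of the original documentation; the function names, the policy name, and the review rules are assumptions.

```python
import json

HDFS_ACCESS_TYPES = {"read", "write", "execute"}  # access types of Ranger's HDFS service

def build_hdfs_policy(service, name, path, users, accesses, recursive=True):
    """Return a policy body in the JSON shape of Ranger's public v2 policy API."""
    return {
        "service": service,
        "name": name,
        "isEnabled": True,
        "isAuditEnabled": True,
        "resources": {
            "path": {"values": [path], "isRecursive": recursive, "isExcludes": False}
        },
        "policyItems": [{
            "users": list(users),
            "groups": [],
            "accesses": [{"type": a, "isAllowed": True} for a in accesses],
            "delegateAdmin": False,
        }],
    }

def review_policy(policy):
    """Return findings for grants that are broader than intended (hypothetical rules)."""
    findings = []
    for value in policy["resources"]["path"]["values"]:
        # "/" covers the whole file system; wildcards widen the match further.
        if value.rstrip("/") == "" or "*" in value:
            findings.append(f"broad resource path: {value!r}")
    for item in policy["policyItems"]:
        if "public" in item.get("groups", []):
            findings.append("granted to Ranger's built-in group 'public' (every user)")
        if item.get("delegateAdmin"):
            findings.append("delegateAdmin lets the grantees hand this access to others")
        unknown = {a["type"] for a in item["accesses"]} - HDFS_ACCESS_TYPES
        if unknown:
            findings.append(f"unknown HDFS access types: {sorted(unknown)}")
    return findings

if __name__ == "__main__":
    # Values from the example above; the policy name is constructed.
    policy = build_hdfs_policy("emr-hdfs", "foo-write-execute", "/user/foo",
                               ["test"], ["write", "execute"])
    print(json.dumps(policy, indent=2))
    print(review_policy(policy) or "no findings")
```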