This topic describes how to integrate HDFS with Ranger and how to configure related permissions.

Background information

Permissions that you configure on HDFS by using Ranger take effect together with the HDFS access control list (ACL)-based permissions, but they have a lower priority: the Ranger permissions are verified only if verification against the HDFS ACL-based permissions fails. The following figure shows the permission verification process.

[Figure: HDFS Config]

Prerequisites

An E-MapReduce (EMR) cluster is created, and Ranger is selected from the optional services when you create the cluster. For more information, see Create a cluster.

Integrate HDFS with Ranger

  1. Go to the Cluster Overview page.
    1. Log on to the Alibaba Cloud EMR console.
    2. In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
    3. Click the Cluster Management tab.
    4. On the Cluster Management page, find your cluster and click Details in the Actions column.
  2. Enable HDFS in Ranger.
    1. In the left-side navigation pane, click Cluster Service and then RANGER.
    2. On the page that appears, choose Actions > EnabledHDFS in the upper-right corner.
    3. Perform the following operations on the cluster:
      1. In the Cluster Activities dialog box, specify Description and click OK.
      2. In the Confirm message, click OK.
      3. Click History in the upper-right corner to view the task progress.
  3. Add the HDFS service on the web UI of Ranger.
    1. Log on to Ranger. For more information, see Overview.
    2. On the Ranger web UI, click the Add icon in the row where HDFS is located to add the HDFS service.
    3. Configure the parameters that are described in the following table.
      Parameter: Description
      Service Name: The value is emr-hdfs and cannot be changed.
      Username: The value is hadoop and cannot be changed.
      Password: You can customize a password.
      Namenode URL:
      • Enter hdfs://emr-header-1:9000 for a non-HA cluster.
      • Enter hdfs://emr-header-1:8020 for an HA cluster.
      Authorization Enabled: Select No for a standard cluster and Yes for a high-security cluster.
      Authentication Type:
      • Select Simple for a standard cluster.
      • Select Kerberos for a high-security cluster.
      dfs.datanode.kerberos.principal, dfs.namenode.kerberos.principal, dfs.secondary.namenode.kerberos.principal: These parameters are required only for a high-security cluster. Set the value to hdfs/_HOST@EMR.${id}.com.
      Note: You can log on to the host and run the hostname command to obtain the value of ${id}. The number in hostname is the value of ${id}.
      Add New Configurations:
      • Name: Set the value to policy.download.auth.users.
      • Value: Set the value to hdfs.
    4. Click Add.
  4. Restart HDFS.
    1. In the left-side navigation pane, choose Cluster Service > HDFS.
    2. Select Restart NameNode from the Actions drop-down list in the upper-right corner.
    3. Perform the following operations on the cluster:
      1. In the Cluster Activities dialog box, specify Description and click OK.
      2. In the Confirm message, click OK.
      3. Click History in the upper-right corner to view the task progress.

Example of permission configurations

For example, you can perform the following steps to grant the test user the WRITE or EXECUTE permission on resources in the /user/foo directory.

  1. Log on to Ranger. For more information, see Overview.
  2. Click emr-hdfs.
  3. Click Add New Policy in the upper-right corner.
  4. Configure the parameters that are described in the following table.
    Parameter: Description
    Policy Name: The name of the policy. You can customize a name.
    Resource Path: The path of the resources.
    recursive: Specifies whether the permissions take effect on subdirectories or files.
    Select Group: The user group to which you want to add this policy.
    Select User: The user to whom you want to add this policy.
    Permissions: The permissions that you want to grant.
  5. Click Add.
    After the policy is added, the test user is granted the permissions. The test user can access the /user/foo directory.
    Note: After you add, remove, or modify a policy, it takes about one minute for the configuration to take effect.
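
The following added example (not code from this page, Ranger, or HDFS) models the check order described under Background information, using the /user/foo policy from the example above. The inode table, the owner foo, the guest user, the /user/open path, and all function names are assumptions made for illustration.

```python
# Added illustration, not Ranger or HDFS source code. All names and data are constructed.
# Simplified: only the target path's own mode bits are checked (no ancestor
# traversal, no extended ACL entries, no Ranger wildcards or deny rules).

# Constructed inode table: path -> (owner, group, mode)
INODES = {
    "/user/foo": ("foo", "hadoop", 0o700),
    "/user/foo/data": ("foo", "hadoop", 0o700),
    "/user/open": ("foo", "hadoop", 0o777),
}

# Constructed policy mirroring the form fields in the example on this page.
POLICIES = [{
    "path": "/user/foo", "recursive": True,
    "users": {"test"}, "groups": set(),
    "accesses": {"write", "execute"},
}]

BITS = {"read": 4, "write": 2, "execute": 1}

def native_allows(user, groups, path, access):
    """HDFS-side check: pick the owner, group or other triad and test one bit."""
    owner, group, mode = INODES[path]
    shift = 6 if user == owner else 3 if group in groups else 0
    return bool((mode >> shift) & BITS[access])

def ranger_allows(user, groups, path, access, policies=POLICIES):
    """Ranger-side check: path covered, principal listed, access granted."""
    for p in policies:
        base = p["path"].rstrip("/")
        covered = path == base or (p["recursive"] and path.startswith(base + "/"))
        listed = user in p["users"] or bool(p["groups"] & set(groups))
        if covered and listed and access in p["accesses"]:
            return True
    return False

def authorize(user, groups, path, access, policies=POLICIES):
    """Return (decision, decided_by) in the order this page describes."""
    if native_allows(user, groups, path, access):
        return ("ALLOW", "hdfs")      # Ranger is never consulted
    if ranger_allows(user, groups, path, access, policies):
        return ("ALLOW", "ranger")    # fallback after the HDFS check failed
    return ("DENY", None)

if __name__ == "__main__":
    for req in [("test", [], "/user/foo", "write"), ("test", [], "/user/foo", "read"),
                ("guest", [], "/user/open", "write")]:
        print(req, "->", authorize(*req))
```

In this model the request on /user/open is allowed by the 777 mode before any Ranger policy is evaluated, so a Ranger policy can only add access on top of what the HDFS-side permissions already grant.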