Apache Ranger provides a centralized permission management framework that allows fine-grained
access control on multiple components in the Hadoop ecosystem. If you store data in
Alibaba Cloud Object Storage Service (OSS), you can create and manage RAM users in
the Alibaba Cloud Resource Access Management (RAM) console and manage the permissions
of the RAM users on the data in OSS. This topic describes how to integrate OSS with
Ranger and how to configure related permissions.
Prerequisites
A high-security E-MapReduce (EMR) cluster is created and the Ranger service is selected
when you create the cluster. For more information about how to create a cluster, see
Create a cluster.

Note You must turn on Kerberos Mode in the Advanced Settings section of the Software Settings step when you create the cluster. Otherwise, the cluster is not a high-security cluster.
Limits
The JindoFS OSS configuration feature applies to clusters of the following versions:
- EMR V5.4.2 or EMR V3.38.2
- EMR V5.6.0 or a later minor version, or EMR V3.40.0 or a later minor version
Integrate OSS with Ranger
- Go to the Cluster Overview page.
- Log on to the Alibaba Cloud EMR console.
- In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
- Click the Cluster Management tab.
- On the Cluster Management page, find your cluster and click Details in the Actions column.
- Enable OSS.
- In the left-side navigation pane, choose .
- In the upper-right corner of the RANGER service page, choose .
- In the Cluster Activities dialog box, configure Description and click OK.
- In the Confirm message, click OK.
- Deploy client configurations.
- EMR V5.6.0 or a later minor version, or EMR V3.40.0 or a later minor version
- In the left-side navigation pane, choose .
- On the HDFS service page, click the Configure tab. In the upper-right corner of the
Service Configuration section, click Deploy Client Configuration.
- In the Cluster Activities dialog box, configure Description and click OK.
- In the Confirm message, click OK.
You can click History in the upper-right corner to view the execution status and progress.
- EMR V5.4.2 or EMR V3.38.2
- In the left-side navigation pane, choose .
- On the SmartData service page, click the Configure tab. In the upper-right corner
of the Service Configuration section, click Deploy Client Configuration.
- In the Cluster Activities dialog box, configure Description and click OK.
- In the Confirm message, click OK.
You can click History in the upper-right corner to view the execution status and progress.
- Restart Jindofsx Namespace Service or Jindo Namespace Service.
- EMR V5.6.0 or a later minor version, or EMR V3.40.0 or a later minor version
- In the upper-right corner of the JindoData service page, choose .
- In the Cluster Activities dialog box, configure Description and click OK.
- In the Confirm message, click OK.
- EMR V5.4.2 or EMR V3.38.2
- In the upper-right corner of the SmartData service page, choose .
- In the Cluster Activities dialog box, configure Description and click OK.
- In the Confirm message, click OK.
- Restart HiveServer2.
- In the left-side navigation pane, choose .
- In the upper-right corner of the Hive service page, choose .
- In the Cluster Activities dialog box, configure Description and click OK.
- In the Confirm message, click OK.
- Create a principal.
- Log on to the emr-header-1 node of your cluster in SSH mode. For more information,
see Log on to a cluster.
- Run the following command to enable the Kerberos administration tool:
sh /usr/lib/has-current/bin/admin-local.sh /etc/ecm/has-conf -k /etc/ecm/has-conf/admin.keytab
- Run the following command to create a principal named test.
In this example, the password is 123456.
addprinc -pw 123456 test
Note You must record the username and password, which will be used to create a Ticket Granting
Ticket (TGT). If you do not want to record the username and password, you can perform
the next step to generate a keytab file and import the username and password of the
principal into the keytab file.
- Optional: Run the following command to generate a keytab file:
ktadd -k /root/test.keytab test
To exit the Kerberos administration tool, run the quit command.
- Create a TGT.
You can create a TGT on one of the nodes on which you want to run a Hive client.
- Run the following command as the root user to create a user named test:
- Run the following command to switch to the test user:
- Create a TGT.
- Method 1: Use a username and password to create a TGT.
Enter kinit and press Enter. Then, enter the password 123456 of the test account.

- Method 2: Use a keytab file to create a TGT.
The test.keytab file generated in Step 6 is stored in the /root/ directory of the emr-header-1 node. You must run the cp /root/test.keytab /home/test/ command to copy the file to the /home/test/ directory of the current node. Then, run the following command to create a TGT:
kinit -kt /home/test/test.keytab test
- View the information about the TGT.
Run the klist command. The following information is returned:
Ticket cache: FILE:/tmp/krb5cc_1012
Default principal: test@EMR.23****.COM
Valid starting Expires Service principal
07/24/2021 13:20:44 07/25/2021 13:20:44 krbtgt/EMR.23****.COM@EMR.23****.COM
renew until 07/25/2021 13:20:44
Permission configuration example
In this topic, an EMR V3.38.2 cluster is used. For clusters of other versions, follow the
options that are actually displayed on the Ranger web UI.
Perform the following steps to grant the test user all the access permissions on the
oss://bucket-test-hangzhou/user/test directory.
- Access the Ranger web UI. For more information, see Overview.
- On the Ranger web UI, click emr-oss.
- Grant all access permissions on the test directory.
- Click Add New Policy in the upper-right corner.
- On the Edit Policy page, configure the parameters that are described in the following table.

Parameter | Description
--- | ---
Policy Name | The name of the policy. You can specify a custom name.
Path | The OSS path. You do not need to start the path with the oss:// prefix. In this example, set this parameter to bucket-test-hangzhou/user/test. Notice: no forward slash (/) is required at the end of the path, and do not turn off recursive.
Select User | The user to whom you want to attach this policy. In this example, set this parameter to test.
Permissions | The permissions that you want to grant. In this example, select ALL. ALL indicates the Read, Write, and Execute permissions.
- Click Add.
- Grant the Execute permission on the user directory, which is the parent directory of the test directory.
- Click Add New Policy in the upper-right corner.
- On the Edit Policy page, configure the parameters that are described in the following table.

Parameter | Description
--- | ---
Policy Name | The name of the policy. You can specify a custom name.
Path | The OSS path. You do not need to start the path with the oss:// prefix. In this example, set this parameter to bucket-test-hangzhou/user. Notice: no forward slash (/) is required at the end of the path, and do not turn off recursive.
Select User | The user to whom you want to attach this policy. In this example, set this parameter to test.
Permissions | The permissions that you want to grant. In this example, set this parameter to Execute.
- Click Add.
- Access OSS.
- Log on to the emr-header-1 node of your cluster in SSH mode. For more information,
see Log on to a cluster.
- Run the following command to switch to the test user:
- Run the following command to access the OSS directory:
hadoop fs -ls oss://bucket-test-hangzhou/user/test
If you are not granted the permissions to access the OSS directory, the following
information is displayed:
org.apache.hadoop.security.AccessControlException: Permission denied: user=test, access=READ_EXECUTE, resourcePath="bucket-test-hangzhou/"
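The following added example (not Ranger's or EMR's own code) is a simplified model of how the two policies created above combine for the test user. It assumes a policy matches a path exactly or, when recursive is on, any path below it, and that listing a directory needs READ_EXECUTE on the directory plus EXECUTE on its parent, which is why the second policy exists; the policy names and the sample paths are constructed.

```python
# Added example (not Ranger's own code): a simplified model of how the two OSS policies
# created above combine, so the effect of the Path, recursive and Execute rules can be checked.
ALL = {"read", "write", "execute"}

def normalize(path):
    """Strip the oss:// prefix and a trailing slash, matching the Path field rules above."""
    if path.startswith("oss://"):
        path = path[len("oss://"):]
    return path.rstrip("/")

def policy(name, path, users, perms, recursive=True):
    """One Ranger-style policy; ALL expands to Read, Write and Execute."""
    perms = ALL if "ALL" in perms else {p.lower() for p in perms}
    return {"name": name, "path": normalize(path), "users": set(users),
            "perms": perms, "recursive": recursive}

# Constructed sample: the two policies from the permission configuration example.
POLICIES = [
    policy("test-all", "bucket-test-hangzhou/user/test", ["test"], ["ALL"]),
    policy("user-execute", "bucket-test-hangzhou/user", ["test"], ["Execute"]),
]

def granted(user, path, policies=POLICIES):
    """Union of the permissions every matching policy grants `user` on `path`."""
    path = normalize(path)
    perms = set()
    for p in policies:
        if user not in p["users"]:
            continue
        if path == p["path"] or (p["recursive"] and path.startswith(p["path"] + "/")):
            perms |= p["perms"]
    return perms

def check(user, path, access, policies=POLICIES):
    """Evaluate a Hadoop-style access such as READ_EXECUTE; returns (allowed, message)."""
    needed = {a.lower() for a in access.split("_")}
    if needed - granted(user, path, policies):
        return False, ("org.apache.hadoop.security.AccessControlException: Permission denied: "
                       f'user={user}, access={access}, resourcePath="{normalize(path)}"')
    return True, "allowed"

def can_list(user, dir_path, policies=POLICIES):
    """Listing a directory needs READ_EXECUTE on it and EXECUTE on its parent directory."""
    path = normalize(dir_path)
    parent = path.rsplit("/", 1)[0]
    allowed, msg = check(user, path, "READ_EXECUTE", policies)
    return (allowed, msg) if not allowed else check(user, parent, "EXECUTE", policies)
```

Removing the user-execute policy or turning recursive off makes the corresponding checks fail, which reproduces the two Notice items in the tables above.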