Dremio Community

Ranger Based Authorization

The Dremio Ranger Based authorization is a Hive authorization client which checks the Ranger policy permissions and then allows/disallows access as defined by the Ranger policy.

Enterprise Edition only

When adding a new Hive source, you have the following options for Hive authorization clients:

Note

The Hive authorization option is set when a new Hive source is added.

  • Storage Based with User Impersonation
  • SQL Based
  • Ranger Based

Enabling Ranger Based Authorization

To enable Ranger policy support:

  1. Add a new Hive Source.
  2. Select the Ranger Based authorization button.
  3. Provide the following information:
    • Ranger Service Name - This field corresponds to the security profile in Ranger. Example: hivedev
    • Ranger Host URL - This field is the path to the actual Ranger server. Example: http://yourhostname.com:6080

Ranger Security Framework

Apache Ranger (Ranger) offers a centralized security framework to manage fine-grained access control over Hadoop and related components such as Apache Hive.

Using the Ranger administration console, you can:

  • Manage policies around accessing a resource (file, folder, database, table, etc) for a particular set of users and/or groups and enforce the policies within Hadoop.
  • Enable audit tracking and policy analytics for deeper control of the environment.
  • Manage data access by providing the ability to delegate administration of certain data to other group owners, with an aim of decentralizing data ownership.

Ranger Configuration Policies

The Ranger policies are configure in the Ranger Console for the selected databases.
The Ranger Admin creates policies to set permissions at the user/group level on the selected table(s). Access to the tables can be allowed or disallowed as defined in the Ranger policy for the given user/group.

Reflections access

In order for Reflections to be created successfully, you must ensure that the Dremio service user (the user running the Dremio process on the host) has access to all relevant databases and tables. This is done by defining Ranger policies that establishes access permission for the Dremio service user on the selected databases and tables.

Ranger Auditing

Auditing is enabled through Ranger. When auditing is enabled, Dremio-related access requests show up in the audit log as ranger-acl-dremio in the Access Enforcer column.

To enable additional Ranger audit properties, add the properties via one of the following methods:

  • Select Advanced Options and add the properties.
  • Copy the Ranger configuration file into the <dremio-root>/plugins/connectors/<hive-plugin-id>.d/ on all coordinator nodes. (See Hive Configuration for more details).

Example: /plugins/connectors/hive3-ee.d/ranger-hive-audit.xml

Using Kerberos with Ranger

If you are using Kerberos with Ranger, ensure that the Dremio user (the user associated with the Dremio service principal) is configured to interact (as an Admin) with a Kerberized Ranger instance.

Dremio service user can be configuration via the Ranger UI through one of the following methods:

  • Ranger User/Groups
  • Ranger Service Manager

Configure via Ranger User/Groups

If the Dremio service user is given Admin privileges via the Ranger User/Groups, you are not required to configure via the Ranger Service Manager.

  1. In the Ranger Admin UI, navigate to the User/Groups page.
  2. Find and edit the Dremio user.
  3. Select the Admin role for the Dremio user.

Configure via Ranger Service Manager

If the Dremio service user is configured via the Ranger Service Manager, you are not required to give Admin privileges via the Ranger User/Groups.

  1. In the Ranger Admin UI, navigate to Access Manager > Service Manager > Edit Service.
  2. In the Service configuration section, add the Dremio service user to the policy.download.auth.users property. For example:
Configuration Name Configuration Value
policy.download.auth.users hive,dremio

Note

In this example configuraton, the hive configuration value is for the Hive service user. This setting may not be applicable for your environment; it is not a requirement for Dremio.

Troubleshooting

Access denied

If access is denied when attempting to query a Hive data source under the following circumstances:

  • Ranger Based authorization is configured
  • Dremio logs a “FileNotFoundException */xasecure-audit.xml (No such file or directory)” error.

This behavior is triggered within the Ranger plugin libraries when hdfs-site.xml, hive-site.xml, or hbase-site.xml are present in the Hive plugin’s configuration path (eg a sub-directory under <dremio-root>/plugins/connectors/<hive-plugin-id>.d/. See Hive Configuration for more details).

To fix this environment issue, rename the ranger-hive-audit.xml configuration file generated by the Ranger Hive plugin installer to xasecure-audit.xml and copy it to the Dremio configuration path on all coordinator nodes.

PolicyRefesher Error

If Dremio is deployed in a Kerberized environment and the Hive data source is unable to retrieve it’s policies from Ranger, it is possible that the user running Dremio isn’t configured to pull policies from the Ranger Admin host. If the Dremio service user doesn’t have the permissions to download the desired service’s policies, you may receive a failed to refresh policies error message in the Dremio logs.

To resolved this issue, ensure that the Dremio service user is present in the list of users that have the permission to pull down a specific policy:

  1. On the Ranger Admin UI, edit the Hive service used by Dremio.
  2. In the Add New Configurations section, ensure policy.download.auth.users contains the Dremio service user.

Limitations

  • Dremio’s support for Ranger is specific to policies that define table-level access. There is no support for Ranger policies that include column-level masking or row filtering.

  • Dremio does not support tag-based policies in Apache Ranger-based authorization for Hive data sources.

  • If you only have column or row access permissions for a table, then you cannot view the table within Dremio (access is denied).

  • Dremio integrates Apache Ranger version 1.1.0

  • The Ranger plug-in supports only one audit server (this is a limitation with how Ranger handles auditing).

  • Ranger properties defined in any of the standard ranger-hive-yyyy.xml configuration files are stored in the dremio-root/conf directory. Example: conf/ranger-hive-audit.xml

Note Ranger properties that do not have the ranger.plugin.hive prefix will overwrite one another.

  • If users and groups are defined in LDAP or Active Directory (AD), then the Dremio Coordinator host operating system (OS) must be configured to perform user lookup through LDAP/AD. This is a requirement of the Ranger plug-in, which defers the lookup to the host OS where the plug-in resides (in this case, the same host that the Dremio Coordinator is using to handle the query). If the host is incorrectly configured, then Ranger cannot lookup the correct user and group information.