Ranger Based Authorization

Dremio's Ranger Based authorization is a Hive authorization client that checks the permissions defined in the Ranger policy and allows or denies access accordingly.

[info] Ranger Based authorization is an Enterprise Edition feature.

When adding a new Hive source, you have the following options for Hive authorization clients:

  • Storage Based with User Impersonation
  • SQL Based
  • Ranger Based

[info] Note

The Hive authorization option is set when a new Hive source is added.

Enabling Ranger Based Authorization

To enable Ranger policy support:

  1. Add a new Hive Source.
  2. Select the Ranger Based authorization button.
  3. Provide the following information:
    • Ranger Service Name - This field corresponds to the security profile in Ranger. Example: hivedev
    • Ranger Host URL - This field is the path to the actual Ranger server. Example: http://yourhostname.com:6080

Ranger Security Framework

Apache Ranger (Ranger) offers a centralized security framework for managing fine-grained access control over Hadoop and related components such as Apache Hive. Using the Ranger administration console, users can manage policies that govern access to a resource (file, folder, database, table, etc.) for a particular set of users and/or groups, and enforce those policies within Hadoop. They can also enable audit tracking and policy analytics for deeper control of the environment. Ranger also provides the ability to delegate administration of certain data to other group owners, with the aim of decentralizing data ownership.

Ranger Configuration Policies

Ranger policies are configured in the Ranger Console for the selected databases.
The Ranger Admin creates policies that set permissions at the user/group level on the selected table(s). Access to the tables is allowed or denied as defined in the Ranger policy for the given user/group.

[info] Reflections access

In order for Reflections to be created successfully, you must ensure that the Dremio service user (the user running the Dremio process on the host) has access to all relevant databases and tables. This is done by defining Ranger policies that establish access permissions for the Dremio service user on the selected databases and tables.

Ranger Auditing

Auditing is enabled through Ranger. When auditing is enabled, Dremio-related access requests show up in the audit log as ranger-acl-dremio in the Access Enforcer column.
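
As an added example (not part of the Dremio documentation or of Ranger), the following Python filters Ranger audit records for denied requests whose Access Enforcer is ranger-acl-dremio and counts repeated denials per user and table, which is how a reviewer would separate Dremio-originated denials from HiveServer2 ones. It assumes Ranger's JSON audit record layout with the fields reqUser, resource, result (1 = allowed, 0 = denied) and enforcer; the sample lines are constructed.

```python
import json
from collections import Counter

# Constructed sample lines in the shape of Ranger's JSON audit records
# (field names assumed from Ranger's audit output; not taken from this page).
SAMPLE_AUDIT_LINES = [
    '{"repo":"hivedev","reqUser":"alice","evtTime":"2021-03-01 10:00:01.000",'
    '"access":"SELECT","resource":"sales/orders","resType":"@table","result":1,'
    '"policy":12,"enforcer":"ranger-acl-dremio"}',
    '{"repo":"hivedev","reqUser":"bob","evtTime":"2021-03-01 10:00:05.000",'
    '"access":"SELECT","resource":"hr/salaries","resType":"@table","result":0,'
    '"policy":-1,"enforcer":"ranger-acl-dremio"}',
    '{"repo":"hivedev","reqUser":"bob","evtTime":"2021-03-01 10:00:09.000",'
    '"access":"SELECT","resource":"hr/salaries","resType":"@table","result":0,'
    '"policy":-1,"enforcer":"ranger-acl-dremio"}',
    '{"repo":"hivedev","reqUser":"carol","evtTime":"2021-03-01 10:01:00.000",'
    '"access":"SELECT","resource":"hr/salaries","resType":"@table","result":0,'
    '"policy":-1,"enforcer":"ranger-acl"}',
    'not json at all',
]


def parse_audit_lines(lines):
    """Return one dict per well-formed JSON line; blank and malformed lines are skipped."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated or corrupt line must not abort the whole run
        if isinstance(rec, dict):
            records.append(rec)
    return records


def dremio_denials(records, enforcer="ranger-acl-dremio"):
    """Keep only denied requests (result == 0) that Ranger attributed to the given enforcer."""
    return [r for r in records
            if r.get("enforcer") == enforcer and r.get("result") == 0]


def denial_counts(denials):
    """Count denials per (user, resource) so repeated failures on one table stand out."""
    return Counter((r.get("reqUser"), r.get("resource")) for r in denials)


if __name__ == "__main__":
    recs = parse_audit_lines(SAMPLE_AUDIT_LINES)
    for (user, resource), n in denial_counts(dremio_denials(recs)).most_common():
        print(f"{n:3d} denied  user={user}  resource={resource}")
```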

To enable additional Ranger audit properties, add the properties via one of the following methods:

  • Select Advanced Options and add the properties.
  • Copy the Ranger configuration file into the /conf directory on all coordinator nodes. Example: conf/ranger-hive-audit.xml

Troubleshooting

Access denied

Access may be denied when attempting to query a Hive data source under the following circumstances:

  • Ranger Based authorization is configured
  • Dremio logs a "FileNotFoundException */xasecure-audit.xml (No such file or directory)" error.

This behavior is triggered within the Ranger plugin libraries when hdfs-site.xml, hive-site.xml, or hbase-site.xml are present in the Dremio configuration path.

To fix this environment issue, rename the ranger-hive-audit.xml configuration file generated by the Ranger Hive plugin installer to xasecure-audit.xml and copy it to the Dremio configuration path on all coordinator nodes.

Limitations

  • Dremio’s support for Ranger is specific to policies that define table-level access. There is no support for Ranger policies that include column-level masking or row filtering.

  • If you only have column or row access permissions for a table, then you cannot view the table within Dremio (access is denied).

  • The Ranger plug-in supports only one audit server (this is a limitation with how Ranger handles auditing).

  • The standard ranger-hive-yyyy.xml configuration files that define Ranger properties are stored in the dremio-root/conf directory. Example: conf/ranger-hive-audit.xml

    [info] Note

    Ranger properties that do not have the ranger.plugin.hive prefix will overwrite one another.

  • If users and groups are defined in LDAP or Active Directory (AD), then the Dremio Coordinator host operating system (OS) must be configured to perform user lookup through LDAP/AD. This is a requirement of the Ranger plug-in, which defers the lookup to the host OS where the plug-in resides (in this case, the same host that the Dremio Coordinator is using to handle the query). If the host is incorrectly configured, then Ranger cannot look up the correct user and group information.
