The Dremio Ranger Based authorization is a Hive authorization client which checks the Ranger policy permissions and then allows/disallows access as defined by the Ranger policy.
Enterprise Edition only
When adding a new Hive source, you have the following options for Hive authorization clients:
The Hive authorization option is set when a new Hive source is added.
To enable Ranger policy support:
Ranger Basedauthorization button.
Apache Ranger (Ranger) offers a centralized security framework to manage fine-grained access control over Hadoop and related components such as Apache Hive.
Using the Ranger administration console, you can:
The Ranger policies are configure in the Ranger Console for the selected databases.
The Ranger Admin creates policies to set permissions at the user/group level on the selected table(s). Access to the tables can be allowed or disallowed as defined in the Ranger policy for the given user/group.
In order for Reflections to be created successfully, you must ensure that the Dremio service user (the user running the Dremio process on the host) has access to all relevant databases and tables. This is done by defining Ranger policies that establishes access permission for the Dremio service user on the selected databases and tables.
Auditing is enabled through Ranger.
When auditing is enabled, Dremio-related access requests show up in the audit log
ranger-acl-dremio in the Access Enforcer column.
To enable additional Ranger audit properties, add the properties via one of the following methods:
Advanced Optionsand add the properties.
If you are using Kerberos with Ranger, ensure that the Dremio user (the user associated with the Dremio service principal) is configured to interact (as an Admin) with a Kerberized Ranger instance.
Dremio service user can be configuration via the Ranger UI through one of the following methods:
If the Dremio service user is given Admin privileges via the Ranger User/Groups, you are not required to configure via the Ranger Service Manager.
If the Dremio service user is configured via the Ranger Service Manager, you are not required to give Admin privileges via the Ranger User/Groups.
policy.download.auth.usersproperty. For example:
|Configuration Name||Configuration Value|
In this example configuraton, the
hiveconfiguration value is for the Hive service user. This setting may not be applicable for your environment; it is not a requirement for Dremio.
If access is denied when attempting to query a Hive data source under the following circumstances:
This behavior is triggered within the Ranger plugin libraries when hdfs-site.xml, hive-site.xml, or hbase-site.xml are present in the Hive plugin’s configuration path (eg a sub-directory under <dremio-root>/plugins/connectors/<hive-plugin-id>.d/. See Hive Configuration for more details).
To fix this environment issue, rename the ranger-hive-audit.xml configuration file generated by the Ranger Hive plugin installer to xasecure-audit.xml and copy it to the Dremio configuration path on all coordinator nodes.
If Dremio is deployed in a Kerberized environment and the Hive data source is unable to retrieve it’s policies from Ranger,
it is possible that the user running Dremio isn’t configured to pull policies from the Ranger Admin host.
If the Dremio service user doesn’t have the permissions to download the desired service’s policies,
you may receive a
failed to refresh policies error message in the Dremio logs.
To resolved this issue, ensure that the Dremio service user is present in the list of users that have the permission to pull down a specific policy:
policy.download.auth.userscontains the Dremio service user.
Dremio’s support for Ranger is specific to policies that define table-level access. There is no support for Ranger policies that include column-level masking or row filtering.
Dremio does not support tag-based policies in Apache Ranger-based authorization for Hive data sources.
If you only have column or row access permissions for a table, then you cannot view the table within Dremio (access is denied).
Dremio integrates Apache Ranger version 1.1.0
The Ranger plug-in supports only one audit server (this is a limitation with how Ranger handles auditing).
Ranger properties defined in any of the standard ranger-hive-yyyy.xml configuration files are stored in the dremio-root/conf directory. Example: conf/ranger-hive-audit.xml
Note Ranger properties that do not have the ranger.plugin.hive prefix will overwrite one another.