Building Apache Ranger 2.4.0 on CentOS 7.6 (Docker method)

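Contents

I. Introduction to Ranger

1. Component list

2. Supported data engine services

II. Host environment preparation

1. Disable the firewall

2. Disable SELinux

3. Install Docker

4. Download the Ranger source package

5. Download the Maven package

III. Building the Ranger source

1. Modify build_ranger_using_docker.sh from the official package

2. Run the script to build

3. Build check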


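I. Introduction to Ranger

Apache Ranger provides a centralized security management framework that handles authorization and auditing. It enforces fine-grained data access control for Hadoop ecosystem components such as HDFS, Yarn, Hive and HBase. From the Ranger console, administrators control user access permissions by configuring policies.

1. Component list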

| # | Service Name | Listen Port | Core Ranger Service |
|---|---|---|---|
| 1 | ranger | 6080/tcp | Y (ranger engine - 3.0.0-SNAPSHOT version) |
| 2 | ranger-postgres | 5432/tcp | Y (ranger datastore) |
| 3 | ranger-solr | 8983/tcp | Y (audit store) |
| 4 | ranger-zk | 2181/tcp | Y (used by solr) |
| 5 | ranger-usersync | - | Y (user/group synchronization from Local Linux/Mac) |
| 6 | ranger-kms | 9292/tcp | N (needed only for Encrypted Storage / TDE) |
| 7 | ranger-tagsync | - | N (needed only for Tag Based Policies to be sync from ATLAS) |

2. Supported data engine services

| # | Service Name | Listen Port | Service Description |
|---|---|---|---|
| 1 | Hadoop | 8088/tcp 9000/tcp | Apache Hadoop 3.3.0 Protected by Apache Ranger's Hadoop Plugin |
| 2 | HBase | 16000/tcp 16010/tcp 16020/tcp 16030/tcp | Apache HBase 2.4.6 Protected by Apache Ranger's HBase Plugin |
| 3 | Hive | 10000/tcp | Apache Hive 3.1.2 Protected by Apache Ranger's Hive Plugin |
| 4 | Kafka | 6667/tcp | Apache Kafka 2.8.1 Protected by Apache Ranger's Kafka Plugin |
| 5 | Knox | 8443/tcp | Apache Knox 1.4.0 Protected by Apache Ranger's Knox Plugin |

II. Host environment preparation

1. Disable the firewall

systemctl stop firewalld.service

systemctl disable firewalld.service

2. Disable SELinux

sed -i.bak"$(date +%Y%m%d)" '/^SELINUX=/c SELINUX=disabled' /etc/selinux/config

setenforce 0

3. Install Docker

yum install -y docker

systemctl start docker

systemctl enable docker

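4. Download the Ranger source package

The Apache Ranger website does not offer a ready-to-deploy installation package; Ranger must be built from source.

Official site: Apache Ranger - Download Apache Ranger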

wget https://www.apache.org/dist/ranger/2.4.0/apache-ranger-2.4.0.tar.gz --no-check-certificate

5. Download the Maven package

wget https://dlcdn.apache.org/maven/maven-3/3.9.4/binaries/apache-maven-3.9.4-bin.tar.gz --no-check-certificate

III. Building the Ranger source

1. Modify build_ranger_using_docker.sh from the official package

#!/bin/bash

# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License

#This script creates the Docker image (if not already created) and runs maven in the container
#1. Install Docker
#2. Checkout Ranger source and go to the root directory
#3. Run this script. If host is linux, then run this script as "sudo $0 ..."
#4. If you are running on Mac, then you don't need to use "sudo"
#5. To delete the image, run "[sudo] docker rmi ranger_dev"

#Usage: [sudo] ./build_ranger_using_docker.sh [-build_image] mvn <build params>
#Example 1 (default no param): (mvn -Pall -DskipTests=true clean compile package install)
#Example 2 (Regular build): ./build_ranger_using_docker.sh mvn -Pall clean install -DskipTests=true
#Example 3 (Recreate Docker image): ./build_ranger_using_docker.sh mvn -Pall -build_image clean install -DskipTests=true
#Notes: To remove build image manually, run "docker rmi ranger_dev" or "sudo docker rmi ranger_dev"

default_command="mvn -Pall -DskipTests=true clean compile package install"

build_image=0
if [ "$1" = "-build_image" ]; then
    build_image=1
    shift
fi

params=$*
if [ $# -eq 0 ]; then
    params=$default_command
fi

image_name="ranger_dev"
# Home directory used as the mount point for .m2 inside the container
remote_home="$HOME"
container_name="--name ranger_build"

if [ ! -d security-admin ]; then
    echo "ERROR: Run the script from root folder of source. e.g. $HOME/git/ranger"
    exit 1
fi

# Build the image if it does not exist yet
images=`docker images | cut -f 1 -d " "`
[[ $images =~ $image_name ]] && found_image=1 || build_image=1

if [ $build_image -eq 1 ]; then
    echo "Creating image $image_name ..."
    docker rmi -f $image_name
    # The heredoc is unquoted, so the host shell expands variables in it.
    # Variables that Docker must expand at build time are escaped with a backslash.
    docker build -t $image_name - <<Dockerfile
FROM centos:centos7.6.1810

RUN mkdir /tools
WORKDIR /tools

#Install default services
RUN yum install -y wget git gcc bzip2 fontconfig python3 java-1.8.0-openjdk-devel.x86_64
RUN ln -sf /usr/bin/python3 /usr/bin/python

ENV JAVA_HOME /usr/lib/jvm/java-1.8.0-openjdk/
ENV PATH \$JAVA_HOME/bin:\$PATH

RUN wget https://dlcdn.apache.org/maven/maven-3/3.9.4/binaries/apache-maven-3.9.4-bin.tar.gz --no-check-certificate
RUN tar xfz apache-maven-3.9.4-bin.tar.gz
RUN ln -sf /tools/apache-maven-3.9.4 /tools/maven

ENV PATH /tools/maven/bin:\$PATH
ENV MAVEN_OPTS "-Xmx2048m -XX:MaxPermSize=512m"

RUN mkdir -p /scripts
RUN echo "#!/bin/bash" > /scripts/mvn.sh
RUN echo 'set -x; exec "\$@" ' >> /scripts/mvn.sh

RUN chmod -R 777 /scripts
RUN chmod -R 777 /tools

ENTRYPOINT ["/scripts/mvn.sh"]
Dockerfile
fi

src_folder=`pwd`
LOCAL_M2="$HOME/.m2"
mkdir -p "$LOCAL_M2"

set -x
# Mount the source tree and the local Maven repository into the container
docker run --rm -v "${src_folder}:/ranger" -w "/ranger" -v "${LOCAL_M2}:${remote_home}/.m2" $container_name $image_name $params

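Notes:

The lab environment is CentOS 7.6, and some overseas sources cannot be reached from within China, so the script was modified and trimmed. In this experiment the script is run as root, and the build inside the container also runs as root.

1. The original script's base image is centos:latest, which corresponds to CentOS 8.1; it is changed to centos:centos7.6.1810;

2. The original script installs JDK 8 from jdk-8u101-linux-x64.rpm in AWS s3's docker-assets; it is changed to use the OpenJDK 1.8 shipped with CentOS, i.e. java-1.8.0-openjdk-devel.x86_64;

3. The original script does not install python3, so the final build fails because the python3 package cannot be found; python3 is now installed and made the default, i.e. RUN ln -sf /usr/bin/python3 /usr/bin/python

4. The original script installs Maven by using ADD to fetch apache-maven-3.6.3-bin.tar.gz and verifying the package; it is changed to fetch the latest apache-maven-3.9.4-bin.tar.gz with wget, with no additional package integrity check, i.e. wget https://dlcdn.apache.org/maven/maven-3/3.9.4/binaries/apache-maven-3.9.4-bin.tar.gz --no-check-certificate

5. The original startup script creates and uses a non-root user, builder, which runs into permission restrictions on the local volumes mapped when the container is run later. Since this is only a temporary build, everything related to the builder user is removed, including the gosu installation, user creation and user checks, keeping only echo 'set -x; exec "\$@" ' >> /scripts/mvn.sh

6. In the original script ${remote_home} is empty, so the .m2 directory under the home of the user running the script is mapped to .m2 in the container's root directory; it is changed to the home directory of the working user inside the container, i.e. remote_home="$HOME"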
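Steps 4 and 5 of the host preparation and note 4 above fetch the Ranger and Maven tarballs with --no-check-certificate and without a checksum step, so neither the server nor the file content is authenticated. The following added example (not part of the original post or of the Ranger project) is a SHA-512 gate that can run after each download; the function names are hypothetical, and it assumes the matching .sha512 file was obtained from the same release directory with certificate checking enabled.

```shell
#!/bin/sh
# Added example: SHA-512 gate for the tarballs this guide downloads.

# Print the digest stored in checksum file $1 for artifact name $2 as
# lowercase hex. Handles a bare digest, "digest  name" (sha512sum) and
# "name: ABCD EF01 ..." (gpg --print-md) layouts.
normalize_digest() {
    awk -v name="$2" '
        { buf = buf $0 " " }
        END {
            # Drop the file name first so its letters are not read as hex.
            while ((i = index(buf, name)) > 0)
                buf = substr(buf, 1, i - 1) substr(buf, i + length(name))
            gsub(/[^0-9A-Fa-f]/, "", buf)
            printf "%s", tolower(buf)
        }' "$1"
}

# verify_sha512 ARTIFACT CHECKSUM_FILE
# Returns 0 = digest matches, 1 = mismatch, 2 = missing or unusable input.
verify_sha512() {
    vs_artifact=$1 vs_sumfile=$2
    if [ ! -f "$vs_artifact" ] || [ ! -f "$vs_sumfile" ]; then
        echo "missing input: $vs_artifact / $vs_sumfile" >&2; return 2
    fi
    vs_expected=$(normalize_digest "$vs_sumfile" "$(basename "$vs_artifact")")
    # A SHA-512 digest is exactly 128 hex chars; a truncated file or an
    # error page saved in place of the checksum fails here.
    if [ "${#vs_expected}" -ne 128 ]; then
        echo "unusable checksum file: $vs_sumfile" >&2; return 2
    fi
    vs_actual=$(sha512sum < "$vs_artifact" | cut -d ' ' -f 1)
    if [ "$vs_actual" != "$vs_expected" ]; then
        echo "SHA-512 mismatch: $vs_artifact" >&2; return 1
    fi
    echo "verified: $vs_artifact"
}

# Intended use after the downloads in this guide (the .sha512 companion
# files are an assumption, see the lead-in):
#   verify_sha512 apache-ranger-2.4.0.tar.gz apache-ranger-2.4.0.tar.gz.sha512 || exit 1
#   verify_sha512 apache-maven-3.9.4-bin.tar.gz apache-maven-3.9.4-bin.tar.gz.sha512 || exit 1
```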

2. Run the script to build

chmod +x build_ranger_using_docker.sh

./build_ranger_using_docker.sh

Notes:

See the usage instructions in the script:

#Usage: [sudo] ./build_ranger_using_docker.sh [-build_image] mvn <build params>

#Example 1 (default no param): (mvn -Pall -DskipTests=true clean compile package install)

#Example 2 (Regular build): ./build_ranger_using_docker.sh mvn -Pall clean install -DskipTests=true

#Example 3 (Recreate Docker image): ./build_ranger_using_docker.sh mvn -Pall -build_image clean install -DskipTests=true

3. Build check

[INFO] ------------------------------------------------------------------------

[INFO] Reactor Summary for ranger 2.4.0:

[INFO]

[INFO] ranger ............................................. SUCCESS [ 12.567 s]

[INFO] Jdbc SQL Connector ................................. SUCCESS [ 13.553 s]

[INFO] Credential Support ................................. SUCCESS [ 14.914 s]

[INFO] Audit Component .................................... SUCCESS [01:09 min]

[INFO] ranger-plugin-classloader .......................... SUCCESS [ 9.662 s]

[INFO] Common library for Plugins ......................... SUCCESS [02:03 min]

[INFO] ranger-intg ........................................ SUCCESS [ 40.185 s]

[INFO] Installer Support Component ........................ SUCCESS [ 8.196 s]

[INFO] Credential Builder ................................. SUCCESS [ 12.157 s]

[INFO] Embedded Web Server Invoker ........................ SUCCESS [ 33.355 s]

[INFO] Key Management Service ............................. SUCCESS [01:40 min]

[INFO] HBase Security Plugin Shim ......................... SUCCESS [ 52.109 s]

[INFO] HBase Security Plugin .............................. SUCCESS [01:25 min]

[INFO] Hdfs Security Plugin ............................... SUCCESS [ 36.159 s]

[INFO] Hive Security Plugin ............................... SUCCESS [ 41.491 s]

[INFO] Knox Security Plugin Shim .......................... SUCCESS [ 9.255 s]

[INFO] Knox Security Plugin ............................... SUCCESS [ 21.750 s]

[INFO] Storm Security Plugin .............................. SUCCESS [ 16.017 s]

[INFO] YARN Security Plugin ............................... SUCCESS [ 13.554 s]

[INFO] Ozone Security Plugin .............................. SUCCESS [ 12.752 s]

[INFO] Ranger Util ........................................ SUCCESS [ 11.776 s]

[INFO] Unix Authentication Client ......................... SUCCESS [ 11.990 s]

[INFO] User Group Synchronizer Util ....................... SUCCESS [ 6.909 s]

[INFO] Security Admin Web Application ..................... SUCCESS [08:54 min]

[INFO] KAFKA Security Plugin .............................. SUCCESS [01:17 min]

[INFO] SOLR Security Plugin ............................... SUCCESS [01:18 min]

[INFO] NestedStructure Security Plugin .................... SUCCESS [ 24.474 s]

[INFO] NiFi Security Plugin ............................... SUCCESS [ 12.265 s]

[INFO] NiFi Registry Security Plugin ...................... SUCCESS [ 11.211 s]

[INFO] Presto Security Plugin ............................. SUCCESS [ 24.201 s]

[INFO] Kudu Security Plugin ............................... SUCCESS [ 14.920 s]

[INFO] Unix User Group Synchronizer ....................... SUCCESS [02:08 min]

[INFO] Ldap Config Check Tool ............................. SUCCESS [ 11.640 s]

[INFO] Unix Authentication Service ........................ SUCCESS [ 11.348 s]

[INFO] KMS Security Plugin ................................ SUCCESS [01:13 min]

[INFO] Tag Synchronizer ................................... SUCCESS [ 45.784 s]

[INFO] Hdfs Security Plugin Shim .......................... SUCCESS [ 9.535 s]

[INFO] Hive Security Plugin Shim .......................... SUCCESS [01:23 min]

[INFO] YARN Security Plugin Shim .......................... SUCCESS [ 42.092 s]

[INFO] OZONE Security Plugin Shim ......................... SUCCESS [ 23.710 s]

[INFO] Storm Security Plugin shim ......................... SUCCESS [ 10.665 s]

[INFO] KAFKA Security Plugin Shim ......................... SUCCESS [ 10.838 s]

[INFO] SOLR Security Plugin Shim .......................... SUCCESS [ 22.091 s]

[INFO] Atlas Security Plugin Shim ......................... SUCCESS [ 28.752 s]

[INFO] KMS Security Plugin Shim ........................... SUCCESS [ 52.920 s]

[INFO] Presto Security Plugin Shim ........................ SUCCESS [ 26.065 s]

[INFO] ranger-examples .................................... SUCCESS [ 0.272 s]

[INFO] Ranger Examples - Conditions and ContextEnrichers .. SUCCESS [ 11.692 s]

[INFO] Ranger Examples - SampleApp ........................ SUCCESS [ 5.863 s]

[INFO] Ranger Examples - Ranger Plugin for SampleApp ...... SUCCESS [ 10.167 s]

[INFO] sample-client ...................................... SUCCESS [ 11.777 s]

[INFO] Apache Ranger Examples Distribution ................ SUCCESS [ 6.742 s]

[INFO] Ranger Tools ....................................... SUCCESS [ 35.518 s]

[INFO] Atlas Security Plugin .............................. SUCCESS [ 41.615 s]

[INFO] SchemaRegistry Security Plugin ..................... SUCCESS [03:02 min]

[INFO] Sqoop Security Plugin .............................. SUCCESS [ 53.693 s]

[INFO] Sqoop Security Plugin Shim ......................... SUCCESS [ 14.680 s]

[INFO] Kylin Security Plugin .............................. SUCCESS [03:33 min]

[INFO] Kylin Security Plugin Shim ......................... SUCCESS [ 41.171 s]

[INFO] Elasticsearch Security Plugin Shim ................. SUCCESS [ 22.381 s]

[INFO] Elasticsearch Security Plugin ...................... SUCCESS [ 37.204 s]

[INFO] Apache Ranger Distribution ......................... SUCCESS [02:26 min]

[INFO] Unix Native Authenticator .......................... SUCCESS [ 4.438 s]

[INFO] ------------------------------------------------------------------------

[INFO] BUILD SUCCESS

[INFO] ------------------------------------------------------------------------

[INFO] Total time: 49:17 min

[INFO] Finished at: 2023-08-07T10:43:31Z

[INFO] ------------------------------------------------------------------------

The generated packages can be seen in the target directory:

-rw-r--r-- 1 root root 579387182 Aug 7 18:42 ranger-2.4.0-admin.tar.gz

-rw-r--r-- 1 root root 43729654 Aug 7 18:43 ranger-2.4.0-atlas-plugin.tar.gz

-rw-r--r-- 1 root root 34172214 Aug 7 18:43 ranger-2.4.0-elasticsearch-plugin.tar.gz

-rw-r--r-- 1 root root 39122941 Aug 7 18:42 ranger-2.4.0-hbase-plugin.tar.gz

-rw-r--r-- 1 root root 37684529 Aug 7 18:42 ranger-2.4.0-hdfs-plugin.tar.gz

-rw-r--r-- 1 root root 37478412 Aug 7 18:42 ranger-2.4.0-hive-plugin.tar.gz

-rw-r--r-- 1 root root 56846325 Aug 7 18:42 ranger-2.4.0-kafka-plugin.tar.gz

-rw-r--r-- 1 root root 195376717 Aug 7 18:43 ranger-2.4.0-kms.tar.gz

-rw-r--r-- 1 root root 51454934 Aug 7 18:42 ranger-2.4.0-knox-plugin.tar.gz

-rw-r--r-- 1 root root 36625366 Aug 7 18:43 ranger-2.4.0-kylin-plugin.tar.gz

-rw-r--r-- 1 root root 34201 Aug 7 18:43 ranger-2.4.0-migration-util.tar.gz

-rw-r--r-- 1 root root 43393403 Aug 7 18:42 ranger-2.4.0-ozone-plugin.tar.gz

-rw-r--r-- 1 root root 57425250 Aug 7 18:43 ranger-2.4.0-presto-plugin.tar.gz

-rw-r--r-- 1 root root 16563346 Aug 7 18:43 ranger-2.4.0-ranger-tools.tar.gz

-rw-r--r-- 1 root root 36915 Aug 7 18:42 ranger-2.4.0-solr_audit_conf.tar.gz

-rw-r--r-- 1 root root 38256335 Aug 7 18:42 ranger-2.4.0-solr-plugin.tar.gz

-rw-r--r-- 1 root root 36860763 Aug 7 18:43 ranger-2.4.0-sqoop-plugin.tar.gz

-rw-r--r-- 1 root root 6376456 Aug 7 18:43 ranger-2.4.0-src.tar.gz

-rw-r--r-- 1 root root 51760282 Aug 7 18:42 ranger-2.4.0-storm-plugin.tar.gz

-rw-r--r-- 1 root root 31046503 Aug 7 18:42 ranger-2.4.0-tagsync.tar.gz

-rw-r--r-- 1 root root 20128101 Aug 7 18:42 ranger-2.4.0-usersync.tar.gz

-rw-r--r-- 1 root root 35792990 Aug 7 18:42 ranger-2.4.0-yarn-plugin.tar.gz

Reference:

Ranger Installation Guide - Ranger - Apache Software Foundation
