Apache Ranger Permission Management

Apache Ranger provides the following core modules:

  • Ranger Admin: the core module of Ranger. It ships with a web UI, and users create and update security policies either through that UI or through the REST interface. The plugins of the individual Hadoop ecosystem components poll Ranger Admin periodically and pull these policies.
  • Agent Plugin: a plugin embedded in each Hadoop ecosystem component. It periodically pulls security policies from Ranger Admin and stores them in a local file. When a user accesses the component, the plugin evaluates the request against the policies and returns the decision to the component.
  • User Sync: pulls user and group information and synchronizes the user and group data into Ranger's database.

Besides its native RBAC privilege system, StarRocks 3.1.9 and later also support access control through Apache Ranger. StarRocks currently supports:

  • Creating Access policies, Masking policies and Row-level filter policies through Ranger.
  • Ranger audit logs.
  • Ranger Servers with Kerberos authentication are not yet supported.

Build

mvn install package -DskipTests -Dfast -Drat.skip=true -Dmaven.test.skip=true -Dcheckstyle.skip=true -Denforcer.skip=true

ranger-admin
install.properties
```bash
PYTHON_COMMAND_INVOKER=python

#DB_FLAVOR=MYSQL|ORACLE|POSTGRES|MSSQL|SQLA
DB_FLAVOR=MYSQL
#

#
# Location of DB client library (please check the location of the jar file)
#
#SQL_CONNECTOR_JAR=/usr/share/java/ojdbc6.jar
#SQL_CONNECTOR_JAR=/usr/share/java/mysql-connector-java.jar
#SQL_CONNECTOR_JAR=/usr/share/java/postgresql.jar
#SQL_CONNECTOR_JAR=/usr/share/java/sqljdbc4.jar
#SQL_CONNECTOR_JAR=/opt/sqlanywhere17/java/sajdbc4.jar
SQL_CONNECTOR_JAR=/data/app/apache-ranger/mysql-connector-java-5.1.47.jar

db_root_user=root
db_root_password=OIRLkZvqIQyB
db_host=localhost:3306
#SSL config
db_ssl_enabled=false
db_ssl_required=false
db_ssl_verifyServerCertificate=false
#db_ssl_auth_type=1-way|2-way, where 1-way represents standard one way ssl authentication and 2-way represents mutual ssl authentication
db_ssl_auth_type=1-way
javax_net_ssl_keyStore=
javax_net_ssl_keyStorePassword=
javax_net_ssl_trustStore=
javax_net_ssl_trustStorePassword=
javax_net_ssl_trustStore_type=jks
javax_net_ssl_keyStore_type=jks

# For postgresql db
db_ssl_certificate_file=

#
# DB UserId used for the Ranger schema
#
db_name=ranger
db_user=ranger
db_password=OIRLkZvqIQyB

#For over-riding the jdbc url.
is_override_db_connection_string=false
db_override_connection_string=


# change password. Password for below mentioned users can be changed only once using this property.
#PLEASE NOTE :: Password should be minimum 8 characters with min one alphabet and one numeric.
rangerAdmin_password=Ranger123456
rangerTagsync_password=Ranger123456
rangerUsersync_password=Ranger123456
keyadmin_password=Ranger123456


#Source for Audit Store. Currently solr, elasticsearch and cloudwatch logs are supported.
# * audit_store is solr
audit_store=solr

audit_elasticsearch_password=
audit_elasticsearch_index=
audit_elasticsearch_bootstrap_enabled=true


# * audit_solr_url URL to Solr. E.g. http://<solr_host>:6083/solr/ranger_audits
audit_solr_urls=http://192.168.1.49:8983/solr/ranger_audits
audit_solr_user=
audit_solr_password=
audit_solr_zookeepers=192.168.1.49:2181

audit_solr_collection_name=ranger_audits
#solr Properties for cloud mode
audit_solr_config_name=ranger_audits
audit_solr_configset_location=
audit_solr_no_shards=1
audit_solr_no_replica=1
audit_solr_max_shards_per_node=1
audit_solr_acl_user_list_sasl=solr,infra-solr
audit_solr_bootstrap_enabled=true

# * audit to amazon cloudwatch properties
audit_cloudwatch_region=
audit_cloudwatch_log_group=
audit_cloudwatch_log_stream_prefix=

#------------------------- DB CONFIG - END ----------------------------------

#
# ------- PolicyManager CONFIG ----------------
#

policymgr_external_url=http://192.168.1.49:6080
policymgr_http_enabled=true
policymgr_https_keystore_file=
policymgr_https_keystore_keyalias=rangeradmin
policymgr_https_keystore_password=
```
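The install.properties above leaves the JDBC link to the policy database without TLS, keeps plaintext HTTP enabled on Ranger Admin, has no HTTPS keystore and sets the same simple password for all four built-in accounts. The following script is an added example (not code from the original post or from Apache Ranger) that parses a file in this key=value format and reports those settings, alongside a hardened counterpart that passes clean. The property names are the real install.properties keys; both embedded samples are constructed, and every password value in them is made up.

```python
"""Lint a Ranger Admin install.properties for weak transport and credential settings.

Added example; it is not code from the original post or from Apache Ranger. It
reads the same key=value format as the file above. The property names are the
real install.properties keys; both sample texts below are constructed, and the
password values in them are made up.
"""
import re
from typing import Dict, List

# Constructed sample mirroring the settings the post's file uses (site values replaced).
SAMPLE_INSTALL_PROPERTIES = """\
#DB_FLAVOR=MYSQL|ORACLE|POSTGRES|MSSQL|SQLA
DB_FLAVOR=MYSQL
db_root_user=root
db_root_password=Q7vLm2xPz9kTw4
db_host=localhost:3306
db_ssl_enabled=false
db_ssl_required=false
db_ssl_verifyServerCertificate=false
db_user=ranger
db_password=aB3dEf9gH1jKxY
rangerAdmin_password=Ranger123456
audit_store=solr
policymgr_external_url=http://ranger.example.test:6080
policymgr_http_enabled=true
policymgr_https_keystore_file=
"""

# Constructed hardened counterpart: TLS to the DB, HTTPS only, non-trivial admin password.
HARDENED_INSTALL_PROPERTIES = """\
DB_FLAVOR=MYSQL
db_root_user=root
db_root_password=Q7vLm2xPz9kTw4
db_host=db.example.test:3306
db_ssl_enabled=true
db_ssl_required=true
db_ssl_verifyServerCertificate=true
javax_net_ssl_trustStore=/etc/ranger/admin/truststore.jks
db_user=ranger
db_password=aB3dEf9gH1jKxY
rangerAdmin_password=uVw8Xy2Za5Bc7Dq
audit_store=solr
policymgr_external_url=https://ranger.example.test:6182
policymgr_http_enabled=false
policymgr_https_keystore_file=/etc/ranger/admin/keystore.jks
"""

PASSWORD_KEYS = ("db_root_password", "db_password", "rangerAdmin_password",
                 "rangerTagsync_password", "rangerUsersync_password", "keyadmin_password")
WEAK_PASSWORDS = {"ranger", "ranger123", "ranger123456", "admin", "admin123", "password", "password1"}

def parse_properties(text: str) -> Dict[str, str]:
    """Parse key=value lines; '#' comment lines and blank lines are skipped."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def password_is_weak(pw: str) -> bool:
    """Ranger's setup only enforces 8 chars with a letter and a digit; apply a stricter bar."""
    if not pw or (pw.startswith("<") and pw.endswith(">")):
        return True                                   # empty or an unfilled placeholder
    if pw.lower() in WEAK_PASSWORDS or len(pw) < 12:
        return True
    # word followed by digits (e.g. Ranger123456) passes Ranger's minimum but is a guessable pattern
    return re.fullmatch(r"[A-Za-z]+\d+", pw) is not None

def lint_install_properties(props: Dict[str, str]) -> List[str]:
    """Return one finding per weak setting, in the order the keys are checked."""
    findings: List[str] = []
    if props.get("db_ssl_enabled", "false").lower() != "true":
        findings.append("db_ssl_enabled: JDBC link to the policy database is not TLS-protected")
    elif props.get("db_ssl_verifyServerCertificate", "false").lower() != "true":
        findings.append("db_ssl_verifyServerCertificate: TLS is on but the DB certificate is not verified")
    if props.get("policymgr_http_enabled", "false").lower() == "true":
        findings.append("policymgr_http_enabled: console logins and plugin policy pulls travel over plaintext HTTP")
    if props.get("policymgr_external_url", "").startswith("http://"):
        findings.append("policymgr_external_url: plugins are pointed at an http:// URL")
    if not props.get("policymgr_https_keystore_file"):
        findings.append("policymgr_https_keystore_file: empty, so HTTPS cannot be enabled for Ranger Admin")
    for key in PASSWORD_KEYS:
        if key in props and password_is_weak(props[key]):
            findings.append(f"{key}: weak or placeholder password")
    if not props.get("audit_store"):
        findings.append("audit_store: empty, so plugin access decisions are not audited")
    return findings

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_INSTALL_PROPERTIES), ("hardened", HARDENED_INSTALL_PROPERTIES)):
        print(f"[{label}]")
        for finding in lint_install_properties(parse_properties(text)) or ["no findings"]:
            print("  -", finding)
```

Run it against a real file with `lint_install_properties(parse_properties(open("install.properties").read()))`; the weak-password bar is deliberately stricter than the one setup.sh enforces, so tune `WEAK_PASSWORDS` and the length threshold to local policy.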
setup.sh
  • Build the jisql/lib directory

```bash
[root@localhost lib]# ll
total 132
-rw-r--r-- 1 ranger ranger 19516 Jul 25 16:55 credentialbuilder-3.0.0-SNAPSHOT.jar
-rw-r--r-- 1 ranger ranger 29240 Jul 25 16:34 jisql-3.0.0-SNAPSHOT.jar
-rw-r--r-- 1 ranger ranger 78146 Jul 25 16:39 jopt-simple-5.0.4.jar
[root@localhost lib]# pwd
/data/app/apache-ranger/ranger-3.0.0-SNAPSHOT-admin/jisql/lib
```


ranger-admin command

```bash
[root@localhost lib]# ranger-admin --help
Invalid argument [--help];
Usage: Only start | stop | restart | metric | version, are supported.
For metric Usage: metric -type policies | audits | usergroup | services | database | contextenrichers | denyconditions
```

ranger-usersync user synchronization

setup.sh

```bash
[root@hadoop03 ranger-3.0.0-SNAPSHOT-usersync]# ranger-usersync start
Starting Apache Ranger Usersync Service
Apache Ranger Usersync Service with pid 84109 has started.
```


Integrating StarRocks privilege management

Reference: https://docs.starrocks.io/zh/docs/3.2/administration/user_privs/ranger_plugin/

```bash
curl -u admin:Ranger123456  -X POST -H "Accept: application/json" \
-H "Content-Type: application/json" \
http://hadoop03:6080/service/plugins/definitions -d@ranger-servicedef-starrocks.json
```
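Once the StarRocks service definition is registered with the curl call above, the Access and Row-level filter policies listed at the top of the page can be created programmatically instead of through the web UI. The script below is an added example; it is not code from the original post, from Apache Ranger or from StarRocks. The endpoint `/service/public/v2/api/policy` and the policy JSON layout (`policyType`, `resources`, `policyItems`, `rowFilterPolicyItems`) are Ranger's public v2 API. The resource names `catalog`/`database`/`table`, the catalog name `default_catalog` and the access type `select` are assumptions about the StarRocks service definition; the service name, database, table and group in the sample are placeholders. It also includes a pre-submit review that rejects wildcard resources, grants to the catch-all `public` group and delegated admin, which is the check a reviewer would want before a policy reaches production.

```python
"""Build and submit StarRocks policies to Ranger Admin through the public v2 REST API.

Added example; not code from the original post, from Apache Ranger or from StarRocks.
The endpoint and JSON layout are Ranger's public v2 policy API. The resource names
catalog/database/table, the catalog name default_catalog and the access type "select"
are assumed to match the StarRocks service definition registered above.
"""
import base64
import json
import urllib.request
from typing import Dict, List

def _res(value: str) -> Dict:
    """One resource entry: explicit value, no exclusion, no recursion."""
    return {"values": [value], "isExcludes": False, "isRecursive": False}

def build_access_policy(service: str, name: str, database: str, table: str,
                        groups: List[str], accesses=("select",)) -> Dict:
    """policyType 0 = access policy: allow the listed accesses on one table to the given groups."""
    return {
        "service": service,
        "name": name,
        "policyType": 0,
        "isEnabled": True,
        "isAuditEnabled": True,          # keep audits on so Ranger's audit log records each decision
        "resources": {"catalog": _res("default_catalog"),   # assumed StarRocks resource layout
                      "database": _res(database),
                      "table": _res(table)},
        "policyItems": [{
            "accesses": [{"type": a, "isAllowed": True} for a in accesses],
            "users": [],
            "groups": list(groups),
            "delegateAdmin": False,      # grantees may not edit the policy themselves
        }],
    }

def build_row_filter_policy(service: str, name: str, database: str, table: str,
                            groups: List[str], filter_expr: str) -> Dict:
    """policyType 2 = row-level filter: the groups only see rows matching filter_expr."""
    return {
        "service": service,
        "name": name,
        "policyType": 2,
        "isEnabled": True,
        "isAuditEnabled": True,
        "resources": {"catalog": _res("default_catalog"),
                      "database": _res(database),
                      "table": _res(table)},
        "rowFilterPolicyItems": [{
            "rowFilterInfo": {"filterExpr": filter_expr},
            "accesses": [{"type": "select", "isAllowed": True}],
            "users": [],
            "groups": list(groups),
        }],
    }

def least_privilege_problems(policy: Dict) -> List[str]:
    """Pre-submit review: flag wildcard resources, the catch-all 'public' group and delegated admin."""
    problems: List[str] = []
    for level, res in policy.get("resources", {}).items():
        if "*" in res.get("values", []):
            problems.append(f"resource {level} is a wildcard")
    for item in policy.get("policyItems", []) + policy.get("rowFilterPolicyItems", []):
        if "public" in item.get("groups", []):
            problems.append("policy item grants to the 'public' group")
        if item.get("delegateAdmin"):
            problems.append("policy item delegates admin")
    return problems

def post_policy(admin_url: str, user: str, password: str, policy: Dict) -> Dict:
    """Create the policy with HTTP basic auth; Ranger replies with the stored policy, including its id."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{admin_url.rstrip('/')}/service/public/v2/api/policy",
        data=json.dumps(policy).encode(),
        method="POST",
        headers={"Authorization": f"Basic {token}",
                 "Content-Type": "application/json",
                 "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())

if __name__ == "__main__":
    # Constructed sample: service name, database, table and group are placeholders.
    pol = build_access_policy("starrocks_dev", "analysts-read-orders", "sales", "orders", ["analysts"])
    rf = build_row_filter_policy("starrocks_dev", "analysts-cn-rows", "sales", "orders",
                                 ["analysts"], "region = 'cn'")
    for p in (pol, rf):
        assert not least_privilege_problems(p), least_privilege_problems(p)
    print(json.dumps(pol, indent=2))
    # post_policy("http://hadoop03:6080", "admin", "<ranger-admin-password>", pol)  # against a live Ranger Admin
```

`post_policy` is only reached when the review returns no problems; pass the Ranger Admin URL, an admin account and the built document, and check the returned `id` in the Ranger UI. Masking policies follow the same shape with `policyType` 1 and `dataMaskPolicyItems`.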


RBAC access control

  • Database

  • Column

Row filtering
