Apache Ranger 权限管理

Apache Ranger 提供以下核心模块:

  • Ranger Admin:Ranger 的核心模块,内置了一个 Web 界面,用户可以通过界面或者 REST 接口来创建和更新安全策略。Hadoop 生态各个组件的 Plugin 定期对这些策略进行轮询和拉取。
  • Agent Plugin:嵌入到 Hadoop 生态圈组件的 Plugin,定期从 Ranger Admin 拉取安全策略,存储在本地文件中。当用户访问组件时,Plugin 会根据安全策略对请求进行安全评估,将结果反馈给相应组件。
  • User Sync:用于拉取用户和用户组的信息,将用户和用户组的权限数据同步到 Ranger 的数据库中。

除了原生的 RBAC 权限系统,StarRocks 3.1.9 及后续版本还支持通过 Apache Ranger 来进行访问控制。目前 StarRocks 在能力上支持:

  • 通过 Ranger 创建 Access policy、Masking policy、Row-level filter policy。
  • 支持 Ranger 审计日志。
  • 暂不支持 Kerberos 认证的 Ranger Server。
编译

mvn install package -DskipTests -Dfast -Drat.skip=true -Dmaven.test.skip=true -Dcheckstyle.skip=true -Denforcer.skip=true

ranger-admin
install.properties
bash 复制代码
PYTHON_COMMAND_INVOKER=python

#DB_FLAVOR=MYSQL|ORACLE|POSTGRES|MSSQL|SQLA
DB_FLAVOR=MYSQL
#

#
# Location of DB client library (please check the location of the jar file)
#
#SQL_CONNECTOR_JAR=/usr/share/java/ojdbc6.jar
#SQL_CONNECTOR_JAR=/usr/share/java/mysql-connector-java.jar
#SQL_CONNECTOR_JAR=/usr/share/java/postgresql.jar
#SQL_CONNECTOR_JAR=/usr/share/java/sqljdbc4.jar
#SQL_CONNECTOR_JAR=/opt/sqlanywhere17/java/sajdbc4.jar
SQL_CONNECTOR_JAR=/data/app/apache-ranger/mysql-connector-java-5.1.47.jar

db_root_user=root
db_root_password=OIRLkZvqIQyB
db_host=localhost:3306
#SSL config
db_ssl_enabled=false
db_ssl_required=false
db_ssl_verifyServerCertificate=false
#db_ssl_auth_type=1-way|2-way, where 1-way represents standard one way ssl authentication and 2-way represents mutual ssl authentication
db_ssl_auth_type=1-way
javax_net_ssl_keyStore=
javax_net_ssl_keyStorePassword=
javax_net_ssl_trustStore=
javax_net_ssl_trustStorePassword=
javax_net_ssl_trustStore_type=jks
javax_net_ssl_keyStore_type=jks

# For postgresql db
db_ssl_certificate_file=

#
# DB UserId used for the Ranger schema
#
db_name=ranger
db_user=ranger
db_password=OIRLkZvqIQyB

#For over-riding the jdbc url.
is_override_db_connection_string=false
db_override_connection_string=


# change password. Password for below mentioned users can be changed only once using this property.
#PLEASE NOTE :: Password should be minimum 8 characters with min one alphabet and one numeric.
rangerAdmin_password=Ranger123456
rangerTagsync_password=Ranger123456
rangerUsersync_password=Ranger123456
keyadmin_password=Ranger123456


#Source for Audit Store. Currently solr, elasticsearch and cloudwatch logs are supported.
# * audit_store is solr
audit_store=solr

audit_elasticsearch_password=
audit_elasticsearch_index=
audit_elasticsearch_bootstrap_enabled=true


# * audit_solr_url URL to Solr. E.g. http://<solr_host>:6083/solr/ranger_audits
audit_solr_urls=http://192.168.1.49:8983/solr/ranger_audits
audit_solr_user=
audit_solr_password=
audit_solr_zookeepers=192.168.1.49:2181

audit_solr_collection_name=ranger_audits
#solr Properties for cloud mode
audit_solr_config_name=ranger_audits
audit_solr_configset_location=
audit_solr_no_shards=1
audit_solr_no_replica=1
audit_solr_max_shards_per_node=1
audit_solr_acl_user_list_sasl=solr,infra-solr
audit_solr_bootstrap_enabled=true

# * audit to amazon cloudwatch properties
audit_cloudwatch_region=
audit_cloudwatch_log_group=
audit_cloudwatch_log_stream_prefix=

#------------------------- DB CONFIG - END ----------------------------------

#
# ------- PolicyManager CONFIG ----------------
#

policymgr_external_url=http://192.168.1.49:6080
policymgr_http_enabled=true
policymgr_https_keystore_file=
policymgr_https_keystore_keyalias=rangeradmin
policymgr_https_keystore_password=
setup.sh
  • 构建 jisql/lib 目录
bash 复制代码
[root@localhost lib]# ll
total 132
-rw-r--r-- 1 ranger ranger 19516 Jul 25 16:55 credentialbuilder-3.0.0-SNAPSHOT.jar
-rw-r--r-- 1 ranger ranger 29240 Jul 25 16:34 jisql-3.0.0-SNAPSHOT.jar
-rw-r--r-- 1 ranger ranger 78146 Jul 25 16:39 jopt-simple-5.0.4.jar
[root@localhost lib]# pwd
/data/app/apache-ranger/ranger-3.0.0-SNAPSHOT-admin/jisql/lib


ranger-admin 命令
bash 复制代码
[root@localhost lib]# ranger-admin --help
Invalid argument [--help];
Usage: Only start | stop | restart | metric | version, are supported.
For metric Usage: metric -type policies | audits | usergroup | services | database | contextenrichers | denyconditions
ranger-usersync 用户同步

setup.sh

bash 复制代码
[root@hadoop03 ranger-3.0.0-SNAPSHOT-usersync]# ranger-usersync start
Starting Apache Ranger Usersync Service
Apache Ranger Usersync Service with pid 84109 has started.


整合 StarRocks 管理权限

参考:https://docs.starrocks.io/zh/docs/3.2/administration/user_privs/ranger_plugin/

bash 复制代码
curl -u admin:Ranger123456  -X POST -H "Accept: application/json" \
-H "Content-Type: application/json" \
http://hadoop03:6080/service/plugins/definitions -d@ranger-servicedef-starrocks.json


RBAC 权限控制
  • 数据库





  • 字段



行过滤



相关推荐
鲲志说8 小时前
数据洪流时代,如何挑选一款面向未来的时序数据库?IoTDB 的答案
大数据·数据库·apache·时序数据库·iotdb
psgogogo202516 小时前
Apache POI:Java操作Office文档的利器
java·开发语言·其他·apache
亚林瓜子18 小时前
Spring中使用Apache Http客户端调第三方系统接口临时查看请求体参数
spring·http·apache·log
zz-zjx18 小时前
Apache 生产环境操作与 LAMP 搭建指南
linux·运维·apache
DolphinScheduler社区18 小时前
(二)3.1.9 生产“稳”担当:Apache DolphinScheduler Worker 服务源码全方位解析
apache
SeaTunnel1 天前
一文掌握 Apache SeaTunnel 构建系统与分发基础架构
apache
左师佑图1 天前
Apache POI 在 Linux 无图形界面环境下因字体配置问题导致Excel导出失败的解决方案
linux·apache·excel
喵手1 天前
Java中的大数据流式计算与Apache Kafka集成!
java·华为云·apache
涤生大数据2 天前
Apache Doris性能优化全解析:慢查询定位与引擎深度调优
性能优化·apache·doris·大数据技术
88Ra2 天前
小程序中获取年月日时分的组件
java·小程序·apache