Apache Ranger 权限管理

Apache Ranger 提供以下核心模块:

  • Ranger Admin:Ranger 的核心模块,内置了一个 Web 界面,用户可以通过界面或者 REST 接口来创建和更新安全策略。Hadoop 生态各个组件的 Plugin 定期对这些策略进行轮询和拉取。
  • Agent Plugin:嵌入到 Hadoop 生态圈组件的 Plugin,定期从 Ranger Admin 拉取安全策略,存储在本地文件中。当用户访问组件时,Plugin 会根据安全策略对请求进行安全评估,将结果反馈给相应组件。
  • User Sync:用于拉取用户和用户组的信息,将用户和用户组的权限数据同步到 Ranger 的数据库中。

除了原生的 RBAC 权限系统,StarRocks 3.1.9 及后续版本还支持通过 Apache Ranger 来进行访问控制。目前 StarRocks 在能力上支持:

  • 通过 Ranger 创建 Access policy、Masking policy、Row-level filter policy。
  • 支持 Ranger 审计日志。
  • 暂不支持 Kerberos 认证的 Ranger Server。
编译

mvn install package -DskipTests -Dfast -Drat.skip=true -Dmaven.test.skip=true -Dcheckstyle.skip=true -Denforcer.skip=true

ranger-admin
install.properties
bash 复制代码
PYTHON_COMMAND_INVOKER=python

#DB_FLAVOR=MYSQL|ORACLE|POSTGRES|MSSQL|SQLA
DB_FLAVOR=MYSQL
#

#
# Location of DB client library (please check the location of the jar file)
#
#SQL_CONNECTOR_JAR=/usr/share/java/ojdbc6.jar
#SQL_CONNECTOR_JAR=/usr/share/java/mysql-connector-java.jar
#SQL_CONNECTOR_JAR=/usr/share/java/postgresql.jar
#SQL_CONNECTOR_JAR=/usr/share/java/sqljdbc4.jar
#SQL_CONNECTOR_JAR=/opt/sqlanywhere17/java/sajdbc4.jar
SQL_CONNECTOR_JAR=/data/app/apache-ranger/mysql-connector-java-5.1.47.jar

db_root_user=root
db_root_password=OIRLkZvqIQyB
db_host=localhost:3306
#SSL config
db_ssl_enabled=false
db_ssl_required=false
db_ssl_verifyServerCertificate=false
#db_ssl_auth_type=1-way|2-way, where 1-way represents standard one way ssl authentication and 2-way represents mutual ssl authentication
db_ssl_auth_type=1-way
javax_net_ssl_keyStore=
javax_net_ssl_keyStorePassword=
javax_net_ssl_trustStore=
javax_net_ssl_trustStorePassword=
javax_net_ssl_trustStore_type=jks
javax_net_ssl_keyStore_type=jks

# For postgresql db
db_ssl_certificate_file=

#
# DB UserId used for the Ranger schema
#
db_name=ranger
db_user=ranger
db_password=OIRLkZvqIQyB

#For over-riding the jdbc url.
is_override_db_connection_string=false
db_override_connection_string=


# change password. Password for below mentioned users can be changed only once using this property.
#PLEASE NOTE :: Password should be minimum 8 characters with min one alphabet and one numeric.
rangerAdmin_password=Ranger123456
rangerTagsync_password=Ranger123456
rangerUsersync_password=Ranger123456
keyadmin_password=Ranger123456


#Source for Audit Store. Currently solr, elasticsearch and cloudwatch logs are supported.
# * audit_store is solr
audit_store=solr

audit_elasticsearch_password=
audit_elasticsearch_index=
audit_elasticsearch_bootstrap_enabled=true


# * audit_solr_url URL to Solr. E.g. http://<solr_host>:6083/solr/ranger_audits
audit_solr_urls=http://192.168.1.49:8983/solr/ranger_audits
audit_solr_user=
audit_solr_password=
audit_solr_zookeepers=192.168.1.49:2181

audit_solr_collection_name=ranger_audits
#solr Properties for cloud mode
audit_solr_config_name=ranger_audits
audit_solr_configset_location=
audit_solr_no_shards=1
audit_solr_no_replica=1
audit_solr_max_shards_per_node=1
audit_solr_acl_user_list_sasl=solr,infra-solr
audit_solr_bootstrap_enabled=true

# * audit to amazon cloudwatch properties
audit_cloudwatch_region=
audit_cloudwatch_log_group=
audit_cloudwatch_log_stream_prefix=

#------------------------- DB CONFIG - END ----------------------------------

#
# ------- PolicyManager CONFIG ----------------
#

policymgr_external_url=http://192.168.1.49:6080
policymgr_http_enabled=true
policymgr_https_keystore_file=
policymgr_https_keystore_keyalias=rangeradmin
policymgr_https_keystore_password=
setup.sh
  • 构建 jisql/lib 目录
bash 复制代码
[root@localhost lib]# ll
total 132
-rw-r--r-- 1 ranger ranger 19516 Jul 25 16:55 credentialbuilder-3.0.0-SNAPSHOT.jar
-rw-r--r-- 1 ranger ranger 29240 Jul 25 16:34 jisql-3.0.0-SNAPSHOT.jar
-rw-r--r-- 1 ranger ranger 78146 Jul 25 16:39 jopt-simple-5.0.4.jar
[root@localhost lib]# pwd
/data/app/apache-ranger/ranger-3.0.0-SNAPSHOT-admin/jisql/lib


ranger-admin 命令
bash 复制代码
[root@localhost lib]# ranger-admin --help
Invalid argument [--help];
Usage: Only start | stop | restart | metric | version, are supported.
For metric Usage: metric -type policies | audits | usergroup | services | database | contextenrichers | denyconditions
ranger-usersync 用户同步

setup.sh

bash 复制代码
[root@hadoop03 ranger-3.0.0-SNAPSHOT-usersync]# ranger-usersync start
Starting Apache Ranger Usersync Service
Apache Ranger Usersync Service with pid 84109 has started.


整合 StarRocks 管理权限

参考:https://docs.starrocks.io/zh/docs/3.2/administration/user_privs/ranger_plugin/

bash 复制代码
curl -u admin:Ranger123456  -X POST -H "Accept: application/json" \
-H "Content-Type: application/json" \
http://hadoop03:6080/service/plugins/definitions -d@ranger-servicedef-starrocks.json


RBAC 权限控制
  • 数据库





  • 字段



行过滤



相关推荐
HashData酷克数据4 小时前
官宣:Apache Cloudberry (Incubating) 2.0.0 发布!
数据库·开源·apache·cloudberry
XMYX-010 小时前
解决 Apache/WAF SSL 证书链不完整导致的 PKIX path building failed 问题
网络协议·apache·ssl
IT·陈寒11 小时前
怎么这么多 StringUtils —— Apache、Spring、Hutool 全面对比
java·spring·apache
喂完待续1 天前
【Big Data】云原生与AI时代的存储基石 Apache Ozone 的技术演进路径
云原生·架构·apache·big data·序列晋升
todoitbo3 天前
时序数据库选型指南:Apache IoTDB快速部署与实战应用
apache·时序数据库·iotdb
IDOlaoluo3 天前
apache-jmeter-5.1.1安装部署与使用教程(小白一看就会)
jmeter·apache
倔强的石头1063 天前
时序数据库选型指南:为何Apache IoTDB成为工业物联网首选
apache·时序数据库·iotdb
wei_shuo3 天前
物联网时序数据存储方案:Apache IoTDB 集群部署全流程 + TimechoDB 优势解读
物联网·apache·iotdb
sanggou3 天前
Apache Doris:重塑湖仓一体架构的高效计算引擎
架构·数据分析·apache
C-20023 天前
Apache 的安装及基本使用
apache