Apache Hadoop Ecosystem Component Deployment Notes: Ranger

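zookeeper: Apache Hadoop Ecosystem Component Deployment Notes: ZooKeeper

hadoop: Apache Hadoop Ecosystem Component Deployment Notes: Hadoop

hive: Apache Hadoop Ecosystem Component Deployment Notes: Hive

hbase: Apache Hadoop Ecosystem Component Deployment Notes: HBase

impala: Apache Hadoop Ecosystem Component Deployment Notes: Impala

spark: Apache Hadoop Ecosystem Component Deployment Notes: Spark

sqoop: Apache Hadoop Ecosystem Component Deployment Notes: Sqoop

kafka: Apache Hadoop Ecosystem Component Deployment Notes: Kafka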

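Version chosen: Ranger 2.5. Other component versions: Hadoop 3.3.5, Hive 3.1.3, Tez 0.10.2, ZooKeeper 3.9.2.

Note: Having compiled Ranger 2.4 through Ranger 2.7 many times, any of them can be used if you do not care about compatibility between the Ranger version and the Hadoop, Hive, Tez and other versions. If compatibility matters, you have to change some dependency versions such as Hadoop and Hive. After a lot of build testing, Ranger 2.6 and Ranger 2.7 both showed some minor problems, which a later problem log will record.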

1. Building Ranger

1.1 Download Ranger 2.5 and extract it to the target path

tar -xf /wdata/disk3/softs/apache-ranger-2.5.0.tar.gz -C /wdata/disk2/

1.2 Change the version properties

<hadoop.version>3.3.4</hadoop.version>  change to  <hadoop.version>3.3.5</hadoop.version>
<libthrift.version>0.14.0</libthrift.version>  change to  <libthrift.version>0.13.0</libthrift.version>
<assembly.plugin.version>2.6</assembly.plugin.version>  change to  <assembly.plugin.version>3.3.0</assembly.plugin.version>

1.3 Run the build

mvn clean compile package install

1.4 Log of a successful build

[INFO] Installing /wdata/disk2/apache-ranger-2.5.0/target/ranger-2.5.0-schema-registry-plugin.jar to /root/.m2/repository/org/apache/ranger/ranger-distro/2.5.0/ranger-distro-2.5.0-schema-registry-plugin.jar
[INFO] Installing /wdata/disk2/apache-ranger-2.5.0/target/ranger-2.5.0-presto-plugin.tar.gz to /root/.m2/repository/org/apache/ranger/ranger-distro/2.5.0/ranger-distro-2.5.0-presto-plugin.tar.gz
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary for ranger 2.5.0:
[INFO]
[INFO] ranger ............................................. SUCCESS [  4.746 s]
[INFO] Jdbc SQL Connector ................................. SUCCESS [  6.282 s]
[INFO] Credential Support ................................. SUCCESS [  8.325 s]
[INFO] Audit Component .................................... SUCCESS [ 23.806 s]
[INFO] ranger-plugin-classloader .......................... SUCCESS [  4.645 s]
[INFO] Common library for Plugins ......................... SUCCESS [01:18 min]
[INFO] ranger-intg ........................................ SUCCESS [ 12.101 s]
[INFO] Installer Support Component ........................ SUCCESS [  4.214 s]
[INFO] Credential Builder ................................. SUCCESS [  9.146 s]
[INFO] Embedded Web Server Invoker ........................ SUCCESS [  8.387 s]
[INFO] Ranger HA Common Library ........................... SUCCESS [  8.878 s]
[INFO] ranger-metrics ..................................... SUCCESS [  9.323 s]
[INFO] Key Management Service ............................. SUCCESS [ 45.312 s]
[INFO] HBase Security Plugin Shim ......................... SUCCESS [  8.477 s]
[INFO] HBase Security Plugin .............................. SUCCESS [ 18.182 s]
[INFO] Hdfs Security Plugin ............................... SUCCESS [ 21.809 s]
[INFO] Hive Security Plugin ............................... SUCCESS [ 18.565 s]
[INFO] Knox Security Plugin Shim .......................... SUCCESS [  4.608 s]
[INFO] Knox Security Plugin ............................... SUCCESS [ 24.491 s]
[INFO] Storm Security Plugin .............................. SUCCESS [ 10.105 s]
[INFO] YARN Security Plugin ............................... SUCCESS [  5.818 s]
[INFO] Ozone Security Plugin .............................. SUCCESS [  6.765 s]
[INFO] Ranger Util ........................................ SUCCESS [  4.112 s]
[INFO] Unix Authentication Client ......................... SUCCESS [  3.062 s]
[INFO] User Group Synchronizer Util ....................... SUCCESS [  2.746 s]
[INFO] ranger-authn ....................................... SUCCESS [  3.773 s]
[INFO] Security Admin Web Application ..................... SUCCESS [06:50 min]
[INFO] KAFKA Security Plugin .............................. SUCCESS [ 53.917 s]
[INFO] SOLR Security Plugin ............................... SUCCESS [  7.892 s]
[INFO] NiFi Security Plugin ............................... SUCCESS [  7.756 s]
[INFO] NiFi Registry Security Plugin ...................... SUCCESS [  7.161 s]
[INFO] Kudu Security Plugin ............................... SUCCESS [  3.514 s]
[INFO] Unix User Group Synchronizer ....................... SUCCESS [ 35.265 s]
[INFO] Ldap Config Check Tool ............................. SUCCESS [  4.428 s]
[INFO] Unix Authentication Service ........................ SUCCESS [  4.170 s]
[INFO] Unix Native Authenticator .......................... SUCCESS [  2.124 s]
[INFO] KMS Security Plugin ................................ SUCCESS [ 13.065 s]
[INFO] Tag Synchronizer ................................... SUCCESS [ 11.825 s]
[INFO] Hdfs Security Plugin Shim .......................... SUCCESS [  3.397 s]
[INFO] Hive Security Plugin Shim .......................... SUCCESS [  4.280 s]
[INFO] YARN Security Plugin Shim .......................... SUCCESS [  3.491 s]
[INFO] OZONE Security Plugin Shim ......................... SUCCESS [  3.822 s]
[INFO] Storm Security Plugin shim ......................... SUCCESS [  3.509 s]
[INFO] KAFKA Security Plugin Shim ......................... SUCCESS [  3.404 s]
[INFO] SOLR Security Plugin Shim .......................... SUCCESS [  4.399 s]
[INFO] Atlas Security Plugin Shim ......................... SUCCESS [  3.724 s]
[INFO] KMS Security Plugin Shim ........................... SUCCESS [  4.734 s]
[INFO] ranger-examples .................................... SUCCESS [  0.066 s]
[INFO] Ranger Examples - Conditions and ContextEnrichers .. SUCCESS [  6.264 s]
[INFO] Ranger Examples - SampleApp ........................ SUCCESS [  2.736 s]
[INFO] Ranger Examples - Ranger Plugin for SampleApp ...... SUCCESS [  3.863 s]
[INFO] sample-client ...................................... SUCCESS [  5.864 s]
[INFO] Apache Ranger Examples Distribution ................ SUCCESS [  7.829 s]
[INFO] Ranger Tools ....................................... SUCCESS [ 21.405 s]
[INFO] Atlas Security Plugin .............................. SUCCESS [  8.564 s]
[INFO] SchemaRegistry Security Plugin ..................... SUCCESS [ 10.805 s]
[INFO] Sqoop Security Plugin .............................. SUCCESS [  9.257 s]
[INFO] Sqoop Security Plugin Shim ......................... SUCCESS [  4.055 s]
[INFO] Kylin Security Plugin .............................. SUCCESS [  8.512 s]
[INFO] Kylin Security Plugin Shim ......................... SUCCESS [  4.128 s]
[INFO] Presto Security Plugin ............................. SUCCESS [  8.788 s]
[INFO] Presto Security Plugin Shim ........................ SUCCESS [  4.276 s]
[INFO] Elasticsearch Security Plugin Shim ................. SUCCESS [  3.644 s]
[INFO] Elasticsearch Security Plugin ...................... SUCCESS [  5.047 s]
[INFO] Ranger Security Plugin for Trino ................... SUCCESS [  6.272 s]
[INFO] Apache Ranger Distribution ......................... SUCCESS [  02:45 h]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  03:03 h
[INFO] Finished at: 2025-11-11T12:05:11+08:00
[INFO] ------------------------------------------------------------------------

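Go into the target directory to check the build output.

Installing Ranger and its plugins later requires a Python 3 environment, so Python 3 has to be installed.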

2. Installing Python 3

2.1 Extract

tar -xf Python-3.9.0.tgz -C /opt/module/

2.2 Install the dependencies

yum -y install openssl-devel zlib-devel gcc libffi-devel
# Change to the source directory extracted in 2.1
cd /opt/module/Python-3.9.0

2.3 Configure the install directory

When configuring the Python build, be sure to add the --enable-shared option so that the corresponding shared library is built.

# Run in /opt/module/Python-3.9.0
./configure --enable-shared --prefix=/opt/module/python-3.9
make && make install
ln -s /opt/module/python-3.9/bin/python3.9 /usr/bin/python3
cp /opt/module/python-3.9/lib/libpython3.9.so.1.0 /usr/lib64/

2.4 Verify

python3 -V

3. Installing Ranger

3.1 Installing ranger-admin 2.5

A. Extract to the target path

# Run on node 232
mkdir -p /usr/share/java/
mkdir /opt/apache_v00/ranger-2.5.0
tar -xf ranger-2.5.0-admin.tar.gz -C  /opt/apache_v00/ranger-2.5.0
# Copy from node 230 to the node where Ranger is installed
scp /usr/share/java/mysql-connector-java.jar 192.168.242.232:/usr/share/java/

B. Create the database (run on the MySQL node)

create database ranger25;
CREATE USER 'ranger25'@'%' IDENTIFIED BY 'ranger25Zxcv';
grant all privileges on ranger25.* to 'ranger25'@'%'  identified by 'ranger25Zxcv';

C. Edit the configuration file

cp install.properties install.properties_20251020
vim install.properties

The main changes are:

db_root_user=root
db_root_password=123456
db_host=apache230.hadoop.com:3306
db_name=ranger25
db_user=ranger25
db_password=ranger25Zxcv
rangerAdmin_password=123456Zxcv.
rangerTagsync_password=123456Zxcv.
rangerUsersync_password=123456Zxcv.
hadoop_conf=/opt/apache_v00/hadoop-3.3.5/etc/hadoop
policymgr_external_url=http://apache232.hadoop.com:6080
# The original value here was audit_store=solr; leaving it unset turns it off
audit_store=

D. Run the initialization command

This step creates the Ranger tables and performs the grants, validation and related operations.

[root@apache232 ranger-2.5.0-admin]# ./setup.sh
2025-11-10 19:58:52,375   --------- Running Ranger PolicyManager Web Application Install Script ---------
2025-11-10 19:58:52,376  [I] uname=Linux
2025-11-10 19:58:52,378  [I] hostname=apache232.hadoop.com
2025-11-10 19:58:52,381  [I] DB_FLAVOR=MYSQL
2025-11-10 19:58:52,382  [I] Audit source=
2025-11-10 19:58:52,384  [I] Checking distribution name..
2025-11-10 19:58:52,388  [I] Found distribution : CentOS
2025-11-10 19:58:52,389  [I] check if command /opt/module/jdk1.8.0_144/bin/java exists
2025-11-10 19:58:52,390  [I] '/opt/module/jdk1.8.0_144/bin/java' command found
2025-11-10 19:58:52,470  [I] Checking MYSQL CONNECTOR FILE : /usr/share/java/mysql-connector-java.jar
........
2025-11-10 19:59:22,356  [I] Ranger all admins default password change request processed successfully..
Installation of Ranger PolicyManager Web Application is completed.

E. Set up the global environment

This creates /var/log/ranger/ and /etc/ranger/, sets up symlinks, and so on.

[root@apache232 ranger-2.5.0-admin]# ./set_globals.sh
usermod:无改变
[2025/10/22 10:36:34]:  [I] Soft linking /etc/ranger/admin/conf to ews/webapp/WEB-INF/classes/conf

F. Edit ranger-admin-site.xml

Path: /opt/apache_v00/ranger-2.5.0/ranger-2.5.0-admin/conf/ranger-admin-site.xml

The main changes are:

<property>
        <name>ranger.jpa.jdbc.user</name>
        <value>ranger25</value>
        <description />
</property>
<property>
        <name>ranger.service.host</name>
        <value>apache232.hadoop.com</value>
</property>

G. Start Ranger Admin

[root@apache232 ~]# ranger-admin start
Starting Apache Ranger Admin Service
Apache Ranger Admin Service with pid 116230 has started.
[root@apache232 ~]# jps
116230 EmbeddedServer
116326 Jps

H. Open the web page to verify

http://192.168.242.232:6080/#/policymanager/resource

3.2 Installing Ranger UserSync 2.5

A. Extract the archive to the target path

tar -xf /opt/softs/ranger-2.5.0-usersync.tar.gz -C /opt/apache_v00/ranger-2.5.0

B. Edit install.properties

The main changes are:

POLICY_MGR_URL = http://192.168.242.232:6080
# The password here must match the one set above
rangerUsersync_password=123456Zxcv.
hadoop_conf=/opt/apache_v00/hadoop-3.3.5/etc/hadoop

C. Initialize UserSync

[root@apache232 ranger-2.5.0-usersync]# ./setup.sh
Direct Key not found:SYNC_GROUP_USER_MAP_SYNC_ENABLED
Direct Key not found:hadoop_conf
Direct Key not found:ranger_base_dir
Direct Key not found:USERSYNC_PID_DIR_PATH
Direct Key not found:rangerUsersync_password
......
ranger.usersync.policymgr.password has been successfully created.
Provider jceks://file/etc/ranger/usersync/conf/rangerusersync.jceks was updated.
[I] Successfully updated password of rangerusersync user

D. Edit ranger-ugsync-site.xml

The main change is:

<property>
        <name>ranger.usersync.enabled</name>
        <value>true</value>
</property>

E. Start Ranger UserSync

[root@apache232 ranger-2.5.0-usersync]# ranger-usersync start
Starting Apache Ranger Usersync Service
Apache Ranger Usersync Service with pid 129807 has started.

F. Open the web page to check user and group synchronization

User synchronization status
Group synchronization status

3.3 Integrating Hive

A. Extract to the target path

tar -xf /opt/softs/ranger-2.5.0-hive-plugin.tar.gz -C /opt/apache_v00/ranger-2.5.0
cd /opt/apache_v00/ranger-2.5.0/ranger-2.5.0-hive-plugin
cp install.properties install.properties_20251111

B. Edit install.properties

# Ranger Admin web URL
POLICY_MGR_URL=http://192.168.242.232:6080
# Name of the repository created in the policy manager
REPOSITORY_NAME=hivetest
# Hive home path
COMPONENT_INSTALL_DIR_NAME=/opt/apache_v00/apache-hive-3.1.3

C. Enable the Hive plugin

Before enabling it, it is best to back up Hive's conf directory, because enabling the plugin should change the configuration files there (so far only added files have been observed).

cd /opt/apache_v00/apache-hive-3.1.3
mkdir conf_v1
cp -r conf/* conf_v1

Now enable the Hive plugin:

cd /opt/apache_v00/ranger-2.5.0/ranger-2.5.0-hive-plugin
[root@apache232 ranger-2.5.0-hive-plugin]# ./enable-hive-plugin.sh
Custom user and group is available, using custom user and group.
+ 2025年 11月 11日 星期二 09:23:12 CST : hive: lib folder=/opt/apache_v00/apache-hive-3.1.3/lib conf folder=/opt/apache_v00/apache-hive-3.1.3/conf
+ 2025年 11月 11日 星期二 09:23:12 CST : Creating default file from [/opt/apache_v00/ranger-2.5.0/ranger-2.5.0-hive-plugin/install/conf.templates/default/configuration.xml] for [/opt/apache_v00/apache-hive-3.1.3/conf/hiveserver2-site.xml] ..
+ 2025年 11月 11日 星期二 09:23:12 CST : Saving current config file: /opt/apache_v00/apache-hive-3.1.3/conf/hiveserver2-site.xml to /opt/apache_v00/apache-hive-3.1.3/conf/.hiveserver2-site.xml.20251111-092312 ...
+ 2025年 11月 11日 星期二 09:23:13 CST : Saving current config file: /opt/apache_v00/apache-hive-3.1.3/conf/ranger-hive-audit.xml to /opt/apache_v00/apache-hive-3.1.3/conf/.ranger-hive-audit.xml.20251111-092312 ...
+ 2025年 11月 11日 星期二 09:23:13 CST : Saving current config file: /opt/apache_v00/apache-hive-3.1.3/conf/ranger-hive-security.xml to /opt/apache_v00/apache-hive-3.1.3/conf/.ranger-hive-security.xml.20251111-092312 ...
+ 2025年 11月 11日 星期二 09:23:13 CST : Saving current config file: /opt/apache_v00/apache-hive-3.1.3/conf/ranger-policymgr-ssl.xml to /opt/apache_v00/apache-hive-3.1.3/conf/.ranger-policymgr-ssl.xml.20251111-092312 ...
+ 2025年 11月 11日 星期二 09:23:13 CST : Saving lib file: /opt/apache_v00/apache-hive-3.1.3/lib/ranger-hive-plugin-impl to /opt/apache_v00/apache-hive-3.1.3/lib/.ranger-hive-plugin-impl.20251111092313 ...
+ 2025年 11月 11日 星期二 09:23:13 CST : Saving lib file: /opt/apache_v00/apache-hive-3.1.3/lib/ranger-hive-plugin-shim-2.5.0.jar to /opt/apache_v00/apache-hive-3.1.3/lib/.ranger-hive-plugin-shim-2.5.0.jar.20251111092313 ...
+ 2025年 11月 11日 星期二 09:23:13 CST : Saving lib file: /opt/apache_v00/apache-hive-3.1.3/lib/ranger-plugin-classloader-2.5.0.jar to /opt/apache_v00/apache-hive-3.1.3/lib/.ranger-plugin-classloader-2.5.0.jar.20251111092313 ...
+ 2025年 11月 11日 星期二 09:23:14 CST : Saving current JCE file: /etc/ranger/hivetest/cred.jceks to /etc/ranger/hivetest/.cred.jceks.20251111092314 ...
Ranger Plugin for hive has been enabled. Please restart hive to ensure that changes are effective.

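At this point four new configuration files appear in the Hive conf directory /opt/apache_v00/apache-hive-3.1.3/conf:

hiveserver2-site.xml, ranger-hive-audit.xml, ranger-hive-security.xml, ranger-policymgr-ssl.xml

D. Distribute the configuration files to the other HiveServer2 nodes

To be able to demonstrate permissions for different users, set the hive.server2.enable.doAs parameter in hive-site.xml to true (change it on every node).

# hive.server2.enable.doAs=true means Hive runs tasks as the connecting user; false means everyone's tasks run as the hive user

Distribute the four new configuration files to the other HiveServer2 nodes.

# Distribute from node 232

cd /opt/apache_v00/apache-hive-3.1.3/conf

# hiveserver2-site.xml is one of the four new files listed above; without it the other HiveServer2 nodes do not authorize through Ranger
scp hiveserver2-site.xml ranger-security.xml ranger-hive-audit.xml ranger-hive-security.xml ranger-policymgr-ssl.xml 192.168.242.230:/opt/apache_v00/apache-hive-3.1.3/conf
scp hiveserver2-site.xml ranger-security.xml ranger-hive-audit.xml ranger-hive-security.xml ranger-policymgr-ssl.xml 192.168.242.231:/opt/apache_v00/apache-hive-3.1.3/conf

Distribute the dependency jars:

# The plugin files are in the lib folder reported by enable-hive-plugin.sh
cd /opt/apache_v00/apache-hive-3.1.3/lib
scp -r ranger-hive-plugin-impl ranger-hive-plugin-shim-2.5.0.jar ranger-plugin-classloader-2.5.0.jar 192.168.242.230:/opt/apache_v00/apache-hive-3.1.3/lib/
scp -r ranger-hive-plugin-impl ranger-hive-plugin-shim-2.5.0.jar ranger-plugin-classloader-2.5.0.jar 192.168.242.231:/opt/apache_v00/apache-hive-3.1.3/lib/

Then restart the Hive service.

E. Add a Hive service in the Ranger web UI

Click the plus sign.

Fill in the settings:

Service Name must match the configured value

Display Name is the name shown; set it to whatever you like

user and password can be anything

jdbc.url : jdbc:hive2://apache231.hadoop.com:10000

Click Test Connection.

Then connect to verify:

beeline -u "jdbc:hive2://apache232.hadoop.com:10000/default" -n admin -p 123456

I verified this, but it ran into HDFS permission problems, so I will wait until HDFS is also integrated below and then verify Ranger's permission control over HDFS and Hive together.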

3.4 Integrating HDFS

A. Extract to the target path

tar -xf /opt/softs/ranger-2.5.0-hdfs-plugin.tar.gz -C /opt/apache_v00/ranger-2.5.0

B. Configure install.properties

cd /opt/apache_v00/ranger-2.5.0/ranger-2.5.0-hdfs-plugin
vim install.properties

POLICY_MGR_URL=http://192.168.242.232:6080
REPOSITORY_NAME=hdfstest
COMPONENT_INSTALL_DIR_NAME=/opt/apache_v00/hadoop-3.3.5

C. Enable the HDFS plugin

As before, back up the HDFS configuration files before enabling the HDFS plugin.

cd /opt/apache_v00/hadoop-3.3.5/etc
mkdir hadoop_20251111 && cp -r hadoop/* hadoop_20251111

Now enable the HDFS plugin:

cd /opt/apache_v00/ranger-2.5.0/ranger-2.5.0-hdfs-plugin

[root@apache232 ranger-2.5.0-hdfs-plugin]# ./enable-hdfs-plugin.sh
Custom group is available, using default user and custom group.
+ 2025年 11月 11日 星期二 09:56:08 CST : hadoop: lib folder=/opt/apache_v00/hadoop-3.3.5/share/hadoop/hdfs/lib conf folder=/opt/apache_v00/hadoop-3.3.5/etc/hadoop
+ 2025年 11月 11日 星期二 09:56:08 CST : Saving current config file: /opt/apache_v00/hadoop-3.3.5/etc/hadoop/hdfs-site.xml to /opt/apache_v00/hadoop-3.3.5/etc/hadoop/.hdfs-site.xml.20251111-095608 ...
+ 2025年 11月 11日 星期二 09:56:08 CST : Saving current config file: /opt/apache_v00/hadoop-3.3.5/etc/hadoop/ranger-hdfs-audit.xml to /opt/apache_v00/hadoop-3.3.5/etc/hadoop/.ranger-hdfs-audit.xml.20251111-095608 ...
+ 2025年 11月 11日 星期二 09:56:08 CST : Saving current config file: /opt/apache_v00/hadoop-3.3.5/etc/hadoop/ranger-hdfs-security.xml to /opt/apache_v00/hadoop-3.3.5/etc/hadoop/.ranger-hdfs-security.xml.20251111-095608 ...
+ 2025年 11月 11日 星期二 09:56:09 CST : Saving current config file: /opt/apache_v00/hadoop-3.3.5/etc/hadoop/ranger-policymgr-ssl.xml to /opt/apache_v00/hadoop-3.3.5/etc/hadoop/.ranger-policymgr-ssl.xml.20251111-095608 ...
+ 2025年 11月 11日 星期二 09:56:09 CST : Saving current JCE file: /etc/ranger/hdfstest/cred.jceks to /etc/ranger/hdfstest/.cred.jceks.20251111095609 ...
Ranger Plugin for hadoop has been enabled. Please restart hadoop to ensure that changes are effective.

E. Distribute the configuration files and jars

After the plugin is enabled successfully, you will find that the Hadoop configuration on node 232 has gained:

ranger-security.xml, ranger-hdfs-audit.xml, ranger-hdfs-security.xml, ranger-policymgr-ssl.xml and hiveserver2-site.xml, and that the following has been added to hdfs-site.xml:

<property>
        <name>dfs.permissions.enabled</name>
        <value>true</value>
</property>
<property>
        <name>dfs.permissions</name>
        <value>true</value>
</property>
<property>
        <name>dfs.namenode.inode.attributes.provider.class</name>
        <value>org.apache.ranger.authorization.hadoop.RangerHdfsAuthorizer</value>
</property>
<property>
        <name>dfs.permissions.ContentSummary.subAccess</name>
        <value>true</value>
</property>

Then comment out the dfs.permissions.enabled property that was configured previously.

Then distribute these configuration files to the other Hadoop nodes:

scp ranger-security.xml ranger-hdfs-audit.xml ranger-hdfs-security.xml ranger-policymgr-ssl.xml hdfs-site.xml hiveserver2-site.xml 192.168.242.230:/opt/apache_v00/hadoop-3.3.5/etc/hadoop
scp ranger-security.xml ranger-hdfs-audit.xml ranger-hdfs-security.xml ranger-policymgr-ssl.xml hdfs-site.xml  hiveserver2-site.xml 192.168.242.231:/opt/apache_v00/hadoop-3.3.5/etc/hadoop

At the time I left out the hiveserver2-site.xml configuration, so authorization on the other HiveServer2 instances did not go through Ranger and permissions were not enforced.

Besides the configuration files, you will also find that /opt/apache_v00/hadoop-3.3.5/share/hadoop/hdfs/lib has gained:

lrwxrwxrwx 1 root root      81 11月 11 09:56 ranger-hdfs-plugin-impl -> /opt/apache_v00/ranger-2.5.0/ranger-2.5.0-hdfs-plugin/lib/ranger-hdfs-plugin-impl
lrwxrwxrwx 1 root root      91 11月 11 09:56 ranger-hdfs-plugin-shim-2.5.0.jar -> /opt/apache_v00/ranger-2.5.0/ranger-2.5.0-hdfs-plugin/lib/ranger-hdfs-plugin-shim-2.5.0.jar
lrwxrwxrwx 1 root root      93 11月 11 09:56 ranger-plugin-classloader-2.5.0.jar -> /opt/apache_v00/ranger-2.5.0/ranger-2.5.0-hdfs-plugin/lib/ranger-plugin-classloader-2.5.0.jar

These also need to be distributed to the corresponding path on the other Hadoop nodes:

scp -r ranger-hdfs-plugin-impl ranger-hdfs-plugin-shim-2.5.0.jar ranger-plugin-classloader-2.5.0.jar 192.168.242.230:/opt/apache_v00/hadoop-3.3.5/share/hadoop/hdfs/lib
scp -r ranger-hdfs-plugin-impl ranger-hdfs-plugin-shim-2.5.0.jar ranger-plugin-classloader-2.5.0.jar 192.168.242.231:/opt/apache_v00/hadoop-3.3.5/share/hadoop/hdfs/lib

Note: if you forget this step, the NameNode fails to start with: java.lang.ClassNotFoundException: Class org.apache.ranger.authorization.hadoop.RangerHdfsAuthorizer

Restart the Hadoop services.

F. Configure the HDFS plugin in Ranger

Then click Test Connection.

Once it has been added:

By default, fallback to HDFS ACLs are enabled. If access cannot be determined by Ranger policies, authorization will fall back to HDFS ACLs. If this behavior needs to be changed, modify HDFS plugin config - xasecure.add-hadoop-authorization.

🧭 When the Ranger HDFS plugin cannot determine whether access is allowed, by default it "falls back" to checking Hadoop's own ACL permissions. To make Ranger the sole decision maker, set xasecure.add-hadoop-authorization to false.

G. Verify that Ranger can control the permissions

beeline -u "jdbc:hive2://apache232.hadoop.com:10000/default" -n test1022 -p 123456

The permissions granted are as follows:

Then verify Ranger's permission control over Hive.

Screenshot of the grant

3.5 Integrating HBase

A. Extract the package to the target path

tar -xf /opt/softs/ranger-2.5.0-hbase-plugin.tar.gz -C /opt/apache_v00/ranger-2.5.0/

B. Configure install.properties

POLICY_MGR_URL=http://192.168.242.232:6080
REPOSITORY_NAME=hbasetest
COMPONENT_INSTALL_DIR_NAME=/opt/apache_v00/hbase-2.6.0

C. Enable the HBase plugin

Back up before enabling:

cd /opt/apache_v00/hbase-2.6.0
mkdir conf_20251112
cp -r conf/* conf_20251112/

Now enable it:

cd /opt/apache_v00/ranger-2.5.0/ranger-2.5.0-hbase-plugin
[root@apache232 ranger-2.5.0-hbase-plugin]# ./enable-hbase-plugin.sh
Custom group is available, using default user and custom group.
+ 2025年 11月 12日 星期三 10:32:55 CST : hbase: lib folder=/opt/apache_v00/hbase-2.6.0/lib conf folder=/opt/apache_v00/hbase-2.6.0/conf
chown: 无效的用户: "hbase:hadoop"
chown: 无效的用户: "hbase:hadoop"
chown: 无效的用户: "hbase:hadoop"
chown: 无效的用户: "hbase:hadoop"
chown: 无效的用户: "hbase:hadoop"
+ 2025年 11月 12日 星期三 10:32:55 CST : Saving current config file: /opt/apache_v00/hbase-2.6.0/conf/hbase-site.xml to /opt/apache_v00/hbase-2.6.0/conf/.hbase-site.xml.20251112-103255 ...
+ 2025年 11月 12日 星期三 10:32:55 CST : Saving current config file: /opt/apache_v00/hbase-2.6.0/conf/ranger-hbase-audit.xml to /opt/apache_v00/hbase-2.6.0/conf/.ranger-hbase-audit.xml.20251112-103255 ...
+ 2025年 11月 12日 星期三 10:32:55 CST : Saving current config file: /opt/apache_v00/hbase-2.6.0/conf/ranger-hbase-security.xml to /opt/apache_v00/hbase-2.6.0/conf/.ranger-hbase-security.xml.20251112-103255 ...
+ 2025年 11月 12日 星期三 10:32:55 CST : Saving current config file: /opt/apache_v00/hbase-2.6.0/conf/ranger-policymgr-ssl.xml to /opt/apache_v00/hbase-2.6.0/conf/.ranger-policymgr-ssl.xml.20251112-103255 ...
+ 2025年 11月 12日 星期三 10:32:56 CST : Saving current JCE file: /etc/ranger/hbasetest/cred.jceks to /etc/ranger/hbasetest/.cred.jceks.20251112103256 ...
chown: 无效的用户: "hbase:hadoop"
Ranger Plugin for hbase has been enabled. Please restart hbase to ensure that changes are effective.

After enabling, you can see the new configuration files ranger-hbase-audit.xml, ranger-hbase-security.xml, ranger-policymgr-ssl.xml and ranger-security.xml. In addition, hbase-site.xml has gained these settings:

<property>
        <name>hbase.security.authorization</name>
        <value>true</value>
</property>
<property>
        <name>hbase.coprocessor.master.classes</name>
        <value>org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor</value>
</property>
<property>
        <name>hbase.coprocessor.region.classes</name>
        <value>org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor</value>
</property>

The dependency directory /opt/apache_v00/hbase-2.6.0/lib has also gained the ranger-hbase-plugin-impl directory, ranger-hbase-plugin-shim-2.5.0.jar and ranger-plugin-classloader-2.5.0.jar.

Now distribute the configuration files and jars to the other two nodes (working on node 232):

cd /opt/apache_v00/hbase-2.6.0/conf
scp ranger-security.xml hbase-site.xml ranger-hbase-audit.xml ranger-hbase-security.xml ranger-policymgr-ssl.xml 192.168.242.230:/opt/apache_v00/hbase-2.6.0/conf/
scp ranger-security.xml hbase-site.xml ranger-hbase-audit.xml ranger-hbase-security.xml ranger-policymgr-ssl.xml 192.168.242.231:/opt/apache_v00/hbase-2.6.0/conf/

Distribute the dependency jars:

cd /opt/apache_v00/hbase-2.6.0/lib
scp -r ranger-hbase-plugin-impl/ ranger-hbase-plugin-shim-2.5.0.jar ranger-plugin-classloader-2.5.0.jar 192.168.242.230:/opt/apache_v00/hbase-2.6.0/lib
scp -r ranger-hbase-plugin-impl/ ranger-hbase-plugin-shim-2.5.0.jar ranger-plugin-classloader-2.5.0.jar 192.168.242.231:/opt/apache_v00/hbase-2.6.0/lib

D. Restart the HBase services

# Run on 230-231
hbase-daemon.sh restart master
hbase-daemon.sh restart regionserver
# Run on 232
hbase-daemon.sh restart regionserver

E. Add an HBase service

The first time you click Test Connection it reports a failure, saying the master does not appear to be running. Ignore this for now, click Add directly, and then grant permissions to root.

Otherwise the master reports this error:

org.apache.hadoop.hbase.security.AccessDeniedException: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'root',action: put, tableName:hbase:meta, family:info, column: state

Then restart the master service.

Test the connection again.

F. Verify that Ranger can control permissions for different HBase users

[root@apache232 ~]# su - test1022
[test1022@apache232 ~]$ hbase
hbase              hbase-cleanup.sh   hbase-common.sh    hbase-config.sh    hbase-daemon.sh    hbase-daemons.sh   hbase-jruby        hbase_startup.jsh
[test1022@apache232 ~]$ hbase shell
HBase Shell
Use "help" to get list of supported commands.
Use "exit" to quit this interactive shell.
For Reference, please visit: http://hbase.apache.org/2.0/book.html#shell
Version 2.6.0, rde99f8754135ea69adc39da48d2bc2b2710a5366, Mon Apr 29 12:46:30 UTC 2024
Took 0.0030 seconds
hbase:001:0> list
TABLE
0 row(s)
Took 0.3420 seconds
=> []
hbase:002:0>
hbase:003:0>
hbase:004:0> scan 'testa:student'
ROW                                      COLUMN+CELL
org.apache.hadoop.hbase.security.AccessDeniedException: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'test1022',action: scannerOpen, tableName:testa:student, family:info.
        at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.authorizeAccess(RangerAuthorizationCoprocessor.java:569)
        at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.preScannerOpen(RangerAuthorizationCoprocessor.java:1015)
        at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.preScannerOpen(RangerAuthorizationCoprocessor.java:709)

As you can see, the user has no permission.

Grant the permission in Ranger.

Wait ten-odd seconds and query again.

The integration steps for the other components are much the same, so they are not covered one by one here.
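
Sections 3.4 and 3.5 both depend on every node carrying the hdfs-site.xml and hbase-site.xml entries the plugin scripts add, and 3.4 also asks for the old dfs.permissions.enabled entry to be commented out. The following Python check for those conditions is an added example, not code from the original post or from the Ranger project; the node contents, the helper names and the assumed old value false are constructed for illustration.

```python
import xml.etree.ElementTree as ET

HDFS_AUTHZ = "org.apache.ranger.authorization.hadoop.RangerHdfsAuthorizer"
HBASE_AUTHZ = "org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor"
# Settings the post shows enable-hdfs-plugin.sh / enable-hbase-plugin.sh adding.
REQUIRED = {
    "hdfs-site.xml": {"dfs.permissions.enabled": "true",
                      "dfs.namenode.inode.attributes.provider.class": HDFS_AUTHZ},
    "hbase-site.xml": {"hbase.security.authorization": "true",
                       "hbase.coprocessor.master.classes": HBASE_AUTHZ,
                       "hbase.coprocessor.region.classes": HBASE_AUTHZ},
}

def load_properties(xml_text):
    """Parse a Hadoop-style *-site.xml into {name: [values in file order]}."""
    props = {}
    for prop in ET.fromstring(xml_text.strip()).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:  # commented-out properties never reach here: the parser drops comments
            props.setdefault(name, []).append((prop.findtext("value") or "").strip())
    return props

def matches(name, value, expected):
    if name.endswith(".classes"):  # comma-separated coprocessor list
        return expected in [c.strip() for c in value.split(",")]
    if expected == "true":
        return value.lower() == "true"
    return value == expected

def check_file(file_name, xml_text):
    """Findings for one file; an empty list means the Ranger hooks are in place."""
    props = load_properties(xml_text)
    findings = [f"{file_name}: {n} has conflicting definitions {v}"
                for n, v in props.items() if len(set(v)) > 1]
    for name, expected in REQUIRED[file_name].items():
        values = props.get(name, [])
        if not values:
            findings.append(f"{file_name}: {name} missing")
        elif len(set(values)) == 1 and not matches(name, values[0], expected):
            findings.append(f"{file_name}: {name}={values[0]!r}, expected {expected}")
    return findings

def audit_nodes(nodes):
    """nodes: {host: {file_name: xml_text}} -> {host: [findings]}."""
    report = {}
    for host, files in nodes.items():
        report[host] = []
        for file_name in REQUIRED:
            if file_name in files:
                report[host].extend(check_file(file_name, files[file_name]))
            else:
                report[host].append(f"{file_name}: not present on node")
    return report

def acl_fallback_enabled(ranger_hdfs_security_xml):
    """True when undecided requests fall back to HDFS ACLs (the default the post quotes)."""
    values = load_properties(ranger_hdfs_security_xml).get("xasecure.add-hadoop-authorization")
    return not values or values[-1].lower() == "true"

def site(*pairs):
    """Build a constructed *-site.xml from (name, value) pairs."""
    body = "".join(f"<property><name>{n}</name><value>{v}</value></property>" for n, v in pairs)
    return f"<configuration>{body}</configuration>"

# Constructed sample: three nodes named after the post's hosts.
GOOD_HDFS = site(*REQUIRED["hdfs-site.xml"].items())
GOOD_HBASE = site(*REQUIRED["hbase-site.xml"].items())
SAMPLE_NODES = {
    "apache232": {"hdfs-site.xml": GOOD_HDFS, "hbase-site.xml": GOOD_HBASE},
    # Old dfs.permissions.enabled (value assumed) left beside the plugin's entry.
    "apache231": {"hdfs-site.xml": site(("dfs.permissions.enabled", "false"),
                                        *REQUIRED["hdfs-site.xml"].items()),
                  "hbase-site.xml": GOOD_HBASE},
    # Updated files never copied: no provider class, no hbase-site.xml at all.
    "apache230": {"hdfs-site.xml": site(("dfs.permissions.enabled", "true"))},
}

if __name__ == "__main__":
    for host, findings in audit_nodes(SAMPLE_NODES).items():
        print(host, findings or "OK")
```

On a real cluster, read each node's copy of the two files and pass the contents to audit_nodes in place of SAMPLE_NODES; acl_fallback_enabled takes the contents of ranger-hdfs-security.xml.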