Apache Ranger is a centralized security administration solution for Hadoop that enables administrators to create and enforce security policies for HDFS and other Hadoop platform components.
Ranger configuration is based on the installation and configuration of HDFS Transparency. Therefore, HDFS Transparency must be installed before configuring Ranger. Then install Ranger in native HDFS.
Enable Ranger
After Apache Ranger and Hadoop have been installed, administrators must perform the following steps to enable Ranger:
1 Change HDFS umask to 077 from 022. This prevents any new files or folders from being accessed by anyone other than the owner. To change the umask, go to the HDFS dashboard > Configs tab, search for umask, and change the value from 022 to 077.
2 Know which directory is managed by Ranger and which directory is managed by POSIX/HDFS/ACL. Let HDFS manage the permissions for the /tmp and the /user folders.
3 Do not configure a file to be controlled by both Ranger and POSIX/HDFS/ACL permissions. This creates confusion in permission control.
4 Do not deny permission to the owner if the file is controlled by Ranger.
Configure Ranger
1 Check that /etc/hadoop/conf/hdfs-site.xml sets dfs.namenode.inode.attributes.provider.class to org.apache.ranger.authorization.hadoop.RangerHdfsAuthorizer.
Synchronize /usr/lpp/mmfs/hadoop/etc/hadoop/hdfs-site.xml (for HDFS Transparency 2.7.3-x) or /var/mmfs/hadoop/etc/hadoop/hdfs-site.xml (for HDFS Transparency 3.0.0) to all the NameNodes and DataNodes:
mmhadoopctl connector syncconf /etc/hadoop/conf/hdfs-site.xml
2 Copy the following four files from /etc/hadoop/conf to /usr/lpp/mmfs/hadoop/etc/hadoop (for HDFS Transparency 2.7.3-x) or /var/mmfs/hadoop/etc/hadoop (for HDFS Transparency 3.0.0) on all the NameNodes and DataNodes: ranger-hdfs-audit.xml, ranger-hdfs-security.xml, ranger-policymgr-ssl.xml, ranger-security.xml.
3 Edit the /usr/lpp/mmfs/hadoop/etc/hadoop/hadoop-env.sh (for HDFS Transparency 2.7.3-x) or /var/mmfs/hadoop/etc/hadoop/hadoop-env.sh (for HDFS Transparency 3.0.0) on the NameNode and add these two classes to CLASSPATH:
For IOP 4.2:
/usr/iop/4.2.0.0/ranger-hdfs-plugin/lib/*.jar
for f in /usr/iop/4.2.0.0/ranger-hdfs-plugin/lib/*.jar; do
export HADOOP_CLASSPATH=$HADOOP_CLASSPATH:$f
done
for f in /usr/share/java/mysql-connector-java.jar; do
export HADOOP_CLASSPATH=$HADOOP_CLASSPATH:$f
done
For IOP 4.2.5:
Change the above version string 4.2.0.0 into “4.2.5.0-0000”.
For HortonWorks 2.6 and 3.X:
for f in /usr/hdp/
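An added example, not part of the original page or of the HDFS Transparency or Ranger tooling: a shell check for steps 1 and 2 of the Ranger configuration above, run against one node's HDFS Transparency configuration directory. The function names are hypothetical, and it assumes the usual Hadoop property layout (name and value elements inside each property element) in hdfs-site.xml.

```shell
#!/bin/sh
# Added example (not from the original page): audit one node's HDFS Transparency
# config directory for the Ranger authorizer setting and the four plugin files.
PROVIDER_KEY="dfs.namenode.inode.attributes.provider.class"
PROVIDER_VAL="org.apache.ranger.authorization.hadoop.RangerHdfsAuthorizer"
RANGER_FILES="ranger-hdfs-audit.xml ranger-hdfs-security.xml ranger-policymgr-ssl.xml ranger-security.xml"

# Print every <value> set for property $2 in Hadoop XML file $1, one per line.
# XML comments are stripped first so a commented-out property does not count.
hadoop_prop() {
    tr '\n' ' ' < "$1" | awk -v key="$2" '{
        doc = $0
        while ((a = index(doc, "<!--")) > 0) {
            rest = substr(doc, a + 4)
            b = index(rest, "-->")
            doc = substr(doc, 1, a - 1) (b ? substr(rest, b + 3) : "")
        }
        n = split(doc, props, "</property>")
        for (i = 1; i <= n; i++) {
            p = props[i]
            if (index(p, "<name>" key "</name>") == 0) continue
            if (index(p, "<value>") == 0) continue
            sub(/.*<value>[ \t]*/, "", p)
            sub(/[ \t]*<\/value>.*/, "", p)
            print p
        }
    }'
}

# Return 0 only if conf dir $1 passes every check; print one line per failure.
check_ranger_conf() {
    dir=$1; rc=0; site="$dir/hdfs-site.xml"
    if [ ! -r "$site" ]; then
        echo "FAIL: $site not readable"; return 1
    fi
    # Require exactly one active definition carrying the expected class.
    if [ "$(hadoop_prop "$site" "$PROVIDER_KEY")" != "$PROVIDER_VAL" ]; then
        echo "FAIL: $PROVIDER_KEY is not set (once) to $PROVIDER_VAL"; rc=1
    fi
    for f in $RANGER_FILES; do
        [ -s "$dir/$f" ] || { echo "FAIL: missing or empty $dir/$f"; rc=1; }
    done
    return $rc
}

# Run the audit only when a config directory is passed as the first argument.
if [ $# -gt 0 ]; then check_ranger_conf "$1"; fi
```

Run it on each NameNode and DataNode with the configuration directory as the argument, for example /var/mmfs/hadoop/etc/hadoop for HDFS Transparency 3.0.0. A property that is present only inside an XML comment is reported as a failure, which a plain text search for the class name would miss.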