IBM Spectrum Scale HDFS Transparency Ranger Support

By Archive User posted Mon April 01, 2019 10:23 AM

  
Apache Ranger is a centralized security administration solution for Hadoop that enables administrators to create and enforce security policies for HDFS and other Hadoop platform components.

Ranger configuration is based on the installation and configuration of HDFS Transparency. Therefore, HDFS Transparency must be installed before configuring Ranger. Then install Ranger in native HDFS.

Enable Ranger

After Apache Ranger and Hadoop have been installed, administrators must perform the following steps to enable Ranger:

1 Change the HDFS umask from 022 to 077. This prevents any new files or folders from being accessed by anyone other than the owner. To change the umask, go to the HDFS dashboard > Configs tab, search for umask, and change the value from 022 to 077.

2 Know which directory is managed by Ranger and which directory is managed by POSIX/HDFS/ACL. Let HDFS manage the permissions for the /tmp and the /user folders.
3 Do not configure a file to be controlled by both Ranger and POSIX/HDFS/ACL permissions. This creates confusion in permission control.
4 Do not deny permission to the owner if the file is controlled by Ranger.

Configure Ranger

1 Check that /etc/hadoop/conf/hdfs-site.xml sets dfs.namenode.inode.attributes.provider.class to org.apache.ranger.authorization.hadoop.RangerHdfsAuthorizer.

Synchronize /usr/lpp/mmfs/hadoop/etc/hadoop/hdfs-site.xml for HDFS Transparency 2.7.3-x or /var/mmfs/hadoop/etc/hadoop/hdfs-site.xml for HDFS Transparency 3.0.0 to all the NameNodes and DataNodes.

mmhadoopctl connector syncconf /etc/hadoop/conf/hdfs-site.xml


2 Copy the following four files to /usr/lpp/mmfs/hadoop/etc/hadoop (for HDFS Transparency 2.7.3-x) or /var/mmfs/hadoop/etc/hadoop (for HDFS Transparency 3.0.0) on all the NameNode and DataNodes: ranger-hdfs-audit.xml, ranger-hdfs-security.xml, ranger-policymgr-ssl.xml, ranger-security.xml from the path /etc/hadoop/conf.

3 Edit the /usr/lpp/mmfs/hadoop/etc/hadoop/hadoop-env.sh (for HDFS Transparency 2.7.3-x) or /var/mmfs/hadoop/etc/hadoop/hadoop-env.sh (for HDFS Transparency 3.0.0) on the NameNode and add these two classes to CLASSPATH:

For IOP 4.2:

/usr/iop/4.2.0.0/ranger-hdfs-plugin/lib/*.jar

for f in /usr/iop/4.2.0.0/ranger-hdfs-plugin/lib/*.jar; do
  export HADOOP_CLASSPATH=$HADOOP_CLASSPATH:$f
done

for f in /usr/share/java/mysql-connector-java.jar; do
  export HADOOP_CLASSPATH=$HADOOP_CLASSPATH:$f
done


For IOP 4.2.5:

Change the above version string 4.2.0.0 into “4.2.5.0-0000”.

For HortonWorks 2.6 and 3.X:

for f in /usr/hdp/
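
The checks from the steps above can be run against each node's HDFS Transparency configuration directory (/usr/lpp/mmfs/hadoop/etc/hadoop or /var/mmfs/hadoop/etc/hadoop) after syncing. The following is an added example, not code from IBM or from the original post; the function names are hypothetical, and it assumes the umask is stored in hdfs-site.xml under the Hadoop property fs.permissions.umask-mode.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

PROVIDER_KEY = "dfs.namenode.inode.attributes.provider.class"
PROVIDER_VAL = "org.apache.ranger.authorization.hadoop.RangerHdfsAuthorizer"
UMASK_KEY = "fs.permissions.umask-mode"  # assumption: umask is kept in hdfs-site.xml
RANGER_FILES = ("ranger-hdfs-audit.xml", "ranger-hdfs-security.xml",
                "ranger-policymgr-ssl.xml", "ranger-security.xml")

def read_props(path):
    """Return {name: value} from a Hadoop *-site.xml file."""
    props = {}
    for prop in ET.parse(path).getroot().iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit_conf_dir(conf_dir):
    """Check one node's HDFS Transparency conf dir; return a list of findings."""
    findings = []
    site = os.path.join(conf_dir, "hdfs-site.xml")
    if not os.path.isfile(site):
        return ["hdfs-site.xml missing (syncconf not run?)"]
    props = read_props(site)
    if props.get(PROVIDER_KEY) != PROVIDER_VAL:
        findings.append(f"{PROVIDER_KEY} is {props.get(PROVIDER_KEY)!r}; "
                        "Ranger authorizer is not configured on this node")
    if props.get(UMASK_KEY) != "077":
        findings.append(f"{UMASK_KEY} is {props.get(UMASK_KEY)!r}, expected '077'")
    for name in RANGER_FILES:
        if not os.path.isfile(os.path.join(conf_dir, name)):
            findings.append(f"{name} not copied from /etc/hadoop/conf")
    return findings

def demo():
    """Audit a constructed conf dir: umask still 022 and one Ranger file missing."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "hdfs-site.xml"), "w") as fh:
            fh.write("<configuration>"
                     f"<property><name>{PROVIDER_KEY}</name><value>{PROVIDER_VAL}</value></property>"
                     f"<property><name>{UMASK_KEY}</name><value>022</value></property>"
                     "</configuration>")
        for name in RANGER_FILES[:3]:
            open(os.path.join(d, name), "w").close()
        return audit_conf_dir(d)

if __name__ == "__main__":
    print("\n".join(demo()))
```

An empty list from audit_conf_dir means the node passed all three checks; run it on every NameNode and DataNode, since a node that missed the sync keeps its old settings.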