Release 8.7.1
Page tree


Support | BlogContact Us 

Versions Compared

Old Version 1

changes.mady.by.user docuser1

Saved on

compared with

New Version Current

changes.mady.by.user docuser1

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Published by Scroll Versions from space DEV and version r0871

...

Excerpt
Pre-requisites

Prerequisites

Warning

Before you begin, please verify that your enterprise has deployed both Hive and Ranger according to recommended configuration practices. For more information, please consult the documentation that was provided with your Hadoop distribution.

Info

NOTE: Before you begin, you must integrate the

D s platform
with Hive. See Configure for Hive.

Secure Impersonation with
D s platform
and Hive with Ranger

Secure impersonation ensures consistent and easily traceable security access to the data stored within your Hadoop cluster.

Info

NOTE: Although not required, secure impersonation is highly recommended for connecting the platform with Hive.

Since secure impersonation for the combination of HiveServer2 and Ranger is not supported by Ranger, you must apply the following additional configuration changes to the

D s platform
to enable secure impersonation in the environment:

  1. Enable the platform with secure impersonation. See Configure for Secure Impersonation for details.
  2. Add the hive service user hive to the Unix or LDAP group
    D s defaultuser
    Typeos.group
    Fulltrue
    .

  3. D s config

  4. Set the following parameter:

    Code Block
    "hdfs.permissions.userUmask" = 027
  5. Ensure that the Unix or LDAP group has read access to the Hive warehouse directory, as described in the following section. For more information, see http://hortonworks.com/blog/best-practices-for-hive-authorization-using-apache-ranger-in-hdp-2-2/.

Users and Groups for Ranger

When the

D s platform
is enabled with secure impersonation and submits requests to Hive, the following steps occur:

  1. The platform authenticates as the
    D s defaultuser
    Typeprincipal
    Fulltrue
    user through Kerberos.

  2. The Hive server authorizes access to the underlying table through Ranger as the Hadoop principal user assigned to

    D s defaultuser
    Typeprincipal
    .

    Info

    NOTE: This Hadoop principal is the user that should be configured through policies in Ranger to have the appropriate privileges.

  3. The Hive server executes access to the physical data file on HDFS as the Unix user hive, which should be part of the group
    D s defaultuser
    Typehadoop.group
    Fulltrue
    .

Info

NOTE: Since Ranger assigns access to databases, tables, and columns to Unix users and groups, a common practice is to assign the Hadoop principal users (used by

D s item
itemusers
) to dedicated Unix groups that are separate from the Unix group
D s defaultuser
Typeos.group
Fulltrue
use within Ranger. Ranger should not grant any privileges and roles to the Unix group
D s defaultuser
Typeos.group
Fulltrue
.

Info

NOTE: In UNIX environments, usernames and group names are case-sensitive. Please verify that you are using the case-sensitive names for users and groups in your Hadoop configuration and

D s item
itemconfiguration file
.

Policies in Ranger

In Ranger, you can configure access through policies. A Ranger policy is a combination of:

  • Specified database, table, or tabled column
  • Permissions associated with that specified object.
  • Assignment of permissions to individual users or groups

Required Permissions

Info

NOTE: In general, to manage access through Ranger, permissions to underlying Hadoop components such as HDFS or Hive should be minimized within those components. All permissions in Ranger are additive, which means that you should be careful about overlapping users and groups.

The following components require these permissions at a minimum to be assigned to the Hadoop principal:

ComponentPermissions
HDFSRead, Write, Execute
Hive

Select, Update.

Create (for Hive publishing)

Configuration

Info

NOTE: The following configuration is required for integration of HDP with Hive publishing when Ranger is enabled.

  1. In the Ambari console, navigate to the following: HDFS > Configs > Advanced > Advanced ranger-hdfs-plugin-properties.

  2. Set the following to true: Enable Ranger for HDFS.

  3. From the left nav bar, navigate to the following: Ranger > Configs > Ranger Plugin tab.

  4. Set the following to true: Hive Ranger Plugin.

  5. Please verify that the other Ambari properties are set to integrate Hive through Ranger. For more information, see the HDP documentation.
  6. Restart the HDP cluster.
  7. Open Ranger.

  8. In the policies area, create the following two policies:

    Code Block
    trifacta_policies
hive_warehouse
  9. Set the following properties on these policies:
    1. Policy Type: Access
    2. Enabled: true
    3. Resource path:

      1. For trifacta_policies, set this value to either of the following values:

        Code Block
        /trifacta
/trifacta/queryResults

      2. For hive_warehouse, set this value to the location of the Hive warehouse. The following is the default value:

        Code Block
        /user/hive/warehouse

    4. Recursive: true

      Info

      NOTE: Policies must be recursive.

    5. Audit Logging: yes

    6. Allow conditions:

      1. Select group: Hadoop, Trifacta

      2. Select user: Trifacta

      3. Permissions: Read, Write, Execute

  10. Save the policies.

...

© 2013-2023 Alteryx® Inc Privacy Policy  |  Terms of Use