6.14. System Level Security with Apache Ranger
Policies in Ranger are created with the Ranger user interface and define access and authorization. Each policy combines user and group information with a resource and access rights to that resource. Ranger is connected to your organization's LDAP system for user and group information. Ranger usage requires the installation of the Presto Ranger plugin, which creates the Starburst starburst-enterprise-presto service type, or service definition, in Ranger. This service definition encompasses a Presto-specific set of resource types that includes catalog, schema, table, column, and more, so access rules for these resources can be configured in Ranger.
The Ranger Presto plugin is responsible for connecting to Ranger from Presto and using the defined policies for Presto resources. Any user action in Presto, such as submitting a query, is validated against the policies from Ranger and potentially prevented.
For example, a query is parsed and analyzed to determine all involved resources such as schemas and tables. Once a list is created, all policies are analyzed in Presto to determine if the user initiating the query has all necessary access rights. Processing only continues if all rights are granted.
In contrast to Hive-level security, the system-level Ranger integration is suitable for defining role-based access to catalogs using any connector, as well as to a number of other system resources.
Getting started with Ranger for role-based access control can be summarized in a few steps:
- Install Ranger and add the Presto Ranger plugin
- Configure Ranger for user and group information from LDAP
- Configure Presto to use Ranger
- Define policies with the Ranger user interface
- Enjoy the access control for catalogs, schemas, tables and more for all users
Details for all these steps and more are documented in the following sections.
Your first important step is the installation and configuration of Ranger, which consists of the following steps:
- Install Ranger 2.0.0 or higher
- Configure Ranger to access your LDAP system for user, group and role information
- Add Presto Ranger plugin to Ranger
AWS CloudFormation Deployment
The Starburst support for Amazon CFT-based installation includes installation of Apache Ranger and all relevant configuration. Detailed information is available in the AWS documentation.
The Starburst support for Kubernetes-based installation includes installation of Apache Ranger and all relevant configuration. Detailed information is available in the Kubernetes documentation.
Connect Existing Ranger
Using an existing Ranger 2.0.0 or higher is supported. You just have to make sure that the coordinator has network access to Ranger and that LDAP is configured, so that all relevant users, groups and roles are available. As a next step you need to install the Presto Ranger plugin.
Manual Ranger Installation
If you are running Presto on-premise or some other custom deployment, you need to install Ranger 2.0.0 or higher following the documentation from the Ranger project.
Connect Ranger to LDAP
Ranger needs to access the information about your users, groups and roles in your LDAP system. With the K8s and AWS installation methods, all details are already configured. For existing Ranger usage or manual installation, you need to ensure that Ranger is connected to your LDAP directory provider and that a synchronization process is in place. The process varies based on your LDAP system and is documented in the Ranger documentation.
Presto Ranger Plugin
The Presto Ranger plugin is automatically installed with Ranger when using the AWS CFT and Kubernetes installations. For existing Ranger instances or a custom Ranger installation, you need to follow these steps:
- Locate the directory in your SEP distribution
- Copy the JAR files, including presto-jdbc.jar, to your Ranger installation into the directory
- Restart Ranger. The Presto Ranger plugin automatically creates the service type definition for Presto in Ranger.
- Access the Ranger user interface and confirm that you can find the Starburst Enterprise Presto service type.
With the Presto Ranger plugin installed in Ranger, you can create one or multiple services using the SEP service type. This allows you to have separate services for different Presto clusters.
With Ranger installed and configured, you are now ready to configure Ranger as the activated access control system. Update and set the path to your Ranger access control configuration file:
Subsequently, configure the details in that file:
access-control.name=ranger
ranger.policy-rest-url=http://ranger.example.com:6080
ranger.service-name=presto-production
ranger.presto-plugin-username=<username>
ranger.presto-plugin-password=<password>
ranger.policy-refresh-interval=30s
| Property | Description |
| --- | --- |
| access-control.name | Set the name of the access control system to ranger |
| ranger.policy-rest-url | The URL to the Ranger server |
| ranger.service-name | Name of the service defined in Ranger for this Presto cluster |
| | Authentication type for Presto connecting to Ranger; currently only BASIC authentication is supported |
| ranger.presto-plugin-username | Username for the Ranger Presto plugin to use to connect to Ranger with BASIC authentication |
| ranger.presto-plugin-password | Password for the Ranger Presto plugin to use to connect to Ranger with BASIC authentication |
| | Path to the Ranger plugin SSL configuration |
| | Ranger's client persistent cache for policies |
| ranger.policy-refresh-interval | Interval to refresh policies from Ranger |
| | Timeout to use when connecting to Ranger |
| | Timeout to use when reading policies from Ranger |
Users, groups and roles are sourced from your connected LDAP directory and are used as the targets for each policy.
Policy creation and management is performed with the Ranger user interface, or optionally with the Ranger REST API.
A policy is a combination of a set of resources and the associated privileges. Specific user interface elements with drop-down and auto-completion are available for all resources.
A resource set includes one or more resources of different resource types. Wildcard characters are supported to select a number of resources based on a pattern.
- catalog - schema
- catalog - schema - table
- catalog - schema - table - column
- catalog - schema - procedure
- catalog - session property
- system session property
As you can see from the list above, some resources are hierarchically organized within a catalog. This allows you, for example, to restrict access to a complete catalog, a specific schema or table, or even a single column or procedure within a schema.
For example, you can define a set of resources that restricts access to the two tables credit-info and cards-info in all schemas of the hdfs catalog:
- Catalog: hdfs
- Schema: *
- Table: credit-info, cards-info
A resource set works as the primary key for a policy and needs to be unique. Multiple policies may nevertheless cover a single resource because of wildcards.
A set of privileges consists of one or more user groups, roles and users, and a set of access types for the specified resource set. Privileges can allow or deny operations.
The catalog, schema, table and column resources, which grant access to resources for queries, have the following access types:
- SELECT to read data from the resource.
- INSERT to add data to the resource.
- UPDATE to change data in the resource.
- DELETE to remove data from the resource.
- OWNERSHIP to claim ownership of the resource, which provides complete access.
In addition, there are privileges that determine access to queries and their usage, and are therefore of a more general nature:
- SELECT to list queries.
- EXECUTE to initiate processing of any query. Without this privilege user action is extremely limited.
- KILL to stop processing of any query.
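As an added illustration of the policy model above and of the query validation flow described earlier (a query is analyzed into the resources it touches, and processing only continues when every required right is granted), the following Python snippet is not code from Starburst or the Ranger project: it models a policy as a resource set with wildcards plus allow or deny privileges per group, and checks every resource a query needs. The policy names, groups, schema and column names are constructed, and the evaluation rules (default deny, deny wins over allow, a policy covers the resource types it omits) are a simplification of Ranger's real engine.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass
class Policy:
    """Simplified Ranger policy: a resource set (wildcards allowed) plus privileges."""
    name: str
    resources: dict    # resource type -> patterns, e.g. {"catalog": ["hdfs"], "table": ["credit-*"]}
    groups: set        # groups the privilege applies to (users and roles would work the same way)
    access_types: set  # e.g. {"SELECT", "INSERT"}
    allow: bool = True # False turns this into a deny policy

    def covers(self, resource: dict) -> bool:
        # Every resource type the policy names must match; types it omits are covered
        # implicitly, so a table-level policy also covers every column of that table.
        for kind, patterns in self.resources.items():
            value = resource.get(kind)
            if value is None or not any(fnmatchcase(value, p) for p in patterns):
                return False
        return True

def is_allowed(policies, user_groups, resource, access_type):
    """Default deny: needs at least one matching allow policy and no matching deny policy."""
    allowed = False
    for p in policies:
        if access_type not in p.access_types or not (user_groups & p.groups) or not p.covers(resource):
            continue
        if not p.allow:
            return False
        allowed = True
    return allowed

def authorize_query(policies, user_groups, required):
    """required: (resource, access type) pairs found when the query was analyzed.
    Returns the unmet requirements; processing only continues when the list is empty."""
    return [(r, a) for r, a in required if not is_allowed(policies, user_groups, r, a)]

# Constructed sample policies mirroring the page's example resource set (catalog hdfs,
# all schemas, tables credit-info and cards-info), plus a column deny and an EXECUTE grant.
POLICIES = [
    Policy("analysts-cards", {"catalog": ["hdfs"], "schema": ["*"],
                              "table": ["credit-info", "cards-info"]}, {"analysts"}, {"SELECT"}),
    Policy("deny-card-number", {"catalog": ["hdfs"], "schema": ["*"], "table": ["credit-info"],
                                "column": ["card_number"]}, {"analysts"}, {"SELECT"}, allow=False),
    Policy("analysts-execute", {"query": ["*"]}, {"analysts"}, {"EXECUTE"}),
]

if __name__ == "__main__":
    req = [({"query": "q-42"}, "EXECUTE"), ({"catalog": "hdfs", "schema": "finance",
            "table": "credit-info", "column": "card_number"}, "SELECT")]
    print(authorize_query(POLICIES, {"analysts"}, req))  # the card_number requirement is unmet
```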