Ranger TagSync and Atlas

Starburst Enterprise platform (SEP) features integration with Apache Atlas, as described in Atlas integration.

Once Atlas integration is configured and working, you can take advantage of an Apache Ranger plugin named Ranger TagSync. This lets SEP cooperate with a separate installation of Ranger that is already configured and working with SEP. The TagSync plugin runs as a separate daemon on the Ranger server.

The TagSync feature allows Atlas and Ranger to cooperate. In this configuration, each change to a SEP object is not only registered with the Atlas database, but Atlas can also query Ranger for the permissions that are to be applied to the object.

This allows you to automatically apply Ranger’s role-based access control to SEP catalogs, schemas, tables, and columns as they are created. If you register a custom Atlas type, newly created objects of that type are also automatically assigned permissions based on users and roles.

Note

The starburst-ranger Helm chart does not support Ranger TagSync.

Requirements

To integrate SEP, Atlas, and Ranger, you must have:

  • A valid Starburst Enterprise license for the Starburst Atlas plugin.

  • An SEP cluster, version 359 or later, configured and running.

  • Apache Atlas and Apache Kafka, configured as described in the Atlas setup steps.

  • Apache Ranger, configured as described on Ranger requirements.

  • Network connectivity from the SEP coordinator to the Atlas, Kafka, and Ranger servers at their specified ports.

  • The Ranger TagSync plugin, which is part of the Apache Ranger distribution.

  • The Starburst Ranger TagSync Resource Mapper JAR file downloaded from Starburst Support. This file is named starburst-ranger-tagsync-resource-mapper-version.jar, where version should match the version of the Starburst Ranger plugin in use.

The Atlas-Ranger integration is implemented as a custom mapper JAR file plus configuration settings that you apply to your Ranger installation. No configuration of your SEP cluster is necessary.

The mapper file is provided by Starburst to associate Atlas type names defined by Starburst with Ranger tag names. This is what allows Ranger permission settings to be applied to changes in Atlas types.

Setup steps

To integrate SEP, Atlas, and Ranger, first identify the installation directory for the Ranger Tag Synchronizer (TagSync) plugin, which configures a daemon that runs independently of the Ranger server. The TagSync plugin is in a top-level folder of the expanded Ranger distribution tarball file. Some systems require you to install the plugin separately, such as with yum install ranger-tagsync.

There are two cases, depending on whether or not the TagSync plugin has been run before.

TagSync already running

  1. If Ranger TagSync has already been configured and is now running, stop the TagSync daemon with:

    service ranger-tagsync stop
    
  2. Locate the conf/ranger-tagsync-site.xml file and edit it to add the following lines:

    <property>
        <name>ranger.tagsync.atlas.custom.resource.mappers</name>
        <value>com.starburst.ranger.tagsync.AtlasStarburstResourceMapper</value>
    </property>
    
    <property>
        <name>ranger.tagsync.atlas.starburst.instance.testing_trino.ranger.service</name>
        <value>starburst-enterprise</value>
    </property>
    
  3. Restart the TagSync daemon with:

    service ranger-tagsync start
    

TagSync new setup

If you are configuring Ranger TagSync for the first time, follow these steps:

  1. Navigate to the tagsync/scripts directory.

  2. Edit the install.properties file as appropriate for your Ranger installation, following the guidance in the Ranger documentation. Most default URLs in this file as shipped are for localhost. Identify and update the URLs that apply to your network.

  3. To specify SEP-Ranger-Atlas integration, add lines like the following to install.properties:

    TAGSYNC_ATLAS_CUSTOM_RESOURCE_MAPPERS=com.starburst.ranger.tagsync.AtlasStarburstResourceMapper
    TAGSYNC_ATLAS_TO_RANGER_SERVICE_MAPPING=sep-cluster-name,starburst,ranger-service-name
    

    The argument for the RESOURCE_MAPPERS property is the exact literal string as shown.

    The SERVICE_MAPPING property takes a single string without spaces, composed of three comma-separated arguments:

    • sep-cluster-name: the name of your SEP cluster from the point of view of Atlas. This is the value you assigned to atlas.cluster.name in the Atlas plugin configuration file.

    • starburst: the literal string starburst.

    • ranger-service-name: the value you assigned to ranger.service-name in the Ranger configuration properties.

  4. In the tagsync/scripts directory, run setup.sh. This prepares a directory structure and transforms the install.properties settings into an XML configuration file.

  5. Place the downloaded Starburst Ranger TagSync Resource Mapper JAR file in the lib directory of the Ranger TagSync directory.

  6. Start the TagSync daemon with the Linux service command:

    service ranger-tagsync start
    

Consult the Ranger documentation for further details.
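
Tag-based permissions depend on the mapper class and the service mapping both being present and consistent, so the following check (an added example, not part of the Starburst or Ranger documentation) validates a SERVICE_MAPPING triple and confirms that the content of ranger-tagsync-site.xml carries the matching properties. It assumes the triple maps onto the property-name pattern shown in the already-running case, with testing_trino as the cluster name and starburst-enterprise as the Ranger service name; the function names and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MAPPER_KEY = "ranger.tagsync.atlas.custom.resource.mappers"
MAPPER_CLASS = "com.starburst.ranger.tagsync.AtlasStarburstResourceMapper"

def expected_property(service_mapping):
    """Turn 'cluster,starburst,service' into the (name, value) pair expected in the XML."""
    if any(ch.isspace() for ch in service_mapping):
        raise ValueError("SERVICE_MAPPING must not contain spaces")
    parts = service_mapping.split(",")
    if len(parts) != 3 or not all(parts):
        raise ValueError("SERVICE_MAPPING needs exactly three comma-separated values")
    cluster, component, service = parts
    if component != "starburst":
        raise ValueError("second value must be the literal string 'starburst'")
    # Assumption: name pattern inferred from the property shown for the already-running case.
    return f"ranger.tagsync.atlas.{component}.instance.{cluster}.ranger.service", service

def check_site_xml(xml_text, service_mapping):
    """Return a list of problems found in ranger-tagsync-site.xml content (empty = OK)."""
    root = ET.fromstring(xml_text)
    props = {p.findtext("name", "").strip(): p.findtext("value", "").strip()
             for p in root.iter("property")}
    problems = []
    # Assumption: the mappers value may hold several comma-separated class names.
    mappers = [m.strip() for m in props.get(MAPPER_KEY, "").split(",")]
    if MAPPER_CLASS not in mappers:
        problems.append(f"{MAPPER_KEY} does not list {MAPPER_CLASS}")
    name, service = expected_property(service_mapping)
    if name not in props:
        problems.append(f"missing property {name}")
    elif props[name] != service:
        problems.append(f"{name} is {props[name]!r}, expected {service!r}")
    return problems

# Constructed sample: the two properties from this page wrapped in a <configuration> root.
SAMPLE_XML = """<configuration>
  <property><name>ranger.tagsync.atlas.custom.resource.mappers</name>
    <value>com.starburst.ranger.tagsync.AtlasStarburstResourceMapper</value></property>
  <property><name>ranger.tagsync.atlas.starburst.instance.testing_trino.ranger.service</name>
    <value>starburst-enterprise</value></property>
</configuration>"""

if __name__ == "__main__":
    print(check_site_xml(SAMPLE_XML, "testing_trino,starburst,starburst-enterprise") or "OK")
```

To check a real installation, pass the text of conf/ranger-tagsync-site.xml and the same triple you set in install.properties.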