Ranger Tagsync and Atlas#
Once Atlas integration is configured and working, you can take advantage of an Apache Ranger plugin named Ranger Tagsync. This lets SEP cooperate with a separate installation of Ranger that is already configured and working with SEP. The Tagsync plugin runs as a separate daemon on the Ranger server.
The Tagsync feature allows Atlas and Ranger to cooperate. In this configuration, each change to a SEP object is not only registered with the Atlas database, but Atlas can also query Ranger for the permissions that are to be applied to the object.
This allows you to automatically apply Ranger’s role-based access control to SEP catalogs, schemas, tables, and columns as they are created. If you register a custom Atlas type, newly created objects of that type are also automatically assigned permissions based on users and roles.
To integrate SEP, Atlas, and Ranger, you must have:
A valid Starburst Enterprise license for the Starburst Atlas plugin.
An SEP cluster, version 359 or later, configured and running.
Apache Atlas and Apache Kafka, configured as described in the Atlas setup steps.
Apache Ranger, configured as described on Ranger requirements.
Network connectivity from the SEP coordinator to the Atlas, Kafka, and Ranger servers at their specified ports.
The Ranger TagSync plugin, which is part of the Apache Ranger distribution.
The Starburst Ranger TagSync Resource Mapper JAR file downloaded from Starburst Support. This file is named
starburst-ranger-tagsync-resource-mapper-version.jar, where version should match the version of the Starburst Ranger plugin in use.
The Atlas-Ranger integration is implemented as a custom mapper JAR file plus configuration settings that you apply to your Ranger installation. No configuration of your SEP cluster is necessary.
The mapper file is provided by Starburst to associate Atlas type names defined by Starburst with Ranger tag names. This is what allows Ranger permission settings to be applied to changes in Atlas types.
To integrate SEP, Atlas, and Ranger, first identify the installation directory
for the Ranger Tag Synchronizer (TagSync) plugin, which configures a daemon that
runs independently of the Ranger server. The TagSync plugin is in a top-level
folder of the expanded Ranger distribution
tarball file. Some systems
require you to install the plugin separately, such as with
There are two cases, depending on whether or not the Tagsync plugin has been run before.
Tagsync already running#
If Ranger Tagsync has already been configured and is now running, stop the Tagsync daemon with:
service ranger-tagsync stop
conf/ranger-tagsync-site.xmlfile and edit it to add the following lines:
<property> <name>ranger.tagsync.atlas.custom.resource.mappers</name> <value>com.starburst.ranger.tagsync.AtlasStarburstResourceMapper</value> </property> <property> <name>ranger.tagsync.atlas.starburst.instance.testing_trino.ranger.service</name> <value>starburst-enterprise</value> </property>
Restart the Tagsync daemon with:
service ranger-tagsync start
Tagsync new setup#
If you are configuring Ranger Tagsync for the first time, follow these steps:
Navigate to the
install.propertiesfile as appropriate for your Ranger installation, following the guidance in the Ranger documentation. Most default URLs in this file as shipped are for
localhost. Identify and update the URLs that apply to your network.
To specify SEP-Ranger-Atlas integration, add lines like the following to
The argument for the
RESOURCE_MAPPERSproperty is the exact literal string as shown.
SERVICE_MAPPINGproperty takes a single string without spaces, composed of three comma-separated arguments:
sep-cluster-name: the name of your SEP cluster from the point of view of Atlas. This is the value you assigned to
atlas.cluster.namein the Atlas plugin configuration file.
starburst: the literal string
ranger-service-name: the value you assigned to
ranger.service-namein the Ranger configuration properties.
setup.sh. This prepares a directory structure and transforms the
install.propertiessettings into an XML configuration file.
Place the downloaded Starburst Ranger TagSync Resource Mapper JAR file in the
libdirectory of the Ranger Tagsync directory.
Start the Tagsync daemon with the Linux
service ranger-tagsync start
Consult the Ranger documentation for further details.