Deploy Ranger Kubernetes clusters #
Global access control in Starburst Enterprise platform (SEP) allows you to create, manage, and store access control policies for objects that SEP has access to, including:
- Catalogs
- Schemas
- Views
- Tables
- Columns
- Rows
- Procedures
- Session Properties
Ranger access control policies can grant or revoke access to any of the objects listed above, and are stored in a backing PostgreSQL database.
Ranger is deployed via a separate Kubernetes (K8s) Helm chart. The chart has several key sections:
- Registry credentials
- A required administration container
- The required backing database
- An optional usersync container
You can configure multiple Starburst clusters to use the same Ranger instance. Once deployed, Ranger is available within the cluster and can be accessed internally using http://ranger:6080. External access is controlled via the DNS configured for Ranger ingress.
This document assumes you are familiar with Ranger, as well as Helm charts and K8s tools such as kubectl. We recommend that you review the following before deploying Ranger:
- SEP K8s best practices
- SEP K8s requirements
Edit the Helm chart #
Our reference documentation provides details about the content of the Ranger Helm chart, including YAML sections not discussed here.
Provide your registry credentials #
We recommend that you use a separate registry-access.yaml file across all Helm charts as described in our SEP K8s installation instructions.
Alternatively, you can edit the registryCredentials: node of the Ranger Helm chart to include them.
Configure the Ranger server #
The following values must be defined in the admin: node of the Ranger Helm chart:
- CPU resources for requests and limits - The defaults are sufficient for most environments; however, they must work with the instance type you are using.
- Memory resources for requests and limits - The defaults are sufficient for most environments; however, they must work with the instance type you are using.
- Passwords - You must supply all passwords in the passwords: node.
You can read more about the admin: top-level node in our reference documentation.
Configure Usersync #
Usersync automates the process of adding users to Ranger for policy enforcement by synchronizing users and groups from LDAP and Active Directory.
At a minimum, the env: properties in the top-level usersync: node must be defined correctly for your environment. For all Ranger Helm chart usersync properties, see our reference documentation.
Configure the PostgreSQL backing database #
The configuration properties for the PostgreSQL database that stores policy information are found in the database: top-level node. As a minimal customization, you must ensure that the following are set correctly for your environment:
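database:
  type: "internal"
  internal:
    port: 5432
    databaseName: "ranger"
    databaseUser: "ranger"
    # Sample value; set your own password for your environment
    databasePassword: "RangerPass123"
    databaseRootUser: "rangeradmin"
    # Sample value; set your own password for your environment
    databaseRootPassword: "RangerAdminPass123"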
You may also configure volume: persistence and resources, as well as the resources: for the backing database itself in the database: node. For a complete list of available backing database properties, see our reference documentation.
Configure TLS (optional) #
If your organization uses TLS, you must enable and configure Ranger to work with it. The most straightforward way to handle TLS is to terminate TLS at the load balancer or ingress, using a signed certificate. This method requires no additional configuration for Ranger. Ranger can also be configured to listen on HTTPS directly.
If you choose not to handle TLS using those methods, you can instead configure it in the usersync: and expose: top-level nodes of the Ranger Helm chart.
Deploy Ranger #
When Ranger is configured as desired for your organization, run the following command to deploy it:
$ helm upgrade -i ranger starburst/starburst-ranger -f ranger-values.yaml
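A pre-deploy check for the values file, added here as an example and not part of the Starburst chart or its tooling: it flags passwords that are empty or still set to the sample values shown in the database: snippet above. It assumes plain block-style YAML with flat entries under passwords:; the key name exampleAccount is hypothetical and the sample file is constructed.

```shell
# Added example: lint a Ranger values file for empty or documentation-sample
# passwords before deploying. Not part of the Starburst chart or its tooling.

# Sample values printed in the database: snippet on this page.
DOC_SAMPLES='RangerPass123 RangerAdminPass123'

# Prints one finding per line; returns 1 if anything was found, 0 if clean.
# Assumes plain block-style YAML with flat scalar entries under passwords:.
lint_ranger_values() {
  awk -v samples="$DOC_SAMPLES" '
    function check(key, val) {
      if (val == "")       { printf "line %d: %s is empty\n", NR, key; found++ }
      else if (val in bad) { printf "line %d: %s is a documentation sample\n", NR, key; found++ }
    }
    BEGIN { n = split(samples, s, " "); for (i = 1; i <= n; i++) bad[s[i]] = 1 }
    /^ *#/ || /^ *$/ { next }                          # skip comments and blank lines
    {
      t = $0; sub(/^ +/, "", t); ind = length($0) - length(t)   # indentation depth
      if (inblock && ind <= blockind) inblock = 0      # left the passwords: node
      key = t; sub(/:.*/, "", key)
      val = t; sub(/^[^:]*:[ ]*/, "", val); sub(/[ ]+#.*$/, "", val)
      sub(/^["\047]/, "", val); sub(/["\047]$/, "", val)        # strip quotes
      if (key == "passwords") { inblock = 1; blockind = ind; next }
      if (inblock || key ~ /[Pp]assword$/) check(key, val)
    }
    END { exit (found > 0) }
  ' "$1"
}

# Constructed values file: the sample database passwords from this page plus a
# hypothetical empty entry (exampleAccount) under admin.passwords.
sample=$(mktemp)
cat > "$sample" <<'EOF'
admin:
  passwords:
    exampleAccount: ""
database:
  type: "internal"
  internal:
    databaseUser: "ranger"
    databasePassword: "RangerPass123"
    databaseRootPassword: "RangerAdminPass123"
EOF

lint_ranger_values "$sample" || echo "refusing to deploy: fix the findings above"
rm -f "$sample"
```

To gate the deployment on the check, run lint_ranger_values ranger-values.yaml && helm upgrade -i ranger starburst/starburst-ranger -f ranger-values.yaml.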