
1. Prerequisites

  • Install Ranger
  • Install Knox
  • Test the change in a lower environment first
  • Inform stakeholders or plan for a short outage, as a few services require a restart
  • Identify the client IP addresses and the users/groups that should be allowed access through Knox


2. Enable Knox-Ranger Plugin in Ambari

Log in to Ambari → select Ranger → Configs → Ranger Plugin

Enable the Knox plugin by toggling the "Knox Ranger Plugin" switch from Off to On, save, and restart the services Ambari marks as requiring a restart


3. Create a Knox Policy for Hive

  • After enabling the Knox plugin in Ambari, a Knox service (with a default policy) should appear automatically in Ranger under Access Manager
  • Select the Knox service

Add a new policy if one does not already exist, scoped to the Knox topology and the HIVE service

In the policy's allow condition, select the groups/users to grant access and set the IP Address Range condition to the IP addresses they may connect from

4. Connections Test

The two client IP addresses used for testing:

  • 172.25.39.156
  • 172.25.40.41

Test Cases:

  • Allow connections from any IP for the group "sales"
  • Allow connections only from an IP range for the group "sales"

Case 1: Allow connections through Knox → Hive from any IP for the group "sales"

Test the connection from both IPs as user Sales1 (a member of group "sales"); both connections succeed

Case 2: Allow connections through Knox → Hive only from the IP range 172.25.40.* for the group "sales"

Note: * works as a wildcard in the Ranger IP Address Range condition, so 172.25.40.* covers 172.25.40.0 through 172.25.40.255

A few points to consider:

  • Specific IPs can be listed individually
  • Use the wildcard (*) for ranges
  • Users who are in the group but connect from outside the listed IP range get an authorization error
  • Users who are outside the group but connect from inside the listed IP range also get an authorization error (both the group match and the IP match are required)
  • The address Ranger evaluates is the client address Knox sees; if a load balancer or proxy sits in front of Knox, clients will appear to come from its address, so account for that when choosing the range

Connecting as user Sales1 (a member of group "sales") from 172.25.39.156, which is outside the 172.25.40.* range set in Ranger, fails with an authorization error

Connecting as user Sales1 from 172.25.40.41, which is inside the 172.25.40.* range set in Ranger, succeeds
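The policy from section 3 and the four test outcomes from section 4, as an added example that is not part of the original article and not Apache Ranger or Knox code. The policy dict follows the layout of the Ranger public v2 REST API for the Knox service definition (resources "topology" and "service", access type "allow", policy condition "ip-range") as assumed here; the service name "cl1_knox", the policy names, the user "Hr1"/group "hr" and the two client addresses are constructed for the test. The matcher reproduces the trailing-octet "*" wildcard behaviour described above, and the evaluator applies the two rules from the points list: the caller must match the group AND the IP range.

```python
"""Knox-via-Ranger IP-range policy: build the policy and replay the article's tests.

Added example, not code from the article or from Apache Ranger/Knox. The policy
dict follows the Ranger public v2 REST API layout for the Knox service
definition (resources "topology" and "service", access type "allow", policy
condition "ip-range") as assumed here; the matcher reproduces the trailing
"*" wildcard semantics the article describes, not Ranger's own matcher class.
"""
import base64
import ipaddress
import json
import urllib.request


def knox_ip_policy(service_name, policy_name, groups, ip_ranges=(),
                   topology="default", knox_service="HIVE"):
    """Allow `groups` to reach Knox service `knox_service` in `topology`.

    An empty `ip_ranges` means no ip-range condition, i.e. Case 1 (any IP).
    """
    item = {
        "accesses": [{"type": "allow", "isAllowed": True}],
        "users": [],
        "groups": list(groups),
        "delegateAdmin": False,
    }
    if ip_ranges:  # Case 2: restrict this allow item to the listed ranges
        item["conditions"] = [{"type": "ip-range", "values": list(ip_ranges)}]
    return {
        "service": service_name,  # e.g. "<cluster>_knox" (assumed naming)
        "name": policy_name,
        "isEnabled": True,
        "isAuditEnabled": True,
        "resources": {
            "topology": {"values": [topology], "isExcludes": False, "isRecursive": False},
            "service": {"values": [knox_service], "isExcludes": False, "isRecursive": False},
        },
        "policyItems": [item],
    }


def ip_matches(client_ip, pattern):
    """Exact IPv4 match, or trailing-octet wildcard such as "172.25.40.*".

    Compared octet by octet, so "172.25.4.*" does not cover 172.25.40.41.
    """
    octets = ipaddress.IPv4Address(client_ip).exploded.split(".")
    parts = pattern.split(".")
    if len(parts) > 4 or ("*" not in parts and len(parts) != 4):
        raise ValueError(f"bad ip-range pattern: {pattern!r}")
    for i, part in enumerate(parts):
        if part == "*":
            if any(p != "*" for p in parts[i:]):  # only trailing wildcards
                raise ValueError(f"wildcard must be trailing: {pattern!r}")
            return True
        if part != octets[i]:
            return False
    return True


def is_allowed(policy, user, user_groups, client_ip):
    """Decide like the article's tests: the caller must be named by an allow
    item (user or group) AND satisfy every ip-range condition on that item.
    Items without an ip-range condition apply from any address."""
    for item in policy["policyItems"]:
        named = user in item.get("users", []) or bool(
            set(user_groups) & set(item.get("groups", [])))
        if not named:
            continue
        ranges_ok = all(
            any(ip_matches(client_ip, pat) for pat in cond["values"])
            for cond in item.get("conditions", []) if cond["type"] == "ip-range")
        if ranges_ok and any(a["type"] == "allow" and a["isAllowed"]
                             for a in item["accesses"]):
            return True
    return False  # no matching allow item: denied


def run_article_tests():
    """Replay Case 1 and Case 2 with the two constructed client addresses."""
    ips = ["172.25.39.156", "172.25.40.41"]
    any_ip = knox_ip_policy("cl1_knox", "sales-hive-any-ip", ["sales"])
    ranged = knox_ip_policy("cl1_knox", "sales-hive-subnet", ["sales"], ["172.25.40.*"])
    return {
        "case1_sales1": {ip: is_allowed(any_ip, "Sales1", ["sales"], ip) for ip in ips},
        "case2_sales1": {ip: is_allowed(ranged, "Sales1", ["sales"], ip) for ip in ips},
        "case2_hr1": {ip: is_allowed(ranged, "Hr1", ["hr"], ip) for ip in ips},
    }


def post_policy(ranger_url, admin_user, admin_password, policy, timeout=30):
    """Create the policy through Ranger Admin's public v2 API (network call;
    not exercised by the tests). Returns the stored policy as Ranger echoes it."""
    token = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    req = urllib.request.Request(
        f"{ranger_url.rstrip('/')}/service/public/v2/api/policy",
        data=json.dumps(policy).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": "Basic " + token},
        method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(json.dumps(knox_ip_policy("cl1_knox", "sales-hive-subnet",
                                    ["sales"], ["172.25.40.*"]), indent=2))
    print(json.dumps(run_article_tests(), indent=2))
```

Running the file prints the Case 2 policy JSON and the allow/deny result per case and address; the only result that is True for Sales1 under the ranged policy is 172.25.40.41, and Hr1 is denied from both addresses. To apply the policy for real, call post_policy("https://<ranger-host>:6182", "admin", "<password>", policy) and then repeat the beeline test through Knox with the usual Knox Hive JDBC URL (jdbc:hive2://<knox-host>:8443/;ssl=true;transportMode=http;httpPath=gateway/default/hive, hosts and topology being placeholders) from each client address. If your Ranger version exposes different field names in the Knox service definition, adjust the dict accordingly before posting.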

5. Access Granularity suggestions

  • Hortonworks recommends applying restrictions at the group level rather than to individual users
  • For table-level restrictions, follow the instructions in the linked article

Ranger policies can also be customized with dynamic context; the steps are explained in detail in https://community.hortonworks.com/articles/57314/customizing-ranger-policies-with-dynamic-context.ht...

Last update: 08-10-2018 08:43 PM