Cloudera Employee

1. Prerequisites

  • Install Ranger
  • Install Knox
  • Test in lower environments
  • Inform stakeholders or plan for a short outage, as a few services require a restart
  • Identify the IP addresses and users to allow access

2. Enable Knox-Ranger Plugin in Ambari

  1. Log in to Ambari > select Ranger > Configs > Ranger Plugin
  2. Enable the Knox Plugin by clicking the “off” button, and restart the required services that Ambari suggests

3. Create a Knox Policy for Hive

After enabling the Knox Plugin for Ranger in Ambari, a Knox policy should be automatically displayed in Ranger.

  1. Select the Knox Policy
  2. Add a new policy if one does not already exist
  3. Grant groups/users access from the required IP addresses

4. Connections Test

Below are the IPs I considered for testing:

  • 172.25.39.156
  • 172.25.40.41

Test Cases:

  • Allow connections through any IPs for the group “sales”
  • Allow connection access only through an IP range for the group “sales”

Case 1: Allow connections through Knox → Hive for any IPs for the group “sales”

Tested connections from both IPs for user Sales1 in group “Sales”; the connections are successful.

Case 2: Allow connections through Knox → Hive only for the IP range 172.25.40.* for the group “sales”

Note: * works as a wild card in Ranger

A few points to consider:

  • Specific IPs can be mentioned
  • Use wildcard (*) for ranges
  • Users who are part of the group but are not connecting from the specified IP range will get an authorization error
  • Users who are outside the group but are connecting from the specified IP range will get an authorization error
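
The decision described in the points above can be checked offline before a policy change. The following is an added example, not code from this article or from Ranger: a simplified model in which a pattern is either an exact IPv4 address or a prefix ending in `.*`. It assumes "any IP" is written as `*`, and the user `hr1` and group `hr` are hypothetical.

```python
# Added example: simplified model of the allow decision described above,
# not Ranger's implementation. Patterns are exact IPv4 addresses or "a.b.c.*".
import ipaddress

def ip_allowed(source_ip, patterns):
    """Return True if source_ip matches any exact or trailing-wildcard pattern."""
    ip = str(ipaddress.IPv4Address(source_ip))  # raises ValueError on malformed input
    for pattern in patterns:
        if pattern == "*":  # assumption: "*" stands for "any IP"
            return True
        if pattern.endswith(".*"):
            # Keep the trailing dot so "172.25.4.*" cannot match 172.25.40.41
            if ip.startswith(pattern[:-1]):
                return True
        elif ip == pattern:
            return True
    return False

def authorize(user, user_groups, source_ip, policy):
    """Allow only when the user/group matches AND the IP condition matches."""
    in_scope = user in policy["users"] or bool(set(user_groups) & set(policy["groups"]))
    return in_scope and ip_allowed(source_ip, policy["ip_patterns"])

# Constructed policies mirroring the two test cases on this page
CASE1 = {"users": [], "groups": ["sales"], "ip_patterns": ["*"]}
CASE2 = {"users": [], "groups": ["sales"], "ip_patterns": ["172.25.40.*"]}

def run_matrix():
    """Evaluate each (user, groups, ip) attempt against both cases."""
    attempts = [
        ("Sales1", ["sales"], "172.25.39.156"),
        ("Sales1", ["sales"], "172.25.40.41"),
        ("hr1", ["hr"], "172.25.40.41"),  # hypothetical user outside the group
    ]
    return [(u, ip, authorize(u, g, ip, CASE1), authorize(u, g, ip, CASE2))
            for u, g, ip in attempts]

if __name__ == "__main__":
    for user, ip, case1, case2 in run_matrix():
        print(f"{user:7} {ip:15} "
              f"case1={'ALLOW' if case1 else 'DENY'} "
              f"case2={'ALLOW' if case2 else 'DENY'}")
```
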

5. Access Granularity suggestions

  • Hortonworks recommends applying group-level restrictions instead of individual users
  • For table-level restrictions, please follow the instructions in the link

We can customize Ranger policies with Dynamic Context; the following article explains the steps in detail:

Customizing Ranger Policies with Dynamic Context
