Best Practices on Ranger, Ranger KMS and Knox

Hi Guys,

For our cluster, we have set up Kerberos, Ranger, Ranger KMS and Knox. Things are working more or less smoothly. Things are functional and probably not optimal. What configurations or settings should we be looking at to make sure things are optimal, or is there any scope for further improvement?

Already visiting: http://hortonworks.com/blog/best-practices-in-hdfs-authorization-with-apache-ranger

Regards.

1 ACCEPTED SOLUTION

Hi @Smart Solutions.

It's tricky to give generic best practice recommendations without knowing a lot of detail about what you are doing or have already done.

There are a few things I can think of off the top of my head.

Ensure you're using HDFS Data Encryption for especially sensitive locations (though you needn't apply it everywhere).

Start looking at things like the refresh rate of your Ranger policies and ensure that's in line with your expectations. Setting the refresh time too low could impact the performance of the Ranger admin, so bear that in mind.

Make sure that you're actually looking at the logging and auditing that Ranger is creating.

Start thinking about how Atlas could start to play a part in your security story. With things like the upcoming tag-based policy control, Ranger + Atlas will be a very powerful combination. For more info take a look at: http://hortonworks.com/hadoop-tutorial/tag-based-policies-atlas-ranger/

Standard practices apply: ensure that people have the least permissions they need (both in terms of access to data and services) to complete their job, no more, no less.

Hope that helps. The fact that you already have Kerberos, Ranger and Knox in place suggests you're already along the right path.

Good luck and hope that helps.
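
One way to act on the auditing and least-privilege points in the answer above, as an added example that is not part of the original thread: a small reviewer for Ranger audit events exported as JSON lines, listing repeated denials and allowed requests that were decided by native HDFS permissions rather than a Ranger policy. The sample events are constructed, and the field names and values (`reqUser`, `resource`, `result` with 0 meaning denied, `enforcer` with `hadoop-acl` meaning native HDFS permissions) are assumptions to confirm against your own audit records.

```python
import json
from collections import Counter

# Constructed sample: one JSON audit event per line. The field names and the
# values (result 0 = denied, enforcer "hadoop-acl" = decided by native HDFS
# permissions) are assumptions; confirm them against your own audit records.
SAMPLE_AUDIT = """\
{"evtTime":"2016-05-02 09:14:01","reqUser":"etl_svc","access":"READ","resource":"/data/raw/events","result":1,"policy":12,"enforcer":"ranger-acl"}
{"evtTime":"2016-05-02 09:15:10","reqUser":"jdoe","access":"READ","resource":"/data/secure/payroll","result":0,"policy":-1,"enforcer":"hadoop-acl"}
{"evtTime":"2016-05-02 09:15:12","reqUser":"jdoe","access":"READ","resource":"/data/secure/payroll","result":0,"policy":-1,"enforcer":"hadoop-acl"}
{"evtTime":"2016-05-02 09:15:15","reqUser":"jdoe","access":"WRITE","resource":"/data/secure/payroll","result":0,"policy":-1,"enforcer":"hadoop-acl"}
{"evtTime":"2016-05-02 09:20:44","reqUser":"asmith","access":"WRITE","resource":"/tmp/scratch","result":1,"policy":-1,"enforcer":"hadoop-acl"}
{"evtTime":"2016-05-02 09:21:03","reqUser":"asmith","access":"READ","resource":"/data/raw/events","result":0,"policy":12,"enforcer":"ranger-acl"}
{"evtTime":"2016-05-02 09:22:00","reqUser":"trunc
"""


def load_events(text):
    """Parse JSON-lines audit text; return (events, count of unparseable lines)."""
    events, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except ValueError:  # truncated or corrupt record: count it, keep going
            skipped += 1
    return events, skipped


def review(events, deny_threshold=3):
    """Summarize denials per (user, resource) and allows decided outside Ranger."""
    denied = Counter((e.get("reqUser"), e.get("resource"))
                     for e in events if e.get("result") == 0)
    repeated = sorted(pair for pair, n in denied.items() if n >= deny_threshold)
    # Allowed by native HDFS permissions: candidates for an explicit Ranger policy.
    outside_ranger = sorted({(e.get("reqUser"), e.get("resource")) for e in events
                             if e.get("result") == 1 and e.get("enforcer") == "hadoop-acl"})
    return {"denied": dict(denied), "repeated": repeated, "outside_ranger": outside_ranger}


if __name__ == "__main__":
    events, skipped = load_events(SAMPLE_AUDIT)
    print(f"{len(events)} events parsed, {skipped} skipped")
    for section, rows in review(events).items():
        print(section, rows)
```
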

2 REPLIES

Just as an aside, if you also happen to be a paying Hortonworks support cluster, I can't speak highly enough about SmartSense, which will analyse the configs of your cluster and provide you with performance, stability and security recommendations specific to your exact environment. This service is included in every support contract. For more info, take a look at: http://hortonworks.com/services/smartsense/

There was also a recent session at the Dublin Hadoop Summit which is worth watching for general tuning suggestions and recommendations (not security specific): https://www.youtube.com/watch?v=sCB6HmfdTZ4