Created 06-17-2016 06:59 PM
We have a Kerberized Hadoop cluster with Ranger enabled. If we want to try out Presto, does there need to be a service created in Ranger for Presto? Is there a plugin available for Presto to work with Ranger?
Or
Presto uses HDFS/Hive services which are already plugged in Ranger?
Let me know..
Created 06-17-2016 07:06 PM
At present, Presto is not supported with Ranger. You can control the HDFS and Hive services via Ranger to enable Presto to access those resources, but there won't be any control for Presto security mechanisms.
Currently, the supported components in Ranger (0.5) are HDFS, YARN, Hive, HBase, Kafka, Storm, Knox, and Solr.
Created 06-17-2016 07:17 PM
Hello @emaxwell, thanks for the quick response. My question now is, how is Presto allowed to access HDFS and Hive with Ranger standing between them? My understanding with Ranger is it is kind of a gatekeeper and you need to have a service to go through it. Can you help me here or direct me to a document which I can read?
Another question: what about the Presto auditing? Will Ranger show audit logs related to Presto?
Created 06-18-2016 05:28 PM
The components that are supported by Ranger have plugins that the components use to verify authorization. For example, if Presto wants to read from HDFS, then it will contact the NameNode. The NameNode will use the HDFS Ranger plugin to check the authorization for the presto user on the files it is trying to access.
Created 06-17-2016 09:25 PM
@Bhanu Pittampally Ranger doesn't have a plugin for Presto, so audit related to Presto won't be there in Ranger auditing. Regarding the question on how Presto is allowed to access HDFS and Hive, there might be global policies defined in Ranger allowing it to happen if the Ranger HDFS and Hive plugins are enabled in your environment. Do you see an audit log in Ranger audit for HDFS when you do an HDFS operation via Presto? Check which user is getting authorized. This also happens only when you have the Ranger HDFS plugin enabled and auditing is done for the resource. Same with the Hive case also.
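An added example, not part of the thread and not Ranger's own code: one way to do the check suggested above, tallying HDFS audit records by requesting user, enforcer and outcome. The sample lines are constructed, and the field names (`reqUser`, `enforcer`, `result`, `access`, `resource`) assume the JSON layout Ranger plugins write to their audit destination.

```python
import json
from collections import Counter

# Constructed sample records (assumed Ranger JSON audit layout); the last line
# is deliberately truncated to show that unparsable lines are skipped.
SAMPLE_AUDIT = [
    '{"repoType":1,"repo":"cl1_hadoop","reqUser":"presto","access":"read",'
    '"resource":"/apps/hive/warehouse/sales/part-0","result":1,"policy":12,"enforcer":"ranger-acl"}',
    '{"repoType":1,"repo":"cl1_hadoop","reqUser":"presto","access":"read",'
    '"resource":"/tmp/presto-spill","result":1,"policy":-1,"enforcer":"hadoop-acl"}',
    '{"repoType":1,"repo":"cl1_hadoop","reqUser":"presto","access":"write",'
    '"resource":"/apps/hive/warehouse/sales","result":0,"policy":12,"enforcer":"ranger-acl"}',
    '{"repoType":1,"repo":"cl1_hadoop","reqUser":"hive","access":"read",'
    '"resource":"/apps/hive/warehouse/sales/part-0","result":1,"policy":7,"enforcer":"ranger-acl"}',
    '{"repoType":1,"repo":"cl1_hadoop","reqUser":"pres',
]

def summarize(lines):
    """Return (counts, denied): events per (user, enforcer, outcome) and denied requests."""
    counts = Counter()
    denied = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line
        if not isinstance(ev, dict):
            continue
        outcome = "allowed" if ev.get("result") == 1 else "denied"
        counts[(ev.get("reqUser"), ev.get("enforcer"), outcome)] += 1
        if outcome == "denied":
            denied.append((ev.get("reqUser"), ev.get("access"), ev.get("resource")))
    return counts, denied

if __name__ == "__main__":
    counts, denied = summarize(SAMPLE_AUDIT)
    for (user, enforcer, outcome), n in sorted(counts.items()):
        # "hadoop-acl" means the decision came from native HDFS permissions,
        # not from a Ranger policy.
        print(f"{user:8} {enforcer:11} {outcome:8} {n}")
    for user, access, resource in denied:
        print(f"DENIED {user} {access} {resource}")
```

Rows with enforcer `hadoop-acl` are the ones to look at when a user reaches data through Presto without any matching Ranger policy.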
Created 06-17-2016 09:36 PM
@Ramesh Mani: Thanks for jumping in. I have not installed Presto yet; I am preparing for it and trying to get answers to my questions. So in order for a user to work through Presto to access HDFS/Hive, should there be some global policies created? Am I understanding it correctly?
This question might be related to my first one: if a user has access to HDFS/Hive (enabled through Ranger), can they simply use Presto as an access tool and access the data?
Created 06-17-2016 09:38 PM
I think @emaxwell already answered my other question.
Q: If a user has access to HDFS/Hive (enabled through Ranger), can they simply use Presto as an access tool and access the data?
Answer: You can control the HDFS and Hive services via Ranger to enable Presto to access those resources.