Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

What is the Ranger edit service page on HIVE / HDFS meant for?

Labels:
avatar
author-rank jknulst author-rank
Super Collaborator

Created on ‎10-12-2016 02:42 PM - edited ‎08-19-2019 03:04 AM

Hi,

I can't figure out what these pages are meant for exactly within the Ranger component:

8460-rangerii.png

And the HDFS one:

8471-rangeriii.png

I am asking since the Ranger HDFS / HIVE plugins both seem to work fine, policies can be published but nonetheless the 'TEST Connection' on both service configs can fail without upsetting your Ranger setup.

So, what is this about?

1,639 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank rmani author-rank
Super Collaborator

Created ‎10-12-2016 04:38 PM

@Jasper

Ranger service - configuration has details on which hadoop components is using Ranger for authorization and what policies are there which can be enabled / disabled / audited or not. These service definitions gets created when you enable ranger for the respective components from Ambari and restart the service

These properties which are there against the services are used only for Test Connection and Lookup functionality which allows you to select the resource when you maintain policies, i.e auto population of the resource based on the resource name you are going to type in the field.

e.g For Hive when you maintain policies if the "Database" field if there are multiple databases in hive and some of them starts with letter "d" and you type "d" in that field in brings up a list of databases which starts with "d". Same case with HDFS it will bring the matching directories for the "PATH". Same with other components too.

To do this operation, Ranger communicates with respective hadoop component and brings those details. The user and config maintained here will be used for this communication and in kerberos it will be a service principal which will be used. These users will have policy to do these operations.

This is the main purpose of these configuration and it DOESN'T stop you from using the RANGER plugin if the TEST CONNECTION / LOOKUP is not working. It is just for added convenience when maintaining policies. There are lot of misconception around it.

In Kerberos environment in HDP 2.5 where ranger itself is kerberized , there are some "Add New Configuration" parameters get configured which maintains various users which communicates with Ranger admin to download policies, tags, service creation from ambari, service check etc.

View solution in original post

1,483 Views
3 REPLIES 3

avatar
author-rank bhagan author-rank
Super Collaborator

Created ‎10-12-2016 03:58 PM

In order to add policies for services, you first need to define the service. The pages that you reference are the service definitions for Hive and HDFS.

1,483 Views
0 Kudos

avatar
author-rank sshimpi
Super Guru

Created ‎10-12-2016 04:05 PM

@Jasper

Wherever you enable ranger plugin for 1st time and restart the service -[Eg. say HDFS], it will create HDFS repository with cluster name in Ranger Web UI. This repository contains the config params which indicates which cluster-HDFS service its connecting to [incase if there are multiple HDFS repositories in place].

In future if your namenode is moved to different machine the policies will not work and you need to modify the configs on the HDFS repository page accordingly to get it working.

Many reasons I see.. -few are

1. This page shows option to disable repository if you dont want it any more.

2. If you have kerberized cluster then default policies will not work. You need to modify repository settings properly to get the policies working.

etc..

1,483 Views
0 Kudos

avatar
author-rank rmani author-rank
Super Collaborator

Created ‎10-12-2016 04:38 PM

@Jasper

Ranger service - configuration has details on which hadoop components is using Ranger for authorization and what policies are there which can be enabled / disabled / audited or not. These service definitions gets created when you enable ranger for the respective components from Ambari and restart the service

These properties which are there against the services are used only for Test Connection and Lookup functionality which allows you to select the resource when you maintain policies, i.e auto population of the resource based on the resource name you are going to type in the field.

e.g For Hive when you maintain policies if the "Database" field if there are multiple databases in hive and some of them starts with letter "d" and you type "d" in that field in brings up a list of databases which starts with "d". Same case with HDFS it will bring the matching directories for the "PATH". Same with other components too.

To do this operation, Ranger communicates with respective hadoop component and brings those details. The user and config maintained here will be used for this communication and in kerberos it will be a service principal which will be used. These users will have policy to do these operations.

This is the main purpose of these configuration and it DOESN'T stop you from using the RANGER plugin if the TEST CONNECTION / LOOKUP is not working. It is just for added convenience when maintaining policies. There are lot of misconception around it.

In Kerberos environment in HDP 2.5 where ranger itself is kerberized , there are some "Add New Configuration" parameters get configured which maintains various users which communicates with Ranger admin to download policies, tags, service creation from ambari, service check etc.

1,484 Views
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements