how to do security between services(hive, yarn,etc) to your ranger-plugins and ranger-plugins to ranger-admin ?

stanly_sxiang · ‎04-27-2017

how do you do security for your cluster ? my cluster has several services and I want to secure them. What's your typical configurations for the below 2 parts ?

1. service to ranger-plugin. e.g. hive connect to ranger-hive-plugins, how many types securities are supported ? is there Kerberos ?

2. ranger-plugin to ranger-admin, ranger-plugins fetch policy from ranger-admin ? is there kerberos also or something else ?

mqureshi · ‎04-27-2017

@xiang sheng

1. service to ranger-plugin. e.g. hive connect to ranger-hive-plugins, how many types securities are supported ? is there Kerberos ?

Kerberos is to authenticate across different componentsin Hadoop (pretty much all). Ranger has a plugin for HiveServer2 and that's how Ranger provides authorization for Hive tables.

2. ranger-plugin to ranger-admin, ranger-plugins fetch policy from ranger-admin ? is there kerberos also or something else?

You can use Unix, LDAP or AD to authenticate to Ranger admin.

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.0/bk_security/content/configure_ranger_authen...

For each servce that is kerberized, you will create a os user and kerberos principal and then give that user access to run a plugin process as part of the service. This user is how Ranger is able to access the service(s). See following link:

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.0/bk_security/content/hdfs_plugin_kerberos.ht...