Help Center/ MapReduce Service/ User Guide/ Managing Clusters/ Managing MRS Cluster Components/ Enabling and Disabling Ranger Authentication for an MRS Component
Updated on 2025-12-10 GMT+08:00
View PDF

Enabling and Disabling Ranger Authentication for an MRS Component

By default, the Ranger service is installed and Ranger authentication is enabled for a newly installed cluster with Kerberos authentication enabled. You can use the permission plug-in of the component to establish fine-grained security access policies for accessing component resources. If Ranger authentication is not required, the cluster administrator can manually disable Ranger authentication on the service page. After Ranger authentication is disabled, the system continues to perform permission control based on the role model of Manager when accessing component resources.

In a cluster upgraded from an earlier version, Ranger authentication is not used by default when users access component resources. The cluster administrator can manually enable Ranger authentication after installing the Ranger service.

Notes and Constraints

  • This section applies only to MRS 3.x or later.
  • In a cluster in security mode, the following components support Ranger authentication: HDFS, YARN, Kafka, Hive, HBase, Storm, Impala, HetuEngine, CDL, and Spark/Spark2x.
  • In a cluster in non-security mode, Ranger supports permission control on component resources based on OS users. The following components support Ranger authentication: HBase, HDFS, Hive, Spark/Spark2x, YARN, and HetuEngine (supported in MRS 3.3.0 and later).
  • Once Ranger authentication is enabled, Ranger takes over all component authentication. Permissions set by the original authentication plug-in become invalid, except for the ACL rules of HDFS and YARN, which still take effect. Proceed with caution and ensure permissions are pre-configured in Ranger.
  • Once Ranger authentication is disabled, the component's own permission plug-in takes over all component authentication. Permissions configured in Ranger become invalid. Proceed with caution and ensure permissions are pre-configured on MRS Manager.

Enabling Ranger Authentication

  1. Log in to FusionInsight Manager of the MRS cluster.

    For details about how to log in to FusionInsight Manager, see Accessing MRS Manager.

  2. Choose Cluster > Services.
  3. Click the specified service name on the service management page.
  4. On the service details page, expand the More drop-down list and select Enable Ranger.
  5. In the displayed dialog box, enter the password of the current login user and click OK.
  6. In the service list, restart the service whose configuration has expired.

Disabling Ranger Authentication

  1. Log in to FusionInsight Manager of the MRS cluster.

    For details about how to log in to FusionInsight Manager, see Accessing MRS Manager.

  2. Choose Cluster > Services.
  3. Click the specified service name on the service management page.
  4. On the service details page, expand the More drop-down list and select Disable Ranger.
  5. Enter the password of the current login user and click OK. In the displayed dialog box, click OK.
  6. In the service list, restart the service whose configuration has expired.
Parent Topic: Managing MRS Cluster Components