Ranger Basic Principles
Apache Ranger offers a centralized security management framework and supports unified authorization and auditing. It manages fine-grained access control over Hadoop and related components, such as HDFS, Hive, HBase, and Kafka. You can use the web UI console provided by Ranger to configure policies that control users' access to these components.
Figure 1 shows the Ranger architecture.
| Component | Description |
|---|---|
| RangerAdmin | Provides a WebUI and RESTful API to manage policies, users, and auditing. |
| UserSync | Periodically synchronizes user and user group information from an external system and writes the information to RangerAdmin. |
| TagSync | Periodically synchronizes tag information from the external Atlas service and writes the tag information to RangerAdmin. |
Ranger Principles
- Ranger plug-ins

  Ranger provides policy-based access control (PBAC) plug-ins that replace the components' original authorization plug-ins. Ranger plug-ins are developed against the authorization interface of each component. Users set permission policies for specified services on the Ranger web UI. Each Ranger plug-in periodically pulls updated policies from RangerAdmin and caches them in a local file on the component host. When a client request needs to be authorized, the Ranger plug-in matches the user carried in the request against the cached policies and returns an accept or reject decision.

- UserSync user synchronization

  UserSync periodically synchronizes data from LDAP or Unix to RangerAdmin. In security mode, data is synchronized from LDAP; in non-security mode, from Unix. By default, incremental synchronization is used: in each synchronization period, UserSync pushes only users and user groups that are new or have been modified. When a user or user group is deleted from the source, UserSync does not propagate the deletion to RangerAdmin, so the user or user group remains in RangerAdmin. To improve performance, UserSync does not synchronize user groups that have no members.

- Unified auditing

  Ranger plug-ins can record audit logs. Currently, audit logs can be stored in local files or in Elasticsearch; by default, they are stored in local files. To store audit logs in Elasticsearch, enable it by following the instructions in the guide; the audit details of the corresponding components can then be queried on the Audit tab of the Ranger WebUI.

- High reliability

  Ranger supports two RangerAdmins working in active/active mode, so both provide services at the same time. If either RangerAdmin fails, Ranger continues to work.

- High performance

  Ranger provides load balancing. When a user accesses the Ranger WebUI from a browser, the load balancer automatically routes the request to the RangerAdmin with the lightest load.
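The plug-in behaviour described under "Ranger plug-ins" and the audit records described under "Unified auditing" can be modelled in a few dozen lines. The following is an added example, not code from this page or from Apache Ranger: a small policy evaluator that reads a constructed local policy cache, checks deny items before allow items, rejects anything no policy matches (default deny), and emits one JSON audit line per decision. The policy shape (`resources`, `allow`/`deny` items with `users`, `groups`, `accesses`) is a simplified assumption, not Ranger's real policy JSON, and all names and paths are constructed.

```python
"""Added example, not code from the page or from Apache Ranger: a small model
of how a Ranger plug-in authorizes a request against its locally cached
policies.  The policy fields (resources, allow/deny items with users, groups
and accesses) are a simplified, assumed shape, not Ranger's real policy JSON."""
import fnmatch
import json
from dataclasses import asdict, dataclass
from typing import Optional

# Constructed policy cache, standing in for the local file a plug-in writes
# after pulling policies from RangerAdmin.
CACHED_POLICIES = json.loads("""
[
  {"name": "hdfs-analytics-read", "service": "hdfs",
   "resources": {"path": ["/data/analytics/*"]},
   "allow": [{"users": ["alice"], "groups": ["analysts"],
              "accesses": ["read", "execute"]}],
   "deny":  [{"users": [], "groups": ["contractors"],
              "accesses": ["read", "write", "execute"]}]},
  {"name": "hdfs-etl-write", "service": "hdfs",
   "resources": {"path": ["/data/etl/*"]},
   "allow": [{"users": [], "groups": ["etl"], "accesses": ["read", "write"]}],
   "deny":  []}
]
""")


@dataclass
class AccessRequest:
    user: str
    groups: set        # groups the authenticated user belongs to
    resource: str      # e.g. an HDFS path
    access: str        # "read", "write" or "execute"


@dataclass
class AuditEvent:
    user: str
    resource: str
    access: str
    result: str                  # "ALLOWED" or "DENIED"
    policy: Optional[str]        # policy that decided; None when nothing matched


def _item_matches(item: dict, req: AccessRequest) -> bool:
    """A policy item applies if the user or one of the user's groups is listed
    and the requested access type is among the item's accesses."""
    principal_hit = req.user in item["users"] or bool(req.groups & set(item["groups"]))
    return principal_hit and req.access in item["accesses"]


def _resource_matches(policy: dict, req: AccessRequest) -> bool:
    return any(fnmatch.fnmatchcase(req.resource, pat)
               for pat in policy["resources"]["path"])


def evaluate(req: AccessRequest, policies=CACHED_POLICIES):
    """Decide a request the way the plug-in description implies: deny items
    are checked before allow items, and a request matching no policy is
    rejected (default deny).  Returns (allowed, audit_event)."""
    matching = [p for p in policies if _resource_matches(p, req)]
    for p in matching:
        if any(_item_matches(i, req) for i in p["deny"]):
            return False, AuditEvent(req.user, req.resource, req.access, "DENIED", p["name"])
    for p in matching:
        if any(_item_matches(i, req) for i in p["allow"]):
            return True, AuditEvent(req.user, req.resource, req.access, "ALLOWED", p["name"])
    return False, AuditEvent(req.user, req.resource, req.access, "DENIED", None)


def audit_line(event: AuditEvent) -> str:
    """One JSON line per decision, the shape a local-file audit sink could hold."""
    return json.dumps(asdict(event), sort_keys=True)


if __name__ == "__main__":
    for req in (
        AccessRequest("alice", {"analysts"}, "/data/analytics/q1.csv", "read"),
        AccessRequest("bob", {"analysts", "contractors"}, "/data/analytics/q1.csv", "read"),
        AccessRequest("carol", {"etl"}, "/data/etl/part-0000", "write"),
        AccessRequest("carol", {"etl"}, "/data/analytics/q1.csv", "read"),
    ):
        allowed, event = evaluate(req)
        print(allowed, audit_line(event))
```

The second request shows why deny items are evaluated first: `bob` is in a group the allow item names, but his `contractors` membership matches a deny item, so the request is rejected and the audit line names the deciding policy. The last request shows the default-deny path, where the audit event carries no policy name.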
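The incremental behaviour described under "UserSync user synchronization" has an operational consequence worth seeing concretely: accounts deleted at the source remain in RangerAdmin. The following is an added example, not code from this page or from Apache Ranger: a toy synchronizer that pushes only new or modified users each period, skips groups with no members, never propagates deletions, and a helper that lists the accounts left behind. The store layout, class names and sample directories are constructed for the example.

```python
"""Added example, not code from the page or from Apache Ranger: a toy model of
the UserSync behaviour described on this page.  Each period only new or
modified users and groups are pushed to a RangerAdmin store, deletions are
never propagated, and groups without members are skipped.  Store layout,
class names and the sample directories are constructed for the example."""
from dataclasses import dataclass, field


@dataclass
class RangerAdminStore:
    """Stand-in for the user and group data RangerAdmin holds."""
    users: dict = field(default_factory=dict)   # user -> set of group names
    groups: set = field(default_factory=set)


@dataclass
class UserSync:
    """Incremental synchronizer: remembers what it saw in the previous period."""
    last_seen: dict = field(default_factory=dict)

    def sync(self, users: dict, all_groups: set, store: RangerAdminStore):
        """users: user -> groups as read from LDAP or Unix this period;
        all_groups: every group the source knows, including empty ones.
        Returns (pushed_users, skipped_groups)."""
        pushed = []
        for user, groups in users.items():
            if self.last_seen.get(user) != groups:      # new or modified only
                store.users[user] = set(groups)
                pushed.append(user)
        member_groups = set().union(*users.values()) if users else set()
        # Groups with no member are not written to RangerAdmin (performance).
        skipped = all_groups - member_groups
        store.groups |= all_groups & member_groups
        # Users absent from this period's snapshot are simply not mentioned:
        # nothing is ever removed from the store.
        self.last_seen = {u: set(g) for u, g in users.items()}
        return pushed, sorted(skipped)


def stale_accounts(users: dict, store: RangerAdminStore) -> list:
    """Users RangerAdmin still knows but the source directory no longer has.
    UserSync will not delete them, so the account and any policy naming it
    linger in RangerAdmin until an administrator removes them."""
    return sorted(set(store.users) - set(users))


if __name__ == "__main__":
    store, us = RangerAdminStore(), UserSync()
    # Period 1: two users, one group with no members.
    print(us.sync({"alice": {"analysts"}, "bob": {"etl"}},
                  {"analysts", "etl", "empty-grp"}, store))
    # Period 2: alice gained a group, bob was deleted at the source.
    print(us.sync({"alice": {"analysts", "etl"}}, {"analysts", "etl"}, store))
    print(stale_accounts({"alice": {"analysts", "etl"}}, store))
```

Running `stale_accounts` against the current directory snapshot is the kind of periodic check an administrator can use to find accounts that UserSync has, by design, left in RangerAdmin.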