Updated on 2024-01-17 GMT+08:00

Configuring a Ranger Data Connection

Switch the Ranger metadata of the existing cluster to the metadata stored in the RDS database. This operation enables multiple MRS clusters to share the same metadata, and the metadata will not be deleted when the clusters are deleted. In this way, Ranger metadata migration is not required during cluster migration.

Prerequisites

You have created an RDS MySQL database instance by referring to Creating an RDS Data Connection.

  • For versions earlier than MRS 3.x, if Type is set to RDS MySQL database, Username must be root. If the user is not root, create a user and grant permissions to the user by referring to Preparations.
  • For MRS 3.x or later clusters, when Type is set to RDS MySQL database, Username must not be root. In this case, create a user and grant permissions to the user by referring to Preparations.

Preparing for MySQL Database Ranger Metadata Configuration

This operation is required only for MRS 3.1.0 or later.

  1. Log in to FusionInsight Manager. For details, see Accessing FusionInsight Manager (MRS 3.x or Later). Choose Clusters > Services > Service name.

    Currently, the following components in an MRS 3.1.x cluster support Ranger authentication: HDFS, HBase, Hive, Spark, Impala, Storm, and Kafka.

  2. In the upper right corner of the Dashboard page, click More and select Disable Ranger. If Disable Ranger is dimmed, Ranger authentication is disabled, as shown in Figure 1.

    Figure 1 Disabling Ranger authentication

  3. (Optional) To use an existing authentication policy, perform this step to export the authentication policy on the Ranger web page. After the Ranger metadata is switched, you can import the existing authentication policy again. The following uses Hive as an example. After the export, a policy file in JSON format is generated in a local directory.

    1. Log in to FusionInsight Manager.
    2. Choose Cluster > Services > Ranger to go to the Ranger service overview page.
    3. Click RangerAdmin in the Basic Information area to go to the Ranger web UI.

      The admin user in Ranger belongs to the User type. To view all management pages, click the username in the upper right corner and select Log Out to log out of the system.

    4. Log in to the system as user rangeradmin (default password: Rangeradmin@123) or another user who has the Ranger administrator permissions. For details about the users and their default passwords, see User Account List.
    5. Click the export button in the row where the Hive component is located to export the authentication policy.
      Figure 2 Exporting authentication policies
    6. Click Export. After the export is complete, a policy file in JSON format is generated in a local directory.
      Figure 3 Exporting Hive authentication policies

Configuring a Data Connection for an MRS Cluster

  1. Log in to the MRS console.
  2. Click the name of the cluster to view its details.
  3. Click Manage on the right of Data Connection to go to the data connection configuration page.
  4. Click Configure Data Connection and set related parameters.

    • Component Name: Ranger
    • Module Type: Ranger metadata
    • Connection Type: RDS MySQL database
    • Connection Instance: Select a created RDS MySQL DB instance. For details about how to create a data connection, see Creating an RDS Data Connection.

  5. Select I understand the consequences of performing the scale-in operation and click Test.
  6. After the test is successful, click OK to complete the data connection configuration.
  7. Log in to FusionInsight Manager.
  8. Choose Cluster > Services > Ranger to go to the Ranger service overview page.
  9. Choose More > Restart Service or More > Service Rolling Restart.

    If you choose Restart Service, services will be interrupted during the restart. If you select Service Rolling Restart, rolling restart can minimize the impact or do not affect service running.

    Restarting Ranger will affect the permissions of all components controlled by Ranger and may affect service running. Restart Ranger when the cluster is idle or during off-peak hours. Before the Ranger component is restarted, the policies in the Ranger component still take effect.
    Figure 4 Restarting a service

  10. Enable Ranger authentication for the component to be authenticated. The Hive component is used as an example.

    Currently, the following components in an MRS 3.1.x cluster support Ranger authentication: HDFS, HBase, Hive, Spark, Impala, Storm, and Kafka.
    1. Log in to FusionInsight Manager and choose Cluster > Services > Service Name.
    2. In the upper right corner of the Dashboard page, click More and select Enable Ranger.
      Figure 5 Enabling Ranger authentication

  11. Log in to the Ranger web UI and click the import button in the row of the Hive component.

  12. Import parameters.

    • Click Select file and select the authentication policy file downloaded in 3.f.
    • Select Merge If Exist Policy.
    Figure 6 Importing authentication policies

  13. Restart the component for which Ranger authentication is enabled.

    1. Log in to FusionInsight Manager.
    2. Choose Cluster > Services > Hive to go to the Hive service overview page.
    3. Choose More > Restart Service or More > Service Rolling Restart.
      Figure 7 Restarting a service

      If you choose Restart Service, services will be interrupted during the restart. If you select Service Rolling Restart, rolling restart can minimize the impact or do not affect service running.