Updated on 2024-09-23 GMT+08:00

Storing Ranger Metadata to RDS

This topic describes how to switch the Ranger metadata of an existing cluster from local storage to an RDS database. Storing the metadata in RDS lets multiple MRS clusters share the same metadata, retains the metadata after the cluster is deleted, and avoids migrating Ranger metadata when a cluster is migrated.

Disabling Ranger Authentication for Cluster Components

This operation is required only for MRS 3.1.0 or later.

  1. Log in to FusionInsight Manager and choose Cluster > Services > Service Name.

    Currently, the following components in an MRS 3.1.x cluster support Ranger authentication: HDFS, HBase, Hive, Spark, Impala, Storm, and Kafka.

  2. In the upper right corner of the Dashboard page, click More and select Disable Ranger. If Disable Ranger is dimmed, Ranger authentication is already disabled, as shown in Figure 1.

    Figure 1 Disabling Ranger authentication

  3. (Optional) To keep using an existing authentication policy, export it from the Ranger web UI before switching. After the Ranger metadata is switched, you can import the exported policy again. The following uses Hive as an example; the export produces a policy file in JSON format in a local directory.

    1. Log in to FusionInsight Manager.
    2. Choose Cluster > Services > Ranger to go to the Ranger service overview page.
    3. Click RangerAdmin in the Basic Information area to go to the Ranger web UI.

      The default admin user in Ranger belongs to the User type and does not see all management pages. To view them, click the username in the upper right corner, select Log Out, and log in again as an administrator as described in the next step.

    4. Log in to the system as user rangeradmin (default password: Rangeradmin@123) or another user who has the Ranger administrator permissions. For details about the user and its default password, see User Account List.
    5. Click the export button in the row where the Hive component is located to export the authentication policy.
      Figure 2 Exporting authentication policies
    6. Click Export. After the export is complete, a policy file in JSON format is generated in a local directory.
      Figure 3 Exporting Hive authentication policies
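Before the exported file is merged back into the new Ranger instance (the import step later on this page), it is worth reviewing what it grants. The following script is an added example and is not part of the MRS documentation or of Ranger itself. It assumes the JSON layout that Apache Ranger's policy export produces (a top-level "policies" list whose entries carry "name", "isEnabled", "service", "resources" and "policyItems"); the embedded sample export is constructed for illustration and the policy names in it are invented. It flags disabled policies, grants to the public group, and wildcard policies that carry "all" access or delegated admin, and lists the service names the file references so they can be checked against the target cluster.

```python
import json

# Constructed sample shaped like an Apache Ranger Hive policy export; not a real export.
SAMPLE_EXPORT = json.dumps({
    "metaDataInfo": {"Exported by": "rangeradmin", "Ranger apache version": "x.y"},
    "policies": [
        {
            "id": 1, "name": "all - database, table, column", "isEnabled": True,
            "service": "Hive", "serviceType": "hive",
            "resources": {
                "database": {"values": ["*"], "isExcludes": False},
                "table": {"values": ["*"], "isExcludes": False},
                "column": {"values": ["*"], "isExcludes": False},
            },
            "policyItems": [{
                "accesses": [{"type": "all", "isAllowed": True}],
                "users": ["hive"], "groups": [], "delegateAdmin": True,
            }],
        },
        {
            "id": 2, "name": "sales read", "isEnabled": True,
            "service": "Hive", "serviceType": "hive",
            "resources": {
                "database": {"values": ["sales"], "isExcludes": False},
                "table": {"values": ["orders"], "isExcludes": False},
                "column": {"values": ["*"], "isExcludes": False},
            },
            "policyItems": [{
                "accesses": [{"type": "select", "isAllowed": True}],
                "users": [], "groups": ["public"], "delegateAdmin": False,
            }],
        },
        {
            "id": 3, "name": "old staging", "isEnabled": False,
            "service": "Hive", "serviceType": "hive",
            "resources": {
                "database": {"values": ["staging"], "isExcludes": False},
                "table": {"values": ["*"], "isExcludes": False},
                "column": {"values": ["*"], "isExcludes": False},
            },
            "policyItems": [{
                "accesses": [{"type": "select", "isAllowed": True}],
                "users": ["etl"], "groups": [], "delegateAdmin": False,
            }],
        },
    ],
})


def load_policies(text):
    """Parse the export and return its policy list; reject files without one."""
    doc = json.loads(text)
    policies = doc.get("policies")
    if not isinstance(policies, list):
        raise ValueError("export has no 'policies' list")
    return policies


def is_wildcard(resources):
    """True when every resource level (database/table/column) is '*'."""
    return bool(resources) and all("*" in r.get("values", []) for r in resources.values())


def review(policies):
    """Return (policy name, reason) pairs worth a second look before import."""
    findings = []
    for p in policies:
        name = p.get("name", "<unnamed>")
        if not p.get("isEnabled", True):
            findings.append((name, "disabled policy; drop it or re-check before merging"))
            continue
        wide = is_wildcard(p.get("resources", {}))
        for item in p.get("policyItems", []):
            allowed = sorted(a["type"] for a in item.get("accesses", []) if a.get("isAllowed", True))
            if "public" in item.get("groups", []):
                findings.append((name, f"grants {allowed} to group 'public'"))
            if wide and ("all" in allowed or item.get("delegateAdmin")):
                findings.append((name, "wildcard resources with 'all' access or delegated admin"))
    return findings


def service_names(policies):
    """Service names referenced by the export; they must exist on the target cluster."""
    return sorted({p.get("service", "") for p in policies})


if __name__ == "__main__":
    # Replace SAMPLE_EXPORT with open("<exported file>.json").read() for a real review.
    pols = load_policies(SAMPLE_EXPORT)
    print("services:", service_names(pols))
    for name, reason in review(pols):
        print(f"{name}: {reason}")
```

Run it against the real export instead of the constructed sample by reading the JSON file the export step produced; the findings are a checklist, not a verdict, since a wildcard policy for the service account is often intended.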

Creating and Configuring an RDS DB Instance

  1. Log in to the RDS console and buy an RDS DB instance. For details, see Buying a DB Instance.

    • To ensure network communications between the cluster and the MySQL or PostgreSQL database, create the instance in the same VPC and subnet as the cluster.
    • Security group rules of the RDS DB instance must allow inbound access from MySQL (default port 3306) and PostgreSQL (default port 5432).

      For example, click the instance name on the RDS console to go to the instance management page. In the Connection Information area, click the name next to Security Group. On the page that is displayed, click the Inbound Rules tab, and click Add Rule. In the displayed Add Inbound Rule dialog box, in the Protocol & Port area, select TCP and enter port number 3306. In the Source area, select IP address and enter the IP addresses of all nodes where the MetaStore instances of Hive are located.

    • Ranger can interconnect with RDS for MySQL databases of the MySQL 5.7.x and 8.0 versions only.
    • Hive can interconnect with RDS for MySQL and PostgreSQL databases. The supported versions are MySQL 5.7.x and 8.0 and PostgreSQL 14.
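The inbound rule described above should admit exactly the nodes that need the database port and nothing more. The following check is an added example, not part of the MRS documentation or the RDS console. The node addresses and inbound rules are constructed, and the rule fields (protocol, port, source CIDR) are assumed to mirror what the Add Inbound Rule dialog asks for. It reports nodes that no rule admits and rules whose source range is wider than the listed nodes, and builds the narrowest rule set that still covers every node; passing port=5432 applies the same check to a PostgreSQL instance.

```python
import ipaddress

DB_PORT = 3306  # MySQL default port, as in the documentation

# Constructed: addresses of the nodes that host Hive MetaStore instances.
METASTORE_NODES = ["192.168.0.11", "192.168.0.12"]

# Constructed inbound rules of the RDS instance's security group. The fields
# mirror the Add Inbound Rule dialog (protocol, port, source) and are assumed.
INBOUND_RULES = [
    {"protocol": "TCP", "port": 3306, "source": "192.168.0.11/32"},
    {"protocol": "TCP", "port": 3306, "source": "0.0.0.0/0"},  # admits the whole Internet
]


def _matches_port(rule, port):
    return rule["protocol"].upper() == "TCP" and rule["port"] == port


def rule_allows(rule, ip, port=DB_PORT):
    """True if this rule admits TCP traffic from ip to port."""
    if not _matches_port(rule, port):
        return False
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule["source"], strict=False)


def uncovered_nodes(rules, nodes, port=DB_PORT):
    """Nodes that no rule admits; their MetaStore could not reach the database."""
    return [ip for ip in nodes if not any(rule_allows(r, ip, port) for r in rules)]


def overly_broad_rules(rules, nodes, port=DB_PORT):
    """Sources of rules on the DB port that admit addresses beyond the listed nodes."""
    broad = []
    for rule in rules:
        if not _matches_port(rule, port):
            continue
        net = ipaddress.ip_network(rule["source"], strict=False)
        needed = sum(1 for ip in nodes if ipaddress.ip_address(ip) in net)
        if net.num_addresses > needed:
            broad.append(rule["source"])
    return broad


def tightened_rules(nodes, port=DB_PORT):
    """One /32 rule per node: the narrowest rule set that still covers every node."""
    return [{"protocol": "TCP", "port": port, "source": f"{ip}/32"} for ip in nodes]


if __name__ == "__main__":
    print("uncovered:", uncovered_nodes(INBOUND_RULES, METASTORE_NODES))
    print("too broad:", overly_broad_rules(INBOUND_RULES, METASTORE_NODES))
    print("suggested:", tightened_rules(METASTORE_NODES))
```

The constructed rule set passes the coverage check only because of the 0.0.0.0/0 rule, which is exactly what the second function surfaces; replacing it with the per-node /32 rules keeps every MetaStore reachable while closing the port to everything else.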

  2. In the navigation pane of the RDS management console, choose Instances. Locate the row containing the RDS DB instance used by MRS data connections, click More in the Operation column, and select Log In to log in to the DB instance as user root.

    Figure 4 Logging in to an RDS DB instance

  3. On the home page of the instance, click Create Database to create a database.

    If no database is created, configuring the MRS data connection fails.

    Figure 5 Creating a database

  4. On the top of the page, choose Account Management > User Management.

    • For clusters earlier than MRS 3.x, if the selected data connection is an RDS MySQL database, ensure that the database user is root. If the user is not root, create a user and grant permissions to it by referring to steps 4 to 6.
    • For MRS 3.x or later clusters, when Type is set to RDS MySQL database, Username must not be root. In this case, create a user and grant permissions to it by referring to steps 4 to 6.

  5. Click Create User to create a non-root user and select all permissions listed in Global Permissions.

    If you are configuring an external RDS data connection for Ranger, you can select only the SELECT, INSERT, CREATE, RELOAD, CREATE USER, and GRANT permissions.

    Figure 6 Creating a user

  6. On the top of the page, choose SQL Operations > SQL Query, switch to the target database by database name, and run the following SQL statements to grant permissions to the database user. In the following statements, ${db_name} and ${db_user} indicate the name of the database to be connected to MRS and the name of the new user, respectively.

    -- Full rights on the metadata database only, plus the right to pass them on.
    grant all privileges on ${db_name}.* to '${db_user}'@'%' with grant option;
    -- RELOAD is a global privilege (needed for FLUSH), so it is granted on *.*.
    grant reload on *.* to '${db_user}'@'%' with grant option;
    -- Make the new grants take effect immediately.
    flush privileges;
    Figure 7 Assigning permissions to database users

Creating an RDS Data Connection for an Existing MRS Cluster

Perform the following steps to create an RDS data connection for an existing MRS cluster.

  1. Log in to the MRS management console, and choose Data Connections in the left navigation pane.
  2. Click Create Data Connection.
  3. Configure parameters according to Table 1.

    Table 1 Parameters for creating a data connection

    Parameter

    Description

    Type

    The type of an external source connection. Value options are as follows:

    • RDS PostgreSQL database. Clusters with Hive installed can connect to this type of database.
    • RDS MySQL database. Clusters with Hive or Ranger installed can connect to this type of database.

    Name

    The name of a data connection.

    Database Instance

    The RDS database instance. This instance must be created in RDS before being referenced here, and the database must have been created. For details, see Creating and Configuring an RDS DB Instance. Click View DB Instance to view the created DB instances.

    Database

    The name of the database to be connected to.

    Username

    The username for logging in to the database to be connected.

    Password

    The password for logging in to the database to be connected.

    If the selected data connection is an RDS MySQL database, ensure that the database user is a root user. If the user is not root, perform operations by referring to Creating and Configuring an RDS DB Instance.

  4. Click OK.

Configuring a Ranger Data Connection

  1. Log in to the MRS console.
  2. Click the name of the cluster to view its details.
  3. Click Manage on the right of Data Connection to go to the data connection configuration page.
  4. Click Configure Data Connection and set related parameters.

  5. Select I understand the consequences of performing the scale-in operation and click Test.
  6. After the test is successful, click OK to complete the data connection configuration.
  7. Log in to FusionInsight Manager.
  8. Choose Cluster > Services > Ranger to go to the Ranger service overview page.
  9. Choose More > Restart Service or More > Service Rolling Restart.

    If you choose Restart Service, services are interrupted during the restart. A Service Rolling Restart minimizes or avoids the impact on running services.

    Restarting Ranger affects the permissions of all components controlled by Ranger and may affect service running. Restart Ranger when the cluster is idle or during off-peak hours. Until Ranger is restarted, its existing policies remain in effect.
    Figure 8 Restarting a service

  10. Enable Ranger authentication for the component to be authenticated. The Hive component is used as an example.

    Currently, the following components in an MRS 3.1.x cluster support Ranger authentication: HDFS, HBase, Hive, Spark, Impala, Storm, and Kafka.
    1. Log in to FusionInsight Manager and choose Cluster > Services > Service Name.
    2. In the upper right corner of the Dashboard page, click More and select Enable Ranger.
      Figure 9 Enabling Ranger authentication

  11. Log in to the Ranger web UI and click the import button in the row of the Hive component.

    Figure 10 Clicking the import button

  12. Set the import parameters.

    • Click Select file and select the authentication policy file exported in step 3.6 of Disabling Ranger Authentication for Cluster Components.
    • Select Merge If Exist Policy.
    Figure 11 Importing authentication policies

  13. Restart the component for which Ranger authentication is enabled.

    1. Log in to FusionInsight Manager.
    2. Choose Cluster > Services > Hive to go to the Hive service overview page.
    3. Choose More > Restart Service or More > Service Rolling Restart.
      Figure 12 Restarting a service

      If you choose Restart Service, services are interrupted during the restart. A Service Rolling Restart minimizes or avoids the impact on running services.