Updated on 2024-10-08 GMT+08:00

Adding a Ranger Access Permission Policy for Impala

This section applies only to MRS 3.1.5 or later.

Scenario

After the MRS cluster with Ranger installed is created, Hive/Impala permission control is integrated into Ranger. Impala reuses Hive permission policies. This section describes how to integrate Hive into Ranger.

Prerequisites

  • The Ranger service has been installed and is running properly.
  • You have created users, user groups, or roles for which you want to configure permissions.

Procedure

  1. For normal clusters with Kerberos authentication disabled, check whether Ranger authentication is enabled for Hive and Impala.

    If Ranger authentication is not enabled, enable Ranger authentication for Hive, restart the Hive service, and then restart the Impala service. Enable Ranger authentication for Impala and restart the Impala service. By default, Ranger is enabled for security clusters with Kerberos authentication enabled. You can skip this step.

  2. For normal clusters, log in to FusionInsight Manager, choose Cluster > Services > Ranger, choose Configurations > All Configurations, and click UserSync(Role). Add the following configuration parameter to the custom configuration item ranger.usersync.config.expandor and restart Ranger. Skip this step for security clusters with Kerberos authentication enabled.

    Parameter

    Value

    ranger.usersync.sync.source

    ldap

  3. Log in to the Ranger web UI as the Ranger administrator rangeradmin. For details, see Logging In to the Ranger Web UI. Select Hive.

  1. Add an access control policy.

    1. In the HADOOP SQL area, click the added service Hive.
    2. Click Add New Policy to add an access control policy.
    3. Set the parameters according to Table 1. Use the default values for the parameters that are not listed in the table.
      Table 1 Parameters

      Parameter

      Description

      Example Value

      Policy Name

      Policy Name

      testuser

      database

      Name of the database that the policy allows to access

      default

      table

      Name of the table corresponding to the database that the policy allows to access

      dataorigin

      Hive Column

      Column name of the table corresponding to the database that the policy allows to access

      name

      Allow Conditions

      • Select Group: user group that the policy allows to access
      • Select User: user in the user group that the policy allows to access
      • Permissions: permissions that the policy allows the user to have
      • Select Group: hive
      • Select User: testuser
      • Permissions: select and Create
      Figure 1 Adding the testuser access policy
    4. Click Add to add the policy. According to the preceding policy, the testuser user in the hive user group has the Create and Select permissions on the name column of the dataorigin table in the default database of Hive, but no permissions to access other columns.

  2. Log in to the Impala client and check whether Ranger has been integrated with Impala.

    1. Log in to the node where the client is installed as the client installation user and run the following command to initialize environment variables:

      source /opt/client/bigdata_env

    2. Set up a connection and log in as user testuser.
      • For normal clusters with Kerberos authentication disabled, run the following command:

        impala-shell -i <Impalad node IP address> -u testuser

      • For security clusters with Kerberos authentication enabled, run the following command:

        kinit testuser

        Enter the password to log in.

        impala-shell -i <Impalad node IP address>

    3. Query data and check whether Ranger is integrated.
      • Failed to run the select * from dataorigin command and an error message indicating insufficient permission is displayed.
      • The select name from dataorigin command is executed successfully and the preset permission is met.

      • If you have specified an HDFS path when running commands, you need to be assigned the read, write, and execution permissions on the HDFS path. For details, see Adding a Ranger Access Permission Policy for HDFS. You do not need to configure the Ranger policy of HDFS. You can use the Hive permission plug-in to add permissions to the role and assign the role to the corresponding user. If the HDFS Ranger policy can match the file or directory permission of the Hive database table, the HDFS Ranger policy is preferentially used.
      • If a table is created in Hive, run the invalidate metadata command in Impala to update metadata. In this case, you need to grant the refresh permission to the user or run the invalidate metadata command as user hive. Otherwise, the following error message is displayed.