tencent cloud

CHDFS-Ranger-Plugin extends the service types in the Ranger Admin console. You can set the operation permissions related to CHDFS in the Ranger console.

Code address

You can get the code from the ranger-plugin directory at GitHub.

Version

v1.2 or above

Deployment steps

1. Create a COS directory in the service definition directory of Ranger (note: make sure that the directory permissions include at least x and r permissions).
2. For an EMR environment, the path is ranger/ews/webapp/WEB-INF/classes/ranger-plugins.
3. For a self-built Hadoop environment, you can find the components connected to the Ranger service through find hdfs in the ranger directory in order to find the location of the ranger-plugins directory.
   
4. Place cos-chdfs-ranger-plugin-xxx.jar in the CHDFS directory (note: the JAR package should at least have the r permission).
5. Restart Ranger.
6. Register the CHDFS service on Ranger. You can refer to the following command:
   
   ## To generate a service, you need to pass in the password of the Ranger admin account and the address of the Ranger service.
   ## For an EMR cluster, the admin user is root, and the password is the root password set when the EMR cluster is created. Replace the IP of the Ranger service with the master node IP of EMR.
   adminUser=root
   adminPasswd=xxxxxx
   rangerServerAddr=10.0.0.1:6080
   curl -v -u${adminUser}:${adminPasswd} -X POST -H "Accept:application/json" -H "Content-Type:application/json" -d @./chdfs-ranger.json http://${rangerServerAddr}/service/plugins/definitions
   ## To delete the service just defined, you need to pass in the service ID returned during creation.
   serviceId=102
   curl -v -u${adminUser}:${adminPasswd} -X DELETE -H "Accept:application/json" -H "Content-Type:application/json" http://${rangerServerAddr}/service/plugins/definitions/${serviceId}

7. After the service is successfully created, you can see the CHDFS service in the Ranger console as shown below:
   
8. Click + next to the CHDFS service to define a new service instance. The service instance name is customizable; for example, you can enter chdfs or chdfs_test. The service configuration is as shown below:
   
   You need to set the username subsequently used to start the COSRangerService service for policy.grantrevoke.auth.users. We generally recommend you set it to hadoop.
9. Click the generated CHDFS service instance to add a policy as shown below:
   
10. On the displayed page, configure the following parameters as detailed below:
    

• MountPoint: mount point name in the format of f4mxxxxxx-yyyy. You can log in to the CHDFS console to view it.
• Path: path of CHDFS, which must start with /.
  • include: indicates whether the set permission applies to the specified path itself or other paths except it.
  • recursive: indicates that the permission applies to not only the specified path but also the subpaths under it (i.e., recursive subpaths). It is usually used when the path is set as a directory.
• Select Group/Select User: username and user group in logical OR relationship; that is, the operation is authorized as long as the username or user group condition is met.
• Permissions:
  • Read: read operation, which corresponds to the GET and HEAD operations in COS, such as downloading objects and querying object metadata.
  • Write: write operation, which corresponds to the PUT operation in COS, such as uploading objects.
  • Delete: delete operation, which corresponds to the object deletion operation in COS. To rename a path in Hadoop, you need to have the deletion permission for the original path and write permission for the new path.
  • List: traversal permission, which corresponds to the List Object operation in COS.

COSRangerService is the core of the entire permission system. It is responsible for integrating the Ranger client and receiving its authentication requests, token generation and renewal requests, and temporary key generation requests. It is also where sensitive information (Tencent Cloud key information) resides. Generally, it is deployed on a bastion host, and only the cluster admin is allowed to manipulate it and view its configuration.

COSRangerService supports one-primary-multiple-secondary HA deployment. The DelegationToken status is persistently stored in HDFS. The leader role is determined by ZooKeeper lock grabbing. The service that gets the leader role will write its address to ZooKeeper, so that COSRangerClient can perform address routing.

Code address

You can get the code from the cos-ranger-server directory at GitHub.

Version

v1.2 or above

Deployment steps

1. Copy the code of COSRangerService to the servers in the cluster. We recommend you configure at least two servers (one primary server and one secondary server) in the production environment. As sensitive information is involved, we recommend you use bastion hosts or servers with tight permission control.
2. Modify the relevant configuration items in the cos-ranger.xml file. Those that must be modified are as follows. For the description of the configuration items, please see the comments in the file.

• qcloud.object.storage.rpc.address
• qcloud.object.storage.status.port
• qcloud.object.storage.enable.chdfs.ranger
• qcloud.object.storage.zk.address

3. Modify the relevant configuration items in the ranger-chdfs-security.xml file. Those that must be modified are as follows. For the description of the configuration items, please see the comments in the file.

• ranger.plugin.chdfs.policy.cache.dir
• ranger.plugin.chdfs.policy.rest.url
• ranger.plugin.chdfs.service.name

4. Modify the hadoop_conf_path and java.library.path configuration items in start_rpc_server.sh, which point to the directory of the Hadoop configuration file (such as core-site.xml and hdfs-site.xml) and the hadoop native lib path, respectively.
5. Run the following command to start the service.
   

   chmod +x start_rpc_server.sh
   nohup ./start_rpc_server.sh &> nohup.txt &
   

6. If the start fails, check whether the error log contains an error message.
7. COSRangerService supports displaying the HTTP port status (the port name is qcloud.object.storage.status.port, which is 9998 by default). You can run the following command to get the status information (such as whether the leader is contained and the authentication statistics).
   

   # Replace `10.xx.xx.xxx` below with the IP of the server where the Ranger service is deployed
   # Replace 9998 with the value of `qcloud.object.storage.status.port`
   curl -v http://10.xx.xx.xxx:9998/status
   

COSRangerClient is dynamically loaded by the Hadoop CHDFS plugin and proxies all COSRangerService access requests, such as token acquisition and authentication.

Code address

You can get the code from the cos-ranger-client directory at GitHub.

Version

v1.0 or above

Deployment method

1. Copy the cos-ranger-client JAR package to the same directory as the CHDFS plugin (please choose to copy the JAR package consistent with the major version of your Hadoop).
2. Add the following configuration items in core-site.xml:
   
   <configuration>
             <!--*****Required********-->
             <!-- ZooKeeper address. The client finds the address of the Ranger service by ZooKeeper query -->
             <property>
                 <name>qcloud.object.storage.zk.address</name>
                 <value>10.0.0.8:2121</value>
             </property>
              <!--***Optional****-->           
             <!-- Set the Kerberos credentials used by the COSRangerService. Please refer to the configuration of the COSRangerService, which must be consistent. If there are no authentication needs, you can skip this configuration -->
             <property>                
                    <name>qcloud.object.storage.kerberos.principal</name>
                    <value>hadoop/_HOST@EMR-XXXX</value>
             </property>
            <!--***Optional****-->  
           <!-- Ranger server IP path recorded on ZooKeeper. The default value is used here. The configuration must be consistent with that of COSRangerService -->
            <property>              
                   <name>qcloud.object.storage.zk.leader.ip.path</name> 
                   <value>/ranger_qcloud_object_storage_leader_ip</value>
            </property>
   </configuration>
   

Version

v2.1 or above

Deployment method

For the method of deploying the CHDFS plugin, please see Mounting CHDFS Instance. Open Ranger and adding the following:

  <property>
      <name>fs.ofs.ranger.enable.flag</name> 
      <value>true</value>
  </property>