Original: Compiling and installing Ranger in a Kerberos + HA environment




Tags (space-separated): deployment docs; please credit the source when reposting


1. Downloading and compiling the code

git clone https://github.com/apache/incubator-ranger.git
cd incubator-ranger
git checkout ranger-0.5

mvn clean compile package assembly:assembly install

During the download I hit a problem with the Python hash library; reinstalling Python fixed it.
The build also frequently times out while fetching dependencies; retrying a few times resolves it.

The compiled artifacts are placed under the target directory.

2. Installing the ranger-admin console

1) Install the MySQL database

Configure my.cnf:

basedir =/home/bae/dataplatform/jumbo
datadir =/home/bae/dataplatform/jumbo/var
port = 3309
socket = /home/bae/dataplatform/jumbo/var/mysql.sock

Start MySQL:
./bin/mysql_install_db
./share/mysql/mysql.server start

2) Generate a keytab for each module

addprinc -randkey rangeradmin/hostA@EXAMPLE.COM

xst -k /home/bae/dataplatform/kerberos/keytab/rangeradmin.keytab rangeradmin/hostA@EXAMPLE.COM

addprinc -randkey rangerlookup/hostA@EXAMPLE.COM

xst -k /home/bae/dataplatform/kerberos/keytab/rangerlookup.keytab rangerlookup/hostA@EXAMPLE.COM

addprinc -randkey rangerusersync/hostA@EXAMPLE.COM

xst -k /home/bae/dataplatform/kerberos/keytab/rangerusersync.keytab rangerusersync/hostA@EXAMPLE.COM

addprinc -randkey rangertagsync/hostA@EXAMPLE.COM

xst -k /home/bae/dataplatform/kerberos/keytab/rangertagsync.keytab rangertagsync/hostA@EXAMPLE.COM
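As an added check that is not part of the original post: before pointing ranger-admin or usersync at a keytab written by xst, it is worth confirming the file really holds the expected principal and a sane kvno (a stale kvno after a re-run of addprinc -randkey is a classic cause of "Checksum failed" at start-up). The Python below reads the MIT keytab format directly, so it works on a host without klist. The keytab content is constructed inside the script; the principal names are the ones used in this post, and the 16-byte dummy keys are assumptions.

```python
# Added example, not part of the original post: a reader for the MIT keytab
# file format (version 0x0502) so that a keytab produced by "xst -k" can be
# checked for the expected principal and kvno before ranger-admin or usersync
# is pointed at it. The writer exists only to build a constructed sample
# offline; on a real host pass open(path, "rb").read() to read_keytab.
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Assumed entry layout (MIT krb5 keytab, version 0x0502):
#   int32 size | uint16 ncomponents | realm | component... | uint32 name_type
#   | uint32 timestamp | uint8 vno8 | uint16 enctype | key | [uint32 vno]
# realm, components and key are uint16-length-prefixed byte strings.


@dataclass
class KeytabEntry:
    principal: str      # e.g. "rangeradmin/hostA@EXAMPLE.COM"
    kvno: int
    enctype: int
    timestamp: int


def _octets(data: bytes) -> bytes:
    return struct.pack(">H", len(data)) + data


def _take(buf: bytes, pos: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def write_keytab(entries) -> bytes:
    """Serialize (principal, kvno, enctype, key) tuples into a keytab image."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _octets(realm.encode())
        for c in comps:
            body += _octets(c.encode())
        # name_type 1 = KRB5_NT_PRINCIPAL, timestamp 0, 8-bit kvno
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _octets(key)
        body += struct.pack(">I", kvno)      # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def read_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                     # negative size marks a deleted slot
            pos += -size
            continue
        entry, end = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        realm, p = _take(entry, 2)
        comps = []
        for _ in range(ncomp):
            c, p = _take(entry, p)
            comps.append(c.decode())
        _name_type, ts, vno8 = struct.unpack_from(">IIB", entry, p)
        p += 9
        (enctype,) = struct.unpack_from(">H", entry, p)
        _key, p = _take(entry, p + 2)    # key material is not needed for listing
        kvno = vno8
        if p + 4 <= len(entry):          # optional 32-bit kvno wins when non-zero
            (kvno32,) = struct.unpack_from(">I", entry, p)
            if kvno32:
                kvno = kvno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype, ts))
        pos = end
    return entries


def has_principal(data: bytes, principal: str) -> bool:
    """True if the keytab holds at least one key for exactly this principal."""
    return any(e.principal == principal for e in read_keytab(data))


# Constructed sample: the four service principals from this section with dummy
# 16-byte keys (enctype 17 = aes128-cts-hmac-sha1-96) and kvno 2.
SAMPLE_KEYTAB = write_keytab([
    ("%s/hostA@EXAMPLE.COM" % svc, 2, 17, bytes([i] * 16))
    for i, svc in enumerate(["rangeradmin", "rangerlookup", "rangerusersync", "rangertagsync"], 1)
])

if __name__ == "__main__":
    for e in read_keytab(SAMPLE_KEYTAB):
        print("kvno %d enctype %d %s" % (e.kvno, e.enctype, e.principal))
```

Note that the service keytab contains rangeradmin/hostA@EXAMPLE.COM and not the plain user principal rangeradmin@EXAMPLE.COM created later for the console login; the two are distinct principals with distinct keys, which is exactly what the check above makes visible.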

3) Configure ranger-admin

Extract ranger-0.5.4-SNAPSHOT-admin.tar.gz into the install directory and edit install.properties; the options that need changing are:

SQL_CONNECTOR_JAR=/home/bae/dataplatform/jumbo/lib/mysql/mysql-connector-java-5.1.41-bin.jar
db_root_user=root
db_root_password=
db_host=hostMysql:3309

db_name=ranger
db_user=rangeradmin
db_password=123456


audit_store=db
audit_db_name=ranger_audit
audit_db_user=rangerlogger
audit_db_password=123456


policymgr_external_url=http://localhost:8070
policymgr_http_enabled=true

unix_user=work
unix_group=work


spnego_principal=HTTP/hostA@EXAMPLE.COM
spnego_keytab=/home/bae/dataplatform/kerberos/keytab/spnego.service.keytab
token_valid=30
cookie_domain=hostA
cookie_path=/

admin_principal=rangeradmin/hostA@EXAMPLE.COM
admin_keytab=/home/bae/dataplatform/kerberos/keytab/rangeradmin.keytab
lookup_principal=rangerlookup/hostA@EXAMPLE.COM
lookup_keytab=/home/bae/dataplatform/kerberos/keytab/rangerlookup.keytab

Run ./setup.sh (as root, otherwise groupadd fails with a permission error)

Problems encountered:

a) Error:

SQLException : SQL state: 28000 java.sql.SQLException: Access denied for user 'rangeradmin'@'hostA' (using password: YES) ErrorCode: 1045

Checking the user table showed that the user had been created, but this host had not been granted access

create user 'rangeradmin'@'hostA' identified by '123456';
flush privileges;

b) After changing policymgr_external_url to http://localhost:8070, port 8070 never came up

In conf/ranger-admin-site.xml I found

<property>
<name>ranger.service.http.port</name>
<value>6080</value>
</property>

This value needs to be changed as well.

c) After ranger-admin stop/start the console is visible. Note that the Tomcat log is in ews/logs/catalina.out

Verify: open http://localhost:8070 and log in with admin/admin
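Problem (b) above is easy to repeat on every host because install.properties and conf/ranger-admin-site.xml are edited separately. As an added example that is not part of the original post, the following Python reads both files and reports when the port in policymgr_external_url disagrees with ranger.service.http.port, or when the admin, lookup and SPNEGO principals do not share the same host/realm instance. The two file excerpts are constructed to reproduce the 8070/6080 mismatch; on a real install read them from the ranger-admin directory.

```python
# Added example, not part of the original post: a consistency check between
# ranger-admin's install.properties and conf/ranger-admin-site.xml that catches
# the case where policymgr_external_url names one port and
# ranger.service.http.port another, so nothing listens where usersync and the
# plugins are told to connect. The sample files are constructed.
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

INSTALL_PROPERTIES = """\
# constructed excerpt of install.properties
policymgr_external_url = http://localhost:8070
policymgr_http_enabled=true
spnego_principal=HTTP/hostA@EXAMPLE.COM
admin_principal=rangeradmin/hostA@EXAMPLE.COM
lookup_principal=rangerlookup/hostA@EXAMPLE.COM
"""

RANGER_ADMIN_SITE = """\
<configuration>
  <property><name>ranger.service.http.port</name><value>6080</value></property>
</configuration>
"""


def parse_properties(text):
    """key=value lines; blank lines and '#' comments are skipped, spaces around '=' tolerated."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def parse_site_xml(text):
    """Hadoop-style <configuration><property><name/><value/></property> into a dict."""
    root = ET.fromstring(text)
    return {p.findtext("name"): (p.findtext("value") or "").strip() for p in root.iter("property")}


def check_admin_config(props, site):
    """Return a list of human-readable findings; an empty list means consistent."""
    findings = []
    url = urlparse(props.get("policymgr_external_url", ""))
    expected_port = url.port or (443 if url.scheme == "https" else 80)
    # This post runs the console over plain HTTP, so compare with the http port key;
    # an https deployment would compare against the https port key instead.
    actual = site.get("ranger.service.http.port")
    if actual is None or not actual.isdigit() or int(actual) != expected_port:
        findings.append("ranger.service.http.port=%s but policymgr_external_url expects port %d"
                        % (actual, expected_port))
    # every principal configured for this host should carry the same host/realm instance
    instances = set()
    for key in ("spnego_principal", "admin_principal", "lookup_principal"):
        principal = props.get(key, "")
        if "/" in principal and "@" in principal:
            instances.add(principal.split("/", 1)[1])
    if len(instances) > 1:
        findings.append("principals disagree on host/realm: " + ", ".join(sorted(instances)))
    return findings


if __name__ == "__main__":
    for f in check_admin_config(parse_properties(INSTALL_PROPERTIES), parse_site_xml(RANGER_ADMIN_SITE)):
        print("MISMATCH:", f)
```

Run it once after editing install.properties and again after setup.sh, since setup.sh regenerates ranger-admin-site.xml from the properties file and a leftover hand edit is the usual way the two drift apart.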

3. Installing the usersync process

The purpose of this install is to sync users from Unix or LDAP into Ranger.

Copy the compiled ranger-0.5.4-SNAPSHOT-usersync.tar.gz to a suitable directory and extract it

Edit install.properties (to sync the local Unix users):

POLICY_MGR_URL = http://localhost:8070
# sync source,  only unix and ldap are supported at present
# defaults to unix
SYNC_SOURCE = unix
#User and group for the usersync process
unix_user=work
unix_group=work
logdir=/home/bae/dataplatform/ranger-0.5.4-SNAPSHOT-usersync/logs/ranger/usersync
usersync_principal=rangerusersync/hostA@EXAMPLE.COM
usersync_keytab=/home/bae/dataplatform/kerberos/keytab/rangerusersync.keytab
hadoop_conf=/home/bae/dataplatform/hadoop/conf/

Run ./setup.sh as root
Start usersync: ./ranger-usersync-services.sh start
Verify: in the Ranger console, under Settings -> Users/Groups, check whether the local accounts have been synced.

4. Installing the hdfs-plugin (only on the active and standby NameNodes of the cluster)

To let Ranger control HDFS, the plugin must be installed

Copy ranger-0.5.4-SNAPSHOT-hdfs-plugin.tar.gz to the target directory and extract it. Edit install.properties:

POLICY_MGR_URL=http://hostA:8070
SQL_CONNECTOR_JAR=/home/bae/dataplatform/jumbo/lib/mysql/mysql-connector-java-5.1.41-bin.jar
REPOSITORY_NAME=hadoopdev (must match the repository name configured later in the console)
XAAUDIT.DB.IS_ENABLED=true
XAAUDIT.DB.FLAVOUR=MYSQL
XAAUDIT.DB.HOSTNAME=hostA:3309
XAAUDIT.DB.DATABASE_NAME=ranger_audit
XAAUDIT.DB.USER_NAME=rangeradmin
XAAUDIT.DB.PASSWORD=123456

CUSTOM_USER=work
CUSTOM_GROUP=work

Create the symlinks that hadoop_conf points at:
ln -s /home/bae/dataplatform/hadoop-2.7.2 /home/bae/dataplatform/hadoop
ln -s /home/bae/dataplatform/hadoop-2.7.2/etc/hadoop/ /home/bae/dataplatform/hadoop-2.7.2/conf

Confirm that $HADOOP_HOME contains a lib directory; if not, the native libs need to be built. Build instructions:

http://hadoop.apache.org/docs/r2.7.3/hadoop-project-dist/hadoop-common/NativeLibraries.html

Enable the hdfs-plugin as root:

./enable-hdfs-plugin.sh (run as root)

Restart the NameNode process:

Add the Ranger jars newly placed under $HADOOP_HOME/lib to the HADOOP_CLASSPATH variable

by adding the following to conf/hadoop-env.sh:

for f in $HADOOP_HOME/lib/*.jar; do
  if [ "$HADOOP_CLASSPATH" ]; then
    export HADOOP_CLASSPATH=$HADOOP_CLASSPATH:$f
  else
    export HADOOP_CLASSPATH=$f
  fi
done

Restart the NameNode (if it reports a JDBC method not found, copy mysql-connector-java-5.1.41-bin.jar into $HADOOP_HOME/lib and restart)

5. Adding the plugin configuration in the Ranger console:

First create a Kerberos principal with a password

addprinc -pw password rangeradmin@example.com

Edit core-site.xml to add the mappings:

RULE:[2:$1@$0](rangeradmin@EXAMPLE.COM)s/.*/work/
RULE:[1:$1@$0](rangeradmin@EXAMPLE.COM)s/.*/work/

Restart the NameNode for this to take effect, and restart ranger-admin
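Why two rules? A Hadoop auth_to_local rule only fires for principals with exactly the number of components given in the brackets, so [2:$1@$0] covers the service principal rangeradmin/hostA@EXAMPLE.COM while [1:$1@$0] covers the user principal rangeradmin@EXAMPLE.COM that the console logs in with; with only one of them, the other principal would fall through and the NameNode would reject the lookup. As an added example that is not part of the original post, the Python below is a small evaluator for the rule syntax used here, modelled on Hadoop's KerberosName class, applied to the principals in this post. The rule text is the one from core-site.xml above plus DEFAULT; the default realm EXAMPLE.COM is assumed.

```python
# Added example, not part of the original post: a small evaluator for Hadoop
# auth_to_local rules of the shape RULE:[n:format](regex)s/pattern/replacement/
# plus DEFAULT, modelled on Hadoop's KerberosName class. A rule only applies
# to principals with exactly n components before the realm, which is why the
# core-site.xml above needs a [2:...] rule for rangeradmin/hostA@EXAMPLE.COM and
# a [1:...] rule for rangeradmin@EXAMPLE.COM. Inputs are constructed; only the
# regex/sed subset used in this post is handled.
import re

RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]+)\]"                            # [n:format]
    r"(?:\(([^)]+)\))?"                                   # optional (regex) the formatted name must fully match
    r"(?:s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?))?"    # optional s/pattern/replacement/[g]
)

CORE_SITE_RULES = """
RULE:[2:$1@$0](rangeradmin@EXAMPLE.COM)s/.*/work/
RULE:[1:$1@$0](rangeradmin@EXAMPLE.COM)s/.*/work/
DEFAULT
"""


def parse_rules(text):
    """One rule per whitespace-separated token, in evaluation order. None stands for DEFAULT."""
    rules = []
    for token in text.split():
        if token == "DEFAULT":
            rules.append(None)
            continue
        m = RULE_RE.fullmatch(token)
        if not m:
            raise ValueError("unparseable rule: " + token)
        n, fmt, match, pattern, repl, flag = m.groups()
        rules.append((int(n), fmt, match, pattern, repl, flag == "g"))
    return rules


def map_principal(principal, rules, default_realm="EXAMPLE.COM"):
    """Return the short (local) user name for a principal, or raise if no rule matches."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    for rule in rules:
        if rule is None:
            # DEFAULT: a principal in the local realm maps to its first component
            # (as Hadoop's own KerberosName does); other realms fall through
            if realm == default_realm:
                return comps[0]
            continue
        n, fmt, match, pattern, repl, global_sub = rule
        if n != len(comps):
            continue                       # rule is for a different component count
        # build the name to test: $0 is the realm, $1..$n the components
        candidate = fmt.replace("$0", realm)
        for i, comp in enumerate(comps, 1):
            candidate = candidate.replace("$%d" % i, comp)
        if match and not re.fullmatch(match, candidate):
            continue
        if pattern:
            candidate = re.sub(pattern, repl, candidate, count=0 if global_sub else 1)
        if "/" in candidate or "@" in candidate:
            raise ValueError("rule produced a non-simple name: " + candidate)
        return candidate
    raise ValueError("no matching rule for " + principal)


if __name__ == "__main__":
    rules = parse_rules(CORE_SITE_RULES)
    for p in ("rangeradmin/hostA@EXAMPLE.COM", "rangeradmin@EXAMPLE.COM", "hdfs@EXAMPLE.COM"):
        print(p, "->", map_principal(p, rules))
```

The same evaluator is a quick way to confirm the single rule pasted into the repo's hadoop.security.auth_to_local field below: that field only carries the [1:...] rule, which is enough for the console's user principal but would not map the rangeradmin/hostA service principal.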

In Service Manager -> hdfs add the hadoopdev repo (the name must match the one set in the hdfs plugin)

username:rangeradmin@example.com
password:password
namenode url:hdfs://hostB:8900
Authorization Enabled:yes
Authentication Type:kerberos
hadoop.security.auth_to_local:RULE:[1:$1@$0](rangeradmin@EXAMPLE.COM)s/.*/work/
dfs.datanode.kerberos.principal:dn/_HOST@EXAMPLE.COM
dfs.namenode.kerberos.principal:nn/_HOST@EXAMPLE.COM
dfs.secondary.namenode.kerberos.principal:nn/_HOST@EXAMPLE.COM
RPC Protection Type:Authentication

dfs.nameservices = smallfile
dfs.ha.namenodes.smallfile= nn1,nn2
dfs.namenode.rpc-address.nn1 = hostB:8900
dfs.namenode.rpc-address.nn2 = hostC:8900
dfs.client.failover.proxy.provider.smallfile = org.apache.hadoop.hdfs.server.namenode.ha.ConfiguredFailoverProxyProvider

The username/password must be a valid Kerberos principal and its password.

Click Test Connection; if it succeeds, click Save.

Verify that the plugin was added: check whether the corresponding plugin appears under Audit -> Plugins.

6. Testing Ranger authorization on HDFS

Note that you must first withdraw the permissions on HDFS itself, for example by setting a directory's mode to 000, so that access is controlled entirely by Ranger policies. Otherwise the broader HDFS permissions are what takes effect.

Under Audit -> Access, the Access Enforcer column shows whether ranger-acl or hadoop-acl was the one applied.

Reference documents:

https://cwiki.apache.org/confluence/display/RANGER/Apache+Ranger+0.5.0+Installation#ApacheRanger0.5.0Installation-InstallandconfigureSolrorSolrCloud

Installing Ranger in a Kerberos environment:

https://cwiki.apache.org/confluence/display/RANGER/Ranger+installation+in+Kerberized++Environment

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.2/bk_Security_Guide/content/hdfs_plugin_kerberos.html