基于apache Ranger开源项目源代码进行二次开发,实现支持CDH集成的Ranger安全管理系统。另外需要在CDH管理界面上配置部分参数。
本文档经过测试验证的CDH和ranger版本:
CDH版本:6.3.2
Apache Ranger版本:2.0.0
CDH在重启组件服务时为组件服务独立启动进程运行,动态生成运行配置文件目录和配置文件,ranger插件配置文件部署到CDH安装目录无法被组件服务读取到。
基于ranger 源代码二次开发,在agents-common模块org.apache.ranger.plugin.service
.RangerBasePlugin类init()方法内部开始处插入copyConfigFile()方法调用,并定义copyConfigFile()方法,实现复制ranger配置文件到CDH组件服务的运行配置文件目录:
private void copyConfigFile() {
String serviceHome = "CDH_" + this.serviceType.toUpperCase() + "_HOME";
if ("CDH_HDFS_HOME".equals(serviceHome)) {
serviceHome = "CDH_HADOOP_HOME";
}
serviceHome = System.getenv(serviceHome);
File dir = new File(serviceHome);
String userDir = System.getProperty("user.dir");
File destDir = new File(userDir);
IOFileFilter regexFileFilter = new RegexFileFilter("ranger-.+xml");
Collection configFileList = FileUtils.listFiles(dir, regexFileFilter, TrueFileFilter.INSTANCE);
for (File rangerConfigFile : configFileList) {
try {
FileUtils.copyFileToDirectory(rangerConfigFile, destDir);
} catch (IOException e) {
LOG.error("Copy ranger config file failed.", e);
}
}
}
修改agents-common模块enable-agent.sh脚本文件:
HCOMPONENT_LIB_DIR=${HCOMPONENT_INSTALL_DIR}/share/hadoop/hdfs/lib
修改为:
HCOMPONENT_LIB_DIR=${HCOMPONENT_INSTALL_DIR}
elif [ "${HCOMPONENT_NAME}" = "kafka" ]; then
HCOMPONENT_CONF_DIR=${HCOMPONENT_INSTALL_DIR}/config
修改为:
elif [ "${HCOMPONENT_NAME}" = "kafka" ]; then
HCOMPONENT_CONF_DIR=${PROJ_LIB_DIR}/ranger-kafka-plugin-impl
以上修改需重新打包ranger,然后安装部署各插件。
hive插件需安装在所有hiveServer2节点服务器上
解决hive客户端访问时报如下错误的问题:
Error: Could not open client transport with JDBC Uri:
jdbc:hive2://****:10000/testdb: Failed to open new session:
java.lang.IllegalArgumentException: Cannot modify hive.query.redaction.rules at
runtime. It is not in list of params that are allowed to be modified at runtime
(state=08S01,code=0)
Error: Could not open client transport with JDBC Uri:
jdbc:hive2://****:10000/testdb: Failed to open new session:
java.lang.IllegalArgumentException: Cannot modify hive.exec.query.redactor.hooks at
runtime. It is not in list of params that are allowed to be modified at runtime
(state=08S01,code=0)
手工修改/opt/cloudera/parcels/CDH/lib/hive/conf/目录下的hive环境变量文件hive-env.sh,注释删除export HIVE_OPTS配置行
Apache Ranger 2.0.0版本对应hive版本3.1.0,CDH 6.3.2版本对应hive版本2.1.1,不兼容,hive server启动会报错
把Apache Ranger 1.2.0版本hive插件代码hive-agent拷贝到Apache Ranger 2.0.0版本hive-agent,修改Apache Ranger 2.0.0根目录pom.xml中的hive版本号为2.1.1:
<hive.version>2.1.1hive.version>
重新编译打包Apache Ranger 2.0.0版本并安装hive插件
HDFS插件需安装在所有namenode节点服务器上
在CDH管理界面配置HDFS参数,确保dfs.permissions参数已勾选,
编辑“hdfs-site.xml 的 NameNode 高级配置代码段”参数配置,新增配置:
dfs.namenode.inode.attributes.provider.class=org.apache.ranger.authorization.hadoop.RangerHdfsAuthorizer
YARN插件安装在所有ResourceManager节点服务器上
在CDH管理界面配置YARN参数,配置“yarn-site.xml 的 ResourceManager 高级配置代码段”,新增参数配置:
yarn.authorization-provider=org.apache.ranger.authorization.yarn.authorizer.RangerYarnAuthorizer
Kafka插件安装在所有Broker节点服务器上
在CDH管理界面配置Kafka参数,配置“kafka.properties 的 Kafka Broker 高级配置代码段”,新增参数配置:
authorizer.class.name=org.apache.ranger.authorization.kafka.authorizer.RangerKafkaAuthorizer