Using Apache Ranger with Splice Machine
Apache Ranger is a centralized security framework that allows you to manage fine-grained access control over Hadoop and related components. The Splice Machine Ranger plug-in extends Ranger security management to your Splice Machine database.
You can use Apache Ranger to:
- Manage policies that control which users and/or groups can access which resources
- Track access through audit logs
- Analyze policies to gain deeper control of your system
- Delegate administration of certain data to other group owners
Ranger is currently only available for customers running the Enterprise version of Splice Machine on Hortonworks.
The remainder of this topic describes using Ranger with Splice Machine in these sections:
- Installing Ranger for Splice Machine
- Ranger Components
- Establishing Splice Machine Security Policies with Ranger
- Using Ranger with LDAP
- Using Ranger with Kerberos
- Reviewing Audit Logs
Installing Ranger for Splice Machine
You can install Apache Ranger with the Splice Machine Ambari Service on Hortonworks clusters that are running supported software versions, as listed below. The instructions for installing Ranger are included in the Splice Machine installation instructions in the docs subdirectory of the GitHub directory for each product/platform version:
| Splice Machine Version | Platform Version | Install Instructions URL |
|---|---|---|
After you configure Splice Machine to use Ranger, access privileges are managed only through Ranger policies: you no longer use SQL GRANT and REVOKE statements, and you'll see an error message if you attempt to run one.
Ranger Components
Ranger is structured into three main components:
| Component | Description |
|---|---|
| Ranger Service | The Ranger Admin server, which provides policy administration, audit, and report functions for each service (such as splicemachine) that embeds a Ranger plug-in. |
| Ranger Plug-in | A lightweight Java plug-in, loaded into the protected component, that fetches the current policies from the Ranger Admin server at regular intervals, caches them locally, and enforces them on every access request. |
| User Group Sync | Synchronizes user and group information from Unix, LDAP, or Active Directory into Ranger. |
Establishing Splice Machine Security Policies with Ranger
The instructions in this section assume that you already have:
- Used our instructions to install the Splice Machine Ranger plug-in
- Configured basic audit and security settings
- Added the splicemachine service in Ranger on one of your Region Servers
You can now establish security policies for your database in two steps:
- Create users and groups in your Splice Machine database
- Use the Ranger Admin user interface (reached via Ambari) to create policies that apply to those users and groups. To access this user interface, open the Ranger service in Ambari and select Ranger Admin UI.
As indicated in our installation instructions, you must create a policy that allows your database users to execute routines in the SYSIBM schema: Splice Machine itself calls these routines during normal database operations, so a user who cannot execute them cannot work with the database. If you've not yet done so, follow the instructions in the next section.
Setting Up the SYSIBM Policy
If you've not already configured a Ranger policy that allows your Splice Machine database users to execute routines in the SYSIBM schema, follow these steps:
- Access the Ranger Admin UI.
- In the Service Manager, click the splicemachine service. This displays the list of policies defined for that service; the initial policies were created by default when the service was added.
- Click the Add New Policy button.
- Create a policy for the SYSIBM schema that allows users to execute all (*) of the routines in that schema. In the example policy, for demonstration purposes, we have applied this policy only to a user named BOB, who is already defined in our database.
Each policy that you create in Ranger applies to specific object types (tables, UDTs, routines, sequences, etc.) in a specific schema. You can also create policies that apply to certain columns of a table. Each policy specifies which groups or users the policy applies to, and which permissions (All, Select, Update, Insert, Trigger, Execute, etc.) those users have for the specified entity. An operation that no policy grants is denied.
Creating Additional Policies
To add new policies for your database users, you need to:
- Add the user in your database, if you've not already done so. You can use the Splice Machine SYSCS_UTIL.SYSCS_CREATE_USER system procedure to add a new user; for example:
splice> CALL SYSCS_UTIL.SYSCS_CREATE_USER('myUserId', 'MyPswd');
Statement executed.
If you’re using LDAP with Splice Machine, you don’t need to create a user in your Splice Machine database; instead, you can simply make sure the user name in your Ranger configuration exactly matches the user name in your LDAP configuration. See the Using Ranger with LDAP section below for details.
- Create a policy in the Ranger Admin UI, as shown in the Setting Up the SYSIBM Policy section, above. Specify the new user's name and the permission you want to grant them in the new policy. The example policy grants a user Select permission on a table in the CDL schema of a Splice Machine database.
Note that because this user has only been granted Select permission on the table, he will not be allowed to perform other operations on it, such as inserting or deleting rows.
- Log in to Splice Machine as the user:
sqlshell.sh -u myUserId -s MyPswd
Running Splice Machine SQL shell
splice>
Be aware that a password passed on the command line with -s is visible in your shell history and in the process list while the shell runs; treat it as you would any other credential on a shared host.
Using Ranger with LDAP
When you use Ranger with LDAP, you don’t need to create a user in your Splice Machine database; you just need to make sure that the user name in your Ranger configuration matches the LDAP user name.
Beware of case: LDAP user names are not case sensitive, and the user name that reaches Splice Machine (and is passed on to Ranger) is uppercased. Ranger, however, matches the user names in a policy case-sensitively, so you must specify the Ranger user name in uppercase (BOB, not bob) for it to correctly match the LDAP user as Splice Machine sees it.
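A worked check of what Ranger would decide for a given user, added here as an example that is not part of the Splice Machine or Ranger documentation. It evaluates policy JSON in the shape the Ranger Admin REST API returns (GET /service/public/v2/api/service/<name>/policy) and covers the SYSIBM execute prerequisite from Setting Up the SYSIBM Policy, the Select-only user from Creating Additional Policies, and the uppercase requirement from this LDAP section. The resource keys (schema, table, column, routine), the access type names, both sample policies and the users BOB and alice are assumptions or constructed data; confirm the key names against your own splicemachine service definition before relying on this.

```python
"""Offline check of Ranger policies for a Splice Machine service.

Added example, not code from the Splice Machine or Apache Ranger projects.
It evaluates Ranger policy JSON in the shape returned by the Ranger Admin REST
API (GET /service/public/v2/api/service/<service>/policy) and answers
"would Ranger let user U perform access A on resource R?".

ASSUMPTION: the Splice Machine service definition names its resources
"schema", "table", "column" and "routine" and its access types "select",
"insert", "execute", ... (the names the Ranger UI shows). Verify against your
own service definition.
"""
import json

SERVICE = "splicemachine"
PUBLIC_GROUP = "public"        # Ranger's built-in group that matches everyone

# Constructed sample, not exported from a real cluster. Policy 1 is the
# required SYSIBM execute policy for BOB; policy 2 grants "alice" (lowercase,
# the mistake the LDAP note warns about) Select on every table in schema CDL.
SAMPLE_POLICIES = json.loads("""
[
  {"id": 1, "service": "splicemachine", "name": "sysibm-execute", "isEnabled": true,
   "resources": {"schema":  {"values": ["SYSIBM"], "isExcludes": false},
                 "routine": {"values": ["*"],      "isExcludes": false}},
   "policyItems": [{"accesses": [{"type": "execute", "isAllowed": true}],
                    "users": ["BOB"], "groups": []}],
   "denyPolicyItems": []},
  {"id": 2, "service": "splicemachine", "name": "cdl-select", "isEnabled": true,
   "resources": {"schema": {"values": ["CDL"], "isExcludes": false},
                 "table":  {"values": ["*"],   "isExcludes": false},
                 "column": {"values": ["*"],   "isExcludes": false}},
   "policyItems": [{"accesses": [{"type": "select", "isAllowed": true}],
                    "users": ["alice"], "groups": []}],
   "denyPolicyItems": []}
]
""")


def splice_user_name(ldap_user):
    """The LDAP user name is uppercased before it reaches Ranger, which then
    compares it to the policy's user list case-sensitively."""
    return ldap_user.upper()


def resource_matches(block, value):
    """Does one Ranger resource block accept `value`? "*" is a wildcard and
    isExcludes inverts the match. Object names are compared in uppercase."""
    values = [v.upper() for v in block.get("values", [])]
    hit = "*" in values or value.upper() in values
    return (not hit) if block.get("isExcludes", False) else hit


def policy_covers(policy, request):
    """A policy applies when every requested resource key exists in it and
    every key in the policy accepts the requested value ("*" if unspecified,
    so 'select on the whole table' needs a column wildcard)."""
    res = policy.get("resources", {})
    if not set(request) <= set(res):
        return False
    return all(resource_matches(res[k], request.get(k, "*")) for k in res)


def item_applies(item, access, user, groups):
    """Does a policy item name this user (directly, via a group, or via
    public) and carry the requested access type?"""
    subject = (user in item.get("users", [])
               or PUBLIC_GROUP in item.get("groups", [])
               or any(g in item.get("groups", []) for g in groups))
    return subject and any(a.get("type") == access and a.get("isAllowed", True)
                           for a in item.get("accesses", []))


def is_allowed(policies, user, access, request, groups=()):
    """Ranger's evaluation order, simplified: an explicit deny in any matching
    policy wins; otherwise any matching allow grants; no match means deny."""
    matching = [p for p in policies
                if p.get("isEnabled", True) and p.get("service") == SERVICE
                and policy_covers(p, request)]
    if any(item_applies(i, access, user, groups)
           for p in matching for i in p.get("denyPolicyItems", [])):
        return False
    return any(item_applies(i, access, user, groups)
               for p in matching for i in p.get("policyItems", []))


def can_use_sysibm(policies, user, groups=()):
    """The prerequisite the page calls out: execute on every SYSIBM routine."""
    return is_allowed(policies, user, "execute",
                      {"schema": "SYSIBM", "routine": "*"}, groups)


if __name__ == "__main__":
    print("BOB may execute SYSIBM.*:", can_use_sysibm(SAMPLE_POLICIES, "BOB"))
    # LDAP user "alice" arrives as ALICE; policy 2 lists "alice" and never matches.
    print("alice via LDAP may SELECT CDL.ORDERS:",
          is_allowed(SAMPLE_POLICIES, splice_user_name("alice"), "select",
                     {"schema": "CDL", "table": "ORDERS"}))
```

Replace SAMPLE_POLICIES with the parsed REST response (or the JSON export from the Ranger UI) to audit a real service. The two things worth noticing: a policy written for alice never matches the ALICE that an LDAP user becomes inside Splice Machine, and an explicit deny item anywhere beats an allow, so a stray deny policy can lock a user out of SYSIBM even though the execute policy looks correct.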
Using Ranger with Kerberos
There are some additional changes you need to make if you're using Ranger in a Kerberized environment:
- You must add the following three configuration properties for Splice Machine in the Ranger user interface:
- You must specify a fully qualified domain name (e.g. www.mydomain.com) instead of an IP address in the following property in Ambari's SpliceMachine service configuration. Kerberos service principals are bound to host names, so an IP address will not match the principal the plug-in authenticates as:
Reviewing Audit Logs
You can examine the access audit logs in the Ranger Admin UI:
- In Ranger, select the Audit tab.
- Enter a start date and specify splicemachine as the service name.
- View the log.
You can also examine the logs in HDFS. These log files are found in a subdirectory of /ranger/audit/splicemachine; for example,
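Reading the HDFS copy of the audit log is more useful than the UI when you want to find users whose sessions are failing because the SYSIBM policy does not cover them, or users who are collecting denials. The triage below is an added example, not code from the Splice Machine or Ranger projects. Ranger's HDFS audit destination writes one JSON object per line and the field names used here (repo, reqUser, evtTime, access, resource, resType, result, policy, enforcer, cliIP, agentHost) are Ranger's standard audit fields; the sample lines are constructed for this example, and the resType values and the "SCHEMA/OBJECT" form of the resource string are assumptions about how the Splice Machine plug-in reports resources.

```python
"""Triage Ranger audit events for the splicemachine service.

Added example, not code from the Splice Machine or Apache Ranger projects.
Input is the JSON-lines format Ranger writes under /ranger/audit/<service>/.
Field names are Ranger's standard audit fields; the sample below is
constructed, and the resource layout "SCHEMA/OBJECT" plus the resType values
"routine" and "table" are assumptions about the Splice Machine plug-in.
"""
import json
from collections import Counter

# Constructed sample: what a few lines of the HDFS audit file might look like.
# result 1 = allowed, 0 = denied; policy -1 = no policy matched the request.
SAMPLE_AUDIT = """\
{"repo":"splicemachine","reqUser":"BOB","evtTime":"2019-03-04 10:15:02.113","access":"execute","resource":"SYSIBM/SQLTABLES","resType":"routine","result":1,"policy":1,"enforcer":"ranger-acl","cliIP":"10.0.0.12","agentHost":"rs1.example.com","logType":"RangerAudit"}
{"repo":"splicemachine","reqUser":"ALICE","evtTime":"2019-03-04 10:16:41.507","access":"execute","resource":"SYSIBM/SQLTABLES","resType":"routine","result":0,"policy":-1,"enforcer":"ranger-acl","cliIP":"10.0.0.31","agentHost":"rs1.example.com","logType":"RangerAudit"}
{"repo":"splicemachine","reqUser":"ALICE","evtTime":"2019-03-04 10:17:03.220","access":"insert","resource":"CDL/ORDERS","resType":"table","result":0,"policy":-1,"enforcer":"ranger-acl","cliIP":"10.0.0.31","agentHost":"rs1.example.com","logType":"RangerAudit"}
{"repo":"splicemachine","reqUser":"ALICE","evtTime":"2019-03-04 10:17:05.004","access":"select","resource":"CDL/ORDERS","resType":"table","result":1,"policy":2,"enforcer":"ranger-acl","cliIP":"10.0.0.31","agentHost":"rs1.example.com","logType":"RangerAudit"}
{"repo":"hbase","reqUser":"hbase","evtTime":"2019-03-04 10:17:09.000","access":"read","resource":"splice_txn","resType":"table","result":1,"policy":7,"enforcer":"ranger-acl","cliIP":"10.0.0.5","agentHost":"rs1.example.com","logType":"RangerAudit"}
this line is not JSON and is skipped
"""


def parse_events(text, service="splicemachine"):
    """Parse JSON-lines audit text, keeping only events for `service`.
    Malformed lines are skipped so one bad record cannot abort a review."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except ValueError:
            continue
        if event.get("repo") == service:
            events.append(event)
    return events


def denials(events):
    """Counter of (user, access, resource) for every denied request."""
    return Counter((e["reqUser"], e["access"], e["resource"])
                   for e in events if e.get("result") == 0)


def users_missing_sysibm_policy(events):
    """Users denied EXECUTE on a SYSIBM routine: their sessions keep failing
    until the SYSIBM execute policy the page requires covers them."""
    return sorted({e["reqUser"] for e in events
                   if e.get("result") == 0 and e.get("access") == "execute"
                   and e.get("resource", "").upper().startswith("SYSIBM/")})


def denial_ratio_per_user(events):
    """Fraction of each user's requests that were denied."""
    total, denied = Counter(), Counter()
    for e in events:
        total[e["reqUser"]] += 1
        if e.get("result") == 0:
            denied[e["reqUser"]] += 1
    return {user: denied[user] / total[user] for user in total}


def users_to_review(events, threshold=0.5, min_requests=2):
    """Users whose denial ratio is suspicious: either a policy gap or an
    account probing for access it does not have. Ignores users with too few
    requests to judge."""
    total = Counter(e["reqUser"] for e in events)
    return sorted(user for user, ratio in denial_ratio_per_user(events).items()
                  if ratio >= threshold and total[user] >= min_requests)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_AUDIT)
    print("events for splicemachine:", len(evs))
    print("denied (user, access, resource):", dict(denials(evs)))
    print("users lacking SYSIBM execute:", users_missing_sysibm_policy(evs))
    print("users to review:", users_to_review(evs))
```

To run it on a real file, read the audit file from HDFS (for example via `hdfs dfs -cat`) and pass its text to parse_events. The SYSIBM check is the one to run first after enabling Ranger: a user who shows up there is not misbehaving, they are simply not covered by the policy that every Splice Machine user needs, and the same denial will appear in the Ranger UI with policy -1.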