-
Notifications
You must be signed in to change notification settings - Fork 2
Expand file tree
/
Copy pathfaq.html
More file actions
304 lines (264 loc) · 21.1 KB
/
faq.html
File metadata and controls
304 lines (264 loc) · 21.1 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
<!DOCTYPE html>
<!--
| Generated by Apache Maven Doxia Site Renderer 1.8
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta http-equiv="Content-Language" content="en" />
<title>Apache Ranger – Frequently Asked Questions</title>
<link rel="stylesheet" href="./css/apache-maven-fluido-1.6.min.css" />
<link rel="stylesheet" href="./css/site.css" />
<link rel="stylesheet" href="./css/print.css" media="print" />
<script type="text/javascript" src="./js/apache-maven-fluido-1.6.min.js"></script>
</head>
<body class="topBarDisabled">
<div class="container-fluid">
<div id="banner">
<div class="pull-left"><a href="https://ranger.apache.org" id="bannerLeft"><img src="ranger.jpg" alt="Apache Ranger" width="400px" height="200px"/></a></div>
<div class="pull-right"></div>
<div class="clear"><hr/></div>
</div>
<div id="breadcrumbs">
<ul class="breadcrumb">
<li id="publishDate">Last Published: 2023-03-23<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 3.0.0-SNAPSHOT<span class="divider">|</span></li>
<li class=""><a href="./" title="Ranger">Ranger</a><span class="divider">/</span></li>
<li class="active ">Frequently Asked Questions</li>
</ul>
</div>
<div class="row-fluid">
<div id="leftColumn" class="span2">
<div class="well sidebar-nav">
<ul class="nav nav-list">
<li class="nav-header">Overview</li>
<li><a href="index.html" title="Introduction"><span class="none"></span>Introduction</a> </li>
<li><a href="https://cwiki.apache.org/confluence/display/RANGER/News" class="externalLink" title="News"><span class="none"></span>News</a> </li>
<li><a href="download.html" title="Download"><span class="none"></span>Download</a> </li>
<li class="active"><a href="#"><span class="none"></span>FAQ</a>
</li>
<li class="nav-header">Resources</li>
<li><a href="https://cwiki.apache.org/confluence/display/RANGER/Index" class="externalLink" title="Wiki"><span class="none"></span>Wiki</a> </li>
<li><a href="quick_start_guide.html" title="Quick Start Guide"><span class="none"></span>Quick Start Guide</a> </li>
<li><a href="apidocs/index.html" title="Ranger REST API Documentation"><span class="none"></span>Ranger REST API Documentation</a> </li>
<li><a href="kms/apidocs/index.html" title="Ranger KMS REST API Documentation"><span class="none"></span>Ranger KMS REST API Documentation</a> </li>
<li><a href="https://www.apache.org/licenses/" class="externalLink" title="License"><span class="none"></span>License</a> </li>
<li class="nav-header">Project Information</li>
<li><a href="project-summary.html" title="Project Summary"><span class="none"></span>Project Summary</a> </li>
<li><a href="mail-lists.html" title="Mailing Lists"><span class="none"></span>Mailing Lists</a> </li>
<li><a href="https://issues.apache.org/jira/browse/RANGER" class="externalLink" title="Issue Tracking"><span class="none"></span>Issue Tracking</a> </li>
<li><a href="team-list.html" title="Team"><span class="none"></span>Team</a> </li>
<li><a href="https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger" class="externalLink" title="Security Advisories"><span class="none"></span>Security Advisories</a> </li>
<li class="nav-header">Releases</li>
<li><a href="https://cwiki.apache.org/confluence/display/RANGER/Apache+Ranger+2.3.0+-+Release+Notes" class="externalLink" title="2.3.0"><span class="none"></span>2.3.0</a> </li>
<li><a href="https://cwiki.apache.org/confluence/display/RANGER/Apache+Ranger+2.2.0+-+Release+Notes" class="externalLink" title="2.2.0"><span class="none"></span>2.2.0</a> </li>
<li><a href="https://cwiki.apache.org/confluence/display/RANGER/Apache+Ranger+2.1.0+-+Release+Notes" class="externalLink" title="2.1.0"><span class="none"></span>2.1.0</a> </li>
<li><a href="https://cwiki.apache.org/confluence/display/RANGER/Apache+Ranger+2.0.0+-+Release+Notes" class="externalLink" title="2.0.0"><span class="none"></span>2.0.0</a> </li>
<li><a href="https://cwiki.apache.org/confluence/display/RANGER/Apache+Ranger+1.2.0+-+Release+Notes" class="externalLink" title="1.2.0"><span class="none"></span>1.2.0</a> </li>
<li><a href="https://cwiki.apache.org/confluence/display/RANGER/Apache+Ranger+1.1.0+-+Release+Notes" class="externalLink" title="1.1.0"><span class="none"></span>1.1.0</a> </li>
<li><a href="https://cwiki.apache.org/confluence/display/RANGER/1.0.0+Release+-+Apache+Ranger" class="externalLink" title="1.0.0"><span class="none"></span>1.0.0</a> </li>
<li><a href="https://cwiki.apache.org/confluence/display/RANGER/0.7.1+Release+-+Apache+Ranger" class="externalLink" title="0.7.1"><span class="none"></span>0.7.1</a> </li>
<li><a href="https://cwiki.apache.org/confluence/display/RANGER/0.7.0+Release+-+Apache+Ranger" class="externalLink" title="0.7.0"><span class="none"></span>0.7.0</a> </li>
<li><a href="https://cwiki.apache.org/confluence/display/RANGER/0.6.3+Release+-+Apache+Ranger" class="externalLink" title="0.6.3"><span class="none"></span>0.6.3</a> </li>
<li><a href="https://cwiki.apache.org/confluence/display/RANGER/0.6.2+Release+-+Apache+Ranger" class="externalLink" title="0.6.2"><span class="none"></span>0.6.2</a> </li>
<li><a href="https://cwiki.apache.org/confluence/display/RANGER/0.6.1+Release+-+Apache+Ranger" class="externalLink" title="0.6.1"><span class="none"></span>0.6.1</a> </li>
<li><a href="https://cwiki.apache.org/confluence/display/RANGER/0.6+Release+-+Apache+Ranger" class="externalLink" title="0.6.0"><span class="none"></span>0.6.0</a> </li>
<li><a href="https://cwiki.apache.org/confluence/display/RANGER/0.5.3+Release+-+Apache+Ranger" class="externalLink" title="0.5.3"><span class="none"></span>0.5.3</a> </li>
<li><a href="https://cwiki.apache.org/confluence/display/RANGER/0.5.2+Release+-+Apache+Ranger" class="externalLink" title="0.5.2"><span class="none"></span>0.5.2</a> </li>
<li><a href="https://cwiki.apache.org/confluence/display/RANGER/0.5.1+Release+-+Apache+Ranger" class="externalLink" title="0.5.1"><span class="none"></span>0.5.1</a> </li>
<li><a href="https://cwiki.apache.org/confluence/display/RANGER/0.5+Release+-+Apache+Ranger" class="externalLink" title="0.5.0"><span class="none"></span>0.5.0</a> </li>
<li><a href="https://cwiki.apache.org/confluence/display/RANGER/0.4+Release" class="externalLink" title="0.4.0"><span class="none"></span>0.4.0</a> </li>
<li class="nav-header">Apache</li>
<li><a href="https://www.apache.org" class="externalLink" title="Home"><span class="none"></span>Home</a> </li>
<li><a href="https://www.apache.org/events/current-event" class="externalLink" title="Events"><span class="none"></span>Events</a> </li>
<li><a href="https://www.apache.org/licenses/" class="externalLink" title="License"><span class="none"></span>License</a> </li>
<li><a href="https://www.apache.org/foundation/sponsorship" class="externalLink" title="Sponsorship"><span class="none"></span>Sponsorship</a> </li>
<li><a href="https://www.apache.org/security" class="externalLink" title="Security"><span class="none"></span>Security</a> </li>
<li><a href="https://www.apache.org/foundation/thanks" class="externalLink" title="Thanks"><span class="none"></span>Thanks</a> </li>
<li><a href="https://www.apache.org/foundation/policies/conduct" class="externalLink" title="Code of Conduct"><span class="none"></span>Code of Conduct</a> </li>
</ul>
<hr />
<div id="poweredBy">
<div class="clear"></div>
<iframe src="https://www.facebook.com/plugins/like.php?href=http://ranger.apache.org/&send=false&layout=box_count&show-faces=false&action=like&colorscheme=light"
scrolling="no" frameborder="0"
style="border:none; width:48px; height:63px; margin-top: 10px;" ></iframe>
<div class="clear"></div>
<div class="clear"></div>
<div class="clear"></div>
<a href="http://maven.apache.org/" title="Maven" class="builtBy"><img class="builtBy" alt="Maven" src="https://maven.apache.org/images/logos/maven-feather.png" /></a>
</div>
</div>
</div>
<div id="bodyColumn" class="span10" >
<div class="section">
<h2><a name="Frequently_Asked_Questions"></a><a name="top">Frequently Asked Questions</a></h2>
<p><b>General</b></p>
<ol style="list-style-type: decimal">
<li><a href="#What_does_Apache_Ranger_offer_for_Hadoop">What does Apache Ranger offer for Apache Hadoop and related components?</a></li>
<li><a href="#What_components_does_Apache_Ranger_support_today">What projects does Apache Ranger support today</a></li>
<li><a href="#How_does_it_work_over_Hadoop_and_related_components">How does it work over Hadoop and related components</a></li>
<li><a href="#Is_there_a_single_point_of_failure">Is there a single point of failure?</a></li></ol>
<p><b>Apache Hadoop</b></p>
<ol style="list-style-type: decimal">
<li><a href="#How_does_Apache_Ranger_provide_authorization_in_Apache_Hadoop">How does Apache Ranger provide authorization in Apache Hadoop?</a></li>
<li><a href="#Does_Apache_Ranger_emulate_native_unix_level_permissions">Does Apache Ranger emulated permissions at the unix level for Apache Hadoop?</a></li>
<li><a href="#Do_we_need_an_Apache_Ranger_plugin_in_each_datanode">Does the Apache Ranger plugin need to be implemented in each datanode ?</a></li></ol>
<p><b>Apache Hive</b></p>
<ol style="list-style-type: decimal">
<li><a href="#How_does_Apache_Ranger_provide_authorization_in_Apache_Hive">How does Apache Ranger provide authorization in Apache Hive?</a></li>
<li><a href="#How_does_Apache_Ranger_authorization_compare_to_SQL_standard_authorization">How does Apache Ranger authorization compare to SQL standard authorization?</a></li></ol>
<p><b>Apache HBase</b></p>
<ol style="list-style-type: decimal">
<li><a href="#How_does_Apache_Ranger_provide_authorization_in_Apache_HBase">How does Apache Ranger provide authorization in Apache Hbase?</a></li></ol>
<p><b>Apache Knox</b></p>
<ol style="list-style-type: decimal">
<li><a href="#How_does_Apache_Ranger_provide_authorization_in_Apache_Knox">How does Apache Ranger provide authorization in Apache Knox?</a></li></ol>
<p><b>Apache Kafka</b></p>
<ol style="list-style-type: decimal">
<li><a href="#How_does_Apache_Ranger_provide_authorization_in_Apache_Kafka">How does Apache Ranger provide authorization in Apache Kafka?</a></li></ol>
<p><b>Apache Solr</b></p>
<ol style="list-style-type: decimal">
<li><a href="#How_does_Apache_Ranger_provide_authorization_in_Apache_Solr">How does Apache Ranger provide authorization in Apache Solr?</a></li></ol>
<p><b>YARN</b></p>
<ol style="list-style-type: decimal">
<li><a href="#How_does_Apache_Ranger_provide_authorization_in_YARN">How does Apache Ranger provide authorization in YARN?</a></li></ol></div>
<div class="section">
<h2><a name="General"></a>General</h2>
<dl>
<dt><a name="What_does_Apache_Ranger_offer_for_Hadoop">What does Apache Ranger offer for Apache Hadoop and related components?</a></dt>
<dd>
<p>
Apache Ranger offers a centralized security framework to manage fine grained access control over Hadoop and related components (Apache Hive, HBase etc.). Using the Apache Ranger administration console, users can easily manage policies around accessing a resource (file, folder, database, table, column etc) for a particular set of users and/or groups, and enforce the policies within Hadoop. They also can enable audit tracking and policy analytics for deeper control of the environment. Apache Ranger also provides ability to delegate administration of certain data to other group owners, with an aim of decentralizing data ownership
</p>
<p align="right"><a href="#top">[top]</a></p><hr /></dd>
<dt><a name="What_components_does_Apache_Ranger_support_today">What projects does Apache Ranger support today</a></dt>
<dd>
<p>
Apache Ranger supports fine grained authorization and auditing for following Apache projects:
</p>
<ul>
<li>Apache Hadoop</li>
<li>Apache Hive</li>
<li>Apache HBase</li>
<li>Apache Storm</li>
<li>Apache Knox</li>
<li>Apache Solr</li>
<li>Apache Kafka</li>
<li>YARN</li>
</ul>
<p align="right"><a href="#top">[top]</a></p><hr /></dd>
<dt><a name="How_does_it_work_over_Hadoop_and_related_components">How does it work over Hadoop and related components</a></dt>
<dd>
<p>
Apache Ranger at the core has a centralized web application, which consists of the policy administration, audit and reporting modules. Authorized users will be able to manage their security policies using the web tool or using REST APIs. These security policies are enforced within Hadoop ecosystem using lightweight Ranger Java plugins, which run as part of the same process as the namenode (HDFS), Hive2Server(Hive), HBase server (Hbase), Nimbus server (Storm) and Knox server (Knox) respectively. Thus there is no additional OS level process to manage.
</p>
<p align="right"><a href="#top">[top]</a></p><hr /></dd>
<dt><a name="Is_there_a_single_point_of_failure">Is there a single point of failure?</a></dt>
<dd>
<p>
No, Apache Ranger is not a Single Point of Failure. Apache Ranger's plugins run within the same process as the component, e.g. NameNode for HDFS. These agents pull the policy-changes using REST API at a configured regular interval (e.g.: 30 second). The plugin is able to function even if the policy server is temporarily down and will provide the authorization enforcement. Also, the policy manager web application can be hosted on a HA infrastructure. (with multiple apache server, multiple tomcat servers and a standby database server w/o replication setup).
</p>
<p align="right"><a href="#top">[top]</a></p></dd></dl></div>
<div class="section">
<h2><a name="Apache_Hadoop"></a>Apache Hadoop</h2>
<dl>
<dt><a name="How_does_Apache_Ranger_provide_authorization_in_Apache_Hadoop">How does Apache Ranger provide authorization in Apache Hadoop?</a></dt>
<dd>
<p>
Apache Ranger provides a plugin for Apache Hadoop, specifically for the NameNode as part of the authorization method. The Apache Ranger plugin is in the path of the user request and is able to make a decision on whether the user request shoud be authorized. The plugin also collects access request details required for auditing
</p>
<p>
Apache Ranger will enforce the security policies available in the policy database. Users can create a security policy for a specific set of resources (one or more folders and/or files) and assign specific set of permissions (e.g: read, write, execute) to a specific set of users and/or groups. The security policies are stored in the policy manager and are independent from native permissions.
</p>
<p align="right"><a href="#top">[top]</a></p><hr /></dd>
<dt><a name="Does_Apache_Ranger_emulate_native_unix_level_permissions">Does Apache Ranger emulated permissions at the unix level for Apache Hadoop?</a></dt>
<dd>
<p>
No, Apache Ranger enforces authorization based on policies entered in the policy administration tool and does not emulate the permissions at the unix level. Apache Ranger does provide a default feature to validate access using native hadoop file-level permissions if the Ranger policies do not cover the requested access
</p>
<p align="right"><a href="#top">[top]</a></p><hr /></dd>
<dt><a name="Do_we_need_an_Apache_Ranger_plugin_in_each_datanode">Does the Apache Ranger plugin need to be implemented in each datanode ?</a></dt>
<dd>
<p>
No, the Apache Ranger plugin for Hadoop is only needed in the NameNode.
</p>
<p align="right"><a href="#top">[top]</a></p></dd></dl></div>
<div class="section">
<h2><a name="Apache_Hive"></a>Apache Hive</h2>
<dl>
<dt><a name="How_does_Apache_Ranger_provide_authorization_in_Apache_Hive">How does Apache Ranger provide authorization in Apache Hive?</a></dt>
<dd>
<p>
The Apache Ranger plugin is enabled in Hiveserver2 as part of the authorization
</p>
<p align="right"><a href="#top">[top]</a></p><hr /></dd>
<dt><a name="How_does_Apache_Ranger_authorization_compare_to_SQL_standard_authorization">How does Apache Ranger authorization compare to SQL standard authorization?</a></dt>
<dd>
<p>
Apache Hive currently provides two methods of authorization, Storage based authorization and SQL standard authorization, which was introduced in Hive 13. SQL standard authorization provides grant/revoke functionality at database, table level. The commands would be familiar to a DBA admin. Apache Ranger provides a centralized authorization interface for Hive and provides more granular access control at column level through the Hive plugin. Ranger also provides ability to use wildcard in resource names within the policy.
</p>
<p align="right"><a href="#top">[top]</a></p></dd></dl></div>
<div class="section">
<h2><a name="Apache_HBase"></a>Apache HBase</h2>
<dl>
<dt><a name="How_does_Apache_Ranger_provide_authorization_in_Apache_HBase">How does Apache Ranger provide authorization in Apache Hbase?</a></dt>
<dd>
<p>
Apache Ranger provides a coprocessor which is added to HBase, and includes the logic to perform authorization check and collect audit data.
</p>
<p align="right"><a href="#top">[top]</a></p></dd></dl></div>
<div class="section">
<h2><a name="Apache_Knox"></a>Apache Knox</h2>
<dl>
<dt><a name="How_does_Apache_Ranger_provide_authorization_in_Apache_Knox">How does Apache Ranger provide authorization in Apache Knox?</a></dt>
<dd>
<p>
Apache Knox currently provides a service level authorization for users/groups. These acls are stored locally in a file. Apache Ranger has built a plugin for Knox to enable administration of these policies through central UI/REST APIs as well as detailed auditing of Knox user access.
</p>
<p align="right"><a href="#top">[top]</a></p></dd></dl></div>
<div class="section">
<h2><a name="Apache_Kafka"></a>Apache Kafka</h2>
<dl>
<dt><a name="How_does_Apache_Ranger_provide_authorization_in_Apache_Kafka">How does Apache Ranger provide authorization in Apache Kafka?</a></dt>
<dd>
<p>
Security was introduced in Apache Kafka 0.9. Apache Ranger can manage the Kafka ACLs per topic. Users can use Ranger to control who can write to a topic or read from a topic. In addition to providing policies by users and groups, Apache Ranger also supports IP address based permissions to publish or subscribe.
</p>
<p align="right"><a href="#top">[top]</a></p></dd></dl></div>
<div class="section">
<h2><a name="Apache_Solr"></a>Apache Solr</h2>
<dl>
<dt><a name="How_does_Apache_Ranger_provide_authorization_in_Apache_Solr">How does Apache Ranger provide authorization in Apache Solr?</a></dt>
<dd>
<p>
Similar to Apache Kafka, security in Apache Solr was introduced recently by the community. Through Apache Ranger, users can build policies for users/groups to query a particular collections in Solr. Efforts are underway in Solr community to provide more granular index level permissions.
</p>
<p align="right"><a href="#top">[top]</a></p></dd></dl></div>
<div class="section">
<h2><a name="YARN"></a>YARN</h2>
<dl>
<dt><a name="How_does_Apache_Ranger_provide_authorization_in_YARN">How does Apache Ranger provide authorization in YARN?</a></dt>
<dd>
<p>
YARN is widely used in the Hadoop ecosystem as resource management layer for applications. Adminstrators can use YARN to setup queues with a certain capacity and applications can be given permissions to write to a certain queue. Using Apache Ranger, administrators can manage the policies for who can write to a particular queue
</p>
<p align="right"><a href="#top">[top]</a></p></dd></dl></div>
</div>
</div>
</div>
<hr/>
<footer>
<div class="container-fluid">
<div class="row-fluid">
<p><a href="https://www.apache.org/foundation/contributing"><img src="https://www.apache.org/images/SupportApache-small.png" alt="Support the ASF" id="asf-logo" height="20" width="20" /></a>Copyright © 2011-2018 The Apache Software Foundation. Licensed under the <a href="https://www.apache.org/licenses/">Apache License, Version 2.0</a>.<br/>
Apache Ranger, Ranger, Apache, the Apache feather logo are trademarks of the <a href="https://www.apache.org">Apache Software Foundation</a>.<br/>
All other marks mentioned may be trademarks or registered trademarks of their respective owners.</p>
</div>
</div>
</footer>
</body>
</html>