WANDISCO FUSION®
PLUGIN FOR LIVE RANGER

1. Welcome

Welcome to the User Guide for the Fusion Plugin for Live Ranger, version 2.0.

Apache Ranger is a framework to manage data security in Hadoop deployments. It provides centralized security administration, fine-grained authorization and centralized auditing within a single cluster. Use the Fusion Plugin for Live Ranger to extend the capabilities of WANdisco Fusion to Apache Ranger across multiple Hadoop environments, and keep your security policies consistent.

1.1. Product overview

WANdisco Fusion gives you LiveData: consistent data everywhere, spanning platforms and locations, even for changing data at petabyte scale. Business critical data is guaranteed consistent, always available, and accessible from anywhere.

The Fusion Plugin for Live Ranger extends WANdisco Fusion to information managed and used by Apache Ranger. Use it to keep your security policies consistent among Hadoop deployments with WANdisco Fusion. Key features include:

  • Apache Ranger policy replication

  • Coordination of activities that modify policy definitions, including those performed via the Apache Ranger REST API, or from its administrative interface in a browser

  • Integration with WANdisco Fusion

1.2. Documentation guide

This guide contains the following:

Welcome

This chapter introduces this user guide and provides help with how to use it.

Release Notes

Details the latest software release, covering new features, fixes and known issues to be aware of.

Concepts

Explains how Fusion Plugin for Live Ranger through WANdisco Fusion uses WANdisco’s LiveData platform.

Installation

Covers the steps required to install and set up Fusion Plugin for Live Ranger into a WANdisco Fusion deployment.

Operation

Describes the steps required to run, reconfigure and troubleshoot Fusion Plugin for Live Ranger.

Reference

Additional Fusion Plugin for Live Ranger documentation, including documentation for the available REST API.

1.2.1. Symbols in the documentation

In the guide we highlight types of information using the following call outs:

The alert symbol highlights important information.
The STOP symbol cautions you against doing something.
Tips are principles or practices that you’ll benefit from knowing or using.
The i symbol shows where you can find more information, such as in our online Knowledgebase.

1.3. Contact support

See our online Knowledgebase which contains updates and more information.

If you need more help raise a case on our support website.

1.4. Give feedback

If you find an error or if you think some information needs improving, raise a case on our support website or email docs@wandisco.com.

2. Release Notes

Wandisco Inc. is pleased to present the first major revision to the Fusion Plugin for Live Ranger. This release supports the latest version of WANdisco Fusion, 2.12, operating in simple and secure cluster environments.

2.1. Live Ranger 2.0 Build 143

29 June 2018

The Fusion Plugin for Live Ranger is the first major revision following beta availability. It includes a handful of new features, issue resolutions, platform support and other enhancements. These release notes include specific information about the product improvements, and should be read in conjunction with the product documentation.

2.1.1. Installation

The release can be installed to a WANdisco Fusion environment by following the installation guide instructions. Automated updates from prior versions are not required, as deployment will occur alongside a new major release of WANdisco Fusion.

2.1.2. Highlighted New Features

This release includes the following major new features.

WD-RPX-155, WD-RPX-179

Operation in Azure HDInsight 3.6.

WD-RPX-176

Stack provided for the addition and management of Fusion Plugin for Live Ranger as a service in Ambari.

2.1.3. Supported Platforms

WANdisco Fusion
  • 2.12

Hadoop
  • Hortonworks Data Platform 2.6.4

  • Azure HDInsight 3.6

2.1.4. System Requirements

Before installing or upgrading, ensure that your systems, software, and hardware meet the requirements found in the user guide at http://docs.wandisco.com/bigdata/wdfusion/2.12

2.1.5. Known Issues

Fusion Plugin for Live Ranger 2.0 includes a small set of known issues.

  • Poor operation with Azure HD Insight configured with ADLS as primary file system.

  • Uninstallation on Ubuntu will not correctly halt operation of the Fusion server.

  • Starting the WANdisco Fusion server while the Apache Ranger Admin UI is not available may result in subsequent failure to replicate user identities.

  • The Fusion Plugin for Live Ranger does not yet provide full interoperability with Ranger deployed in an HA configuration.

  • No provision is made for Ranger service replication, as service information can be cluster-specific.

  • WD-RPX-278 - Character encoding support
    To use the standard Chinese coded character set GB18030, some additional configuration must be made to the underlying Ranger DBMS:

      1. Replace your /etc/my.cnf with my.cnf.

      2. The Ranger assets within MySQL also need to be converted from UTF8 to UTF8MB4. See ranger_mysql_gb18030.sql.

3. Concepts

Familiarity with the following concepts will improve your use of the Fusion Plugin for Live Ranger.

WANdisco Fusion Plugin

A plugin is used by WANdisco Fusion to extend its functionality. Plugins are loaded by the WANdisco Fusion server on startup.

Apache Ranger

Apache Ranger offers a centralized security framework for fine grained access control over Hadoop and related components (Apache Hive, HBase, Storm, Knox, Solr, Kafka and YARN). Use the Apache Ranger administration console to manage policies for accessing resources (file, folder, database, table, column, etc.) for a particular set of users and/or groups, and enforce those policies within Hadoop.

Ranger has a centralized web application that consists of policy, audit and administration modules. Authorized users can manage security policies via a web interface or the Apache Ranger REST API. Policies are enforced in Hadoop components by Ranger Plugins.

Apache Ranger Policy Server

The Policy Server maintains the policies defined by users, and responds to requests from Ranger Plugins to retrieve policy information.

Apache Ranger Audit Server

The Audit Server can be configured to send access audit logs generated by Apache Ranger Plugins to a range of destinations.

Apache Ranger Administration Portal

The Ranger Administration Portal provides a simple interface for security administrators to create and manage policies enforced by Apache Ranger.

Apache Ranger Plugin

Ranger Plugins are specific to the Hadoop component in which they enforce Ranger policies retrieved from the Ranger Policy Server. They are lightweight Java implementations that are embedded in the processes of other cluster components to intercept operations that would otherwise execute without security policy enforcement, and apply those policies to prevent unauthorized operations. Plugins also deliver information to the Ranger Audit Server.

3.1. Product concepts

The Fusion Plugin for Live Ranger implements LiveData for Apache Ranger policies. It intercepts operations that act on policy definitions in the Apache Ranger Policy Server and ensures that they are coordinated and replicated among multiple Ranger Policy Server instances.

It consists of two key components:

Live Ranger Proxy

The Live Ranger Proxy is a server that sits between clients and the REST API and Web interface of the Ranger Policy Server. Prior to forwarding client requests to the Ranger Policy Server, the proxy first proposes them to the WANdisco Fusion server for coordination.

Live Ranger Plugin

The Live Ranger Plugin is a runtime extension for the WANdisco Fusion server. It accepts proposals for operation coordination from the Live Ranger Proxy, and leverages the LiveData capabilities of the WANdisco Fusion server to ensure that all operations are performed with guaranteed consistent outcomes among multiple Apache Ranger deployments.

This Plugin is also responsible for the execution of operations that originate from other Ranger deployments. It presents those requests to its local Apache Ranger Policy Server as though they originated locally so they can be executed.

3.2. Supported Functionality

The Fusion Plugin for Live Ranger:

  • provides functionality to replicate Ranger policy definitions between instances of the Apache Ranger Policy Administration Server using WANdisco Fusion

  • intercepts all means by which Ranger policies can be created, modified, deleted, etc. to coordinate those operations among multiple Apache Ranger instances

  • offers functionality for an administrator to check and report on the consistency between policy definitions across multiple Ranger instances

  • supports the ability to resolve inconsistencies among policies between Ranger instances

  • provides a selection of REST API endpoints by which its operation can be managed

Of note, the following capabilities are explicitly not performed by this product:

  • Synchronization of operations performed by Ranger Plugins that are specific to Hadoop components in each cluster. There is no dependency between the Fusion Plugin for Live Ranger and Ranger Plugins deployed in each cluster. Note that this means that although Ranger policies and their administration will be replicated with guaranteed consistency among Ranger instances, each cluster’s Ranger plugins will poll those policies independently, applying them independently also.

  • Replication of the Ranger Key Management Service. The Ranger KMS is a cryptographic key management service that supports "data at rest" encryption in HDFS.

  • Selective replication of Ranger policies. Ranger policy replication is enabled as a whole between clusters when using the Fusion Plugin for Live Ranger. Either all Ranger policies and repositories are replicated, or none are.

4. Installation

4.1. Pre-requisites

4.1.1. System Requirements

Along with the standard product requirements for WANdisco Fusion, you need to:

  • Ensure that your clusters use an Ambari-based deployment of Hortonworks 2.6.4.[1]

  • Configure the Hadoop environment for either Simple or Kerberos security.

  • Use Apache Ranger for policy enforcement.

Known Issue
The GET operation for EntityCache loader fails if the Ranger Admin is not up while installing the Fusion Plugin for Live Ranger proxy.
Workaround: Ensure that the Ranger Admin is active before installing the Fusion Plugin for Live Ranger proxy.

4.1.2. Replication Requirements

Replication Rule Creation

Prior to installation, establish a replication rule associated with an HDFS path that is dedicated for the use of the Fusion Plugin for Live Ranger, e.g. /rangerproxy.

4.1.3. Security Requirements

There are a range of security-related preparations that must be performed directly in your environments. For each cluster, ensure that the following tasks are performed.

Add the system user wd-ranger-user on all nodes:
# useradd wd-ranger-user Enter
Create the user directory in HDFS:
# hdfs dfs -mkdir /user/wd-ranger-user Enter
# hdfs dfs -chown wd-ranger-user:wd-ranger-user /user/wd-ranger-user Enter
# hdfs dfs -chmod 755 /user/wd-ranger-user Enter

On the node where the KDC server is running:

Create the principal
kadmin.local# addprinc -randkey wd-ranger-user/<hostname of the Ranger proxy server>@<REALM.COM> Enter
Create the keytab
kadmin.local# xst -norandkey -kt wd-ranger-proxy.keytab wd-ranger-user/<hostname of the Ranger proxy server>@<REALM.COM> Enter
Copy the keytab into the Ranger Proxy Server node
# scp wd-ranger-proxy.keytab root@<hostname of the Ranger proxy server>:/etc/security/keytabs Enter
Change ownership of the file on that host
# chown wd-ranger-user:wd-ranger-user /etc/security/keytabs/wd-ranger-proxy.keytab Enter

Add the wd-ranger-user and hdfs user to the underlying Ranger instance with admin roles.

Create appropriate users in Ranger
  1. Log in to the Ranger Admin UI

  2. Navigate to Settings >> Users/Groups tab

  3. Create wd-ranger-user user with admin role

  4. Create hdfs user with admin role

4.2. Installation

Install the Fusion Plugin for Live Ranger using a standard RPM-based installation process. Configure the plugin with simple command-line tools or manual changes to configuration files that are specific to the plugin.

In addition to the documented installation process below, Wandisco Inc. provides an Ambari-based installation process with this release. Please contact Wandisco Inc. support for details of this improved installation process.

4.2.1. Locate installation components

There are two RPM files that provide installable components for Fusion Plugin for Live Ranger:

  • fusion-ranger-plugin-hdp-2.6.4-2.0-100.noarch.rpm

  • fusion-ranger-proxy-hdp-2.6.4-2.0-100.noarch.rpm

Obtain the files so that you can distribute them to the appropriate hosts in your deployment for WANdisco Fusion. The fusion-ranger-proxy-hdp-2.6.4-2.0-100.noarch.rpm needs to be installed on each Ranger Proxy server host in your deployment. The fusion-ranger-plugin-hdp-2.6.4-2.0-100.noarch.rpm needs to be installed on each WANdisco Fusion server host.

4.2.2. Install the plugin

Install fusion-ranger-plugin-hdp-2.6.4-2.0-100.noarch.rpm on each WANdisco Fusion server host as the superuser.

Install the plugin on each WANdisco Fusion server
# rpm -i fusion-ranger-plugin-hdp-2.6.4-2.0-100.noarch.rpm Enter

4.2.3. Install the proxy

Install fusion-ranger-proxy-hdp-2.6.4-2.0-100.noarch.rpm on each host where you want to operate a Fusion Plugin for Live Ranger proxy.

Install the proxy on each host required
# rpm -i fusion-ranger-proxy-hdp-2.6.4-2.0-100.noarch.rpm Enter

4.2.4. Configure the plugin

Change current directory to /etc/wandisco/fusion/plugins/live-ranger:

# cd /etc/wandisco/fusion/plugins/live-ranger Enter

Execute the configuration script configure-proxy-plugin. Provide details of how the proxy will operate:

Kerberos

Whether or not the cluster has security enabled.

Ranger Admin Username

The username of the Ranger administrator account

Ranger Admin Password

The password for the Ranger administrator account

Cluster Name

The name of the cluster

Fusion SSL

Whether or not Fusion is SSL enabled

An example (interactive mode):

# ./configure-proxy-plugin Enter
Enter the Ranger Policy Manager URL: http://rpxy01-vm0.bdfrem.wandisco.com:6080 Enter
Is the cluster Kerberos enabled (yes/no)? : yes Enter
Enter the Ranger Admin Username: admin Enter
Please enter the password to be encrypted: ***** Enter
Enter the Cluster Name: RPXY-01 Enter
---------------------------------------------------------------------------
* Ranger details *
Ranger Policy Manager URL: http://rpxy01-vm0.bdfrem.wandisco.com:6080
Cluster Name: RPXY-01
---------------------------------------------------------------------------
Confirm the rangerproxy plugin configuration details (yes/no): yes Enter
Adding 'ranger_default_rule=true' as a additional global properties into fusion
Enter the RangerProxy replication path [/rangerproxy]: /rangerproxy Enter
Is fusion server ssl enabled? (yes/no): no Enter
Response: * About to connect() to rpxy01-vm1.bdfrem.wandisco.com port 8082 (#0)
* Trying 10.10.214.121... connected
* Connected to chen5-5.bigd.wandisco.com (10.6.214.24) port 8082 (#0)
> PUT /fusion/fs/properties/global/additionalProperties?path=/rangerproxy HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: rpxy01-vm1.bdfrem.wandisco.com:8082
> Accept: */*
> Content-Type: application/xml
> Content-Length: 138
>
} [data not shown]
< HTTP/1.1 401 Authentication required
* gss_init_sec_context() failed: : Ticket expired
< WWW-Authenticate: Negotiate
< Set-Cookie: hadoop.auth=; Path=/; HttpOnly
< Content-Length: 0
< Server: Jetty(6.1.26.hwx)
<
* Connection #0 to host rpxy01-vm1.bdfrem.wandisco.com left intact
* Closing connection #0
RangerProxy plugin configuration done successfully, restart fusion server to load the plugin
--------------------------------------------------------------------------------------------
Note: You can edit the configuration values anytime in: /etc/wandisco/fusion/plugins/live-ranger/rangerproxy-plugin-site.xml
The fusion server must be restarted for the changes to take effect
--------------------------------------------------------------------------------------------

An example (non-interactive mode):

Enter configuration values in defines_tmpl.sh file, e.g.
RANGER_POLICYMGR_URL="http://rpxy01-vm0.bdfrem.wandisco.com:6080"
PROXY_PLUGIN_KERBEROS="yes"
RANGER_ADMIN_USERNAME="admin"
RANGER_ADMIN_PASSWORD="*****"
CLUSTER_NAME="RPXY-01"
REPL_PATH="/rangerproxy"
FUSION_SERVER_SSL_ENABLED="no"
Execute the configuration script
# ./configure-proxy-plugin --config=defines_tmpl.sh Enter

Once completed, the script will produce the configuration file at /etc/wandisco/fusion/plugins/live-ranger/rangerproxy-plugin-site.xml. You can modify this file later if required. If this file is changed, restart the Live Ranger Fusion server as configuration properties are obtained on server startup only.

4.2.5. Configure the proxy

Change current directory to /etc/wandisco/live-ranger-proxy:

# cd /etc/wandisco/live-ranger-proxy Enter

Execute the configuration script configure-proxy-server. Provide details of how the plugin will operate:

An example (interactive mode):

# ./configure-proxy-server Enter
Enter the RangerProxy server listen host [0.0.0.0]: rpxy01-vm1.bdfrem.wandisco.com Enter
Enter the RangerProxy server listen port [8072]: 8072 Enter
Do you want to enable ssl (yes/no)?
[If yes, you need to provide the keystore path and password]: no Enter
Is the cluster Kerberos enabled (yes/no)?
[If yes, you need to provide the principal and keytab]: yes Enter
Enter the Cluster Name: RPXY-01 Enter
Enter list of read-only users: Ranger Enter
Enter Spnego Principal: HTTP/rpxy01-vm1.bdfrem.wandisco.com@WANDISCO.HADOOP Enter
Enter the Spnego Keytab file path: /etc/security/keytabs/spnego.service.keytab Enter
/etc/security/keytabs/spnego.service.keytab file found.
Enter the Kerberos principal: rangerproxy@WANDISCO.HADOOP Enter
Enter the Kerberos keytab file path: /etc/security/keytabs/rangerproxy.keytab Enter
/etc/security/keytabs/rangerproxy.keytab file found.
Enter the Ranger Admin Username: admin Enter
Please enter the password to be encrypted : ***** Enter
Enter the fusion server zone name: zone01 Enter
Enter the Ranger Policy Manager URL: http://rpxy01-vm0.bdfrem.wandisco.com:6080 Enter
Enter the Cluster Name: RPXY-01 Enter
-------------------------------------------------------------------------------
* RangerProxy server details
RangerProxy server listen host: rpxy01-vm1.bdfrem.wandisco.com
RangerProxy server listen port: 8072
RangerProxy server SSL: false
RangerProxy server Kerberos: true
Kerberos Principal: rangerproxy@WANDISCO.HADOOP
Kerberos Keytab path: /etc/security/keytabs/rangerproxy.keytab
Kerberos Read-Only users list: Ranger
Kerberos Spnego Principal: HTTP/rpxy01-vm1.bdfrem.wandisco.com@WANDISCO.HADOOP
Kerberos Spnego Keytab: /etc/security/keytabs/spnego.service.keytab
Kerberos Name rules: DEFAULT
Ranger details
Fusion server zone name: zone01
Ranger Policy Manager URL: http://rpxy01-vm0.bdfrem.wandisco.com:6080
Cluster Name: RPXY-01
--------------------------------------------------------------------------------
Which user should Live Ranger Proxy run as? [root]: root Enter
Which group should Live Ranger Proxy run as? [root]: root Enter
Enter the minimum memory(-Xms) for Live Ranger Proxy (in MB) [512]: 512 Enter
Enter the maximum memory(-Xmx) for Live Ranger Proxy (in MB) [1024]: 1024 Enter
-------------------------------------------------
Live Ranger Proxy environment details *
Run as User: root
Run as Group: root
Minimum memory: 512m
Maximum memory: 1024m
-------------------------------------------------
Do you confirm the details for configuration (yes/no): yes Enter
RangerProxy server configuration done successfully, restart rangerproxy-server to load the rangerproxy server
--------------------------------------------------------------------------------------------------------
Note: You can edit the configuration values anytime in: /etc/wandisco/live-ranger-proxy/rangerproxy-server-site.xml
The rangerproxy-server must be restarted for the changes to take effect
----------------------------------------------------------------------------------------------------

An example (non-interactive mode):

Enter configuration values in defines_tmpl.sh file, e.g.
LISTEN_HOST="rpxy01-vm1.bdfrem.wandisco.com"
LISTEN_PORT="8072"
PROXY_SERVER_SSL="no"
KEY_STORE_PATH=""
KEY_STORE_PASS=""
PROXY_SERVER_KERBEROS="yes"
KERBEROS_READ_ONLY_USERS_LIST="Ranger"
KERBEROS_SPNEGO_PRINCIPAL="HTTP/rpxy01-vm1.bdfrem.wandisco.com@WANDISCO.HADOOP"
KERBEROS_SPNEGO_KEYTAB="/etc/security/keytabs/spnego.service.keytab"
KERBEROS_PRINCIPAL="rangerproxy@WANDISCO.HADOOP"
KERBEROS_KEYTAB_PATH="/etc/security/keytabs/rangerproxy.keytab"
RANGER_ADMIN_USERNAME="admin"
RANGER_ADMIN_PASSWORD="*****"
ZONE_NAME="zone01"
RANGER_POLICYMGR_URL="http://rpxy01-vm0.bdfrem.wandisco.com:6080"
CLUSTER_NAME="RPXY-01"
PROXY_SERVER_USER_DEFAULT="root"
PROXY_SERVER_GROUP_DEFAULT="root"
PROXY_SERVER_MEM_LOW_DEFAULT="512m"
PROXY_SERVER_MEM_MAX_DEFAULT="1024m"
Execute the configuration script
# ./configure-proxy-server --config=defines_tmpl.sh Enter

Once completed, the script will produce the configuration file at /etc/wandisco/live-ranger-proxy/rangerproxy-server-site.xml. You can modify this file later if required.
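A pre-flight check for the values file above, as an added example that is not part of the WANdisco tooling: it parses the KEY="value" lines and reports settings that leave the proxy on plain HTTP, running as root, or holding a clear-text password. The key names come from the guide; the rules, and the assumption that the values file is not needed once the script has run, are this example's own.

```python
import os
import re
import stat
from urllib.parse import urlparse

# Constructed sample: proxy values taken from the guide's defines_tmpl.sh example.
SAMPLE_DEFINES = '''
LISTEN_HOST="rpxy01-vm1.bdfrem.wandisco.com"
PROXY_SERVER_SSL="no"
KEY_STORE_PATH=""
PROXY_SERVER_KERBEROS="yes"
KERBEROS_KEYTAB_PATH="/etc/security/keytabs/rangerproxy.keytab"
RANGER_ADMIN_USERNAME="admin"
RANGER_ADMIN_PASSWORD="*****"
RANGER_POLICYMGR_URL="http://rpxy01-vm0.bdfrem.wandisco.com:6080"
PROXY_SERVER_USER_DEFAULT="root"
'''

# KEY="value" or KEY=value; comment lines never match because of the key pattern.
ASSIGNMENT = re.compile(r'^\s*([A-Z_][A-Z0-9_]*)="?([^"]*)"?\s*$')


def parse_defines(text):
    """Collect the shell-style assignments of a defines file into a dict."""
    values = {}
    for line in text.splitlines():
        match = ASSIGNMENT.match(line)
        if match:
            values[match.group(1)] = match.group(2).strip()
    return values


def loose_keytab(path):
    """True when the keytab exists on this host and group/other have any access."""
    try:
        return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)
    except OSError:
        return False  # file is not on this host: nothing to check


def audit(values, check_files=True):
    """Return (key, message) findings. The rules are this example's policy."""
    findings = []
    if values.get("PROXY_SERVER_SSL", "no").lower() != "yes":
        findings.append(("PROXY_SERVER_SSL",
                         "proxy listens on plain HTTP; requests and any "
                         "basic-auth credentials cross the network unencrypted"))
    elif not values.get("KEY_STORE_PATH"):
        findings.append(("KEY_STORE_PATH", "SSL is enabled but no keystore path is set"))
    url = values.get("RANGER_POLICYMGR_URL", "")
    if url and urlparse(url).scheme != "https":
        findings.append(("RANGER_POLICYMGR_URL", "proxy-to-Ranger hop is not HTTPS"))
    if values.get("LISTEN_HOST") == "0.0.0.0":
        findings.append(("LISTEN_HOST", "binds every interface; name the one clients use"))
    if values.get("PROXY_SERVER_USER_DEFAULT") == "root":
        findings.append(("PROXY_SERVER_USER_DEFAULT",
                         "proxy runs as root; use a dedicated service account"))
    if values.get("RANGER_ADMIN_PASSWORD"):
        findings.append(("RANGER_ADMIN_PASSWORD",
                         "clear-text admin password in the values file; restrict "
                         "the file mode and blank the value after the script has run"))
    if check_files and values.get("PROXY_SERVER_KERBEROS", "").lower() == "yes":
        if loose_keytab(values.get("KERBEROS_KEYTAB_PATH", "")):
            findings.append(("KERBEROS_KEYTAB_PATH",
                             "keytab is accessible to group/other; set mode 0400"))
    return findings


if __name__ == "__main__":
    for key, message in audit(parse_defines(SAMPLE_DEFINES)):
        print(f"{key}: {message}")
```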

Start the Ranger Proxy server
# service rangerproxy-server start Enter

4.3. Upgrade

The release can be upgraded from prior versions with the following steps:

Stop the WANdisco Fusion server
# service fusion-server stop Enter
Stop the Ranger Proxy server
# service rangerproxy-server stop Enter
Upgrade the plugin RPM
# rpm -U fusion-ranger-plugin-hdp-2.6.4-2.0-100.noarch.rpm Enter
Upgrade the proxy RPM
# rpm -U fusion-ranger-proxy-hdp-2.6.4-2.0-100.noarch.rpm Enter
Start the WANdisco Fusion server
# service fusion-server start Enter
Start the Ranger Proxy server
# service rangerproxy-server start Enter

4.4. Validation

Once your installation has been completed, verify that simple service replication is working as expected. For example:

Create a new service in one zone ("ZoneA" here)
# curl -iv -u <user>:<pass> -X POST -H "Content-Type: application/json" http://<zoneA-rangerproxy-server-host>:<zoneA-rangerproxy-server-port>/service/plugins/services -d '{json_data}' Enter
Check that the service exists in a replicated zone ("ZoneB" here)
# curl -iv -u <user>:<pass> -X GET -H "Content-Type: application/json" http://<zoneB-rangerproxy-server-host>:<zoneB-rangerproxy-server-port>/service/plugins/services/<service_id> Enter

4.5. Uninstallation

Uninstallation is simple, and can be done with the following steps.

Stop the WANdisco Fusion server
# service fusion-server stop Enter
Stop the Ranger Proxy server
# service rangerproxy-server stop Enter
Uninstall
# rpm -e fusion-ranger-plugin-hdp-2.6.4-2.0-100.noarch.rpm Enter
# rpm -e fusion-ranger-proxy-hdp-2.6.4-2.0-100.noarch.rpm Enter
Start the WANdisco Fusion server
# service fusion-server start Enter

4.6. Ambari Installation

An alternative Ambari-based installation has been introduced with the 2.0 release of the Fusion Plugin for Live Ranger. The details provided here are subject to change with minor updates.

Details on the availability of the Ambari Management Pack required to follow this installation process can be obtained from Wandisco Inc. support.

4.6.1. Obtain Installation Components

The Ambari Management Pack for the Fusion Plugin for Live Ranger can be provided by Wandisco Inc. support: fusion-ranger-proxy-hdp-2.6.4_1.1-RC0-<os>.stack.tar.gz.

Copy the Management Pack to the Ambari server
# scp fusion-ranger-proxy-hdp-2.6.4_1.1-RC0-<os>.stack.tar.gz root@<ambari-server-host>:/ Enter
Install the Management Pack in Ambari

On the Ambari server host:

# service ambari-server stop Enter
# ambari-server install-mpack --mpack=/fusion-ranger-proxy-hdp-2.6.4_1.1-RC0-<os>.stack.tar.gz -v Enter
...
INFO: Management pack liveranger-mpack-1.0 successfully installed! Please restart ambari-server.
INFO: Loading properties from /etc/ambari-server/conf/ambari.properties
Ambari Server 'install-mpack' completed successfully.
Restart the Ambari server
# service ambari-server start Enter
# service ambari-server restart Enter

4.6.2. Access the Ambari user interface and follow the steps below.

Click on Actions > Add Service.

Adding the Service

Check "Fusion Live Ranger", then click "Next".

Assign Masters

Select the node where you want to deploy (the node that has the server RPM).

Assign Slaves

Deploy slave roles to the nodes where the WANdisco Fusion server is installed.

Configure Services

Provide the necessary configuration values.

Configure Plugin

Provide configuration for plugin items also.

Configure Server

Provide server configuration details.

Review Details

Review the configuration and click "Deploy".

Install, Start, Test

Confirm successful deployment and click "Next".

Access Fusion Live Ranger

Click on "Quick Links" > "Live Ranger UI".

Administer Ranger

Ranger should be accessible.

5. Operation

Once configured, restart the WANdisco Fusion server to use the configuration applied:

# service fusion-server restart Enter

Then start each Ranger Proxy server:

# service rangerproxy-server start Enter

5.1. Configuration

Configuration of the Fusion Plugin for Live Ranger proxy and server is performed with changes to the configuration files generated at installation time:

  • /etc/wandisco/fusion/plugins/live-ranger/rangerproxy-plugin-site.xml

  • /etc/wandisco/live-ranger-proxy/rangerproxy-server-site.xml

The Ranger Administration UI can be enabled for access via SSL. For full details of how to configure the Fusion Plugin for Live Ranger for interoperability with SSL-enabled Ranger installations, please contact Wandisco Inc. support.

5.2. Live Ranger Replication Rules

System-critical rules, such as the Live Ranger plugin’s default rules, are not displayed in the UI due to their sensitive nature. These rules are critical to the working of the plugin and should never be modified.

Default plugin replication rules will not appear in the Live Ranger UI, although, if required, you can interact with them through the REST API.

6. Reference Guide

The Fusion Plugin for Live Ranger exposes functionality using a REST API. Operations that can be performed using this API are described below.

6.1. Consistency Check

A Consistency Check is used to identify whether there are differences between the policy definitions of each participating Ranger deployment. Consistency checks can be long-lived tasks, and are associated with a task identifier that can be used to determine their progress, and to obtain results when a consistency check is complete.

Examples of consistency check operations are given below:

Start a consistency check
# curl --negotiate -u : -v -s -X POST "http://localhost:8082/plugin/rangerproxy/cc?path=/rangerproxy" Enter
HTTP/1.1 202 Accepted
Content-Location: http://localhost:8082/fusion/task/<taskId>
Content-Length: 1221
Server: Jetty(6.1.26.hwx)

The <taskId> value returned by the operation to start a consistency check is used for subsequent operations that check on status or provide a consistency check report.

Check on status
# curl --negotiate -u : -v -s -X GET "http://localhost:8082/fusion/task/<taskId>" Enter
HTTP/1.1 200 OK
Content-Length: 1221
Content-Type: application/xml
Server: Jetty(6.1.26.hwx)
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<task>
<taskId>9ee718f2-2122-11e8-a5bc-f2c1622b4ea1</taskId>
<timeCreated>1520329321377</timeCreated>
<creatorNodeId>a8446f91-083e-446b-a88e-536efd91aee8</creatorNodeId>
<timeUpdated>1520329324352</timeUpdated>
<isDone>true</isDone>
<aborted>false</aborted>
<properties>
<entry>
<key>CC_REPORT_PATH</key>
<value>/rangerproxy/.fusion/50c60f07-1c62-11e8-929c-c6059be1e476/metadata/9ee718f2-2122-11e8-a5bc-f2c1622b4ea1/cc-report</value>
</entry>
<entry>
<key>TOTAL_INCONSISTENCIES_FOUND</key>
<value>GroupDiff=0; UserDiff=11; PermModelDiff=4; ServiceDefDiff=0; ServiceDiff=21; PolicyDiff=42</value>
</entry>
<entry>
<key>TASK_TYPE</key>
<value>RANGERPROXY_CONSISTENCY_CHECK</value>
</entry>
<entry>
<key>LOCAL_COMPLETE</key>
<value>1520329324352</value>
</entry>
<entry>
<key>CC_REPORT_SUMMARY_PATH</key>
<value>/rangerproxy/.fusion/50c60f07-1c62-11e8-929c-c6059be1e476/metadata/9ee718f2-2122-11e8-a5bc-f2c1622b4ea1/cc-report-summary</value>
</entry>
<entry>
<key>LOCAL_START</key>
<value>1520329321377</value>
</entry>
<entry>
<key>CONSISTENCY_CHECK_STATUS</key>
<value>INCONSISTENT</value>
</entry>
</properties>
<previousTask xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/>
</task>
Obtain a consistency check report
# curl --negotiate -u : -v -s -X GET "http://localhost:8082/plugin/rangerproxy/cc/report/<taskId>?path=/rangerproxy&withconsistencyreport=true" Enter
HTTP/1.1 200 OK
Content-Length: 1221
Content-Type: application/xml
Server: Jetty(6.1.26.hwx)


{
"Totals": {
"users": {
"zone-01": 24,
"zone-02": 23
},
"groups": {
"zone-01": 9,
"zone-02": 9
},
"permissionModels": {
"zone-01": 6,
"zone-02": 6
},
"policies": {
"zone-01": 22,
"zone-02": 28
},
"services": {
"zone-01": 12,
"zone-02": 13
},
"servicedefinitions": {
"zone-01": 11,
"zone-02": 11
}
},
"Deltas": [
{
"zoneName": "zone-02",
"+users": {
"zone-01": 6
},
"-users": {
"zone-01": 5
},
"+groups": {
"zone-01": 0
},
"-groups": {
"zone-01": 0
},
"+permissionModels": {
"zone-01": 2
},
"-permissionModels": {
"zone-01": 2
},
"+policies": {
"zone-01": 18
},
"-policies": {
"zone-01": 24
},
"+services": {
"zone-01": 10
},
"-services": {
"zone-01": 11
},
"+servicedefinitions": {
"zone-01": 0
},
"-servicedefinitions": {
"zone-01": 0
}
},
{
"zoneName": "zone-01",
"+users": {
"zone-02": 5
},
"-users": {
"zone-02": 6
},
"+groups": {
"zone-02": 0
},
"-groups": {
"zone-02": 0
},
"+permissionModels": {
"zone-02": 2
},
"-permissionModels": {
"zone-02": 2
},
"+policies": {
"zone-02": 24
},
"-policies": {
"zone-02": 18
},
"+services": {
"zone-02": 11
},
"-services": {
"zone-02": 10
},
"+servicedefinitions": {
"zone-02": 0
},
"-servicedefinitions": {
"zone-02": 0
}
}
]
}
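
An added example (not WANdisco code) that reads the two responses shown above: it extracts the status and per-type counts from the task XML, then compares the report's Totals with its Deltas. The guide does not define the + and - keys, so the example only sums them; the sample inputs are trimmed copies of the responses above.

```python
import json
import xml.etree.ElementTree as ET

# Trimmed copy of the guide's task-status response (sample input).
TASK_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<task>
<taskId>9ee718f2-2122-11e8-a5bc-f2c1622b4ea1</taskId>
<isDone>true</isDone>
<aborted>false</aborted>
<properties>
<entry><key>TOTAL_INCONSISTENCIES_FOUND</key>
<value>GroupDiff=0; UserDiff=11; PermModelDiff=4; ServiceDefDiff=0; ServiceDiff=21; PolicyDiff=42</value></entry>
<entry><key>TASK_TYPE</key><value>RANGERPROXY_CONSISTENCY_CHECK</value></entry>
<entry><key>CONSISTENCY_CHECK_STATUS</key><value>INCONSISTENT</value></entry>
</properties>
</task>"""

# Trimmed copy of the guide's report body: four Totals and the zone-02 Deltas entry.
REPORT_JSON = """{
 "Totals": {"users": {"zone-01": 24, "zone-02": 23},
            "groups": {"zone-01": 9, "zone-02": 9},
            "permissionModels": {"zone-01": 6, "zone-02": 6},
            "policies": {"zone-01": 22, "zone-02": 28}},
 "Deltas": [{"zoneName": "zone-02",
             "+users": {"zone-01": 6}, "-users": {"zone-01": 5},
             "+groups": {"zone-01": 0}, "-groups": {"zone-01": 0},
             "+permissionModels": {"zone-01": 2}, "-permissionModels": {"zone-01": 2},
             "+policies": {"zone-01": 18}, "-policies": {"zone-01": 24}}]
}"""


def parse_task(xml_bytes):
    """Flatten a Fusion task document into its fields and a properties dict."""
    root = ET.fromstring(xml_bytes)
    props = {entry.findtext("key"): (entry.findtext("value") or "")
             for entry in root.iterfind("properties/entry")}
    return {
        "taskId": root.findtext("taskId"),
        "done": root.findtext("isDone") == "true",
        "aborted": root.findtext("aborted") == "true",
        "properties": props,
    }


def inconsistency_counts(task):
    """Split 'GroupDiff=0; UserDiff=11; ...' into {'GroupDiff': 0, 'UserDiff': 11, ...}."""
    raw = task["properties"].get("TOTAL_INCONSISTENCIES_FOUND", "")
    counts = {}
    for item in raw.split(";"):
        name, sep, number = item.strip().partition("=")
        if sep:
            counts[name] = int(number)
    return counts


def check_verdict(task):
    """ABORTED or PENDING while there is no result, else the reported status."""
    if task["aborted"]:
        return "ABORTED"
    if not task["done"]:
        return "PENDING"
    return task["properties"].get("CONSISTENCY_CHECK_STATUS", "UNKNOWN")


def drift_by_category(report):
    """Per category: do the zone totals differ, and how many delta items are listed."""
    result = {}
    for category, per_zone in report["Totals"].items():
        result[category] = {"totals_differ": len(set(per_zone.values())) > 1,
                            "delta_items": 0}
    for entry in report.get("Deltas", []):
        for key, per_zone in entry.items():
            if key == "zoneName":
                continue
            category = key.lstrip("+-")
            result.setdefault(category, {"totals_differ": False, "delta_items": 0})
            result[category]["delta_items"] += sum(per_zone.values())
    return result


def hidden_drift(report):
    """Categories whose totals match across zones although deltas are non-zero."""
    return sorted(name for name, info in drift_by_category(report).items()
                  if info["delta_items"] and not info["totals_differ"])


if __name__ == "__main__":
    task = parse_task(TASK_XML)
    print(check_verdict(task), inconsistency_counts(task))
    print("equal totals, non-zero deltas:", hidden_drift(json.loads(REPORT_JSON)))
```

On the guide's sample, permissionModels has equal totals in both zones but four delta items, so matching totals alone do not show that two Ranger instances agree.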

6.2. Repair

A Repair is used to resolve inconsistencies between the policy definitions of each participating Ranger deployment. Repair tasks can be long-lived, and are associated with a task identifier that can be used to determine their progress.

Examples of repair operations are given below:

Start a repair
# curl -v -s -X POST "http://localhost:8082/plugin/rangerproxy/repair/<taskId>?path=/rangerproxy&srcZone=<Source-zone-name>" Enter
HTTP/1.1 200 OK
< Content-Location: http://localhost:8082/fusion/task/cd2826ca-2124-11e8-a5bc-f2c1622b4ea1
< Content-Length: 0
< Server: Jetty(6.1.26.hwx)
Check on repair status
# curl --negotiate -u : -v -s -X GET "http://localhost:8082/fusion/task/<repair-taskId>" Enter
HTTP/1.1 200 OK
Content-Length: 1221
Content-Type: application/xml
Server: Jetty(6.1.26.hwx)
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<task>
<taskId>cd2826ca-2124-11e8-a5bc-f2c1622b4ea1</taskId>
<timeCreated>1520330257985</timeCreated>
<creatorNodeId>a8446f91-083e-446b-a88e-536efd91aee8</creatorNodeId>
<timeUpdated>1520330258073</timeUpdated>
<isDone>true</isDone>
<aborted>false</aborted>
<properties>
<entry>
<key>TASK_TYPE</key>
<value>REPAIR_TASK</value>
</entry>
<entry>
<key>UPDATE_PENDING_ZONES</key>
<value/>
</entry>
<entry>
<key>REPAIR_STATUS</key>
<value>COMPLETED</value>
</entry>
<entry>
<key>LOCAL_COMPLETE</key>
<value>1520330258073</value>
</entry>
<entry>
<key>LOCAL_START</key>
<value>1520330257985</value>
</entry>
</properties>
<previousTask xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/>
</task>

1. While operation is supported with Azure HDInsight 3.6, there is no automated installation process for it because its version of Ambari prevents the deployment of additional stacks.