7.14. System level security with Apache Ranger
System level security with Apache Ranger requires a valid Starburst Enterprise Presto license.
Policies in Ranger are created with the Ranger user interface and define access and authorization. Each policy combines user and group information with a resource and access rights to the resource. Ranger is configured to use your organization’s LDAP system for user and group information. Ranger usage requires the installation of the Presto Ranger plugin. It creates the Starburst starburst-enterprise-presto service type, or service definition, in Ranger. This encompasses a Presto-specific set of resources that include catalog, schema, table, column, and more, so access rules for these resources can be configured in Ranger.
The Ranger Presto plugin is responsible for connecting to Ranger from Presto and using the defined policies for Presto resources. Any user action in Presto, such as submitting a query, is validated against the policies from Ranger and potentially prevented.
For example, a query is parsed and analyzed to determine all involved resources such as schemas and tables. Once a list is created, all policies are analyzed in Presto to determine if the user initiating the query has all necessary access rights. Processing only continues if all rights are granted.
In contrast to Hive level security, the system level Ranger integration is suitable for defining role-based access to catalogs using any connector, as well as to a number of other system resources.
Getting started with Ranger for role-based access control can be summarized in a few steps:
Install Ranger and add the Presto Ranger plugin
Configure Ranger for user and group information from LDAP
Configure Presto to use Ranger
Define policies with the Ranger user interface
Enjoy access control for catalogs, schemas, tables and more for all users
Details for all these steps and more are documented in the following sections.
Your first important step is the installation and configuration of Ranger, which can be summarized in the following steps:
Install Ranger 2.0.0 or higher
Configure Ranger to access your LDAP system for user, group and role information
Add Presto Ranger plugin to Ranger
AWS CloudFormation deployment
The Starburst support for Amazon CFT-based installation includes installation of Apache Ranger and all relevant configuration. Detailed information is available in the AWS documentation.
The Starburst support for Kubernetes-based installation includes installation of Apache Ranger and all relevant configuration. Detailed information is available in the Kubernetes documentation.
Connect existing Ranger
Using an existing Ranger 2.0.0 or higher is supported. You have to make sure that the coordinator has network access to Ranger and that LDAP is configured, so that all relevant users, groups and roles are available. As a next step you need to install the Presto Ranger plugin.
Manual Ranger installation
If you are running Presto on-premise or some other custom deployment, you need to install Ranger 2.0.0 or higher following the documentation from the Ranger project.
Connect Ranger to LDAP
Ranger needs to access the information about your users, groups and roles in your LDAP system. With the K8s and AWS installation methods, all details are already configured. For existing Ranger usage or manual installation, you need to ensure that Ranger is connected to your LDAP directory provider and that a synchronization process is in place. The process varies based on your LDAP system and is documented in the Ranger documentation.
Presto Ranger plugin
The Presto Ranger plugin is automatically installed with Ranger when using the AWS CFT and Kubernetes installations. For existing Ranger instances or custom Ranger installation, you need to follow these steps:
Locate the directory in your SEP distribution
Copy JAR files
presto-jdbc.jar to your Ranger installation into the directory
Restart Ranger. The Presto Ranger plugin automatically creates the service type definition for Presto in Ranger.
Access the Ranger user interface and confirm that you can find the Starburst Enterprise Presto service type
With the Presto Ranger plugin installed in Ranger, you can create one or multiple services with the SEP. This allows you to have separate services for different Presto clusters.
With Ranger installed and configured you are now ready to configure Ranger as
the activated access control system. Update
and set the path to your Ranger access control configuration file:
Subsequently configure details in the file:
access-control.name=ranger
ranger.policy-rest-url=http://ranger.example.com:6080
ranger.service-name=presto-production
ranger.presto-plugin-username=<username>
ranger.presto-plugin-password=<password>
ranger.policy-refresh-interval=30s
Set the name of the access control system to
The URL to the Ranger server
Name of the service defined in Ranger for this Presto cluster
Authentication type for Presto connecting to Ranger, currently only
Username for the Ranger Presto plugin to use to connect to Ranger with BASIC authentication
Password for the Ranger Presto plugin to use to connect to Ranger with BASIC authentication
Path to Ranger plugin SSL configuration
Ranger’s client persistent cache for policies
Interval to refresh policies from Ranger
Timeout to use when connecting to Ranger
Timeout to use when reading policies from Ranger
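A pre-deployment check for the Ranger access control properties listed above, as an added example that is not part of the Starburst or Ranger code. It uses only the property names shown on this page; the function names and the sample text are constructed for illustration. Because the plugin authenticates with BASIC authentication, a plain http:// policy URL sends the plugin username and password to Ranger unencrypted, which is the main thing the check flags.

```python
from urllib.parse import urlsplit

# Constructed sample mirroring the properties shown on this page.
SAMPLE = """\
access-control.name=ranger
ranger.policy-rest-url=http://ranger.example.com:6080
ranger.service-name=presto-production
ranger.presto-plugin-username=<username>
ranger.presto-plugin-password=<password>
ranger.policy-refresh-interval=30s
"""

CREDS = ("ranger.presto-plugin-username", "ranger.presto-plugin-password")
REQUIRED = ("access-control.name", "ranger.policy-rest-url",
            "ranger.service-name") + CREDS


def parse_properties(text):
    """Parse simple key=value lines, skipping blank lines and # or ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def review(props):
    """Return a list of findings for the Ranger access control settings."""
    findings = [f"missing property: {k}" for k in REQUIRED if not props.get(k)]
    if props.get("access-control.name", "ranger") != "ranger":
        findings.append("access-control.name is not 'ranger'")
    url = urlsplit(props.get("ranger.policy-rest-url", ""))
    if url.scheme == "http" and any(props.get(k) for k in CREDS):
        findings.append("BASIC credentials sent to Ranger over plain HTTP")
    for key in CREDS:
        value = props.get(key, "")
        if value.startswith("<") and value.endswith(">"):
            findings.append(f"placeholder value left in {key}")
    return findings
```
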
System level security can be configured to use Ranger audit. It automatically verifies whether a user can access queries from other users. Technically this is performed by accessing the internal table system.runtime.queries. Any access to the table is logged.
ranger.audit.system-runtime-queries.enabled is set to
by default and controls this logging behavior.
The Web UI makes heavy use of the queries table. As a
result using the web interface causes a flood of audit events. Setting the
false disables this audit logging.
Users, groups and roles are sourced from your connected LDAP directory and are used as the target users for each policy.
Policy creation and management is performed with the Ranger user interface, or optionally with the Ranger REST API.
A policy is a combination of a set of resources and the associated privileges. Specific user interface elements with drop-down and auto-completion are available for all resources.
A resource set includes one or more resources of different resource types. Wildcard characters are supported to select a number of resources based on a pattern.
catalog - schema
catalog - schema - table
catalog - schema - table - column
catalog - schema - procedure
catalog - session property
system session property
As you can see from the list above, some resources are hierarchically organized within a catalog and below. This allows you, for example, to restrict access to a complete catalog, a specific schema or table, or even down to a column or a procedure within a schema.
For example, you can define a set of resources that allows you to restrict access to the two tables credit-info and cards-info in all schemas:
Table: credit-info, cards-info
A set of resources works as a primary key for a policy and needs to be unique. Multiple policies, however, may cover a single resource because of wildcards.
A set of privileges consists of one or more user groups, roles and users, and a set of access types for the specified resource set. Privileges can allow or deny operations.
The catalog, schema, table and column resources, which grant access to resources for queries, have the following access types.
SELECT to read data from the resource.
INSERT to add data to the resource.
UPDATE to change data in the resource.
DELETE to remove data from the resource.
OWNERSHIP to claim ownership of the resource, which provides complete access.
In addition there are privileges that determine access to queries and their usage, and are therefore of a more general nature.
SELECT to list queries.
EXECUTE to initiate processing of any query. Without this privilege user action is extremely limited.
KILL to stop processing of any query.
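A simplified model of the check described on this page, in which every resource a query touches must be granted before processing continues. It is an added example and not Ranger's or Starburst's evaluation code. The policy field names, the hive catalog and the analysts group are constructed, and the rules that a matching deny wins and that no matching allow means no access are assumptions of this sketch.

```python
from fnmatch import fnmatchcase

# Constructed policies; field names are illustrative, not Ranger's policy schema.
POLICIES = [
    {   # analysts may read every table in the (hypothetical) hive catalog
        "resource": {"catalog": ["hive"], "schema": ["*"], "table": ["*"]},
        "effect": "allow", "groups": {"analysts"}, "access": {"SELECT"},
    },
    {   # the page's resource set: two tables, in all schemas
        "resource": {"catalog": ["*"], "schema": ["*"],
                     "table": ["credit-info", "cards-info"]},
        "effect": "deny", "groups": {"analysts"},
        "access": {"SELECT", "INSERT", "UPDATE", "DELETE"},
    },
]


def matches(policy, resource):
    """Every level of the resource must match one of the policy's patterns."""
    return all(
        any(fnmatchcase(resource[level], pattern) for pattern in patterns)
        for level, patterns in policy["resource"].items()
    )


def is_allowed(groups, resource, access):
    """Assumed semantics: a matching deny wins; no matching allow means no access."""
    allowed = False
    for policy in POLICIES:
        if (access in policy["access"] and policy["groups"] & groups
                and matches(policy, resource)):
            if policy["effect"] == "deny":
                return False
            allowed = True
    return allowed


def missing_rights(groups, needed):
    """needed: (catalog, schema, table, access) tuples found by analyzing a query.
    Processing continues only if the returned list is empty."""
    keys = ("catalog", "schema", "table")
    return [n for n in needed
            if not is_allowed(groups, dict(zip(keys, n[:3])), n[3])]
```

A query that joins an ordinary table with credit-info is rejected as a whole, because one of its two resources is not granted.
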