Ranger

You can install Apache Ranger in your Presto cluster to use the system-level security support of Starburst Enterprise Presto.

Ranger is installed on a separate pod within the cluster with the help of a Helm chart, referenced Docker images and custom configuration. The Presto Ranger plugin is installed automatically and is configured to connect to Presto in the cluster.

Users can manage the security policies with the Ranger user interface. Ranger stores the policies in a separate PostgreSQL database.
Requirements

The following requirements apply for the Ranger installation, in addition to the normal deployment prerequisites:

- Access to the Ranger Helm chart for the installation from Starburst, available as `starburst-ranger` in the Starburst Helm chart repository
- Access to the Docker images or the Starburst Docker container registry
- Kubernetes cluster for shared Presto and Ranger usage
- Installation of the starburst-platform-manifest in the same namespace on the cluster; it contains configuration details about Presto that can be used by the Ranger installation
- External PostgreSQL database to use for Ranger, with the necessary network access, for production usage; alternatively a cluster-internal database, with the option to use persistent volume storage, can be used for testing
- Helm version 3.x on the machine used to configure the cluster
Installation

With the prerequisites satisfied, installing Ranger follows a few simple steps:

1. Download and extract the chart, creating the `starburst-ranger` directory.
2. Update the configuration properties in `starburst-ranger/values.yaml`.
3. Install the configured chart:

```shell
helm install starburst-ranger ./starburst-ranger
```

Results of the installation:

- Pod with Ranger and the Presto Ranger plugin deployed and configured to connect to Presto
- Optionally a pod with the Ranger LDAP user synchronization system deployed and configured
- Optionally a pod with a PostgreSQL database backend for Ranger
Configuration properties

You can configure the Helm chart by setting parameters in the `values.yaml` file. The following sections detail various aspects of the file.
Container registry credentials

Optionally configure the URL of your container registry, which contains the Ranger container image, with the `registry` field. Username and password can be used if authentication is required.
Ranger configuration

The `admin` block is preconfigured with suitable values for the Ranger container.

| Property name | Default | Description |
|---|---|---|
| serviceUser | presto_service | |
| passwords | | A number of passwords need to be set to any desired values. They are used for administrative and Ranger-internal purposes and do not need to be changed or used elsewhere. |
LDAP user synchronization

You can use the `usersync` block to configure the details of the synchronization of users and groups between Ranger and your LDAP system. It runs on a separate pod when deployed.

| Property name | Default | Description |
|---|---|---|
| enabled | true | Enable or disable the user synchronization feature |
| name | ranger-usersync | Name of the pod |
| tls / enabled | false | Enable or disable TLS for usersync |
| tls / truststore / secret | | Name of the secret created from the truststore |
| tls / truststore / password | | Password for the truststore |
| env | | A map of Ranger config variables related to the user synchronization |
| env / RANGER__SYNC_LDAP_URL | | URL to the LDAP server |
| env / RANGER__SYNC_LDAP_BIND_DN | cn=admin,dc=ldap,dc=example,dc=org | Bind DN for the LDAP connection |
| env / RANGER__SYNC_LDAP_BIND_PASSWORD | cieX7moong3u | Password for the bind operation |
| env / RANGER__SYNC_LDAP_SEARCH_BASE | dc=ldap,dc=example,dc=org | Search base in the LDAP directory |
| env / RANGER__SYNC_LDAP_USER_SEARCH_BASE | ou=users,dc=ldap,dc=example,dc=org | User information search base in the LDAP directory |
| env / RANGER__SYNC_LDAP_USER_OBJECT_CLASS | person | Object class for users |
| env / RANGER__SYNC_GROUP_SEARCH_ENABLED | true | Enable or disable group search |
| env / RANGER__SYNC_GROUP_USER_MAP_SYNC_ENABLED | true | Enable or disable synchronization of the group-user mapping |
| env / RANGER__SYNC_GROUP_SEARCH_BASE | ou=groups,dc=ldap,dc=example,dc=org | Group information search base in the LDAP directory |
| env / RANGER__SYNC_GROUP_OBJECT_CLASS | groupOfNames | Object class for groups |
The following steps can be used to enable TLS with the LDAP server:

1. Create a truststore file named `truststore.jks` from the LDAP server certificate.
2. Create a Kubernetes secret `ldap-cert` from the truststore file:

```shell
kubectl create secret generic ldap-cert --from-file truststore.jks
```

3. Update the values to reflect the secret name in the `tls` section.
4. Update the truststore password in the `tls` section:

```yaml
tls:
  enabled: true
  truststore:
    secret: ldap-cert
    password: "truststore password"
```
Ranger PostgreSQL database backend

You can use a PostgreSQL database within the cluster, created by the chart, as the backend for the policy storage of Ranger. It is configured in the `database` block and intended for testing.

Alternatively, you can use an external PostgreSQL database for production usage. You have to manage this server and database yourself.

| Property name | Default | Description |
|---|---|---|
| type | internal | Use a database deployed in the cluster |
| internal / databaseName | ranger | Name of the internal database |
| internal / databaseUser | ranger | User to connect to the internal database |
| internal / databasePassword | RangerPass123 | Password to connect to the internal database |
| internal / databaseRootUser | rangeradmin | User to administrate the internal database for creating and updating tables and similar operations |
| internal / databaseRootPassword | RangerAdminPass123 | Password for the administrator to connect to the internal database |
| external / port | | Port to access the external database |
| external / host | | Host of the external database |
| external / databaseName | | Name of the external database |
| external / databaseUser | | User to connect to the external database |
| external / databasePassword | | Password to connect to the external database |
| external / databaseRootUser | | User to administrate the external database by creating and updating tables and similar operations |
| external / databaseRootPassword | | Password for the administrator to connect to the external database |
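The `usersync` and `database` tables above document default credentials and an unencrypted LDAP transport, both of which must be changed before the chart goes to production. The following added example (not part of the chart or this page) audits a `values.yaml` that has already been loaded into a dict; it assumes the section and key names shown in the tables, flags the documented default passwords, a plain `ldap://` URL, `ldaps://` without `tls.enabled` or a truststore secret, and the testing-only internal database. Both sample configurations are constructed for illustration.

```python
"""Audit a loaded starburst-ranger values.yaml for weak settings. Keys follow this page's tables; both sample configs are constructed."""
from urllib.parse import urlsplit

# Credentials that appear as defaults in the documented values tables.
DOCUMENTED_DEFAULTS = {"cieX7moong3u", "RangerPass123", "RangerAdminPass123"}

def audit_values(values: dict) -> list:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    usersync = values.get("usersync", {})
    if usersync.get("enabled", True):
        env, tls = usersync.get("env", {}), usersync.get("tls", {})
        scheme = urlsplit(env.get("RANGER__SYNC_LDAP_URL", "")).scheme.lower()
        if scheme == "ldap":
            findings.append("usersync: plain ldap:// URL, bind DN and password are sent unencrypted")
        elif scheme != "ldaps":
            findings.append("usersync: RANGER__SYNC_LDAP_URL missing or not an ldap/ldaps URL")
        elif not tls.get("enabled", False):
            findings.append("usersync: ldaps:// URL but tls.enabled is false")
        elif not tls.get("truststore", {}).get("secret"):
            findings.append("usersync: tls.enabled but no truststore secret is referenced")
        if env.get("RANGER__SYNC_LDAP_BIND_PASSWORD") in DOCUMENTED_DEFAULTS:
            findings.append("usersync: LDAP bind password is the documented default")
    db = values.get("database", {})
    kind = db.get("type", "internal")
    if kind == "internal":
        findings.append("database: internal PostgreSQL is meant for testing, not production")
    for key in ("databasePassword", "databaseRootPassword"):
        secret = db.get(kind, {}).get(key)
        if not secret or secret in DOCUMENTED_DEFAULTS:
            findings.append(f"database: {kind}.{key} is empty or the documented default")
    return findings

# Constructed sample: chart defaults left in place and a plain LDAP URL.
WEAK = {
    "usersync": {"enabled": True, "tls": {"enabled": False},
                 "env": {"RANGER__SYNC_LDAP_URL": "ldap://ldap.example.org:389",
                         "RANGER__SYNC_LDAP_BIND_PASSWORD": "cieX7moong3u"}},
    "database": {"type": "internal", "internal": {
        "databasePassword": "RangerPass123", "databaseRootPassword": "RangerAdminPass123"}},
}
# Constructed sample: ldaps with a truststore secret, external database, unique secrets.
HARDENED = {
    "usersync": {"enabled": True, "tls": {"enabled": True, "truststore": {"secret": "ldap-cert"}},
                 "env": {"RANGER__SYNC_LDAP_URL": "ldaps://ldap.example.org:636",
                         "RANGER__SYNC_LDAP_BIND_PASSWORD": "<unique generated secret>"}},
    "database": {"type": "external", "external": {
        "databasePassword": "<unique generated secret>", "databaseRootPassword": "<another secret>"}},
}
```

Running `audit_values(WEAK)` returns five findings and `audit_values(HARDENED)` returns an empty list; load a real file with any YAML parser and pass the resulting dict to the same function.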
Service definition

The service network and type definition in the `expose` block allows you to configure ports, ingress and other network properties for the Ranger pod.

You can set the `type` to `clusterIp` (default), `nodePort`, `loadBalancer` or `ingress`, and configure details such as ports in the relevant blocks.