Ranger#

You can install Apache Ranger alongside Presto in your Kubernetes cluster to use the system-level security support of Starburst Enterprise Presto.

Ranger runs in a separate pod within the cluster and is installed with a Helm chart that references Docker images and your custom configuration. The Presto Ranger plugin is installed automatically and configured to connect to the Presto cluster.

Users manage the security policies in the Ranger user interface. Ranger stores the policies in a separate PostgreSQL database.

Requirements#

The following requirements apply for the Ranger installation, in addition to the normal deployment prerequisites.

  • Access to the Ranger Helm chart from Starburst, available as starburst-ranger in the Starburst Helm chart repository

  • Access to the Docker images or to the Starburst Docker container registry

  • A Kubernetes cluster shared by Presto and Ranger

  • Installation of the starburst-platform-manifest in the same namespace of the cluster; it contains configuration details about Presto that the Ranger installation uses

  • An external PostgreSQL database for Ranger, reachable from the cluster over the network, for production usage. For testing, the chart can instead create a database inside the cluster, optionally backed by persistent volume storage

  • Helm version 3.x on the machine used to configure the cluster

Installation#

With the prerequisites satisfied, installing Ranger takes a few steps:

  • Download and extract the chart, creating the starburst-ranger directory

  • Update the configuration properties in starburst-ranger/values.yaml

  • Install the configured chart:

    helm install starburst-ranger ./starburst-ranger
    

Results of the installation:

  • Pod with Ranger with the Presto Ranger plugin deployed and configured to connect to Presto

  • Optionally a pod with Ranger LDAP user synchronization system deployed and configured

  • Optionally a pod with a PostgreSQL database backend for Ranger

Configuration properties#

You configure the Helm chart by setting parameters in values.yaml. The following sections detail the various parts of the file.

Container registry credentials#

Optionally configure the URL of the container registry that holds the Ranger container image with the registry field. Set username and password as well if the registry requires authentication.

Ranger configuration#

The admin block is preconfigured with suitable values for the Ranger container.

Select admin properties#

Each entry gives the property name, its default in parentheses where one is defined, and a description.

serviceUser (default: presto_service)

passwords
    A number of passwords must be set; the chart accepts any value. They are used for administrative and Ranger-internal purposes only and are not needed anywhere else. Set each one to a unique, randomly generated value for every installation rather than reusing an example value from this page.

LDAP user synchronization#

Use the usersync block to configure the synchronization of users and groups from your LDAP system into Ranger. When enabled, it runs in a separate pod.

Select usersync properties#

Each entry gives the property name, its default in parentheses where one is defined, and a description. The defaults of the env entries describe an example LDAP server; replace them with the details of your directory.

enabled (default: true)
    Enable or disable the user synchronization feature

name (default: ranger-usersync)
    Name of the pod

tls / enabled (default: false)
    Enable or disable TLS for the connection from usersync to the LDAP server

tls / truststore / secret
    Name of the Kubernetes secret created from the truststore

tls / truststore / password
    Password of the truststore

env
    A map of Ranger configuration variables related to user synchronization

env / RANGER__SYNC_LDAP_URL (default: ldap://ranger-ldap:389)
    URL of the LDAP server. The default is an unencrypted ldap:// connection.

env / RANGER__SYNC_LDAP_BIND_DN (default: cn=admin,dc=ldap,dc=example,dc=org)
    Bind DN for the LDAP connection

env / RANGER__SYNC_LDAP_BIND_PASSWORD (default: cieX7moong3u)
    Password for the bind operation. The default is an example value and must be replaced. The password is stored in clear text in values.yaml, so restrict access to that file accordingly.

env / RANGER__SYNC_LDAP_SEARCH_BASE (default: dc=ldap,dc=example,dc=org)
    Search base in the LDAP directory

env / RANGER__SYNC_LDAP_USER_SEARCH_BASE (default: ou=users,dc=ldap,dc=example,dc=org)
    Search base for user information in the LDAP directory

env / RANGER__SYNC_LDAP_USER_OBJECT_CLASS (default: person)
    Object class for users

env / RANGER__SYNC_GROUP_SEARCH_ENABLED (default: true)
    Enable or disable group search

env / RANGER__SYNC_GROUP_USER_MAP_SYNC_ENABLED (default: true)
    Enable or disable synchronization of the group-user mapping

env / RANGER__SYNC_GROUP_SEARCH_BASE (default: ou=groups,dc=ldap,dc=example,dc=org)
    Search base for group information in the LDAP directory

env / RANGER__SYNC_GROUP_OBJECT_CLASS (default: groupOfNames)
    Object class for groups

The following steps enable TLS for the connection to the LDAP server:

  • Create a truststore file named truststore.jks that contains the certificate of the CA that issued the LDAP server certificate (or the server certificate itself, if it is self-signed)

  • Create a Kubernetes secret named ldap-cert from the truststore file, in the same namespace into which the chart is installed

    kubectl create secret generic ldap-cert --from-file=truststore.jks
    
  • Enable TLS in the tls section, reference the secret by name and set the truststore password:

    tls:
      enabled: true
      truststore:
        secret: ldap-cert
        password: "truststore password"
    

Ranger PostgreSQL database backend#

For testing, you can use a PostgreSQL database inside the cluster, created by the chart and configured in the database block, as the backend for Ranger policy storage.

For production usage, use an external PostgreSQL database. You manage that server and database yourself, including its network access from the cluster.

Select database properties#

Each entry gives the property name, its default in parentheses where one is defined, and a description.

type (default: internal)
    internal for a database deployed by the chart inside the cluster, external for a database outside the cluster

internal / databaseName (default: ranger)
    Name of the internal database

internal / databaseUser (default: ranger)
    User to connect to the internal database

internal / databasePassword (default: RangerPass123)
    Password to connect to the internal database. The default is an example value; replace it.

internal / databaseRootUser (default: rangeradmin)
    User that administers the internal database, for creating and updating tables and similar operations

internal / databaseRootPassword (default: RangerAdminPass123)
    Password of the administrator for the internal database. The default is an example value; replace it.

external / port
    Port to access the external database

external / host
    Host of the external database

external / databaseName
    Name of the external database

external / databaseUser
    User to connect to the external database

external / databasePassword
    Password to connect to the external database

external / databaseRootUser
    User that administers the external database, for creating and updating tables and similar operations

external / databaseRootPassword
    Password of the administrator for the external database

Service definition#

The expose block defines the service network and type for the Ranger pod and lets you configure ports, ingress and other network properties.

Set type to clusterIp (default), nodePort, loadBalancer, or ingress and configure details such as ports in the corresponding block. With the default clusterIp, Ranger is reachable only from inside the cluster; the other types expose it beyond the cluster.