5.9. Ranger#

You can install Apache Ranger in your Presto cluster to use the system-level security support of Starburst Enterprise Presto.

Warning

The Kubernetes (k8s) provisioning and configuration of Ranger is currently available as a beta release only. Work with the Starburst support team if you are planning to use this feature in production.

Overview#

Ranger is installed on a separate pod within the cluster using a Helm chart, the Docker images it references, and custom configuration. The Presto Ranger plugin is installed automatically and configured to connect to Presto in the cluster.

Users can manage the security policies with the Ranger user interface. Ranger stores the policies in a separate PostgreSQL database.

Requirements#

The following requirements apply to the Ranger installation, in addition to the normal deployment prerequisites.

  • Access to the Ranger Helm chart for the installation from Starburst, available as starburst-ranger in the Starburst Helm chart repository
  • Access to the Docker images or the Starburst Docker container registry
  • A Kubernetes cluster for shared Presto and Ranger usage
  • Installation of the starburst-platform-manifest in the same namespace on the cluster; it contains configuration details about Presto that the Ranger installation uses
  • An external PostgreSQL database for Ranger, with the necessary network access, for production usage; alternatively, a cluster-internal database, optionally backed by persistent volume storage, can be used for testing
  • Helm version 3.x on the machine used to configure the cluster

Installation#

With the prerequisites satisfied, installing Ranger takes a few steps:

  • Download and extract the chart, creating the starburst-ranger directory

  • Update the configuration properties in starburst-ranger/values.yaml

  • Install the configured chart:

    helm install starburst-ranger ./starburst-ranger
    

Results of the installation:

  • A pod running Ranger with the Presto Ranger plugin, deployed and configured to connect to Presto
  • Optionally, a pod with the Ranger LDAP user synchronization system, deployed and configured
  • Optionally, a pod with a PostgreSQL database backend for Ranger

Configuration properties#

You can configure the Helm chart by setting parameters in values.yaml. The following sections detail the various parts of the file.

Container registry credentials#

Optionally, configure the URL of the container registry that holds the Ranger container image with the registry field. Set username and password if the registry requires authentication.

Ranger configuration#

The admin block is preconfigured with suitable values for the Ranger container.

Select admin properties#
| Property name | Default | Description |
| --- | --- | --- |
| serviceUser | presto_service | |
| passwords | | A number of passwords need to be set to any desired values. They are used for administrative and Ranger-internal purposes and do not need to be changed or used elsewhere. |

LDAP user synchronization#

Use the usersync block to configure the synchronization of users and groups between Ranger and your LDAP system. When deployed, it runs on a separate pod.

Select usersync properties#
| Property name | Default | Description |
| --- | --- | --- |
| enabled | true | Enable or disable the user synchronization feature |
| name | ranger-usersync | Name of the pod |
| env | | A map of Ranger configuration variables related to user synchronization |
| env / RANGER__SYNC_LDAP_URL | ldap://ranger-ldap:389 | URL of the LDAP server |
| env / RANGER__SYNC_LDAP_BIND_DN | cn=admin,dc=ldap,dc=example,dc=org | Bind DN for the LDAP connection |
| env / RANGER__SYNC_LDAP_BIND_PASSWORD | cieX7moong3u | Password for the bind operation |
| env / RANGER__SYNC_LDAP_SEARCH_BASE | dc=ldap,dc=example,dc=org | Search base in the LDAP directory |
| env / RANGER__SYNC_LDAP_USER_SEARCH_BASE | ou=users,dc=ldap,dc=example,dc=org | User information search base in the LDAP directory |
| env / RANGER__SYNC_LDAP_USER_OBJECT_CLASS | person | Object class for users |
| env / RANGER__SYNC_GROUP_SEARCH_ENABLED | true | Enable or disable group search |
| env / RANGER__SYNC_GROUP_USER_MAP_SYNC_ENABLED | true | Enable or disable synchronization of the group-user mapping |
| env / RANGER__SYNC_GROUP_SEARCH_BASE | ou=groups,dc=ldap,dc=example,dc=org | Group information search base in the LDAP directory |
| env / RANGER__SYNC_GROUP_OBJECT_CLASS | groupOfNames | Object class for groups |

Ranger PostgreSQL database backend#

For testing, you can use a PostgreSQL database inside the cluster, created by the chart, as the backend for Ranger policy storage; configure it in the database block.

Alternatively, use an external PostgreSQL database for production usage. You have to manage this server and database yourself.

Select database properties#
| Property name | Default | Description |
| --- | --- | --- |
| type | internal | internal to use a database deployed in the cluster, external to use one outside the cluster |
| internal / databaseName | ranger | Name of the internal database |
| internal / databaseUser | ranger | User to connect to the internal database |
| internal / databasePassword | RangerPass123 | Password to connect to the internal database |
| internal / databaseRootUser | rangeradmin | User to administer the internal database, for creating and updating tables and similar operations |
| internal / databaseRootPassword | RangerAdminPass123 | Password for the administrator to connect to the internal database |
| external / port | | Port to access the external database |
| external / host | | Host of the external database |
| external / databaseName | | Name of the external database |
| external / databaseUser | | User to connect to the external database |
| external / databasePassword | | Password to connect to the external database |
| external / databaseRootUser | | User to administer the external database, for creating and updating tables and similar operations |
| external / databaseRootPassword | | Password for the administrator to connect to the external database |
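The admin, usersync and database tables above list the credentials the chart ships with, and the database section marks the cluster-internal PostgreSQL as a testing option. Because those defaults are printed in public documentation, a values file that still carries them, or that leaves the admin passwords unset, should not reach a production cluster. The following script is an added example, not code from the Starburst chart or its documentation: it reads a values.yaml and reports the defaults left in place, empty admin passwords, a cleartext ldap:// URL for user synchronization, and database.type set to internal. The key nesting (admin.passwords.*, usersync.env.*, database.type, database.internal.*) is assumed from the tables; the two values files embedded in it are constructed samples, and the small parser covers only the plain key/value maps such a file consists of.

```python
"""Pre-install sanity check for a starburst-ranger values.yaml.

Added example, not part of the Starburst chart or its documentation. The
key nesting (admin.passwords.*, usersync.env.*, database.type,
database.internal.*) is assumed from the property tables on this page.
A minimal indentation-based parser is used so the script runs without
PyYAML; it handles the plain `key: value` maps a values file consists of,
not lists, anchors or multi-line scalars.
"""

# Defaults shipped in the chart's values file, as listed in the tables
# above. Any of them left in place means Ranger runs with a credential
# that is printed in public documentation.
SHIPPED_DEFAULTS = {
    "usersync.env.RANGER__SYNC_LDAP_BIND_PASSWORD": "cieX7moong3u",
    "database.internal.databasePassword": "RangerPass123",
    "database.internal.databaseRootPassword": "RangerAdminPass123",
}


def parse_simple_yaml(text):
    """Parse nested `key: value` maps (space-indented) into a dict."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for each open nesting level
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while indent <= stack[-1][0]:  # close deeper levels
            stack.pop()
        parent = stack[-1][1]
        if value == "":  # a bare `key:` opens a nested map
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:  # a quoted "" is kept as an (empty) scalar
            parent[key] = value.strip("'\"")
    return root


def flatten(tree, prefix=""):
    """Turn nested maps into {"a.b.c": value}."""
    flat = {}
    for key, value in tree.items():
        path = prefix + key
        if isinstance(value, dict):
            flat.update(flatten(value, path + "."))
        else:
            flat[path] = value
    return flat


def check_values(text):
    """Return a list of findings for a values file; an empty list is clean."""
    flat = flatten(parse_simple_yaml(text))
    findings = []
    for path, default in SHIPPED_DEFAULTS.items():
        if flat.get(path) == default:
            findings.append(f"{path}: still the chart's published default")
    # The admin passwords must be set to some value; an empty entry means
    # no value was ever chosen.
    for path, value in flat.items():
        if path.startswith("admin.passwords.") and value == "":
            findings.append(f"{path}: empty")
    ldap_url = flat.get("usersync.env.RANGER__SYNC_LDAP_URL", "")
    if flat.get("usersync.enabled", "true").lower() == "true" and ldap_url.startswith("ldap://"):
        findings.append("usersync.env.RANGER__SYNC_LDAP_URL: plain ldap://, the bind "
                        "password and directory data cross the network unencrypted")
    if flat.get("database.type") == "internal":
        findings.append("database.type: the cluster-internal database is for testing; "
                        "use an external PostgreSQL for production")
    return findings


# Constructed sample resembling the shipped defaults (not the real file).
SHIPPED_VALUES = """\
registry: registry.example.internal   # placeholder, not a real registry
admin:
  serviceUser: presto_service
  passwords:
    adminPassword: ""
usersync:
  enabled: true
  name: ranger-usersync
  env:
    RANGER__SYNC_LDAP_URL: ldap://ranger-ldap:389
    RANGER__SYNC_LDAP_BIND_DN: cn=admin,dc=ldap,dc=example,dc=org
    RANGER__SYNC_LDAP_BIND_PASSWORD: cieX7moong3u
database:
  type: internal
  internal:
    databaseName: ranger
    databaseUser: ranger
    databasePassword: RangerPass123
    databaseRootUser: rangeradmin
    databaseRootPassword: RangerAdminPass123
expose:
  type: clusterIp
"""

# Constructed sample of a production-oriented file: generated secrets,
# LDAP over TLS, external database.
HARDENED_VALUES = """\
admin:
  serviceUser: presto_service
  passwords:
    adminPassword: "<generated-secret>"
usersync:
  enabled: true
  env:
    RANGER__SYNC_LDAP_URL: ldaps://ldap.example.org:636
    RANGER__SYNC_LDAP_BIND_PASSWORD: "<generated-secret>"
database:
  type: external
  external:
    host: ranger-db.example.org
    port: 5432
    databaseName: ranger
    databaseUser: ranger
    databasePassword: "<generated-secret>"
"""

if __name__ == "__main__":
    for label, text in (("shipped", SHIPPED_VALUES), ("hardened", HARDENED_VALUES)):
        print(f"{label}: {len(check_values(text))} finding(s)")
        for finding in check_values(text):
            print("  -", finding)
```

Run it against the real starburst-ranger/values.yaml by passing the file's contents to check_values before helm install; the shipped sample yields six findings and the hardened sample none. The parser is deliberately small, so a values file that uses lists or multi-line strings should be loaded with PyYAML instead and the same check_values logic applied to the flattened result.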

Service definition#

The expose block lets you configure the service type, ports, ingress, and other network properties for the Ranger pod.

You can set the type to clusterIp (default), nodePort, loadBalancer, or ingress and configure details such as ports in the corresponding blocks.