# Integrating Ranger for access control

## Prerequisites

1. Assume the `HBase` server side is already deployed, with roles planned as follows:

| Hostname           | oushu1       | oushu2       | oushu3       |
| ------------------ | ------------ | ------------ | ------------ |
| IP                 | 192.168.1.11 | 192.168.1.12 | 192.168.1.13 |
| HBase Master       | yes          | yes          | no           |
| HBase Regionserver | yes          | yes          | yes          |

2. Assume the `Ranger` service is already deployed, with roles planned as follows:

| Hostname           | ranger1      |
| ------------------ | ------------ |
| IP                 | 192.168.1.14 |
| Role               | Ranger Admin |

## Install ranger-hbase-plugin

- Create a hostfile listing every machine in the cluster:

```shell
touch ~/hostfile
```

- Edit the hostfile so it contains the hostname of each machine in the cluster:

```shell
oushu1
oushu2
oushu3
```

- Run yum install on all nodes:

```shell
lava ssh -f ~/hostfile -e "sudo yum install -y ranger-hbase-plugin"
```

## Modify the configuration

- In `/usr/local/oushu/ranger-hbase-plugin_2.3.0/install.properties`, set the following (POLICY_MGR_URL must point at the IP of the machine running the Ranger service):

```properties
POLICY_MGR_URL=http://192.168.1.14:6080
REPOSITORY_NAME=hbasedev
COMPONENT_INSTALL_DIR_NAME=/usr/local/oushu/hbase
CUSTOM_USER=hbase
CUSTOM_GROUP=hbase
```

- Distribute `install.properties` to all machines:

```shell
lava scp -f ~/hostfile /usr/local/oushu/ranger-hbase-plugin_2.3.0/install.properties =:/usr/local/oushu/ranger-hbase-plugin_2.3.0/install.properties
```

- Add JAVA_HOME as the first line of `enable-hbase-plugin.sh`:

```shell
JAVA_HOME=/usr/lib/jvm/java
```

- Distribute `enable-hbase-plugin.sh` to all machines:

```shell
lava scp -f ~/hostfile /usr/local/oushu/ranger-hbase-plugin_2.3.0/enable-hbase-plugin.sh =:/usr/local/oushu/ranger-hbase-plugin_2.3.0/enable-hbase-plugin.sh
```

- Run `enable-hbase-plugin.sh` with sudo:

```shell
lava ssh -f ~/hostfile -e "sudo /usr/local/oushu/ranger-hbase-plugin_2.3.0/enable-hbase-plugin.sh"
```

The `enable-hbase-plugin.sh` script automatically adds the following files to HBase's configuration directory (check that they exist):

```
-rw-r--r-- 1 hbase hbase 10175 Nov 17 17:50 ranger-hbase-audit.xml
-rw-r--r-- 1 hbase hbase  2918 Nov 17 17:50 ranger-hbase-security.xml
-rw-r--r-- 1 hbase hbase  1910 Nov 17 17:50 ranger-policymgr-ssl.xml
-rw-r--r-- 1 hbase hbase    69 Nov 17 17:50 ranger-security.xml
```

It also modifies `hbase-site.xml`, automatically appending the following configuration (check that it is present):

```xml
<property>
  <name>hbase.security.authorization</name>
  <value>true</value>
</property>
<property>
  <name>hbase.coprocessor.master.classes</name>
  <value>org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor</value>
</property>
<property>
  <name>hbase.coprocessor.region.classes</name>
  <value>org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor</value>
</property>
```

- Log in to oushu1 as the hbase user and manually append the following configuration to `hbase-site.xml`:

```xml
<property>
  <name>hbase.superuser</name>
  <value>hbase</value>
</property>
```

- Distribute `hbase-site.xml` to all machines:

```shell
lava scp -f ~/hostfile /usr/local/oushu/conf/hbase/hbase-site.xml =:/usr/local/oushu/conf/hbase/hbase-site.xml
```

- Restart HBase (`~/hbasemaster` and `~/regionserver` are hostfiles listing the master nodes and the regionserver nodes respectively):

```shell
lava ssh -f ~/hbasemaster -e "sudo -u hbase /usr/local/oushu/hbase/bin/hbase-daemon.sh stop master"
lava ssh -f ~/regionserver -e "sudo -u hbase /usr/local/oushu/hbase/bin/hbase-daemon.sh stop regionserver"
lava ssh -f ~/hbasemaster -e "sudo -u hbase /usr/local/oushu/hbase/bin/hbase-daemon.sh start master"
lava ssh -f ~/regionserver -e "sudo -u hbase /usr/local/oushu/hbase/bin/hbase-daemon.sh start regionserver"
```

## Configure user access policies in the Ranger UI

### Create the `HBase Service`

- Log in to the Ranger UI at http://192.168.1.14:6080 and click the ➕ icon to add an `HBase Service`

![image](./images/hbase-ranger-add-service.png)

- The parameters are explained below:

| Parameter                           | Meaning                                                                                                                                              | Recommended value |
| :---------------------------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------- | :---------------: |
| Service Name                        | Service name; it must be identical to `REPOSITORY_NAME` in the `install.properties` file from the earlier step                                        | hbasedev          |
| Display Name                        | Optional                                                                                                                                             |                   |
| Description                         | Optional                                                                                                                                             |                   |
| Active Status                       | Whether the service is active; enabled by default                                                                                                    | Enabled           |
| Select Tag Service                  | Optional                                                                                                                                             |                   |
| Username                            | User name                                                                                                                                            | hbase             |
| Password                            | Password; any value may be entered                                                                                                                   |                   |
| hadoop.security.authentication      | Simple for a plain `HBase` cluster; Kerberos for a cluster with `kerberos` authentication                                                            |                   |
| hbase.master.kerberos.principal     | Leave empty for a plain `HBase` cluster; for a cluster with `kerberos` authentication, use the same value as the corresponding key in `hbase-site.xml` |                   |
| hbase.security.authentication       | Simple for a plain `HBase` cluster; Kerberos for a cluster with `kerberos` authentication                                                            |                   |
| hbase.zookeeper.property.clientPort | Same as the corresponding key in `hbase-site.xml`                                                                                                    | 2181              |
| hbase.zookeeper.quorum              | Same as the corresponding key in `hbase-site.xml`                                                                                                    |                   |
| zookeeper.znode.parent              | Same as the corresponding key in `hbase-site.xml`                                                                                                    |                   |
| Common Name for Certificate         | Optional                                                                                                                                             |                   |
| Add New Configurations              | A plain `HBase` cluster needs no extra parameters; a cluster with `kerberos` authentication must add `hbase.security.authorization: true`             |                   |

- Click the 'Test Connection' button to verify that the connection succeeds

![image](./images/hbase-ranger-add-service-test-connection.png)

- Click the 'Save' button to save the service

![image](./images/hbase-ranger-add-service-complete.png)

### Create an access policy

- Find the service you just created and click its name

![image](./images/hbase-ranger-add-policy-1.png)

- Click the 'Add New Policy' button

![image](./images/hbase-ranger-add-policy-2.png)

- Set an access policy for table 't1'

![image](./images/hbase-ranger-add-policy-3.png)

- Allow only the user 'oushu2' to access it

![image](./images/hbase-ranger-add-policy-4.png)

## Verify that the access policy takes effect

- Log in to oushu1 and access table t1 as user oushu2; access succeeds:

```shell
-bash-4.2$ whoami
oushu2
-bash-4.2$ /usr/local/oushu/hbase/bin/hbase shell
hbase:001:0> scan 't1'
ROW                     COLUMN+CELL
 1001                   column=f1:name1, timestamp=2022-11-16T23:09:14.940, value=n1
1 row(s)
Took 0.4540 seconds
hbase:002:0> quit
```

- Log in to oushu1 and access table t1 as user oushu1; access is denied:

```shell
-bash-4.2$ whoami
oushu1
-bash-4.2$ /usr/local/oushu/hbase/bin/hbase shell
hbase:001:0> list
TABLE
0 row(s)
Took 0.3783 seconds
=> []
hbase:002:0> scan 't1'
ROW                     COLUMN+CELL
2022-11-17 20:25:41,926 WARN  [hconnection-0x639cb788-shared-pool-0] shortcircuit.DomainSocketFactory: The short-circuit local reads feature cannot be used because libhadoop cannot be loaded.
org.apache.hadoop.hbase.security.AccessDeniedException: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'oushu1',action: scannerOpen, tableName:t1, family:f1.
```
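The two "check that it exists" steps after running `enable-hbase-plugin.sh` are easy to skip on a multi-node cluster, and a node whose `hbase-site.xml` lost the coprocessor entries or the manual `hbase.superuser` entry will silently run without Ranger enforcement after the restart. The script below is an added example, not part of this guide or of the OushuDB or Ranger tooling: it checks one HBase configuration directory for the four Ranger files and the four `hbase-site.xml` properties listed above. The sample directory built by `make_sample_conf` is constructed for demonstration; pass a real directory (for example `/usr/local/oushu/conf/hbase` from this guide) as the first argument to check an actual node.

```shell
#!/bin/sh
# Added example (not from the original guide): verify that a node's HBase conf dir
# carries the Ranger plugin files and hbase-site.xml settings described above.
# The sample conf dir produced by make_sample_conf is constructed for this demo.

RANGER_FILES="ranger-hbase-audit.xml ranger-hbase-security.xml ranger-policymgr-ssl.xml ranger-security.xml"
RANGER_COPROC=org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor

# Return 0 when every Ranger plugin file exists in conf dir $1, 1 otherwise.
ranger_files_present() {
  for f in $RANGER_FILES; do
    if [ ! -f "$1/$f" ]; then
      echo "missing: $1/$f" >&2
      return 1
    fi
  done
  return 0
}

# Return 0 when hbase-site.xml under $1 holds property $2 with the exact value $3.
# Whitespace is stripped first so <name>/<value> on separate lines form one record;
# this suits the whitespace-free values checked here, not values containing spaces.
hbase_site_has() {
  tr -d ' \t\r\n' < "$1/hbase-site.xml" | grep -qF "<name>$2</name><value>$3</value>"
}

# Check the three settings enable-hbase-plugin.sh appends plus the manual hbase.superuser entry.
ranger_hbase_site_ok() {
  for pair in \
    "hbase.security.authorization=true" \
    "hbase.coprocessor.master.classes=$RANGER_COPROC" \
    "hbase.coprocessor.region.classes=$RANGER_COPROC" \
    "hbase.superuser=hbase"; do
    name=${pair%%=*}
    value=${pair#*=}
    if ! hbase_site_has "$1" "$name" "$value"; then
      echo "hbase-site.xml: $name is not set to $value" >&2
      return 1
    fi
  done
  return 0
}

# Build a constructed conf dir mirroring the state the guide describes. $1 is the
# hbase.superuser value; pass an empty string to simulate skipping the manual step.
make_sample_conf() {
  dir=$(mktemp -d)
  for f in $RANGER_FILES; do : > "$dir/$f"; done
  superuser_prop=""
  if [ -n "$1" ]; then
    superuser_prop="<property><name>hbase.superuser</name><value>$1</value></property>"
  fi
  cat > "$dir/hbase-site.xml" <<EOF
<?xml version="1.0"?>
<configuration>
  <property><name>hbase.zookeeper.property.clientPort</name><value>2181</value></property>
  <property>
    <name>hbase.security.authorization</name>
    <value>true</value>
  </property>
  <property>
    <name>hbase.coprocessor.master.classes</name>
    <value>$RANGER_COPROC</value>
  </property>
  <property>
    <name>hbase.coprocessor.region.classes</name>
    <value>$RANGER_COPROC</value>
  </property>
  $superuser_prop
</configuration>
EOF
  echo "$dir"
}

# Stand-alone run: check a real conf dir given as $1, otherwise demonstrate both
# outcomes on constructed directories.
if [ -n "$1" ]; then
  ranger_files_present "$1" && ranger_hbase_site_ok "$1" && echo "ok: $1"
else
  good=$(make_sample_conf hbase)
  ranger_files_present "$good" && ranger_hbase_site_ok "$good" && echo "ok: $good"
  bad=$(make_sample_conf "")
  ranger_hbase_site_ok "$bad" || echo "expected failure: hbase.superuser missing in $bad"
  rm -rf "$good" "$bad"
fi
```

Run it on each node with `lava ssh -f ~/hostfile -e "sh check-ranger-hbase.sh /usr/local/oushu/conf/hbase"` (the script name is an assumption) before the restart step, so a node that missed the distribution of `hbase-site.xml` is found before it comes back up without authorization enabled.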