{ “title”: “Integration with Apache Ranger”, “language”: “en” }
Apache Ranger is a security framework used to monitor, enable services, and manage all-round data security access on the Hadoop platform.
In version 2.1.0, Doris supports unified permission management by integrating Apache Ranger.
Note:
This feature is currently experimental, and the resource objects and permissions configurable in Ranger may change in subsequent versions.
Apache Ranger version needs to be above 2.4.0.
Installation
Install Doris Ranger plug-in
Download the following files
Place the downloaded file in the
ranger-plugins/dorisdirectory of the Ranger service, such as:/usr/local/service/ranger/ews/webapp/WEB-INF/classes/ranger-plugins/doris/ranger-doris-plugin-3.0.0-SNAPSHOT.jar /usr/local/service/ranger/ews/webapp/WEB-INF/classes/ranger-plugins/doris/mysql-connector-java-8.0.25.jar
Restart the Ranger service.
Download ranger-servicedef-doris.json
Execute the following command to upload the definition file to the Ranger service:
curl -u user:password -X POST \ -H "Accept: application/json" \ -H "Content-Type: application/json" \ http://172.21.0.32:6080/service/plugins/definitions \ -d@ranger-servicedef-doris.json
The username and password are the username and password used to log in to Ranger WebUI.
The service address port can be viewed in the
ranger.service.http.portconfiguration item of theranger-admin-site.xmlconfiguration file.If the execution is successful, the service definition in JSON format will be returned, such as:
{ "id": 207, "guid": "d3ff9e41-f9dd-4217-bb5f-3fa9996454b6", "isEnabled": true, "createdBy": "Admin", "updatedBy": "Admin", "createTime": 1705817398112, "updateTime": 1705817398112, "version": 1, "name": "doris", "displayName": "Apache Doris", "implClass": "org.apache.ranger.services.doris.RangerServiceDoris", "label": "Doris", "description": "Apache Doris", "options": { "enableDenyAndExceptionsInPolicies": "true" }, ... }If you want to recreate it, you can use the following command to delete the service definition and then upload it again:
curl -v -u user:password -X DELETE \ http://172.21.0.32:6080/service/plugins/definitions/207
Where
207is the id returned when created. Before deletion, you need to delete the created Doris service in the Ranger WebUI.You can also use the following command to list the currently added service definitions in order to obtain the id:
curl -v -u user:password -X GET \ http://172.21.0.32:6080/service/plugins/definitions/
Configure the Doris Ranger plug-in
After the installation is complete, open the Ranger WebUI and you can see the Apache Doris plug-in in the Service Manger interface:
Click the + button next to the plugin to add a Doris service:
The meaning of some parameters of Config Properties is as follows:
Username/Password: the username and password of the Doris cluster. It is recommended to use the Admin user here.jdbc.driver_class: Connect to the JDBC driver used by Doris.com.mysql.cj.jdbc.Driverjdbc.url: JDBC url connection string of Doris cluster.jdbc:mysql://172.21.0.101:9030?useSSL=false- Additional parameters:
resource.lookup.timeout.value.in.ms: timeout for obtaining meta-information. It is recommended to fill in10000, which is 10 seconds.
You can click Test Connection to check whether the connection can be made.
Then click Add to add the service.
Afterwards, you can see the created service in the Apache Doris plug-in on the Service Manger page. Click on the service to start configuring Ranger.
Configure Doris cluster
Create a
ranger-doris-security.xmlfile in the conf directory of all FEs with the following content:<?xml version="1.0" encoding="UTF-8"?> <?xml-stylesheet type="text/xsl" href="configuration.xsl"?> <configuration> <property> <name>ranger.plugin.doris.policy.cache.dir</name> <value>/path/to/ranger/cache/</value> </property> <property> <name>ranger.plugin.doris.policy.pollIntervalMs</name> <value>30000</value> </property> <property> <name>ranger.plugin.doris.policy.rest.client.connection.timeoutMs</name> <value>60000</value> </property> <property> <name>ranger.plugin.doris.policy.rest.client.read.timeoutMs</name> <value>60000</value> </property> <property> <name>ranger.plugin.doris.policy.rest.url</name> <value>http://172.21.0.32:6080</value> </property> <property> <name>ranger.plugin.doris.policy.source.impl</name> <value>org.apache.ranger.admin.client.RangerAdminRESTClient</value> </property> <property> <name>ranger.plugin.doris.service.name</name> <value>doris</value> </property> </configuration>
You need to change
ranger.plugin.doris.policy.cache.dirandranger.plugin.doris.policy.rest.urlto actual values.Create a
ranger-doris-audit.xmlfile in the conf directory of all FEs with the following content:<?xml version="1.0" encoding="UTF-8"?> <?xml-stylesheet type="text/xsl" href="configuration.xsl"?> <configuration> </configuration>
Create a
log4j.propertiesfile in the conf directory of all FEs with the following content:log4j.rootLogger = warn,stdout,D log4j.appender.stdout = org.apache.log4j.ConsoleAppender log4j.appender.stdout.Target = System.out log4j.appender.stdout.layout = org.apache.log4j.PatternLayout log4j.appender.stdout.layout.ConversionPattern = [%-5p] %d{yyyy-MM-dd HH:mm:ss,SSS} method:%l%n%m%n log4j.appender.D = org.apache.log4j.DailyRollingFileAppender log4j.appender.D.File = /path/to/fe/log/ranger.log log4j.appender.D.Append = true log4j.appender.D.Threshold = INFO log4j.appender.D.layout = org.apache.log4j.PatternLayout log4j.appender.D.layout.ConversionPattern = %-d{yyyy-MM-dd HH:mm:ss} [ %t:%r ] - [ %p ] %m%nYou need to change
log4j.appender.D.Fileto the actual value, which is used to store the log of the Ranger plug-in.Add configuration in fe.conf of all FEs:
access_controller_type=ranger-dorisRestart all FE nodes.
Resources and permissions
Doris resources currently supported in Ranger include:
CatalogDatabaseTableColumnResourceWorkload Group
Doris permissions currently supported in Ranger include:
SHOWSHOW_VIEWSHOW_RESOURCESSHOW_WORKLOAD_GROUPLOADALTERCREATEALTER_CREATEALTER_CREATE_DROPDROPSELECTUSAGE
Best Practices
Configuring Permissions
- Create
user1in Doris. - Using the
adminuser in Doris, create a Catalog namedhive. - Create
user1in Ranger.
Global Privileges
Equivalent to Doris' internal authorization statement grant select_priv on *.*.* to user1;
The global option can be found in the dropdown menu of the same level in the catalog
Only
*can be entered in the input box
Catalog Privileges
Equivalent to Doris' internal authorization statement grant select_priv on hive.*.* to user1;
Database Privileges
Equivalent to Doris' internal authorization statement grant select_priv on hive.tpch.* to user1;
Table Privileges
Equivalent to Doris' internal authorization statement grant select_priv on hive.tpch.user to user1;
Column Privileges
Equivalent to Doris' internal authorization statement grant select_priv(name,age) on hive.tpch.user to user1;
Resource Privileges
Equivalent to Doris' internal authorization statement grant usage_priv on resource 'resource1' to user1;
- The resource option can be found in the dropdown menu of the same level in the catalog
Workload Group Privileges
Equivalent to Doris' internal authorization statement grant usage_priv on workload group 'group1' to user1;
- The workload group option can be found in the dropdown menu of the same level in the catalog
Row Policy Example
Supported in version 2.1.3
Refer to Configuring Permissions to assign select permissions for the table internal.db1.user to user1.
Add a Row Level Filter policy in Ranger
Log in to Doris as user1. Execute
select * from internal.db1.userand only see data that satisfiesid > 3andage = 2.
Data Mask Example
Supported in version 2.1.3
Refer to Configuring Permissions to assign select permissions for the table internal.db1.user to user1.
Add a Masking policy in Ranger
Log in to Doris as user1. Execute
select * from internal.db1.userand observe that the phone numbers are masked according to the specified rules.