

Hadoop: Ranger Permission Configuration (Part 2)

I. Compile Ranger (node12)

  1. All the packages needed for the build are in the resource bundle I uploaded: https://download.csdn.net/download/weixin_40496191/87358396
  2. Install the dependencies: yum -y install wget git gcc gcc-c++ make autoconf automake libtool sharutils asciidoc xmlto cmake unzip zip
  3. Install JDK 1.8
  4. Install Maven
     1) Create the directory and enter it: mkdir /home/hadoop/maven, then cd /home/hadoop/maven
     2) Download: wget https://archive.apache.org/dist/maven/maven-3/3.3.9/binaries/apache-maven-3.3.9-bin.tar.gz
     3) Extract: tar -zxvf apache-maven-3.3.9-bin.tar.gz
     4) Configure the environment variables: vi /etc/profile, adding the lines export MAVEN_HOME=/home/hadoop/maven/apache-maven-3.3.9 and export PATH=${PATH}:${MAVEN_HOME}/bin:/usr/local/python3/bin
     5) Reload the environment variables: source /etc/profile
     6) Test: mvn -version
     7) Configure the repository: vi /home/hadoop/maven/apache-maven-3.3.9/conf/settings.xml
  5. Install Python (root user)
     1) Install the build prerequisites: yum -y install zlib-devel bzip2-devel openssl-devel ncurses-devel sqlite-devel readline-devel tk-devel gdbm-devel db4-devel libpcap-devel xz-devel libffi-devel
     2) Create the directory and enter it: mkdir /home/hadoop/python, then cd /home/hadoop/python
     3) Download: wget https://www.python.org/ftp/python/3.7.1/Python-3.7.1.tgz
     4) Extract: tar -xvf Python-3.7.1.tgz
     5) Create the install directory: mkdir -p /usr/local/python3
     6) Enter the source directory: cd /home/hadoop/python/Python-3.7.1
     7) Configure: ./configure --prefix=/usr/local/python3
     8) Compile: make
     9) After it compiles successfully, install: make install
     10) Check the Python 3.7 interpreter: /usr/local/python3/bin/python3.7
     11) Create symlinks for python3 and pip3: ln -s /usr/local/python3/bin/python3 /usr/bin/python3 and ln -s /usr/local/python3/bin/pip3 /usr/bin/pip3
     12) Configure the environment variable: vi /etc/profile, adding the line export PATH=$PATH:$HOME/bin:/usr/local/python3/bin
     13) Reload the environment variables (as both the root user and the hadoop user): source /etc/profile
     14) Test python3
  6. Upload the package to /home/hadoop/ranger
  7. Extract: tar -xvf apache-ranger-2.2.0.tar.gz
  8. Build: mvn clean install -DskipTests -Denforcer.skip=true
  9. Find ranger-2.2.0-admin.tar.gz under target; this is the service installation package. The other plugin packages you will need are in the same directory.
  10. For reference:
      - JDK8: runs RangerAdmin and RangerKMS
      - Python2.7: used for Ranger's automated installation
      - Git: used to build Ranger
      - Maven3.6: used to build Ranger
      - RDBMS: stores authorization policies, Ranger users/groups, and audit logs
      - Solr (optional): stores logs
      - Kerberos (optional): ensures all requests are authenticated

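II. Prepare the environment before installation (node12)

  1. Upload the required packages to /home/hadoop/rpm
  2. Install: rpm -Uvh --force --nodeps *.rpm
  3. Install Python (see Section I)
  4. Install MySQL; it must be on the same server as Ranger. The MySQL instance installed earlier for the Hadoop cluster can be reused.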

III. Install RangerAdmin (node12) (root)

  1. Create the directory: mkdir /opt/Solr
  2. Enter it: cd /opt/Solr
  3. Upload the solr-8.3.0.tgz package
  4. Extract: tar -xvf solr-8.3.0.tgz
  5. Create the directory: mkdir /opt/RangerAdmin
  6. Enter it: cd /opt/RangerAdmin
  7. Upload the ranger-2.2.0-admin.tar.gz package
  8. Extract: tar -xvf ranger-2.2.0-admin.tar.gz
  9. Create the database and user

```
# Log in as the MySQL root user, then run the statements at the mysql> prompt
mysql -uroot -pffcsict123
CREATE DATABASE ranger DEFAULT CHARACTER SET utf8 DEFAULT COLLATE utf8_general_ci;
grant all privileges on ranger.* to ranger@'%' identified by 'ffcsict123';
set GLOBAL max_connections=1000;
```

     Error: Your password does not satisfy the current policy requirements

     Fix: the password is too simple. Either choose a more complex password or lower the password policy: set global validate_password_policy=LOW;

  11. Edit the configuration file: vi /opt/RangerAdmin/ranger-2.2.0-admin/contrib/solr_for_audit_setup/install.properties

```properties
# Java path
JAVA_HOME=/opt/jdk/jdk1.8.0_291

# Maximum number of days to keep audit logs; the default is 90
MAX_AUDIT_RETENTION_DAYS=90

# Download Solr over the network; the default is false
SOLR_INSTALL=false

# Solr installation directory
SOLR_INSTALL_FOLDER=/opt/Solr/solr-8.3.0

# Solr service directory used for Ranger
SOLR_RANGER_HOME=/opt/Solr/solr-8.3.0/ranger_audit_server

# Port on which Solr serves Ranger
SOLR_RANGER_PORT=6083

# Solr deployment mode
SOLR_DEPLOYMENT=standalone

# Solr data directory
SOLR_RANGER_DATA_FOLDER=/opt/Solr/solr-8.3.0/ranger_audit_server/data

# Solr is deployed standalone, so this is left empty
SOLR_ZK=
```
  12. Upload the driver package to /opt/RangerAdmin/ranger-2.2.0-admin: mysql-connector-java-5.1.31.jar

  13. vi /opt/RangerAdmin/ranger-2.2.0-admin/install.properties

```properties
# MySQL driver
SQL_CONNECTOR_JAR=/opt/RangerAdmin/ranger-2.2.0-admin/mysql-connector-java-5.1.35.jar

# MySQL host name and the root user's name and password
db_root_user=root
db_root_password=ffcsict123
db_host=localhost

# Database name and user for Ranger; these must match what was created earlier
db_name=ranger
db_user=ranger
db_password=ffcsict123

# Passwords for the other users Ranger Admin needs (at least 8 characters)
rangerAdmin_password=ffcsict123
rangerTagsync_password=ffcsict123
rangerUsersync_password=ffcsict123
keyadmin_password=ffcsict123

# Where Ranger stores audit logs and the URL; the default is Solr
audit_store=solr
audit_solr_urls=http://node12:6083/solr/ranger_audits

# Policy manager URL; use the host name of the machine where Ranger Admin is installed
policymgr_external_url=http://node12:6080

# Linux user that runs the Ranger Admin process
unix_user=hadoop
unix_user_pwd=ffcsict123
unix_group=hadoop

# Hadoop configuration directory
hadoop_conf=/home/hadoop/module/hadoop-3.2.2/etc/hadoop
```
  14. Run the Solr setup script (root user):

```
cd /opt/RangerAdmin/ranger-2.2.0-admin/contrib/solr_for_audit_setup/
./setup.sh
```

  15. Start standalone Solr: /opt/Solr/solr-8.3.0/ranger_audit_server/scripts/start_solr.sh

  16. Open the web page to check that it started: http://192.168.248.12:6083/solr/#/

  17. View the log: cat /opt/Solr/solr-8.3.0/ranger_audit_server/install_notes.txt

  18. Run the ranger-admin setup script (must be run as root)

ps1: the MySQL driver package must be present on this node

ps2: a Python 3 environment is required

```
cd /opt/RangerAdmin/ranger-2.2.0-admin
./setup.sh
```
  19. Edit the configuration file in the conf directory: vi /opt/RangerAdmin/ranger-2.2.0-admin/ews/webapp/WEB-INF/classes/conf/ranger-admin-site.xml

```xml
<property>
        <name>ranger.jpa.jdbc.password</name>
        <value>ffcsict123</value>
        <description />
</property>
<property>
        <name>ranger.service.host</name>
        <value>node12</value>
</property>
```

  20. Start ranger-admin: ranger-admin start

  21. Open the web page to check that it started: http://192.168.248.12:6080 and log in with admin/ffcsict123
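
A pre-flight check for the RangerAdmin install.properties edited in this section, to run before ./setup.sh (an added example, not part of the original article or of Ranger). It flags a SQL_CONNECTOR_JAR path that does not exist (the steps above upload mysql-connector-java-5.1.31.jar while the file names 5.1.35), passwords under 8 characters or shared between accounts, and a file readable by group or others; the function names and the sample file are constructed.

```python
import os
import stat
import tempfile

# Password keys from the RangerAdmin install.properties shown on this page.
PASSWORD_KEYS = ("db_root_password db_password rangerAdmin_password "
                 "rangerTagsync_password rangerUsersync_password keyadmin_password").split()

def load_properties(path):
    """Parse KEY=value lines, tolerating spaces around '=' and '#' comments."""
    with open(path, encoding="utf-8") as fh:
        lines = [ln.strip() for ln in fh]
    pairs = (ln.split("=", 1) for ln in lines if "=" in ln and not ln.startswith("#"))
    return {key.strip(): value.strip() for key, value in pairs}

def preflight(path):
    """Return (code, detail) findings; an empty list means the file passed."""
    props, findings, first_owner = load_properties(path), [], {}
    jar = props.get("SQL_CONNECTOR_JAR", "")
    if not os.path.isfile(jar):
        findings.append(("MISSING_JAR", jar))
    for key in PASSWORD_KEYS:
        value = props.get(key, "")
        if len(value) < 8:  # the page requires at least 8 characters
            findings.append(("SHORT_PASSWORD", key))
        if value in first_owner:
            findings.append(("REUSED_PASSWORD", f"{key} == {first_owner[value]}"))
        first_owner.setdefault(value, key)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o044:  # plaintext passwords readable by group or others
        findings.append(("READABLE_BY_OTHERS", oct(mode)))
    return findings

def demo():
    """Constructed sample: 5.1.31 jar on disk, 5.1.35 configured, as on the page."""
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "mysql-connector-java-5.1.31.jar"), "w").close()
        path = os.path.join(d, "install.properties")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(f"SQL_CONNECTOR_JAR={d}/mysql-connector-java-5.1.35.jar\n"
                     "db_root_password=ffcsict123\ndb_password=ffcsict123\n"
                     "rangerAdmin_password=short\n"
                     "rangerTagsync_password=Tag-Sample-01\n"
                     "rangerUsersync_password=Sync-Sample-01\nkeyadmin_password=Key-Sample-01\n")
        os.chmod(path, 0o644)
        return preflight(path)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

On a real node, call preflight("/opt/RangerAdmin/ranger-2.2.0-admin/install.properties") and resolve every finding before running setup.sh.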

IV. Install RangerUsersync (node12)

RangerUsersync is a management module provided by Ranger that synchronizes the users and groups on the Linux machine into the RangerAdmin database, where they can be managed.

  1. Create the directory: mkdir /opt/RangerUsersync

  2. Enter it: cd /opt/RangerUsersync

  3. Upload the package built earlier: ranger-2.2.0-usersync.tar.gz

  4. Extract: tar -xvf ranger-2.2.0-usersync.tar.gz

  5. Edit the configuration file: vi /opt/RangerUsersync/ranger-2.2.0-usersync/install.properties

```properties
# Ranger Admin URL
POLICY_MGR_URL =http://node12:6080

# Sync interval, in minutes
SYNC_INTERVAL = 1

# Linux user that runs this process
unix_user=hadoop
unix_group=hadoop

# Password of the rangerUserSync user; see the Ranger Admin install.properties
rangerUsersync_password=ffcsict123

# Hadoop configuration directory
hadoop_conf=/home/hadoop/module/hadoop-3.2.2/etc/hadoop
```
  6. Run the ranger-usersync setup script (root user):

```
cd /opt/RangerUsersync/ranger-2.2.0-usersync/
./setup.sh
```

  7. Edit the conf file: vi /etc/ranger/usersync/conf/ranger-ugsync-site.xml

     ps: ranger.usersync.enabled defaults to false, which means users are not synchronized. To synchronize users, change it to true.

```xml
<property>
        <name>ranger.usersync.enabled</name>
        <value>true</value>
</property>
```

  8. View the Ranger users

  9. Start ranger-usersync: ranger-usersync start
  10. View the Ranger users again. Success!

V. Ranger Hive plugin (node10)

ps: the plugin must be on the same machine as Hive; if Hive runs on several machines, repeat the configuration on each.

  1. Create the directory: mkdir /home/hadoop/RangerHive
  2. Enter it: cd /home/hadoop/RangerHive
  3. Upload the package built earlier: ranger-2.2.0-hive-plugin.tar.gz
  4. Extract: tar -xvf ranger-2.2.0-hive-plugin.tar.gz
  5. Edit the configuration: vi /home/hadoop/RangerHive/ranger-2.2.0-hive-plugin/install.properties

```properties
# URL of the policy manager
POLICY_MGR_URL=http://node12:6080
# Component name; can be customized
REPOSITORY_NAME=rangerhive
# Hive installation directory
COMPONENT_INSTALL_DIR_NAME=/home/hadoop/module/hive
# User that starts the Hive component
CUSTOM_USER=hadoop
# Group of the user that starts the Hive component
CUSTOM_GROUP=hadoop
```

  6. Symlink the Hive configuration directory into the Ranger Hive plugin directory: ln -s /home/hadoop/module/hive/conf /home/hadoop/RangerHive/ranger-2.2.0-hive-plugin
  7. Copy the jar: cp /home/hadoop/module/hadoop-3.2.2/share/hadoop/common/lib/htrace-core4-4.1.0-incubating.jar /home/hadoop/RangerHive/ranger-2.2.0-hive-plugin/install/lib
  8. Enable the Ranger Hive plugin (root user):

```
cd /home/hadoop/RangerHive/ranger-2.2.0-hive-plugin
./enable-hive-plugin.sh
# To disable the plugin instead: ./disable-hive-plugin.sh
```

  9. This generates the configuration file hiveserver2-site.xml in Hive's conf directory; restart hiveserver2 for it to take effect.

VI. Ranger HDFS plugin (node10, node11)

ps: the plugin must be on the same machine as the NameNode; if there are several, repeat the configuration on each.

  1. Create the directory: mkdir /home/hadoop/RangerHdfs
  2. Enter it: cd /home/hadoop/RangerHdfs
  3. Upload the package built earlier: ranger-2.2.0-hdfs-plugin.tar.gz
  4. Extract: tar -xvf ranger-2.2.0-hdfs-plugin.tar.gz
  5. Edit the configuration: vi /home/hadoop/RangerHdfs/ranger-2.2.0-hdfs-plugin/install.properties

```properties
# URL of the policy manager
POLICY_MGR_URL=http://node12:6080
# Component name; can be customized
REPOSITORY_NAME=rangerhdfs
# HDFS installation directory
COMPONENT_INSTALL_DIR_NAME=/home/hadoop/module/hadoop-3.2.2
# User that starts the HDFS component
CUSTOM_USER=hadoop
# Group of the user that starts the HDFS component
CUSTOM_GROUP=hadoop
```

  6. Create the symlink: ln -s /home/hadoop/module/hadoop-3.2.2/etc/hadoop /home/hadoop/RangerHdfs/ranger-2.2.0-hdfs-plugin/conf
  7. Copy the jars:

```
cp /home/hadoop/module/hadoop-3.2.2/share/hadoop/common/lib/htrace-core4-4.1.0-incubating.jar /home/hadoop/RangerHdfs/ranger-2.2.0-hdfs-plugin/install/lib
cp /home/hadoop/module/hadoop-3.2.2/share/hadoop/common/lib/commons-lang3-3.7.jar /home/hadoop/RangerHdfs/ranger-2.2.0-hdfs-plugin/install/lib
cp /home/hadoop/module/hadoop-3.2.2/share/hadoop/common/lib/commons-compress-1.19.jar /home/hadoop/RangerHdfs/ranger-2.2.0-hdfs-plugin/install/lib
```

  8. Enable the Ranger HDFS plugin (root user):

```
cd /home/hadoop/RangerHdfs/ranger-2.2.0-hdfs-plugin
./enable-hdfs-plugin.sh
# To disable the plugin instead: ./disable-hdfs-plugin.sh
```

     After disabling, you also need to delete the Ranger-related configuration files from the Hadoop configuration directory and remove the settings the plugin added to hdfs-site.xml.
  9. As the hadoop user, restrict the root directory so that only the current user can access and operate on it: hdfs dfs -chmod 700 /
  10. Restart HDFS for the changes to take effect

VII. Ranger HBase plugin (all nodes)

ps: every server needs the plugin, because listing tables goes through HMaster, while querying data and other related operations go through HRegionServer.

  1. Create the directory: mkdir /home/hadoop/RangerHbase
  2. Enter it: cd /home/hadoop/RangerHbase
  3. Upload the package built earlier: ranger-2.2.0-hbase-plugin.tar.gz
  4. Extract: tar -xvf ranger-2.2.0-hbase-plugin.tar.gz
  5. Edit the configuration: vi /home/hadoop/RangerHbase/ranger-2.2.0-hbase-plugin/install.properties

```properties
# URL of the policy manager
POLICY_MGR_URL=http://node12:6080
# Component name; can be customized
REPOSITORY_NAME=rangerhbase
# HBase installation directory
COMPONENT_INSTALL_DIR_NAME=/home/hadoop/hbase/hbase-2.1.0
XAAUDIT.SOLR.ENABLE=true
XAAUDIT.SOLR.URL=http://node12:6083/solr/ranger_audits
# User that starts the HBase component
CUSTOM_USER=hadoop
# Group of the user that starts the HBase component
CUSTOM_GROUP=hadoop
```

  6. Create the symlink: ln -s /home/hadoop/hbase/hbase-2.1.0/conf /home/hadoop/RangerHbase/ranger-2.2.0-hbase-plugin/conf
  7. Copy the jars:

```
cp /home/hadoop/module/hadoop-3.2.2/share/hadoop/common/lib/commons-lang3-3.7.jar /home/hadoop/RangerHbase/ranger-2.2.0-hbase-plugin/install/lib
cp /home/hadoop/module/hadoop-3.2.2/share/hadoop/common/lib/commons-compress-1.19.jar /home/hadoop/RangerHbase/ranger-2.2.0-hbase-plugin/install/lib
```

  8. Copy hbase-protocol-2.3.5.jar to /home/hadoop/hbase/hbase-2.1.0/lib and remove the original hbase-protocol-2.1.0.jar
  9. Enable the Ranger HBase plugin (root user):

```
cd /home/hadoop/RangerHbase/ranger-2.2.0-hbase-plugin
./enable-hbase-plugin.sh
# To disable the plugin instead: ./disable-hbase-plugin.sh
```

     After disabling, you also need to delete the Ranger-related configuration files from the Hadoop configuration directory and remove the settings the plugin added to hdfs-site.xml.
  10. Grant permissions: chown -R hadoop /opt and chmod 755 /home/hadoop -R
  11. Restart HBase for the changes to take effect

VIII. Ranger YARN plugin (node10, node11)

ps: the plugin must be on the same machine as the ResourceManager; if there are several, repeat the configuration on each.

  1. Create the directory: mkdir /home/hadoop/RangerYarn
  2. Enter it: cd /home/hadoop/RangerYarn
  3. Upload the package built earlier: ranger-2.2.0-yarn-plugin.tar.gz
  4. Extract: tar -xvf ranger-2.2.0-yarn-plugin.tar.gz
  5. Edit the configuration: vi /home/hadoop/RangerYarn/ranger-2.2.0-yarn-plugin/install.properties

```properties
POLICY_MGR_URL=http://node12:6080
REPOSITORY_NAME=rangeryarn
COMPONENT_INSTALL_DIR_NAME=/home/hadoop/module/hadoop-3.2.2
CUSTOM_USER=hadoop
CUSTOM_GROUP=hadoop
```

  6. Create the symlink: ln -s /home/hadoop/module/hadoop-3.2.2/etc/hadoop /home/hadoop/RangerYarn/ranger-2.2.0-yarn-plugin/conf
  7. Copy the jars:

```
cp /home/hadoop/module/hadoop-3.2.2/share/hadoop/common/lib/slf4j-api-1.7.25.jar /home/hadoop/RangerYarn/ranger-2.2.0-yarn-plugin/install/lib
cp /home/hadoop/module/hadoop-3.2.2/share/hadoop/common/lib/slf4j-log4j12-1.7.25.jar /home/hadoop/RangerYarn/ranger-2.2.0-yarn-plugin/install/lib
cp /home/hadoop/module/hadoop-3.2.2/share/hadoop/common/lib/log4j-1.2.17.jar /home/hadoop/RangerYarn/ranger-2.2.0-yarn-plugin/install/lib
cp /home/hadoop/module/hadoop-3.2.2/share/hadoop/common/lib/commons-lang3-3.7.jar /home/hadoop/RangerYarn/ranger-2.2.0-yarn-plugin/install/lib
cp /home/hadoop/module/hadoop-3.2.2/share/hadoop/common/lib/htrace-core4-4.1.0-incubating.jar /home/hadoop/RangerYarn/ranger-2.2.0-yarn-plugin/install/lib
cp /home/hadoop/module/hadoop-3.2.2/share/hadoop/common/lib/commons-compress-1.19.jar /home/hadoop/RangerYarn/ranger-2.2.0-yarn-plugin/install/lib
```

  8. Enable the Ranger YARN plugin (root user):

```
cd /home/hadoop/RangerYarn/ranger-2.2.0-yarn-plugin
./enable-yarn-plugin.sh
# To disable the plugin instead: ./disable-yarn-plugin.sh
```

     After disabling, you also need to delete the Ranger-related configuration files from the Hadoop configuration directory and remove the settings the plugin added to yarn-site.xml.
  9. Edit the configuration file: vi /home/hadoop/module/hadoop-3.2.2/etc/hadoop/ranger-yarn-security.xml and add:

```xml
<property>
        <name>ranger.add-yarn-authorization</name>
        <value>false</value>
</property>
```

  10. Restart YARN for the changes to take effect
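
The HDFS, HBase and YARN plugin sections above say that after a plugin is disabled, the Ranger configuration files and the settings the plugin added must be removed by hand. The following added example (not from the original article or the Ranger project) lists what is still present in a conf directory; the sample files and their property names are constructed assumptions, and the check itself relies only on the ranger- file prefix and the org.apache.ranger class prefix.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

def ranger_leftovers(conf_dir):
    """List Ranger traces in a component's conf directory.

    Returns ("file", name) for each ranger-*.xml and ("property", "file:key")
    for each site property whose value names an org.apache.ranger class.
    """
    found = []
    for name in sorted(os.listdir(conf_dir)):
        if not name.endswith(".xml"):
            continue
        if name.startswith("ranger-"):
            found.append(("file", name))
            continue
        root = ET.parse(os.path.join(conf_dir, name)).getroot()
        for prop in root.iter("property"):
            value = (prop.findtext("value") or "").strip()
            if "org.apache.ranger." in value:
                key = (prop.findtext("name") or "").strip()
                found.append(("property", f"{name}:{key}"))
    return found

# Constructed sample: a conf directory after a disable script has run but
# before the manual cleanup. The property names are assumptions about what
# the plugin writes; only the class-name prefix matters to the check.
SAMPLE = {
    "hdfs-site.xml": "<configuration><property>"
                     "<name>dfs.namenode.inode.attributes.provider.class</name>"
                     "<value>org.apache.ranger.authorization.hadoop.RangerHdfsAuthorizer</value>"
                     "</property><property><name>dfs.replication</name>"
                     "<value>3</value></property></configuration>",
    "yarn-site.xml": "<configuration><property><name>yarn.acl.enable</name>"
                     "<value>true</value></property></configuration>",
    "ranger-hdfs-security.xml": "<configuration/>",
    "ranger-yarn-security.xml": "<configuration/>",
}

def demo():
    with tempfile.TemporaryDirectory() as d:
        for name, body in SAMPLE.items():
            with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return ranger_leftovers(d)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Run after an enable script, the same listing confirms that the authorizer is actually wired into the component before it is restarted.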

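This article is reposted from: https://blog.csdn.net/weixin_40496191/article/details/128522325
Copyright belongs to the original author, 懒惰の天真热. If there is any infringement, please contact us to have it removed.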
