Enabling and disabling Ranger security support for Db2 Big SQL
Ranger integration is available for the Db2® Big SQL service. Ranger is a framework to enable, monitor, and manage comprehensive data security across the Hadoop platform. You can enable Db2 Big SQL integration with Ranger to control access to tables, views, and nicknames. Db2 Big SQL native access controls can be used for other database objects.
For details about security functions that are performed by Ranger, see Db2 Big SQL operations that are managed by Ranger.
Enabling Db2 Big SQL integration with Ranger
./bigsql-config -enableRanger
This process updates the bigsql.external.access.control.manager property in bigsql-conf.xml, setting up Ranger to perform authorization checks for Db2 Big SQL tables, views, and nicknames. It also creates the Db2 Big SQL plugin in the Ranger service and generates configuration files for calling out to the Hadoop SQL (Hive) and HBase plugins.
- $BIGSQL_HOME/conf/ranger-bigsql-security.xml
- $BIGSQL_HOME/conf/ranger-bigsql-audit.xml
- $BIGSQL_HOME/conf/ranger-hive-security.xml
- $BIGSQL_HOME/conf/ranger-hive-audit.xml
- $BIGSQL_HOME/conf/ranger-hbase-security.xml
- $BIGSQL_HOME/conf/ranger-hbase-audit.xml
Before authorization checks against the Hadoop SQL (Hive) and HBase services in Ranger can be performed, the Db2 Big SQL administrative user (bigsql) must be in the list of users that are permitted to download policies. Navigate to the Service Manager page of the Ranger UI and click the edit icon to edit the Hadoop SQL entry for cm_hive. If the bigsql user is not listed in the tag.download.auth.users and policy.download.auth.users properties, add it and click Save. Repeat these actions for the HBase entry, cm_hbase.
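A post-enable check for the two things this procedure depends on, written as an added example and not taken from the Db2 Big SQL or Ranger code: the six generated files exist under $BIGSQL_HOME/conf, and bigsql appears in both download-user properties of cm_hive and cm_hbase. It assumes each Ranger service definition has been saved as JSON with a "configs" mapping; the function names and the sample data are constructed for illustration.

```python
import json
from pathlib import Path

# File names are the ones listed on this page.
EXPECTED_FILES = [f"ranger-{svc}-{kind}.xml"
                  for svc in ("bigsql", "hive", "hbase")
                  for kind in ("security", "audit")]
DOWNLOAD_PROPS = ("policy.download.auth.users", "tag.download.auth.users")

def missing_conf_files(bigsql_home):
    """Return the expected Ranger plugin files absent from $BIGSQL_HOME/conf."""
    conf = Path(bigsql_home) / "conf"
    return [name for name in EXPECTED_FILES if not (conf / name).is_file()]

def props_missing_user(service, user="bigsql"):
    """Return the download-auth properties of one Ranger service that lack `user`.

    `service` is a dict with a "configs" mapping (assumed shape of the saved
    service definition). Values are comma-separated user lists, compared as
    whole names so that "bigsqladmin" does not count as "bigsql".
    """
    configs = service.get("configs") or {}
    missing = []
    for prop in DOWNLOAD_PROPS:
        users = {u.strip() for u in (configs.get(prop) or "").split(",")}
        if user not in users:
            missing.append(prop)
    return missing

def check(bigsql_home, services):
    """Collect every finding as a readable string; an empty list means all good."""
    findings = [f"missing file: conf/{n}" for n in missing_conf_files(bigsql_home)]
    for svc in services:
        for prop in props_missing_user(svc):
            findings.append(f"{svc.get('name', '?')}: bigsql not in {prop}")
    return findings

# Constructed sample data, not taken from a real cluster.
SAMPLE_SERVICES = json.loads("""[
  {"name": "cm_hive",  "configs": {"policy.download.auth.users": "hive, bigsql",
                                   "tag.download.auth.users": "hive"}},
  {"name": "cm_hbase", "configs": {"policy.download.auth.users": "hbase,bigsqladmin"}}
]""")

if __name__ == "__main__":
    import os
    for line in check(os.environ.get("BIGSQL_HOME", "."), SAMPLE_SERVICES):
        print(line)
```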
What to do next
If SSL is enabled for Ranger, additional configuration changes are needed for Db2 Big SQL to communicate with Ranger. See Configuring Db2 Big SQL for Ranger TLS/SSL.
Disabling Db2 Big SQL integration with Ranger
Before disabling Ranger integration, you might want to export the policies by using the export feature in the Ranger UI. This will enable you to import the saved policies if you choose to re-enable Ranger integration later.
./bigsql-config -disableRanger
This removes the Db2 Big SQL service for the cluster, and all included policies, from Ranger. It then resets the bigsql.external.access.control.manager property in bigsql-conf.xml.
After Ranger integration with Db2 Big SQL is disabled, the system reverts to using native Db2 Big SQL authorization controls.