Enabling and disabling Ranger security support for Db2 Big SQL

Ranger integration is available for the Db2® Big SQL service. Ranger is a framework to enable, monitor, and manage comprehensive data security across the Hadoop platform. You can enable Db2 Big SQL integration with Ranger to control access to tables, views, and nicknames. Db2 Big SQL native access controls can be used for other database objects.

For details about security functions that are performed by Ranger, see Db2 Big SQL operations that are managed by Ranger.

Enabling Db2 Big SQL integration with Ranger

To enable Ranger integration with Db2 Big SQL, run the bigsql-config script with the -enableRanger option. This script must be run as a superuser (that is, root) with passwordless SSH to the Ranger Admin host.
Important: If Ranger administration high availability (HA) is enabled, the bigsql-config script requires that both instances of Ranger Admin are running.
The script is located in the /usr/ibmpacks/IBM-Big_SQL/ directory.
./bigsql-config -enableRanger

This process updates the bigsql.external.access.control.manager property in bigsql-conf.xml, setting up Ranger to perform authorization checks for Db2 Big SQL tables, views, and nicknames. It also creates the Db2 Big SQL plugin in the Ranger service and generates configuration files for calling out to the Hadoop SQL (Hive) and HBase plugins.

After Ranger is enabled, you can examine and, if necessary, modify the set of default configuration parameters in the following configuration files:
  • $BIGSQL_HOME/conf/ranger-bigsql-security.xml
  • $BIGSQL_HOME/conf/ranger-bigsql-audit.xml
The ranger-hive-* and ranger-hbase-* configuration files are generated from the property values of the Hive and HBase services. If those properties are updated, the next Db2 Big SQL restart refreshes the local copies of the following configuration files that Db2 Big SQL stores:
  • $BIGSQL_HOME/conf/ranger-hive-security.xml
  • $BIGSQL_HOME/conf/ranger-hive-audit.xml
  • $BIGSQL_HOME/conf/ranger-hbase-security.xml
  • $BIGSQL_HOME/conf/ranger-hbase-audit.xml

Before authorization checks against the Hadoop SQL (Hive) and HBase services in Ranger can be performed, the Db2 Big SQL administrative user (bigsql) must be in the list of users that are permitted to download policies. Navigate to the Service Manager page of the Ranger UI and click the edit icon to edit the Hadoop SQL entry for cm_hive. If the bigsql user is not listed in the tag.download.auth.users and policy.download.auth.users properties, add it and click Save. Repeat these actions for the HBase entry, cm_hbase.
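
A post-enable check for the two settings this page names (the bigsql.external.access.control.manager property in bigsql-conf.xml, and the bigsql user's membership in the policy and tag download lists of cm_hive and cm_hbase), as an added example that is not IBM's code. The XML and the Ranger service definitions are constructed samples and the property value is a placeholder; on a live cluster the service definitions would come from the Ranger Admin API or a UI export.

```python
import xml.etree.ElementTree as ET
# Constructed sample of bigsql-conf.xml after -enableRanger (Hadoop-style property XML).
# The property name is from the docs; the value is an assumed placeholder, not a real class name.
SAMPLE_BIGSQL_CONF = """<configuration>
  <property>
    <name>bigsql.external.access.control.manager</name>
    <value>PLACEHOLDER_RANGER_MANAGER</value>
  </property>
</configuration>"""

# Constructed sample of the Ranger service definitions for cm_hive and cm_hbase,
# reduced to the "configs" map that carries the download-auth user lists.
SAMPLE_RANGER_SERVICES = {
    "cm_hive": {"configs": {"policy.download.auth.users": "hive,bigsql",
                            "tag.download.auth.users": "hive"}},
    "cm_hbase": {"configs": {"policy.download.auth.users": "hbase",
                             "tag.download.auth.users": "hbase"}},
}

def hadoop_conf_property(xml_text, name):
    """Return the <value> of the named <property> in Hadoop-style XML, or None if unset."""
    root = ET.fromstring(xml_text)
    for prop in root.findall("property"):
        if (prop.findtext("name") or "").strip() == name:
            return (prop.findtext("value") or "").strip() or None
    return None

def missing_download_auth(service, user="bigsql"):
    """Return the download-auth properties of one Ranger service that do not list `user`."""
    cfg = service.get("configs", {})
    missing = []
    for key in ("policy.download.auth.users", "tag.download.auth.users"):
        users = {u.strip() for u in cfg.get(key, "").split(",") if u.strip()}
        if user not in users:
            missing.append(key)
    return missing

def audit(bigsql_conf_xml, services, user="bigsql"):
    """Collect everything that would stop Ranger authorization checks from working."""
    findings = []
    if hadoop_conf_property(bigsql_conf_xml, "bigsql.external.access.control.manager") is None:
        findings.append("bigsql-conf.xml: bigsql.external.access.control.manager is not set")
    for name in ("cm_hive", "cm_hbase"):
        for key in missing_download_auth(services.get(name, {}), user):
            findings.append(f"{name}: {user} missing from {key}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_BIGSQL_CONF, SAMPLE_RANGER_SERVICES):
        print(finding)
```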

The Db2 Big SQL administrative user (bigsql) is not automatically granted any access in Hadoop SQL or HBase resource policies. The bigsql user performs operations in Hive and HBase on behalf of the connected user, and requires some level of access to each service. A security administrator should grant the bigsql user access to Hadoop and HBase tables by creating a resource-based policy for each service.
Tip: It is good practice to grant the bigsql user global access, even though strictly only the tables and Hive databases that will be the target of SQL operations running through Db2 Big SQL need to be allowed.

What to do next

If SSL is enabled for Ranger, additional configuration changes are needed for Db2 Big SQL to communicate with Ranger. See Configuring Db2 Big SQL for Ranger TLS/SSL.

Disabling Db2 Big SQL integration with Ranger

Before disabling Ranger integration, you might want to export the policies by using the export feature in the Ranger UI. This will enable you to import the saved policies if you choose to re-enable Ranger integration later.

To disable Ranger integration with Db2 Big SQL, run the bigsql-config script with the -disableRanger option.
./bigsql-config -disableRanger
This removes the Db2 Big SQL service for the cluster, and all included policies, from Ranger. It then resets the bigsql.external.access.control.manager property in bigsql-conf.xml.

After Ranger integration with Db2 Big SQL is disabled, the system reverts to using native Db2 Big SQL authorization controls.