Enabling and disabling Ranger security support for Big SQL

Ranger support is available for the Big SQL service. Ranger is a framework to enable, monitor and manage comprehensive data security across the Hadoop platform. The Big SQL Ranger plugin can be enabled to control access to tables and views. Big SQL native authorization controls can be used for other database objects.

For details about the security functions performed by Ranger, see Operations managed by the Big SQL Ranger plugin.

For details about how the Big SQL Ranger plugin affects access to other HDP service Ranger plugins, see Big SQL compatibility with Ranger plugins for other HDP services.

Before you begin

You must first install Ranger. For complete instructions, see Installing Ranger.

Procedure

Before enabling the Big SQL Ranger plugin, manually create the user amb_ranger_admin in Ranger as follows:
  1. From the Ranger UI, go to Settings and then choose Users/Groups.
  2. Check if the amb_ranger_admin user already exists. If so, no further action is required.
  3. Select Add New User.
  4. Enter the following user details:
    1. User Name = amb_ranger_admin
    2. New Password = the same password entered for amb_ranger_admin in Ranger > Configs > Advanced > Admin Settings. A default password is in place if the password was not modified during the install. In such a case, update the password to a matching value in both the Ranger UI and the Ambari UI.
    3. First Name = amb_ranger_admin
    4. Select Role = Admin
  5. Click Save.

To enable the Big SQL Ranger plugin:
On the Ambari page of Big SQL, select Service Actions > Enable Ranger Plugin. This sets up Ranger as the authorizer for Big SQL tables and views by updating the bigsql.external.access.control.manager property in bigsql-conf.xml, and then restarts the Big SQL service so that the change takes effect. The action also updates the available action in metainfo.xml to Disable Ranger Plugin, and therefore restarts ambari-server as well. The status of the Custom Actions task executed by the Ambari server appears orange rather than green (the color that indicates "Normal running state"). The orange color does not indicate a problem in the execution of the Custom Actions; it is expected behavior. For a discussion about why Big SQL restarts the Ambari Server, see the IBM developerWorks article Why Big SQL performs an Ambari Server restart.

Note:
  1. Impersonation is supported with the Big SQL Ranger plugin. Whether or not Impersonation is enabled, all authorizations in the Big SQL Ranger plugin are performed as the connected user. When Impersonation is enabled, the bigsql.impersonation.create.table.grant.public configuration parameter controls whether access is automatically granted to public for any new Hadoop table. This configuration parameter does not trigger the creation of new Ranger policies. If you want all I/O authorization control for a particular Hadoop table to occur only in HDFS, manually create a policy in the Big SQL Ranger plugin for the table granting access to all required users or groups.
  2. The Big SQL Ranger plugin does not currently support the Ranger UI auto-complete feature.
  3. Edit $BIGSQL_HOME/conf/ranger-bigsql-security.xml to change these properties; otherwise the defaults are used:
    Table 1.
    Property Name                                                 Default Value  Unit
    ranger.plugin.bigsql.policy.pollIntervalMs                    30000          Milliseconds
    ranger.plugin.bigsql.policy.rest.client.connection.timeoutMs  120000         Milliseconds
    ranger.plugin.bigsql.policy.rest.client.read.timeoutMs        30000          Milliseconds
  4. Edit $BIGSQL_HOME/conf/ranger-bigsql-audit.xml to change these properties; otherwise the defaults are used:
    Property Name                                        Default Value
    xasecure.audit.destination.hdfs.batch.filespool.dir  /tmp/audit/hdfs/spool

To disable the Big SQL Ranger plugin:
On the Ambari page of Big SQL, select Service Actions > Disable Ranger Plugin. This removes the Big SQL service for the cluster from Ranger, including all the policies therein. It then resets the bigsql.external.access.control.manager property in bigsql-conf.xml and restarts Big SQL for the change to take effect. The action also updates the available action in metainfo.xml to Enable Ranger Plugin and so restarts ambari-server too.

Disabling the Big SQL Ranger plugin will wipe out all existing policies. Before disabling the plugin you may want to export the policies using the export feature in the Ranger UI.

When the Big SQL Ranger plugin is disabled, the system reverts to using native Big SQL authorization controls. Native Big SQL security authorizations should be examined in detail to ensure only the desired object access is granted. One key difference is when the Big SQL Ranger plugin is disabled, users will have full access to objects they own. This is different from when the Big SQL Ranger plugin was enabled, in which case a Ranger policy was required to grant a user access to an object that they own.

Ranger audit support

All access to Big SQL tables that is authorized by Ranger is automatically audited by Ranger. HDFS and Solr audit destinations are supported. The audit configurations are copied over from Ranger during the 'Enable Ranger plugin' operation. Any changes made to auditing inside the Ranger service after the Big SQL Ranger plugin is enabled are not propagated; they must be applied manually to the Big SQL audit config at $BIGSQL_HOME/conf/ranger-bigsql-audit.xml.
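Because later audit changes in Ranger are not copied automatically, the Big SQL copy can silently fall out of date. The following added example (not IBM's code) reports such drift; it assumes ranger-bigsql-audit.xml uses the Hadoop-style configuration/property/name/value layout and that you have a reference file holding Ranger's current audit settings. The hostnames and values are constructed samples.

```python
import xml.etree.ElementTree as ET

# Per-plugin keys that are expected to differ, so they are not reported as drift.
LOCAL_ONLY = {"xasecure.audit.destination.hdfs.batch.filespool.dir"}

def load_props(xml_text, prefix="xasecure.audit."):
    """Parse a Hadoop-style <configuration> document into {name: value}."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name.startswith(prefix):
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit_drift(reference_xml, bigsql_xml, ignore=LOCAL_ONLY):
    """Return sorted (key, reference_value, bigsql_value) tuples for each mismatch.
    None means the key is absent on that side."""
    ref, cur = load_props(reference_xml), load_props(bigsql_xml)
    keys = sorted((set(ref) | set(cur)) - set(ignore))
    return [(k, ref.get(k), cur.get(k)) for k in keys if ref.get(k) != cur.get(k)]

def _conf(pairs):
    """Build a constructed sample document in the assumed layout."""
    body = "".join(
        f"<property><name>{n}</name><value>{v}</value></property>" for n, v in pairs
    )
    return f"<configuration>{body}</configuration>"

# Constructed sample: audit settings as currently configured in Ranger.
REFERENCE = _conf([
    ("xasecure.audit.destination.hdfs", "true"),
    ("xasecure.audit.destination.hdfs.dir", "hdfs://nn.example.com:8020/ranger/audit"),
    ("xasecure.audit.destination.solr", "true"),
    ("xasecure.audit.destination.solr.zookeepers", "zk1.example.com:2181/infra-solr"),
])
# Constructed sample: stale copy in $BIGSQL_HOME/conf/ranger-bigsql-audit.xml.
BIGSQL = _conf([
    ("xasecure.audit.destination.hdfs", "true"),
    ("xasecure.audit.destination.hdfs.dir", "hdfs://nn.example.com:8020/ranger/audit"),
    ("xasecure.audit.destination.hdfs.batch.filespool.dir", "/tmp/audit/hdfs/spool"),
    ("xasecure.audit.destination.solr", "false"),
])

if __name__ == "__main__":
    for key, want, have in audit_drift(REFERENCE, BIGSQL):
        print(f"DRIFT {key}: ranger={want!r} bigsql={have!r}")
```

In practice, pass the contents of the two files read from disk instead of the constructed samples, and run the check after any audit change in Ranger.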

For Big SQL audits to be available on a Kerberos enabled cluster, you need to perform the following steps:
  1. In the Ambari-infra service, add the bigsql user to the property Ranger audit service users in Advanced infra-solr-security-json config.
  2. Restart the Big SQL service.

What to do next

To set up SSL for the Big SQL Ranger plugin, see Configuring the Big SQL Ranger plugin for SSL using self-signed certificates.