How to carry out the internal analysis of Apache Ranger

2025-01-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article walks through the internals of Apache Ranger. Many people may not know much about them, so the editor has summarized each part below.

First, let's take a look at all the parts inside Ranger:

Ranger Admin Server/Portal

Ranger Policy Server

Ranger Plugins

Ranger User/Group Sync

Ranger Tag Sync

Ranger Audit Server

The following architecture diagram shows the relationship between each part:

Let's take a look at more details of each part.

Ranger Admin Server/Portal

Centralized interface for security management

Administrators can

Define repositories

Create and update policies

Manage Ranger users / groups

Define audit policy

View audit events

Running in a Tomcat service

Provide Ranger API

Ranger Policy Server

Allow administrators to define / update policy details

Allow administrators to specify which users are delegated administrators and who can access and modify a policy

Policies can be divided into different security zones

A resource can only be allocated to one security zone

If a resource matches a security zone, only the policies defined in that zone are checked

If the resource matches no zone, the policies under the default (unnamed) zone are used

Both allow and deny policies are supported

Deny policies are checked before allow policies

Policies apply to users or groups

Ranger User/Group Sync

The synchronizer pulls users and user groups and supports synchronizing users / groups from the following sources:

Unix

LDAP

AD

User / group information is stored in the Ranger Admin policy database and used for policy definition

Ranger Plugins

Lightweight Java components installed in Hadoop components, such as HDFS or Hive.

Periodically pull policies from the Admin Server and cache them locally

Act as an authorization module and evaluate user requests according to security policy

If no policy is found, fall back to HDFS ACLs for HDFS, while denying access for all other components

Trigger requests to store audit data (sent to both HDFS and Solr)
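The decision order described in the Policy Server and Plugins sections (zone selection, deny before allow, fallback when nothing matches) can be shown as a small model. This is an added example, not Ranger's own code: `Policy`, `zone_for`, `authorize`, the `HDFS_ACL` return value and all sample paths and names are constructed assumptions, and resource matching is simplified to path prefixes.

```python
# Simplified model of the evaluation order described on this page.
# Not Ranger code: every name and value here is hypothetical.
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    zone: str              # "" is the default (unnamed) zone
    prefix: str            # resource path prefix the policy covers
    principals: frozenset  # user and group names the policy applies to
    access: str            # e.g. "read"
    deny: bool = False

# Constructed sample data: a resource prefix belongs to at most one zone.
ZONES = {"finance": ["/data/finance"]}
POLICIES = [
    Policy("finance", "/data/finance", frozenset({"fin-analysts"}), "read"),
    Policy("finance", "/data/finance/payroll", frozenset({"contractors"}),
           "read", deny=True),
    Policy("", "/data", frozenset({"etl"}), "read"),
]

def covers(prefix, resource):
    return resource == prefix or resource.startswith(prefix + "/")

def zone_for(resource):
    """Return the single zone owning the resource, or "" for the default zone."""
    for zone, prefixes in ZONES.items():
        if any(covers(p, resource) for p in prefixes):
            return zone
    return ""

def authorize(user, groups, resource, access, component="hive"):
    principals = {user} | set(groups)
    zone = zone_for(resource)
    # Only policies of the matched zone are considered.
    matching = [p for p in POLICIES
                if p.zone == zone and p.access == access
                and covers(p.prefix, resource) and p.principals & principals]
    if any(p.deny for p in matching):   # deny is checked before allow
        return "DENY"
    if matching:
        return "ALLOW"
    # No policy found: HDFS defers to its own ACLs, other components deny.
    return "HDFS_ACL" if component == "hdfs" else "DENY"
```

Note that the `etl` user, allowed on `/data` in the default zone, gets no access to `/data/finance`, because that resource belongs to the `finance` zone and default-zone policies are never consulted for it.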

Ranger Audit Server

Auditing is configured through policy (the user specifies whether auditing is enabled when the policy applies)

By default, audit data is stored in HDFS and Solr

The data in Solr will be used to display audit data in Ranger admin UI

The data in HDFS will not be used as a backup (as far as I know)

Storage of audit data in a DB is no longer supported since 0.5

Supports audit log summarization (Audit Log Summarisation)

Starting with Apache Ranger 0.5

Within the defined interval, similar logs that differ only in their timestamps are summarized into a single audit entry, to avoid a large number of audit logs

The default is 5 seconds.

Ranger Tag Sync

Starting with Apache Ranger 0.6

It separates resource classification from access authorization

You can apply a tag policy to multiple components as long as the resource has the same tag attached to it

Help reduce the number of policies required in Ranger

Apache Atlas is required to manage metadata (Hive databases / tables, HDFS paths, Kafka topics, tags / classifications, etc.)

Event-based

Any change in Hive, etc. sends an event to the Kafka topic ATLAS_HOOK, from which Atlas picks up the change

Any change in Atlas sends an event to the Kafka topic ATLAS_ENTITIES, from which Ranger Tag Sync picks up the change

Tag policies are evaluated before resource-based policies

As you can see, Ranger consists of many components; the descriptions in this article should give you a clear understanding of Ranger's overall function.
