What's New in This Release
New features and changes for Apache Ranger and Apache Knox have been introduced in Hortonworks Data Platform, version 2.6.x, along with documentation updates. New features are described in the following sections.
Hortonworks Data Platform 2.6.0
Authentication
New Identity Assertion Provider: HadoopGroupProvider
The Hadoop Group Lookup identity assertion provider looks up the user’s ‘group membership’ for authenticated users using Hadoop’s group mapping service (GroupMappingServiceProvider).
This allows existing investments in the Hadoop to be leveraged within Knox and used within the access control policy enforcement at the perimeter.
Support for PAM Authentication
PAM authentication is configured by adding a "ShiroProvider" authentication provider to the cluster's topology file with PAM parameters.
There are a large number of pluggable authentication modules available for authenticating access to Hadoop through the Knox Gateway. ShiroProvider, in addition to LDAP support, also includes support for PAM-based authentication for unix-based systems.
WebSocket is a communication protocol that allows full duplex communication over single TCP connection. Knox provides out-of-the-box support for WebSocket protocol, but currently, only text-based messages are supported.
Authorization
Export and import tag-based and resource-based policies
Export and import policies from Ranger Admin UI from one cluster to another when launching new clusters or moving policies from test to production clusters. Export/import a specific subset of policies (such as those that pertain to specific resources or user/groups) or clone the entire repository or multiple repositories via Ranger Admin UI.
When enabled, Ranger Usersync saves the latest timestamp of all the objects that are synced previously and uses that timestamp to perform the next sync. Usersync uses a polling mechanism to perform incremental sync by using LDAP attributes uSNChanged (for AD) or modifytimestamp (for LDAP). Recommended for large deployments.
Support for {USER} variable in Ranger policies
The variable
{USER}
can be used to autofill the accessing user.
Auditing
New Plugin Status page under Audits
This tab shows policies in effect for each plugin. Includes the relevant host info and when the plugin downloaded and started enforcing the policies.
Miscellaneous
Bug fixes