Additional requirements for Atlas with Ranger and Kerberos

Currently additional configuration steps are required for Atlas with Ranger and in Kerberized environments.

Additional Requirements for Atlas with Ranger

When Atlas is used with Ranger, perform the following additional configuration steps:

	Important
	These steps are not required for Ambari-2.4.x and higher versions. For Ambari-2.4.x and higher, these steps will be performed automatically when Atlas is restarted.

Create the following HBase policy:
- table: atlas_titan, ATLAS_ENTITY_AUDIT_EVENTS
  
  user: atlas
  
  permission: Read, Write, Create, Admin

Create following Kafka policies:
- topic=ATLAS_HOOK
  
  permission=publish, create; group=public
  
  permission=consume, create; user=atlas (for non-kerberized environments, set group=public)
- topic=ATLAS_ENTITIES
  
  permission=publish, create; user=atlas (for non-kerberized environments, set group=public)
  
  permission=consume, create; group=public

You should also ensure that an Atlas service is created in Ranger, and that the Atlas service includes the following configuration properties:

Table 2.4. Ranger Atlas Service Kerberos Properties


Property	Value
tag.download.auth.users	atlas
policy.download.auth.users	atlas
ambari.service.check.user	atlas

	Note
If the Ranger Atlas service is not created after enabling the plugin and restarting Atlas, that indicates that either there is already a policy JSON on the Atlas host (in the `/etc/ranger/<service_name>/policycache/` directory), or Ambari was unable to connect to Ranger Admin during the Atlas restart. The solution for the first issue is to delete or move the `policycache` file, then restart Atlas. You can click the Test Connection button on the Ranger Atlas Service Details page to verify the configuration settings. You can also select Audit > Plugins in the Ranger Admin UI to check for the latest Atlas service entry.

Note

If the Ranger Atlas service is not created after enabling the plugin and restarting Atlas, that indicates that either there is already a policy JSON on the Atlas host (in the /etc/ranger/<service_name>/policycache/ directory), or Ambari was unable to connect to Ranger Admin during the Atlas restart. The solution for the first issue is to delete or move the policycache file, then restart Atlas.

You can click the Test Connection button on the Ranger Atlas Service Details page to verify the configuration settings.
You can also select Audit > Plugins in the Ranger Admin UI to check for the latest Atlas service entry.

Additional Requirements for Atlas with Kerberos without Ranger

When Atlas is used in a Kerberized environment without Ranger, perform the following additional configuration steps:

Start the HBase shell with the user identity of the HBase admin user ('hbase')
Execute the following command in HBase shell, to enable Atlas to create necessary HBase tables:
- grant 'atlas', 'RWXCA'
Start (or restart) Atlas, so that Atlas would create above HBase tables
Execute the following commands in HBase shell, to enable Atlas to access necessary HBase tables:
- grant 'atlas', 'RWXCA', 'atlas_titan'
- grant 'atlas', 'RWXCA', 'ATLAS_ENTITY_AUDIT_EVENTS'

Kafka – To grant permissions to a Kafka topic, run the following commands as the Kafka user:

/usr/hdp/current/kafka-broker/bin/kafka-acls.sh --authorizer kafka.security.auth.SimpleAclAuthorizer 
--authorizer-properties zookeeper.connect=hostname:2181 --add --operation All --allow-principal User:atlas 
--topic ATLAS_HOOK
/usr/hdp/current/kafka-broker/bin/kafka-acls.sh --authorizer kafka.security.auth.SimpleAclAuthorizer 
--authorizer-properties zookeeper.connect=hostname:2181 --add --operation All --allow-principal User:atlas 
--topic ATLAS_ENTITIES