Configuring Apache Atlas
Also available as:
PDF

Additional requirements for Atlas with Ranger and Kerberos

Currently additional configuration steps are required for Atlas with Ranger and in Kerberized environments.

Additional Requirements for Atlas with Ranger

When Atlas is used with Ranger, perform the following additional configuration steps:

Important
Important
These steps are not required for Ambari-2.4.x and higher versions. For Ambari-2.4.x and higher, these steps will be performed automatically when Atlas is restarted.
  • Create the following HBase policy:

    • table: atlas_titan, ATLAS_ENTITY_AUDIT_EVENTS

      user: atlas

      permission: Read, Write, Create, Admin

  • Create following Kafka policies:

    • topic=ATLAS_HOOK

      permission=publish, create; group=public

      permission=consume, create; user=atlas (for non-kerberized environments, set group=public)

    • topic=ATLAS_ENTITIES

      permission=publish, create; user=atlas (for non-kerberized environments, set group=public)

      permission=consume, create; group=public

You should also ensure that an Atlas service is created in Ranger, and that the Atlas service includes the following configuration properties:

Table 2.4. Ranger Atlas Service Kerberos Properties

Property Value
tag.download.auth.users atlas
policy.download.auth.users atlas
ambari.service.check.user atlas

Note
Note
If the Ranger Atlas service is not created after enabling the plugin and restarting Atlas, that indicates that either there is already a policy JSON on the Atlas host (in the /etc/ranger/<service_name>/policycache/ directory), or Ambari was unable to connect to Ranger Admin during the Atlas restart. The solution for the first issue is to delete or move the policycache file, then restart Atlas.
  • You can click the Test Connection button on the Ranger Atlas Service Details page to verify the configuration settings.
  • You can also select Audit > Plugins in the Ranger Admin UI to check for the latest Atlas service entry.

Additional Requirements for Atlas with Kerberos without Ranger

When Atlas is used in a Kerberized environment without Ranger, perform the following additional configuration steps:

  • Start the HBase shell with the user identity of the HBase admin user ('hbase')

  • Execute the following command in HBase shell, to enable Atlas to create necessary HBase tables:

    • grant 'atlas', 'RWXCA'

  • Start (or restart) Atlas, so that Atlas would create above HBase tables

  • Execute the following commands in HBase shell, to enable Atlas to access necessary HBase tables:

    • grant 'atlas', 'RWXCA', 'atlas_titan'

    • grant 'atlas', 'RWXCA', 'ATLAS_ENTITY_AUDIT_EVENTS'

  • Kafka – To grant permissions to a Kafka topic, run the following commands as the Kafka user:

    /usr/hdp/current/kafka-broker/bin/kafka-acls.sh --authorizer kafka.security.auth.SimpleAclAuthorizer 
    --authorizer-properties zookeeper.connect=hostname:2181 --add --operation All --allow-principal User:atlas 
    --topic ATLAS_HOOK
    /usr/hdp/current/kafka-broker/bin/kafka-acls.sh --authorizer kafka.security.auth.SimpleAclAuthorizer 
    --authorizer-properties zookeeper.connect=hostname:2181 --add --operation All --allow-principal User:atlas 
    --topic ATLAS_ENTITIES