Configuring Kudu's integration with Apache Ranger

Apache Ranger has wider adoption and provides a more comprehensive security features (such as attribute based access control, audit, etc) than Sentry. This topic provides information to configure Kudu with Apache Ranger.

  1. After building Kudu from source, find the kudu-subprocess.jar under the build directory, for example build/release/bin.
    Note its path, as it is the one to the JAR file containing the Ranger subprocess, which houses the Ranger client that Kudu will use to communicate with the Ranger server.
  2. Use the kudu table list tool to find any table names in the cluster that are not Ranger-compatible, which are names that begin or end with a period (.). Also check that there are no two table names that only differ by case, since authorization is case-insensitive.
    For those tables that do not comply with the requirements, use the kudu table rename_table tool to rename the tables.
  3. Create a Ranger client ranger-kudu-security.xml configuration file, and note down the directory containing this file.
    <property>
      <name>ranger.plugin.kudu.policy.cache.dir</name>
      <value>policycache</value>
      <description>Directory where Ranger policies are cached after successful retrieval from the Ranger service</description>
    </property>
    <property>
      <name>ranger.plugin.kudu.service.name</name>
      <value>kudu</value>
      <description>Name of the Ranger service repository storing policies for this Kudu cluster</description>
    </property>
    <property>
      <name>ranger.plugin.kudu.policy.rest.url</name>
      <value>http://host:port</value>
      <description>Ranger Admin URL</description>
    </property>
    <property>
      <name>ranger.plugin.kudu.policy.source.impl</name>
      <value>org.apache.ranger.admin.client.RangerAdminRESTClient</value>
      <description>Ranger client implementation to retrieve policies from the Ranger service</description>
    </property>
    <property>
      <name>ranger.plugin.kudu.policy.rest.ssl.config.file</name>
      <value>ranger-kudu-policymgr-ssl.xml</value>
      <description>Path to the file containing SSL details to connect Ranger Admin</description>
    </property>
    <property>
      <name>ranger.plugin.kudu.policy.pollIntervalMs</name>
      <value>30000</value>
      <description>Ranger client policy polling interval</description>
    </property>
  4. When Secure Socket Layer (SSL) is enabled for Ranger Admin, add the ranger-kudu-policymgr-ssl.xml file to the Ranger client configuration directory with the following configurations:
    <property>
      <name>xasecure.policymgr.clientssl.keystore</name>
      <value>[/path/to/keystore].jks</value>
      <description>Java keystore files</description>
    </property>
    <property>
      <name>xasecure.policymgr.clientssl.keystore.credential.file</name>
      <value>jceks://file/[path/to/credentials].jceks</value>
      <description>Java keystore credential file</description>
    </property>
    <property>
      <name>xasecure.policymgr.clientssl.truststore</name>
      <value>[/path/to/truststore].jks</value>
      <description>Java truststore file</description>
    </property>
    <property>
      <name>xasecure.policymgr.clientssl.truststore.credential.file</name>
      <value>jceks://file/[path/to/credentials].jceks</value>
      <description>Java truststore credential file</description>
    </property>
  5. Set the following configurations on the Kudu master:
    # The path to directory containing Ranger client configuration. This example
    # assumes the path is '/kudu/ranger-config'.
    --ranger_config_path=/kudu/ranger-config
    
    # The path where the Java binary was installed. This example assumes
    # '$JAVA_HOME=/usr/local'
    --ranger_java_path=/usr/local/bin/java
    
    # The path to the JAR file containing the Ranger subprocess. This example
    # assumes '$KUDU_HOME=/kudu'
    --ranger_jar_path=/kudu/build/release/bin/kudu-subprocess.jar
    
    # This example ACL setup allows the 'impala' user to access all data stored in
    # Kudu, assuming Impala will authorize requests on its own. The 'kudu' user is
    # also granted access to all Kudu data, which may facilitate testing and
    # debugging (such as running the 'kudu cluster ksck' tool).
    --trusted_user_acl=impala,kudu
  6. Set the following configurations on the tablet servers:
    --tserver_enforce_access_control=true
  7. Add a Kudu service repository with the following configurations via the Ranger Admin web UI:
    # This example setup configures the Kudu service user as a privileged user to be
    # able to retrieve authorization policies stored in Ranger.
    
    <property>
      <name>policy.download.auth.users</name>
      <value>kudu</value>
    </property>