Enabling Ranger for Trino

  1. Access the Apache Ranger interface.
  2. Change the role of the Trino user to Admin. The Admin role is required to download policies.
  3. As the opc user, SSH to the first master node (mn0) of your ODH cluster, where the Trino coordinator is installed.
  4. Navigate to the ranger-trino-plugin directory.
    [opc@mn0 ~]$ cd /usr/odh/current/ranger-trino-plugin
    [opc@mn0 ranger-trino-plugin]$ ls
    disable-trino-plugin.sh  enable-trino-plugin.sh  install  install.properties  lib  ranger_credential_helper.py  ranger_credential_helper.pyc  ranger_credential_helper.pyo
    
  5. Update the following entries in the install.properties file.
    POLICY_MGR_URL=https://hostname-of-node-where-ranger-runs:ranger-port
    REPOSITORY_NAME=trino_auth

    By default, Ranger runs on the first utility node (un0).

    Important

    Note the value of REPOSITORY_NAME as it is needed later.
  6. Run the enable-trino-plugin.sh script as the root user.
    [opc@mn0 ranger-trino-plugin]$ sudo su
    [root@mn0 ranger-trino-plugin]$ export JAVA_HOME=/etc/alternatives/jre_11_openjdk
    [root@mn0 ranger-trino-plugin]$ bash enable-trino-plugin.sh
  7. Navigate to the Trino config directory /etc/trino/conf.
  8. Update the access-control.properties file by adding the following entries.
    $ cat /usr/lib/trino/etc/access-control.properties
    access-control.name=ranger
    ranger.principal=trino/trino-coordinator.example.com@BDSCLOUDSERVICE.ORACLE.COM
    ranger.keytab=/etc/security/keytabs/trino.service.keytab
  9. Access the Apache Ranger interface.
  10. Add a new service under Trino using the same service name you provided as the repository name in install.properties.
  11. Add a catalog level policy for the system catalog. Grant select, use, and execute permissions for all users (USER).
  12. Add a schema level policy for the system catalog, and the information_schema and runtime schemas. Grant select and execute permissions for all users (USER).
  13. Modify the all function policy and update the ALLOW condition to give all users (USER) the execute permission.
  14. Access the Apache Ambari interface.
  15. Restart Trino.
  16. View the Trino server log. You should see the following.
    2022-03-23T04:51:51.753Z    INFO    main    io.trino.security.AccessControlManager  -- Loaded system access control ranger --
    2022-03-23T04:51:52.254Z    INFO    main    io.trino.server.Server  ======== SERVER STARTED ========
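
The checks in steps 5, 8 and 16 can be scripted so that a restart which did not load the Ranger access control is caught instead of assumed. The following is an added example, not part of the original procedure or of the plugin: the function names, the un0.example.com host, the port and the sample files are constructed, file paths are passed as arguments, and the requirement that POLICY_MGR_URL use https is an assumption based on the value shown in step 5.

```shell
#!/bin/sh
# Added example (not from the original page). Paths are arguments; sample data is constructed.

# prop KEY_REGEX FILE: print the last value assigned to the key, whitespace trimmed.
prop() {
  sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | sed 's/[[:space:]]*$//' | tail -n 1
}

# check_config INSTALL_PROPS ACCESS_PROPS: 0 only if both files match steps 5 and 8.
check_config() {
  url=$(prop POLICY_MGR_URL "$1"); repo=$(prop REPOSITORY_NAME "$1")
  acname=$(prop 'access-control\.name' "$2"); keytab=$(prop 'ranger\.keytab' "$2")
  case "$url" in
    https://*) ;;
    *) echo "POLICY_MGR_URL must be an https URL, got '$url'"; return 1 ;;
  esac
  [ -n "$repo" ] || { echo "REPOSITORY_NAME is empty"; return 1; }
  [ "$acname" = ranger ] || { echo "access-control.name is '$acname', expected ranger"; return 1; }
  [ -n "$keytab" ] || { echo "ranger.keytab is not set"; return 1; }
  echo "config ok; the Ranger service in step 10 must be named '$repo'"
}

# check_log SERVER_LOG: 0 only if the most recent completed startup loaded ranger.
check_log() {
  awk '/Loaded system access control ranger/ { loaded = 1 }
       /SERVER STARTED/ { ok = loaded; loaded = 0 }
       END { exit (ok ? 0 : 1) }' "$1"
}

# make_samples DIR: write constructed sample files (host, port and log lines are made up).
make_samples() {
  printf '%s\n' 'POLICY_MGR_URL=https://un0.example.com:6182' 'REPOSITORY_NAME=trino_auth' \
    > "$1/install.properties"
  printf '%s\n' 'access-control.name=ranger' \
    'ranger.principal=trino/trino-coordinator.example.com@BDSCLOUDSERVICE.ORACLE.COM' \
    'ranger.keytab=/etc/security/keytabs/trino.service.keytab' > "$1/access-control.properties"
  printf '%s\n' \
    '2022-03-23T04:51:51.753Z INFO main io.trino.security.AccessControlManager -- Loaded system access control ranger --' \
    '2022-03-23T04:51:52.254Z INFO main io.trino.server.Server ======== SERVER STARTED ========' \
    > "$1/server.log"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
check_config "$demo_dir/install.properties" "$demo_dir/access-control.properties"
check_log "$demo_dir/server.log" && echo "ranger access control loaded at last startup"
rm -rf "$demo_dir"
```

check_log judges only the last startup in the file, so an older "Loaded system access control ranger" line from a previous run does not mask a later restart that came up without it.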