Enabling Ranger for Trino
- Access the Apache Ranger interface.
- Change the role of the Trino user to Admin. The Admin role is required to download policies.
- SSH to the first master node (mn0) of your ODH cluster, where the Trino coordinator is installed, as the opc user.
- Navigate to trino-ranger-plugin.

    [opc@mn0 ~]$ cd /usr/odh/current/ranger-trino-plugin
    [opc@mn0 ranger-trino-plugin]$ ls
    disable-trino-plugin.sh enable-trino-plugin.sh install install.properties lib ranger_credential_helper.py ranger_credential_helper.pyc ranger_credential_helper.pyo
- Update the following entries in the install.properties file.

    POLICY_MGR_URL=https://hostname-of-node-where-ranger-runs:ranger-port
    REPOSITORY_NAME=trino_auth

  By default, Ranger runs on the first utility node (un0).

  Important: Note the value of REPOSITORY_NAME, as it is needed later.
- Run the enable-trino-plugin.sh script as the root user.

    [opc@mn0 ranger-trino-plugin]$ sudo su
    [root@mn0 ranger-trino-plugin]$ export JAVA_HOME=/etc/alternatives/jre_11_openjdk
    [root@mn0 ranger-trino-plugin]$ bash enable-trino-plugin.sh
- Navigate to the Trino config directory /etc/trino/conf.
- Update the access-control.properties file by adding the following entries.

    $ cat /usr/lib/trino/etc/access-control.properties
    access-control.name=ranger
    ranger.principal=trino/trino-coordinator.example.com@BDSCLOUDSERVICE.ORACLE.COM
    ranger.keytab=/etc/security/keytabs/trino.service.keytab
- Access the Apache Ranger interface.
- Add a new service under Trino using the same service name you provided as the repository name in install.properties.
- Add a catalog level policy for the system catalog. Grant select, use, and execute permissions for all users (USER).
- Add a schema level policy for the system catalog, and the information_schema and runtime schema. Grant select and execute permissions for all users (USER).
- Modify the all function policy and update the ALLOW condition to give all users (USER) the execute permission.
- Access the Apache Ambari interface.
- Restart Trino.
- View the Trino server log. You should see the following.

    2022-03-23T04:51:51.753Z INFO main io.trino.security.AccessControlManager -- Loaded system access control ranger --
    2022-03-23T04:51:52.254Z INFO main io.trino.server.Server ======== SERVER STARTED ========
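
A post-install check for the steps above, as an added example that is not part of the original page: it reads the two properties files and the server log and reports anything that would leave Trino running without Ranger enforcing access. The function names `prop` and `check_ranger_trino` are hypothetical, and the https and keytab-permission checks are assumptions of this example rather than requirements stated on the page.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): verify the Ranger/Trino wiring.
# Function names and the https/keytab-mode checks are assumptions of this example.

# Print the value of property $1 (a regex-escaped key) from properties file $2.
prop() {
  sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1 |
    sed 's/[[:space:]]*$//'
}

# Returns 0 when every check passes, otherwise the number of failed checks.
check_ranger_trino() {
  local install="$1" access="$2" log="$3" fails=0 url repo name keytab
  url=$(prop POLICY_MGR_URL "$install")
  repo=$(prop REPOSITORY_NAME "$install")
  name=$(prop 'access-control\.name' "$access")
  keytab=$(prop 'ranger\.keytab' "$access")

  case $url in
    https://*) ;;
    *) echo "FAIL: POLICY_MGR_URL is not an https:// URL: '$url'"; fails=$((fails + 1)) ;;
  esac
  [ -n "$repo" ] || { echo "FAIL: REPOSITORY_NAME is empty"; fails=$((fails + 1)); }
  [ "$name" = ranger ] ||
    { echo "FAIL: access-control.name is '$name', not 'ranger'"; fails=$((fails + 1)); }

  # A keytab readable by group/other lets other local accounts use the principal.
  if [ ! -f "$keytab" ]; then
    echo "FAIL: keytab not found: '$keytab'"; fails=$((fails + 1))
  else
    case $(ls -ld "$keytab") in
      ????------*) ;;
      *) echo "FAIL: keytab has group/other permissions: $keytab"; fails=$((fails + 1)) ;;
    esac
  fi

  # Without this line Trino may be up, but not with Ranger as its access control.
  grep -q 'Loaded system access control ranger' "$log" ||
    { echo "FAIL: log does not show the ranger access control loading"; fails=$((fails + 1)); }

  [ "$fails" -eq 0 ] && echo "OK: plugin configured for repository '$repo'"
  return "$fails"
}

# Run the check when called with the three file paths as arguments.
if [ "$#" -eq 3 ]; then check_ranger_trino "$@"; fi
```

On mn0, pass the plugin's install.properties, the access-control.properties you edited, and the Trino server log as the three arguments.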