
关于大数据:开源大数据集群部署十三Ranger-集成Trino

作者:櫰木

1、安装 ranger trino 插件

在 trino 的 coordinator 节点部署

  • 解压 ranger-2.3.0-trino-plugin.tar.gz

    [root@hd2.dtstack.com]#tar -zxvf ranger-2.3.0-trino-plugin.tar.gz -C /opt
  • 配置 ranger trino 插件文件 install.properties,内容如下:

    # Licensed to the Apache Software Foundation (ASF) under one or more
    # contributor license agreements.  See the NOTICE file distributed with
    # this work for additional information regarding copyright ownership.
    # The ASF licenses this file to You under the Apache License, Version 2.0
    # (the "License"); you may not use this file except in compliance with
    # the License.  You may obtain a copy of the License at
    #
    #     http://www.apache.org/licenses/LICENSE-2.0
    #
    # Unless required by applicable law or agreed to in writing, software
    # distributed under the License is distributed on an "AS IS" BASIS,
    # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    # See the License for the specific language governing permissions and
    # limitations under the License.
     
    #
    # Location of Policy Manager URL (the Ranger Admin endpoint this plugin is pointed at)
    #
    # Example:
    # POLICY_MGR_URL=http://policymanager.xasecure.net:6080
    #
    # NOTE(review): this value uses plain http://, so traffic between the plugin
    # and Ranger Admin at this URL is not protected by TLS. If Ranger Admin is
    # served over https, change the scheme here and fill in the SSL_* keystore /
    # truststore settings further down in this file.
    # NOTE(review): the article later gives the Ranger web UI as
    # hd2.dtstack.com:6080 while this value points at hd1 -- confirm which host
    # actually runs Ranger Admin.
    POLICY_MGR_URL=http://hd1.dtstack.com:6080/
     
    #
    # This is the repository name created within policy manager
    #
    # Example:
    # REPOSITORY_NAME=trinodev
    #
    # NOTE(review): presumably this has to match the name of the Trino service
    # that is registered in the Ranger web UI, otherwise the plugin would look up
    # policies for a service that does not exist -- confirm when creating it.
    REPOSITORY_NAME=trinodev
     
    # Configure INSTALL_ENV=docker if running trino in docker environment
    #INSTALL_ENV=docker
    #
    # Name of the directory where the component's lib and conf directory exist.
    # This location should be relative to the parent of the directory containing
    # the plugin installation files.
    #
    # NOTE(review): the value below is an absolute path, although the template
    # text above describes a relative location. It is consistent with the rest of
    # the article, which reads /opt/trino/etc/access-control.properties after the
    # plugin has been enabled.
    COMPONENT_INSTALL_DIR_NAME=/opt/trino
     
    # ---- Audit destinations (V3 properties) ----
    # As written, every destination in this section is switched off
    # (XAAUDIT.SOLR.ENABLE, XAAUDIT.ELASTICSEARCH.ENABLE, XAAUDIT.HDFS.ENABLE,
    # XAAUDIT.LOG4J.ENABLE and XAAUDIT.AMAZON_CLOUDWATCH.ENABLE are all false),
    # so the URL / directory values below are presumably unused and the plugin
    # would not ship access-audit records anywhere -- confirm, and enable at
    # least one destination if allow/deny decisions need to be reviewable.

    # Enable audit logs to Solr
    # XAAUDIT.SUMMARY.ENABLE is a separate key from XAAUDIT.SOLR.ENABLE below.
    XAAUDIT.SUMMARY.ENABLE=false
    #Example
    #XAAUDIT.SOLR.ENABLE=true
    #XAAUDIT.SOLR.URL=http://localhost:6083/solr/ranger_audits
    #XAAUDIT.SOLR.ZOOKEEPER=
    #XAAUDIT.SOLR.FILE_SPOOL_DIR=/var/log/trino/audit/solr/spool
     
    # The Solr URL and ZooKeeper ensemble are filled in for this cluster, but the
    # destination itself stays disabled by the ENABLE=false line.
    # NOTE(review): USER/PASSWORD=NONE looks like a "not set" placeholder; if Solr
    # audit is enabled against a Solr that requires authentication, set real
    # values and restrict read access to this file.
    XAAUDIT.SOLR.ENABLE=false
    XAAUDIT.SOLR.URL=http://hd1.dtstack.com:8983/solr/ranger_audits
    XAAUDIT.SOLR.USER=NONE
    XAAUDIT.SOLR.PASSWORD=NONE
    XAAUDIT.SOLR.ZOOKEEPER=hd1:2181,hd2:2181,hd3:2181/ranger_audits
    XAAUDIT.SOLR.FILE_SPOOL_DIR=/var/log/trino/audit/solr/spool
     
    # Enable audit logs to ElasticSearch
    #Example
    #XAAUDIT.ELASTICSEARCH.ENABLE=true
    #XAAUDIT.ELASTICSEARCH.URL=localhost
    #XAAUDIT.ELASTICSEARCH.INDEX=audit
     
    # Disabled; every ElasticSearch value is left at the NONE placeholder.
    XAAUDIT.ELASTICSEARCH.ENABLE=false
    XAAUDIT.ELASTICSEARCH.URL=NONE
    XAAUDIT.ELASTICSEARCH.USER=NONE
    XAAUDIT.ELASTICSEARCH.PASSWORD=NONE
    XAAUDIT.ELASTICSEARCH.INDEX=NONE
    XAAUDIT.ELASTICSEARCH.PORT=NONE
    XAAUDIT.ELASTICSEARCH.PROTOCOL=NONE
     
    # Enable audit logs to HDFS
    #Example
    #XAAUDIT.HDFS.ENABLE=true
    #XAAUDIT.HDFS.HDFS_DIR=hdfs://node-1.example.com:8020/ranger/audit
    #  If using Azure Blob Storage
    #XAAUDIT.HDFS.HDFS_DIR=wasb[s]://<containername>@<accountname>.blob.core.windows.net/<path>
    #XAAUDIT.HDFS.HDFS_DIR=wasb://ranger_audit_container@my-azure-account.blob.core.windows.net/ranger/audit
    #XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/trino/audit/hdfs/spool
     
    # Disabled; HDFS_DIR still carries the __REPLACE__NAME_NODE_HOST token and
    # has to be filled in before this destination can be turned on.
    XAAUDIT.HDFS.ENABLE=false
    XAAUDIT.HDFS.HDFS_DIR=hdfs://__REPLACE__NAME_NODE_HOST:8020/ranger/audit
    XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/trino/audit/hdfs/spool
     
    # The following additional properties are needed when auditing to Azure Blob Storage via HDFS
    # Get these values from your /etc/hadoop/conf/core-site.xml
    #XAAUDIT.HDFS.HDFS_DIR=wasb[s]://<containername>@<accountname>.blob.core.windows.net/<path>
    # All four values are still template tokens. The account key is a storage
    # credential: if it is ever filled in, this file holds a secret and should
    # be readable only by the account that runs the installer.
    XAAUDIT.HDFS.AZURE_ACCOUNTNAME=__REPLACE_AZURE_ACCOUNT_NAME
    XAAUDIT.HDFS.AZURE_ACCOUNTKEY=__REPLACE_AZURE_ACCOUNT_KEY
    XAAUDIT.HDFS.AZURE_SHELL_KEY_PROVIDER=__REPLACE_AZURE_SHELL_KEY_PROVIDER
    XAAUDIT.HDFS.AZURE_ACCOUNTKEY_PROVIDER=__REPLACE_AZURE_ACCOUNT_KEY_PROVIDER
     
    #Log4j Audit Provider
    # Disabled as well, so audit events are not written through the "xaaudit"
    # logger named below.
    XAAUDIT.LOG4J.ENABLE=false
    XAAUDIT.LOG4J.IS_ASYNC=false
    XAAUDIT.LOG4J.ASYNC.MAX.QUEUE.SIZE=10240
    XAAUDIT.LOG4J.ASYNC.MAX.FLUSH.INTERVAL.MS=30000
    XAAUDIT.LOG4J.DESTINATION.LOG4J=true
    XAAUDIT.LOG4J.DESTINATION.LOG4J.LOGGER=xaaudit
     
    # Enable audit logs to Amazon CloudWatch Logs
    #Example
    #XAAUDIT.AMAZON_CLOUDWATCH.ENABLE=true
    #XAAUDIT.AMAZON_CLOUDWATCH.LOG_GROUP=ranger_audits
    #XAAUDIT.AMAZON_CLOUDWATCH.LOG_STREAM={instance_id}
    #XAAUDIT.AMAZON_CLOUDWATCH.FILE_SPOOL_DIR=/var/log/hive/audit/amazon_cloudwatch/spool
     
    # Disabled; values left at NONE. Note that the example above shows
    # LOG_STREAM and a /var/log/hive path, while the live key is
    # LOG_STREAM_PREFIX -- use the live key names if this is ever enabled.
    XAAUDIT.AMAZON_CLOUDWATCH.ENABLE=false
    XAAUDIT.AMAZON_CLOUDWATCH.LOG_GROUP=NONE
    XAAUDIT.AMAZON_CLOUDWATCH.LOG_STREAM_PREFIX=NONE
    XAAUDIT.AMAZON_CLOUDWATCH.FILE_SPOOL_DIR=NONE
    XAAUDIT.AMAZON_CLOUDWATCH.REGION=NONE
     
    # End of V3 properties
     
     
    #
    #  Audit to HDFS Configuration
    #
    # If XAAUDIT.HDFS.IS_ENABLED is set to true, please replace tokens
    # that start with __REPLACE__ with appropriate values
    #  XAAUDIT.HDFS.IS_ENABLED=true
    #  XAAUDIT.HDFS.DESTINATION_DIRECTORY=hdfs://__REPLACE__NAME_NODE_HOST:8020/ranger/audit/%app-type%/%time:yyyyMMdd%
    #  XAAUDIT.HDFS.LOCAL_BUFFER_DIRECTORY=__REPLACE__LOG_DIR/trino/audit
    #  XAAUDIT.HDFS.LOCAL_ARCHIVE_DIRECTORY=__REPLACE__LOG_DIR/trino/audit/archive
    #
    # Example:
    #  XAAUDIT.HDFS.IS_ENABLED=true
    #  XAAUDIT.HDFS.DESTINATION_DIRECTORY=hdfs://namenode.example.com:8020/ranger/audit/%app-type%/%time:yyyyMMdd%
    #  XAAUDIT.HDFS.LOCAL_BUFFER_DIRECTORY=/var/log/trino/audit
    #  XAAUDIT.HDFS.LOCAL_ARCHIVE_DIRECTORY=/var/log/trino/audit/archive
    #
    # This older-style HDFS audit block is disabled too, and its __REPLACE__
    # tokens are left unfilled.
    XAAUDIT.HDFS.IS_ENABLED=false
    XAAUDIT.HDFS.DESTINATION_DIRECTORY=hdfs://__REPLACE__NAME_NODE_HOST:8020/ranger/audit/%app-type%/%time:yyyyMMdd%
    XAAUDIT.HDFS.LOCAL_BUFFER_DIRECTORY=__REPLACE__LOG_DIR/trino/audit
    XAAUDIT.HDFS.LOCAL_ARCHIVE_DIRECTORY=__REPLACE__LOG_DIR/trino/audit/archive
     
    # NOTE(review): the next four keys are spelled DESTINTATION in this file.
    # Key names are matched literally, so do not "correct" the spelling without
    # checking which spelling the installer actually reads.
    XAAUDIT.HDFS.DESTINTATION_FILE=%hostname%-audit.log
    XAAUDIT.HDFS.DESTINTATION_FLUSH_INTERVAL_SECONDS=900
    XAAUDIT.HDFS.DESTINTATION_ROLLOVER_INTERVAL_SECONDS=86400
    XAAUDIT.HDFS.DESTINTATION_OPEN_RETRY_INTERVAL_SECONDS=60
    XAAUDIT.HDFS.LOCAL_BUFFER_FILE=%time:yyyyMMdd-HHmm.ss%.log
    XAAUDIT.HDFS.LOCAL_BUFFER_FLUSH_INTERVAL_SECONDS=60
    XAAUDIT.HDFS.LOCAL_BUFFER_ROLLOVER_INTERVAL_SECONDS=600
    XAAUDIT.HDFS.LOCAL_ARCHIVE_MAX_FILE_COUNT=10
     
    #Solr Audit Provider
    # Older-style Solr audit switch, also false; SOLR_URL is left at the
    # localhost example value.
    XAAUDIT.SOLR.IS_ENABLED=false
    XAAUDIT.SOLR.MAX_QUEUE_SIZE=1
    XAAUDIT.SOLR.MAX_FLUSH_INTERVAL_MS=1000
    XAAUDIT.SOLR.SOLR_URL=http://localhost:6083/solr/ranger_audits
     
    # End of V2 properties
     
    #
    # SSL Client Certificate Information
    #
    # Example:
    # SSL_KEYSTORE_FILE_PATH=/etc/hadoop/conf/ranger-plugin-keystore.jks
    # SSL_KEYSTORE_PASSWORD=none
    # SSL_TRUSTSTORE_FILE_PATH=/etc/hadoop/conf/ranger-plugin-truststore.jks
    # SSL_TRUSTSTORE_PASSWORD=none
    #
    # If you do not use SSL between the agent and the security admin tool, leave these sample values as they are.
    #
    # NOTE(review): myKeyFilePassword and changeit are the sample values referred
    # to above; with POLICY_MGR_URL on http:// they are presumably never read.
    # If the plugin is switched to https, point both paths at real stores,
    # replace both passwords, and keep this file readable only by the account
    # that runs the installer, since the passwords are stored here in clear text.
    SSL_KEYSTORE_FILE_PATH=/etc/hadoop/conf/ranger-plugin-keystore.jks
    SSL_KEYSTORE_PASSWORD=myKeyFilePassword
    SSL_TRUSTSTORE_FILE_PATH=/etc/hadoop/conf/ranger-plugin-truststore.jks
    SSL_TRUSTSTORE_PASSWORD=changeit
     
    #
    # Custom component user
    # CUSTOM_COMPONENT_USER=<custom-user>
    # keep blank if component user is default
    # NOTE(review): the template text names CUSTOM_COMPONENT_USER but the live key
    # is CUSTOM_USER. Presumably this is the OS account that runs Trino and that
    # should own the installed plugin files -- confirm that the account exists on
    # the coordinator before enabling the plugin.
    CUSTOM_USER=trino
     
     
    #
    # Custom component group
    # CUSTOM_COMPONENT_GROUP=<custom-group>
    # keep blank if component group is default
    # NOTE(review): the template text names CUSTOM_COMPONENT_GROUP but the live
    # key is CUSTOM_GROUP. Presumably the group given to the installed plugin
    # files; a broad shared group such as hadoop widens who can read the plugin
    # configuration if those files are group-readable -- confirm the resulting
    # file modes.
    CUSTOM_GROUP=hadoop

2、初始化插件

[root@hd1.dtstack.com ranger-2.3.0-trino-plugin]# ./enable-trino-plugin.sh

4、验证插件是否生效

通过查看 /opt/trino/etc/access-control.properties。
增加

# Selects "ranger" as Trino's access-control implementation.
access-control.name=ranger
# Kerberos identity configured for the Ranger access-control plugin.
# NOTE(review): the keytab holds the long-term key for this principal, so it
# should be readable only by the account that runs Trino (CUSTOM_USER=trino in
# install.properties) -- confirm owner and mode of the file.
ranger.principal=trino/hd1.dtstack.com@DTSTACK.COM
ranger.keytab=/etc/security/keytab/trino.keytab

将 core-site.xml 软链到 trino 的 etc 目录(/opt/trino/etc)下

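# Link Hadoop's core-site.xml into Trino's etc directory. The link path is
# written in full so the result does not depend on the current working
# directory (the original created the link wherever the shell happened to be).
ln -s /opt/hadoop/etc/hadoop/core-site.xml /opt/trino/etc/core-site.xml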

5、Ranger web 界面配置 trino

访问地址:http://hd2.dtstack.com:6080/

用户密码:admin/rangerAdmin123(此为示例环境的管理员口令,正式环境部署后应立即修改)

username 对应值:trino
jdbc.driverClassName 对应值:io.trino.jdbc.TrinoDriver
jdbc.url 对应值:jdbc:trino://hd1.dtstack.com:18080/catalog
tag.download.auth.users:trino
policy.download.auth.users:trino

点击测试连接

显示连接成功,说明配置正确,保存并退出。

点击主页刚添加的 trino

至此,ranger 集成 trino 完成。
Trino 用户策略授权:以 test 用户为例,
首先需要添加对应的 catalog 权限

增加 tableschema 权限

增加用户表的权限

进行验证
trino-cli --server hd1.dtstack.com:18080 --catalog=hive --schema=test --user test

更多技术信息请查看云掣官网 https://yunche.pro/?t=yrgw
