Configure Ranger in DataWorks Security Center to enable permission applications and approvals for StarRocks, Hive, and Lindorm data sources. After the configuration is complete, users can request access permissions for a database/table in DataWorks. When a security administrator approves the request, Ranger automatically generates a corresponding policy.
Overview
Ranger allows security administrators to proactively manage user access permissions for StarRocks, Hive, and Lindorm database/table resources. After you configure Ranger and associate a service in DataWorks Security Center, users can submit permission requests in DataWorks. After a security administrator approves a request, Ranger generates a corresponding policy to enforce data access control.
The end-to-end Ranger permission management workflow is as follows:
- Add a Ranger configuration: configure the connection details for a Ranger instance in Security Center.
- Add a service association: add a StarRocks, Hive, or Lindorm service to the Ranger instance.
- Configure an identity credential: map a RAM user or RAM role to an account that can access the data source. For more information, see Identity credentials.
- Apply for permissions: users submit permission requests in DataWorks. After a security administrator approves a request, Ranger automatically generates the corresponding policy.
Note: A data source type becomes available for permission requests only after you add a service association for it.
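To make concrete what "Ranger automatically generates a corresponding policy" means, and to give a security administrator a way to audit the result, the following is an added Python example; it is not DataWorks or Apache Ranger code. It builds the Ranger v2 policy body that one approved database/table request maps to, and evaluates a list of policies, in the shape returned by Ranger Admin's public v2 REST API, to show which users end up with which access on a table. The Ranger Admin address, the service name `emr-hive`, the `dataworks-...` policy naming scheme, the user names and the sample policies are assumptions constructed for this example; how DataWorks names the policies it generates is not documented on this page.

```python
"""Added example (not part of the DataWorks or Apache Ranger documentation).

Shows the Ranger policy body that one approved DataWorks request maps to and
an offline audit of what a set of Ranger policies actually grants on a table.
The REST path and the policy JSON layout are those of Ranger's public v2 API;
the addresses, names and sample policies below are constructed for the example.
"""
import json
from urllib.parse import urljoin

# Assumed VPC-internal Ranger Admin address and Ranger service name (placeholders).
RANGER_ADMIN = "http://emr-header-1.cluster-12345:6080"
SERVICE_NAME = "emr-hive"


def policy_url(ranger_admin: str, service_name: str) -> str:
    """Ranger Admin public v2 endpoint that lists the policies of one service."""
    return urljoin(ranger_admin, f"/service/public/v2/api/policy?serviceName={service_name}")


def build_hive_policy(service_name, database, table, users, accesses, columns=("*",)):
    """Build the Ranger v2 policy body for one approved request.

    An approval for `users` to perform `accesses` (e.g. select) on database.table
    becomes a resource-based access policy with a single policy item.
    The policy name format is an assumption for this example.
    """
    return {
        "service": service_name,
        "name": f"dataworks-{database}-{table}-{'-'.join(users)}",
        "isEnabled": True,
        "policyType": 0,  # 0 = access policy (not a masking or row-filter policy)
        "resources": {
            "database": {"values": [database], "isExcludes": False, "isRecursive": False},
            "table": {"values": [table], "isExcludes": False, "isRecursive": False},
            "column": {"values": list(columns), "isExcludes": False, "isRecursive": False},
        },
        "policyItems": [{
            "accesses": [{"type": a, "isAllowed": True} for a in accesses],
            "users": list(users),
            "groups": [],
            "delegateAdmin": False,  # True would let the grantee re-grant this access
        }],
    }


def _matches(resource, value):
    """Does one resource spec (values / isExcludes) cover `value`? '*' covers everything."""
    values = resource.get("values", [])
    hit = "*" in values or value in values
    return (not hit) if resource.get("isExcludes") else hit


def effective_grants(policies, database, table):
    """Return (user -> set of access types on database.table, users with delegateAdmin).

    Only enabled access policies are considered. Group membership is not resolved
    here, so group-based grants are deliberately out of scope for this audit.
    """
    grants, admins = {}, set()
    for p in policies:
        if not p.get("isEnabled", True) or p.get("policyType", 0) != 0:
            continue
        res = p["resources"]
        if not (_matches(res["database"], database) and _matches(res["table"], table)):
            continue
        for item in p.get("policyItems", []):
            types = {a["type"] for a in item["accesses"] if a.get("isAllowed", True)}
            for user in item.get("users", []):
                grants.setdefault(user, set()).update(types)
                if item.get("delegateAdmin"):
                    admins.add(user)
    return grants, admins


# Constructed sample: what GET .../policy?serviceName=emr-hive could return after two
# approvals, plus a pre-existing wildcard policy that a review should catch.
SAMPLE_POLICIES = [
    build_hive_policy(SERVICE_NAME, "sales", "orders", ["alice"], ["select"]),
    build_hive_policy(SERVICE_NAME, "sales", "orders", ["bob"], ["select", "update"]),
    {"service": SERVICE_NAME, "name": "all - database, table, column", "isEnabled": True,
     "policyType": 0,
     "resources": {"database": {"values": ["*"]}, "table": {"values": ["*"]},
                   "column": {"values": ["*"]}},
     "policyItems": [{"accesses": [{"type": "all", "isAllowed": True}], "users": ["hive"],
                      "groups": [], "delegateAdmin": True}]},
]

if __name__ == "__main__":
    print(json.dumps(build_hive_policy(SERVICE_NAME, "sales", "orders", ["alice"], ["select"]), indent=2))
    grants, admins = effective_grants(SAMPLE_POLICIES, "sales", "orders")
    for user, types in sorted(grants.items()):
        print(f"{user}: {sorted(types)}{' (delegateAdmin)' if user in admins else ''}")
```

To run the audit against a live Ranger Admin, fetch `policy_url(...)` with the Ranger administrator credentials from a host inside the same VPC and pass the returned JSON array to `effective_grants`. The `hive` entry in the sample is the reason the check is worth doing after an approval: a pre-existing wildcard policy with `delegateAdmin` grants far more than any approved request, and it never shows up in the DataWorks approval trail.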
Usage notes
- You must be a Tenant Administrator or tenant security administrator to access the Manage Ranger page and perform the configuration.
- The EMR or Lindorm cluster and the DataWorks resource group must be in the same VPC.
- The EMR or Lindorm cluster must be attached to a DataWorks workspace, and its resource group must be initialized. For more information, see Legacy Data Studio: Bind an EMR compute resource.
- DataWorks supports only serverless resource groups for this feature. For more information, see Use a serverless resource group.
Go to the Manage Ranger page
- Log on to the DataWorks console. In the top navigation bar, select the desired region. In the left-side navigation pane, choose . On the page that appears, click Go to Security Center.
- In the left-side navigation pane, click Manage Ranger to go to the Manage Ranger page.
Step 1: Add a Ranger configuration
On the Manage Ranger page, click New to add a Ranger configuration. The following table describes the parameters:

| Parameter | Description |
| --- | --- |
| Cluster Type | Select a cluster type. Valid values: EMR and Lindorm. |
| EMR cluster ID / Lindorm Instance ID | Select the cluster or instance that matches the cluster type you selected. Note: Your account must have the read-only permission that lists EMR clusters or Lindorm instances (see the service tables in Step 2). |
| Resource Group | The resource group that DataWorks uses to reach the Ranger service. Note: Only serverless resource groups are supported. |
| RangerAdmin address | The URL of the Ranger Admin service. DataWorks calls this URL to create and update policies. Note: Use the VPC-internal access URL of RangerAdmin. |
| Ranger administrator account | The administrator account of the Ranger Admin service. |
| Ranger administrator password | The password of the Ranger administrator account. |
| Availability Validation | Click the connectivity test button to verify that DataWorks can reach Ranger Admin with these settings. The configuration can be saved only after the test succeeds. |

After the configuration is complete, click Confirm to save the Ranger configuration.
Step 2: Add a service
After you add a Ranger configuration, you must associate a service with it. A data source type becomes available for permission requests only after its Ranger service is associated.
- On the Manage Ranger page, find the target Ranger configuration and click Management Service in the Actions column to go to the Management Service page.
- Click Add Association and configure the service based on the data source type.
Add a StarRocks service
This service type is used to manage database/table permissions for StarRocks instances through Ranger.

| Parameter | Description |
| --- | --- |
| Ranger Service Type | Select StarRocks. Note: If external catalogs exist in the StarRocks instance, associate the internal catalog first, and then associate the external catalogs. |
| Ranger Service Name | Enter the service name configured in Ranger. You can customize the name. |
| StarRocks instance ID | Select the StarRocks instance that corresponds to the Ranger service name. Note: Your account must have the AliyunEMRReadOnlyAccess permission to retrieve the list of EMR clusters. |
| Catalog | Select a catalog in the StarRocks instance. After the catalog is added, users can request permissions for databases and tables in that catalog. |
Add a Hive service
This service type is used to manage database/table permissions for Hive in an EMR cluster through Ranger.

| Parameter | Description |
| --- | --- |
| Ranger Service Type | Select Hive. |
| Ranger Service Name | Enter the service name configured in Ranger. You can customize the name. The default value is emr-hive. |
| EMR cluster ID | Select the EMR cluster that corresponds to the Ranger service name. Note: Your account must have the AliyunEMRReadOnlyAccess permission to retrieve the list of EMR clusters. |
This service type is used to manage table-level permissions for the Lindorm wide table engine through Ranger.

| Parameter | Description |
| --- | --- |
| Ranger Service Type | Select Lindorm. |
| Ranger Service Name | Enter the service name configured in Ranger. You can customize the name. |
| Lindorm Instance | Select the Lindorm instance that corresponds to the Ranger service name. Note: Your account must have the AliyunLindormReadOnlyAccess permission to retrieve the list of Lindorm instances. |

- After the configuration is complete, click Confirm to save the service configuration.
Next step
After you complete the Ranger and service configurations, you must configure identity credentials that map RAM users or RAM roles to the accounts used to access the data source. For more information, see Identity credentials.