diff --git a/datahub-ranger-plugin/README.md b/datahub-ranger-plugin/README.md index 217b780957..a857a4955f 100644 --- a/datahub-ranger-plugin/README.md +++ b/datahub-ranger-plugin/README.md @@ -29,33 +29,33 @@ For kubernetes example command, please replace the <ranger-pod-name> and & 1. Download the **datahub-ranger-plugin** from [Maven](https://mvnrepository.com/artifact/io.acryl/datahub-ranger-plugin) 2. Create a "datahub" directory inside the "ranger-plugins" directory where Apache Ranger is deployed. For example, to do this in a Privacera container -*Docker command:* -```bash -docker exec privacera_ranger_1 mkdir ews/webapp/WEB-INF/classes/ranger-plugins/datahub -``` -*Kubernetes command:* -```bash -kubectl exec <ranger-pod-name> mkdir ews/webapp/WEB-INF/classes/ranger-plugins/datahub -n <namespace> -``` + *Docker command:* + ```bash + docker exec privacera_ranger_1 mkdir ews/webapp/WEB-INF/classes/ranger-plugins/datahub + ``` + *Kubernetes command:* + ```bash + kubectl exec mkdir ews/webapp/WEB-INF/classes/ranger-plugins/datahub -n + ``` 3. Copy the downloaded **datahub-ranger-plugin** jar into the newly created "datahub" directory. For example, to do this in a Privacera container -*Docker command:* -```bash -docker cp datahub-ranger-plugin-<version>.jar privacera_ranger_1:/opt/ranger/ranger-2.1.0-admin/ews/webapp/WEB-INF/classes/ranger-plugins/datahub/ -``` -*Kubernetes command:* -```bash -kubectl cp datahub-ranger-plugin-<version>.jar <ranger-pod-name>:/opt/ranger/ranger-2.1.0-admin/ews/webapp/WEB-INF/classes/ranger-plugins/datahub/ -n <namespace> -``` -5. Download the [service definition file](../datahub-ranger-plugin/conf/servicedef.json). This service definition is the ranger service definition JSON file for datahub-ranger-plugin-<version>.jar -6. Register the downloaded service definition file with Apache Ranger Service. To do this executes the below curl command
+ *Docker command:* + ```bash + docker cp datahub-ranger-plugin-.jar privacera_ranger_1:/opt/ranger/ranger-2.1.0-admin/ews/webapp/WEB-INF/classes/ranger-plugins/datahub/ + ``` + *Kubernetes command:* + ```bash + kubectl cp datahub-ranger-plugin-.jar :/opt/ranger/ranger-2.1.0-admin/ews/webapp/WEB-INF/classes/ranger-plugins/datahub/ -n + ``` +4. Download the [service definition file](../datahub-ranger-plugin/conf/servicedef.json). This service definition is the ranger service definition JSON file for datahub-ranger-plugin-<version>.jar +5. Register the downloaded service definition file with Apache Ranger Service. To do this executes the below curl command
Replace variables with corresponding values in curl command -- <ranger-admin-username> -- <ranger-admin-password> -- <ranger-host> -```bash -curl -u <ranger-admin-username>:<ranger-admin-password> -X POST -H "Accept: application/json" -H "Content-Type: application/json" --data @servicedef.json http://<ranger-host>:6080/service/public/v2/api/servicedef -``` + - <ranger-admin-username> + - <ranger-admin-password> + - <ranger-host> + ```bash + curl -u : -X POST -H "Accept: application/json" -H "Content-Type: application/json" --data @servicedef.json http://:6080/service/public/v2/api/servicedef + ``` ### Defining a Ranger Policy 
@@ -91,50 +91,6 @@ Perform the following steps to configure DataHub to send incoming requests to Ap 1. Download Apache Ranger security xml [ranger-datahub-security.xml](../datahub-ranger-plugin/conf/ranger-datahub-security.xml) 2. In **ranger-datahub-security.xml** edit the value of property *ranger.plugin.datahub.policy.rest.url*. Sample snippet is shown below -```xml - - ranger.plugin.datahub.policy.rest.url - http://199.209.9.70:6080 - - URL to Ranger Admin - - -``` -As per your deployment follow either Docker or Kubernetes section below -### Docker - Configure DataHub to use a Ranger **Authorizer**. On the host where `datahub-gms` is deployed, follow these steps: - 1. Create directory **~/.datahub/plugins/auth/resources/**: Executes below command - ```bash - mkdir -p ~/.datahub/plugins/auth/resources/ - ``` - 2. Copy **ranger-datahub-security.xml** file to ~/.datahub/plugins/auth/resources/ - 3. [Optional] Disable the DataHub default policy authorizer by setting the following environment variable on the `datahub-gms` container: - ```bash - export AUTH_POLICIES_ENABLED=false - ``` - 4. Enable the Apache Ranger authorizer by setting the following environment variable on the `datahub-gms` container: - ```bash - export RANGER_AUTHORIZER_ENABLED=true - ``` - 5. Set the Apache Ranger admin username by setting the following environment variable on the `datahub-gms` container: - ```bash - export RANGER_USERNAME=<username> - ``` - 6. Set the Apache Ranger admin password by setting the following environment variable on the `datahub-gms` container: - ```bash - export RANGER_PASSWORD=<password> - ``` - 7. Redeploy DataHub (`datahub-gms`) with the new environment variables -### Kubernetes - Configure DataHub to use a Ranger **Authorizer**. On the host where `kubectl` is installed, follow these steps: - - For kubernetes example command, please replace the <namespace> as per your environment. - - - 1. 
Download kubernetes configMap for DataHub Apache Ranger authorizer [auth-plugin-configuration-configMap.kubernetes.yaml](../datahub-ranger-plugin/conf/auth-plugin-configuration-configMap.kubernetes.yaml) - - 2. In **auth-plugin-configuration-configMap.kubernetes.yaml** edit the value of property *ranger.plugin.datahub.policy.rest.url*. Sample snippet is shown below - ```xml ranger.plugin.datahub.policy.rest.url 
@@ -145,16 +101,59 @@ As per your deployment follow either Docker or Kubernetes section below ``` +As per your deployment follow either Docker or Kubernetes section below +### Docker + Configure DataHub to use a Ranger **Authorizer**. On the host where `datahub-gms` is deployed, follow these steps: + 1. Create directory **~/.datahub/plugins/auth/resources/**: Executes below command + ```bash + mkdir -p ~/.datahub/plugins/auth/resources/ + ``` + 2. Copy **ranger-datahub-security.xml** file to ~/.datahub/plugins/auth/resources/ + 3. [Optional] Disable the DataHub default policy authorizer by setting the following environment variable on the `datahub-gms` container: + ```bash + export AUTH_POLICIES_ENABLED=false + ``` + 4. Enable the Apache Ranger authorizer by setting the following environment variable on the `datahub-gms` container: + ```bash + export RANGER_AUTHORIZER_ENABLED=true + ``` + 5. Set the Apache Ranger admin username by setting the following environment variable on the `datahub-gms` container: + ```bash + export RANGER_USERNAME= + ``` + 6. Set the Apache Ranger admin password by setting the following environment variable on the `datahub-gms` container: + ```bash + export RANGER_PASSWORD= + ``` + 7. Redeploy DataHub (`datahub-gms`) with the new environment variables +### Kubernetes + Configure DataHub to use a Ranger **Authorizer**. On the host where `kubectl` is installed, follow these steps: + + For kubernetes example command, please replace the <namespace> as per your environment. + + + 1. Download kubernetes configMap for DataHub Apache Ranger authorizer [auth-plugin-configuration-configMap.kubernetes.yaml](../datahub-ranger-plugin/conf/auth-plugin-configuration-configMap.kubernetes.yaml) + + 2. In **auth-plugin-configuration-configMap.kubernetes.yaml** edit the value of property *ranger.plugin.datahub.policy.rest.url*. 
Sample snippet is shown below + ```xml + + ranger.plugin.datahub.policy.rest.url + http://199.222.9.70:6080 + + URL to Ranger Admin + + + ``` + 3. Create a kubernetes configMap resource: Execute below command to create an *auth-plugin-configuration* configMap resource ```bash - kubectl apply -f auth-plugin-configuration-configMap.kubernetes.yaml -n <namespace> + kubectl apply -f auth-plugin-configuration-configMap.kubernetes.yaml -n ``` 4. Edit **datahub-datahub-gms** deployment to set environment variables & volume-mount points: Execute below command to open deployment editor
- ``` - kubectl edit deployment datahub-datahub-gms - ``` - + ``` + kubectl edit deployment datahub-datahub-gms + ``` 1. Add below environment variables in under *spec.template.spec.containers[0].env*: Replace <username> by Apache Ranger admin username and <password> by Apache Ranger admin user password. ```yaml - name: AUTH_POLICIES_ENABLED @@ -162,27 +161,28 @@ As per your deployment follow either Docker or Kubernetes section below - name: RANGER_AUTHORIZER_ENABLED value: "true" - name: RANGER_USERNAME - value: "<username>" + value: "" - name: RANGER_PASSWORD - value: "<password>" + value: "" ``` - 2. Add *volumes* under spec.template.spec: Copy & paste below yaml snippet under *spec.template.spec* - ```yaml - volumes: - - configMap: - name: auth-plugin-configuration - name: auth-resource-volume - ``` - 3. Add *volumeMounts* under spec.template.spec.containers[0]: Copy & paste below yaml snippet under spec.template.spec.containers[0] - ```yaml - volumeMounts: - - mountPath: /etc/datahub/plugins/auth/resources - name: auth-resource-volume - readOnly: true - ``` - 6. Save and quit the editor - 7. Check status of **datahub-datahub-gms** deployment rollout: Execute below command + 2. Add *volumes* under spec.template.spec: Copy & paste below yaml snippet under *spec.template.spec* + ```yaml + volumes: + - configMap: + name: auth-plugin-configuration + name: auth-resource-volume + ``` + 3. Add *volumeMounts* under spec.template.spec.containers[0]: Copy & paste below yaml snippet under spec.template.spec.containers[0] + ```yaml + volumeMounts: + - mountPath: /etc/datahub/plugins/auth/resources + name: auth-resource-volume + readOnly: true + + ``` + 5. Save and quit the editor + 6. Check status of **datahub-datahub-gms** deployment rollout: Execute below command ```bash kubectl rollout status deployment/datahub-datahub-gms ``` 
@@ -217,7 +217,7 @@ then follow the below sections to undo the configuration steps you have performe - <ranger-host> ```bash - curl -u <ranger-admin-username>:<ranger-admin-password> -X DELETE -H "Accept: application/json" -H "Content-Type: application/json" http://<ranger-host>:6080/service/public/v2/api/servicedef/name/datahub + curl -u : -X DELETE -H "Accept: application/json" -H "Content-Type: application/json" http://:6080/service/public/v2/api/servicedef/name/datahub ``` 3. Delete **datahub** plugin directory: Execute below command to delete the **datahub** plugin directory from Apache Ranger @@ -227,25 +227,25 @@ then follow the below sections to undo the configuration steps you have performe ``` *Kubernetes command:* ```bash - kubectl exec <ranger-pod-name> -n <namespace> -- sh -c 'rm -rf ews/webapp/WEB-INF/classes/ranger-plugins/datahub' + kubectl exec -n -- sh -c 'rm -rf ews/webapp/WEB-INF/classes/ranger-plugins/datahub' ``` ## Revert Configuration of your DataHub Deployment ### Docker 1. Unset environment variables: Execute below command to unset the environment variables - ```bash - unset AUTH_POLICIES_ENABLED - unset RANGER_AUTHORIZER_ENABLED - unset RANGER_USERNAME - unset RANGER_PASSWORD - ``` + ```bash + unset AUTH_POLICIES_ENABLED + unset RANGER_AUTHORIZER_ENABLED + unset RANGER_USERNAME + unset RANGER_PASSWORD + ``` 2. Redeploy DataHub (`datahub-gms`) ### Kubernetes For kubernetes example command, please replace the <namespace> as per your environment. 1. Open deployment editor: Execute below command ```bash - kubectl edit deployment datahub-datahub-gms -n <namespace> + kubectl edit deployment datahub-datahub-gms -n ``` 2. Remove below environments variables 1. AUTH_POLICIES_ENABLED 
@@ -257,7 +257,7 @@ then follow the below sections to undo the configuration steps you have performe 2. volumeMounts 4. Save and quit the editor and use below command to check status of **datahub-datahub-gms** deployment rollout ```bash - kubectl rollout status deployment/datahub-datahub-gms -n <namespace> + kubectl rollout status deployment/datahub-datahub-gms -n ``` On successful rollout you should see a message *deployment "datahub-datahub-gms" successfully rolled out*
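Review bot: In the @@ -29,33 +29,33 @@ hunk the re-indented commands lose their placeholders: the added lines read `kubectl exec mkdir ews/webapp/WEB-INF/classes/ranger-plugins/datahub -n`, `docker cp datahub-ranger-plugin-.jar ...` and `curl -u : ... http://:6080/service/public/v2/api/servicedef`, while the bullet list directly above the curl still tells the reader to replace `<ranger-admin-username>`, `<ranger-admin-password>` and `<ranger-host>`. Restore `<ranger-pod-name>`, `<namespace>`, `<version>` and the three curl placeholders exactly as they were in the removed lines. While touching the `kubectl exec` line, consider the `<ranger-pod-name> -n <namespace> -- mkdir ...` form, which matches the `-- sh -c` form the revert section already uses.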
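Review bot: In the @@ -145,16 +101,59 @@ hunk the sample value for *ranger.plugin.datahub.policy.rest.url* in the re-added Kubernetes step 2 is `http://199.222.9.70:6080`, whereas the snippet removed in the @@ -91,50 +91,6 @@ hunk used `http://199.209.9.70:6080`; a section move should not change the sample, and a literal address invites copy-paste. Use `http://<ranger-host>:6080` so it matches the placeholder in the curl commands. In the same hunk, `kubectl apply -f auth-plugin-configuration-configMap.kubernetes.yaml -n` now ends in a bare `-n`, and the re-indented `kubectl edit deployment datahub-datahub-gms` still has an untagged fence and no `-n <namespace>`, unlike the same command in the revert section.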
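Review bot: In the @@ -162,27 +161,28 @@ hunk, `RANGER_USERNAME` and `RANGER_PASSWORD` change from `value: "<username>"` and `value: "<password>"` to `value: ""`, so the step text still says to replace <username> and <password> but the snippet has nothing left to replace, and pasting it as written sets empty credentials. Restore the placeholders; the same applies to `export RANGER_USERNAME=` and `export RANGER_PASSWORD=` in the Docker steps added by the preceding hunk. Because this is the Ranger admin password, the README would be better showing it sourced from a Kubernetes Secret through `valueFrom.secretKeyRef` than as a literal in the deployment spec, where anyone who can read the deployment can read it. The blank line added before the closing fence of the `volumeMounts` snippet can also be dropped.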
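Review bot: In the @@ -217,7 +217,7 @@ and @@ -227,25 +227,25 @@ hunks the uninstall commands are no longer usable as written: `curl -u : -X DELETE ... http://:6080/service/public/v2/api/servicedef/name/datahub` has no user, password or host, and `kubectl exec -n -- sh -c 'rm -rf ...'` has no pod name and no namespace after `-n`. Restore `<ranger-admin-username>`, `<ranger-admin-password>`, `<ranger-host>`, `<ranger-pod-name>` and `<namespace>` from the removed lines; the bare trailing `-n` on `kubectl edit deployment datahub-datahub-gms` and on `kubectl rollout status` in the @@ -257,7 +257,7 @@ hunk needs the same fix. Separately, both curl commands in this patch put the Ranger admin password on the command line and send it over `http://`; showing `-u <ranger-admin-username>` alone lets curl prompt for the password and keeps it out of shell history.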