Ranger 0.6 supports authorization of access based on tags associated with resources, in addition to resource-based access authorization. The tag-based policy model offers several advantages over the resource-based model. One of the most important is that it separates resource classification from access authorization. This, in turn, allows security administrators to conceptualize and author access policies across multiple components (such as HDFS and Hive) in terms of the type or class of data, which is a higher-level abstraction, rather than in terms of the component-specific resources that the resource-based model requires.
The Ranger tag policy model provides the structures and abstractions needed to express and enforce tag-based policies. However, the tags themselves (which identify the class of data contained in a resource) are provisioned by an external system that maintains metadata about the resources. This necessitates a tool that keeps the external tag source and Ranger Admin in synchronization.
The Ranger suite includes a module called Tag-Sync (short for Tag Synchronization Module) that synchronizes tagging information (entity-tag associations as well as the values of tag attributes, if any) between a tag source (usually Atlas in the Apache DGI ecosystem) and Ranger Admin.
The Tag-Sync module does not concern itself with how entities are associated with tags or how tag attributes are given their values. It only ensures that notifications of any change to an entity-tag association or to a tag-attribute value are received, and that Ranger Admin is updated accordingly.
Tag-Sync module is implemented within Ranger as a stand-alone, daemon process named ranger-tagsync.
Tag-Sync is part of Apache-Ranger project distribution.
To install Tag-Sync:
This will unpack the archive and create the “ranger-tagsync” directory, with the needed sub-directories and files, under the Apache installation root directory. This is the ranger-tagsync-install-directory.
% cd ranger-tagsync-install-directory
% export JAVA_HOME=location-of-java-home-on-the-machine
The contents of install.properties are described in the Configuration section of this document.
The run-time directory structure copies scripts into appropriate directories, creates files required for Atlas integration, creates configuration files which are used by ranger-tagsync process to configure itself, and sets up symbolic links wherever necessary.
Tag-Sync configuration consists of providing property values that control the following aspects of the module.
The property values are provided to the Tag-Sync installer in a simple file named “install.properties”, in “name=value” format.
“install.properties” file contains the following properties.
PROPERTY_NAME in ranger-tagsync-site.xml
URL of the destination of tags
Please customize the value to suit your deployment. (Default value: ‘http://localhost:6080’)
File containing SSL Configuration
Please customize the value to point to the SSL configuration specific to your deployment. The value is used only when the scheme of the TAGADMIN_ENDPOINT URL is ‘https’; it is ignored if the scheme is ‘http’. (Default value: ‘’)
Source of the tags
True if the source of tags is ‘atlas’, that is, if Atlas notification events (delivered through Kafka) are the source of tags. (Default value: ‘True’)
URL of the Kafka endpoint to which Atlas sends its notifications.
atlas.kafka.bootstrap.servers (in atlas-application.properties)
Please customize the value to suit your deployment. (Default value: ‘localhost:6667’)
URL of the zookeeper endpoint needed for Atlas.
atlas.kafka.zookeeper.connect (in atlas-application.properties)
Please customize the value to suit your deployment. (Default value: ‘localhost:2181’)
String representing Kafka Consumer Group id used by Tag-Sync.
atlas.kafka.entities.group.id (in atlas-application.properties)
Please customize the value to suit your deployment. (Default value: ‘ranger_entities_consumer’)
atlas.kafka.sasl.kerberos.service.name (in atlas-application.properties)
atlas.kafka.sasl.kerberos.security.protocol (in atlas-application.properties)
atlas.jaas.kafkaClient.option.principal (in atlas-application.properties)
atlas.jaas.kafkaClient.option.keyTab (in atlas-application.properties)
Source of tags
True if the source of tags is ‘atlasrest’, that is, if tags are downloaded from Atlas through its REST interface rather than received as events. (Default value: ‘False’)
URL of the Atlas Endpoint. If TAG_SOURCE_ATLASREST_ENABLED is true, then this needs to be set.
Please customize the value to suit your deployment. (Default value: ‘http://localhost:21000’)
Number of milliseconds between successive downloads of tags from Atlas when TAG_SOURCE_ATLASREST_ENABLED is true.
Please customize the value to suit your deployment. (Default value: ‘90000’)
True if the source of tags is ‘file’. A sample file in the expected format is available at /etc/ranger/tagsync/conf/etc/ranger/data/tags.json. (Default value: ‘False’)
File name containing tags if TAG_SOURCE_FILE_ENABLED is true.
Please customize the value to suit your deployment. (Default value: ‘/etc/ranger/data/tags.json’)
Number of milliseconds between checks for changes to TAGSYNC_SOURCE_FILE_FILENAME if TAG_SOURCE_FILE_ENABLED is true.
Please customize the value to suit your deployment. (Default value: ‘60000’)
Mapping between Atlas cluster-name, component-type and Ranger service-name
The property name in ranger-tagsync-site.xml is generated dynamically from the value of this property.
This mapping is provided as a string value in the following format.
Please customize the value to suit your deployment. (Default value: ‘’)
Used to extend ranger-tagsync to support tags for components other than Hive.
For future use. Currently, the value is empty. (Default value: ‘’)
File to store encrypted password for Ranger Admin user ‘rangertagsync’ that is used for communicating with Ranger
Please customize to suit your deployment. (Default value: ‘/etc/ranger/tagsync/conf/rangertagsync.jceks’)
The ranger-tagsync process runs as this Unix user.
There is no need to change this value (default is ‘ranger’).
The ranger-tagsync process runs with this Unix group id.
Directory where logs are stored.
Please customize the value to suit your deployment. (default is ‘log’)
Please customize the value to suit your deployment
Please customize the value to suit your deployment.
Hadoop configuration directory.
Please customize the value to suit your deployment. (Default value: ‘/etc/hadoop/conf’)
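The following script is an added example, not code from Ranger or from this page. It lints an install.properties file against the rules stated in the table above: the file is parsed in its name=value format; a plain-http TAGADMIN_ENDPOINT is flagged, because the ‘rangertagsync’ credentials and the tag data would cross the network in clear; an https endpoint without an SSL configuration file is an error; at least one tag source must be enabled; and an enabled ‘atlasrest’ or ‘file’ source must name its endpoint or file. Only TAGADMIN_ENDPOINT, TAG_SOURCE_ATLASREST_ENABLED, TAG_SOURCE_FILE_ENABLED and TAGSYNC_SOURCE_FILE_FILENAME are named on this page; the other property names, the two sample files and the host names are assumptions, so adjust them to match the install.properties shipped with your distribution.

```python
"""Lint a ranger-tagsync install.properties (added example, not Ranger code)."""
from urllib.parse import urlparse

# Property names that appear in the text above.
TAGADMIN_ENDPOINT = "TAGADMIN_ENDPOINT"
ATLASREST_ENABLED = "TAG_SOURCE_ATLASREST_ENABLED"
FILE_ENABLED = "TAG_SOURCE_FILE_ENABLED"
FILE_FILENAME = "TAGSYNC_SOURCE_FILE_FILENAME"
# Assumed names for settings the text describes without naming them; check
# them against the install.properties shipped with your distribution.
ATLAS_ENABLED = "TAG_SOURCE_ATLAS_ENABLED"
SSL_CONFIG = "TAGADMIN_SSL_CONFIG_FILENAME"
ATLASREST_ENDPOINT = "TAG_SOURCE_ATLASREST_ENDPOINT"
ATLASREST_INTERVAL = "TAG_SOURCE_ATLASREST_DOWNLOAD_INTERVAL_IN_MILLIS"
FILE_INTERVAL = "TAG_SOURCE_FILE_CHECK_INTERVAL_IN_MILLIS"


def parse_properties(text):
    """Parse the simple name=value format; blank lines and '#' comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split("=", 1)
        props[name.strip()] = value.strip()
    return props


def is_true(value):
    return value.strip().lower() == "true"


def check_interval(props, name, findings):
    """Intervals are milliseconds; an absent value means the installer default applies."""
    value = props.get(name)
    if value is not None and (not value.isdigit() or int(value) <= 0):
        findings.append(("ERROR", f"{name} must be a positive number of milliseconds, got {value!r}"))


def lint(props):
    """Return (severity, message) findings; an empty list means the file passed."""
    findings = []
    endpoint = props.get(TAGADMIN_ENDPOINT, "http://localhost:6080")  # default from the table
    scheme = urlparse(endpoint).scheme.lower()
    ssl_cfg = props.get(SSL_CONFIG, "")
    if scheme == "http":
        findings.append(("WARN", f"{TAGADMIN_ENDPOINT} is plain http: rangertagsync credentials "
                                 "and tag data cross the network in clear"))
    elif not ssl_cfg:
        findings.append(("ERROR", f"{TAGADMIN_ENDPOINT} is https but no SSL configuration file is set"))
    # Defaults from the table: atlas True, atlasrest False, file False.
    sources = {
        "atlas": is_true(props.get(ATLAS_ENABLED, "true")),
        "atlasrest": is_true(props.get(ATLASREST_ENABLED, "false")),
        "file": is_true(props.get(FILE_ENABLED, "false")),
    }
    enabled = [name for name, on in sources.items() if on]
    if not enabled:
        findings.append(("ERROR", "no tag source is enabled"))
    elif len(enabled) > 1:
        findings.append(("WARN", "more than one tag source enabled: " + ", ".join(enabled)))
    if sources["atlasrest"]:
        if not props.get(ATLASREST_ENDPOINT):
            findings.append(("ERROR", f"{ATLASREST_ENABLED} is true but the Atlas endpoint is empty"))
        check_interval(props, ATLASREST_INTERVAL, findings)
    if sources["file"]:
        if not props.get(FILE_FILENAME):
            findings.append(("ERROR", f"{FILE_ENABLED} is true but {FILE_FILENAME} is empty"))
        check_interval(props, FILE_INTERVAL, findings)
    return findings


# Constructed sample files (not shipped with Ranger); host names and paths are placeholders.
WEAK = """
TAGADMIN_ENDPOINT = http://ranger-admin.example.internal:6080
TAG_SOURCE_ATLAS_ENABLED = true
TAG_SOURCE_ATLASREST_ENABLED = true
TAG_SOURCE_ATLASREST_ENDPOINT =
TAG_SOURCE_FILE_ENABLED = false
"""

HARDENED = """
TAGADMIN_ENDPOINT = https://ranger-admin.example.internal:6182
TAGADMIN_SSL_CONFIG_FILENAME = /etc/ranger/tagsync/conf/ranger-tagsync-ssl.xml
TAG_SOURCE_ATLAS_ENABLED = false
TAG_SOURCE_ATLASREST_ENABLED = true
TAG_SOURCE_ATLASREST_ENDPOINT = https://atlas.example.internal:21443
TAG_SOURCE_ATLASREST_DOWNLOAD_INTERVAL_IN_MILLIS = 90000
TAG_SOURCE_FILE_ENABLED = false
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"== {label} ==")
        for severity, message in lint(parse_properties(text)) or [("OK", "no findings")]:
            print(f"{severity}: {message}")
```

Run it against your own file with `lint(parse_properties(open("install.properties").read()))`; the weak sample produces two warnings (plain http, two sources enabled) and one error (atlasrest enabled without an endpoint), the hardened sample produces none.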
Updating the password for Ranger Admin user ‘rangertagsync’ and/or for the Atlas user
If, after installation, it is desired to change the password of the ‘rangertagsync’ user, then
Similarly, to change the username and password for the Atlas user (used if the tag source is ‘atlasrest’)
A run-time directory structure is created after configuring property values in install.properties, and then executing setup.sh script.
Properties required for Atlas interface
Shell command to set JAVA_HOME environment variable
Log4j configuration properties
Ranger-tagsync process configuration properties
Encrypted password for Ranger Admin user ‘rangertagsync’
Shell script to start/stop/query ranger-tagsync service
Shell script to start/stop ranger-tagsync process
Directory where logs (ranger-tagsync.log*) generated by ranger-tagsync are stored.
File containing process-id of the ranger-tagsync process, if it is running
The ranger-tagsync service may be started after the Tag-Sync module is installed and configured.
To check if ranger-tagsync is running, log in as a super-user and execute
% service ranger-tagsync status
To start ranger-tagsync process, log in as a super-user and execute
% service ranger-tagsync start
To stop ranger-tagsync process, log in as a super-user and execute
% service ranger-tagsync stop
At present, the Tag-Sync module is not integrated with Ambari. It needs to be installed, configured and run separately from the rest of the modules in the Ranger suite, using the commands described in this document.
To integrate Tag-Sync with Ambari, an Ambari interface file needs to be set up containing the properties in ranger-tagsync-site.xml and ranger-tagsync-default.xml (which is in the .jar file for ranger-tagsync), used to configure the ranger-tagsync process, and the properties in application.properties, used to configure the Atlas interface.