### Configure Audit Server with Custom Settings

Source: https://github.com/apache/ranger/blob/master/audit-server/scripts/README.md

Example of setting custom JVM heap size and log directory for the audit server before starting it. Environment variables are used for configuration.

```bash
# Set custom heap size and log directory
export AUDIT_SERVER_HEAP="-Xms1g -Xmx4g"
export AUDIT_SERVER_LOG_DIR="/var/log/ranger/range-audit-server"
./audit-ingestor/scripts/start-audit-ingestor.sh
```

--------------------------------

### Example Command for Single API Testing

Source: https://github.com/apache/ranger/blob/master/ranger-tools/src/main/python/README.md

An example demonstrating how to run the performance analyzer for a single API test, including all necessary parameters.

```bash
> python3 performance_analyzer.py --ranger_url http://ranger_host:ranger_admin_port --calls 10 --api create_policy --username admin --password Admin123 --client_ip vpn_ip_client_in_logs --ssh_host ranger_host --ssh_user ssh_user --ssh_password ssh_password
```

--------------------------------

### Build Ranger Examples

Source: https://github.com/apache/ranger/blob/master/ranger-examples/README.txt

Commands to build the Ranger examples, including the SampleApp and its plugin. These artifacts are required for setting up the application.

```bash
mvn clean compile package assembly:assembly
cd ranger-examples
mvn clean compile package assembly:assembly
```

--------------------------------

### Setup SampleApp

Source: https://github.com/apache/ranger/blob/master/ranger-examples/README.txt

Steps to set up the SampleApp in a local directory. This involves extracting the application and plugin archives and configuring security and audit properties.

```bash
mkdir /tmp/sampleapp
cd /tmp/sampleapp
tar xvfz ranger-examples--sampleapp.tar.gz
tar xvfz ranger-examples--sampleapp-plugin.tar.gz
```

--------------------------------

### Build and Run Ranger Client Example

Source: https://github.com/apache/ranger/blob/master/intg/src/main/java/README.md

Commands to build the project, copy dependencies, and run the testRanger application.

```bash
mvn clean package
mvn install dependency:copy-dependencies
java -cp "target/-3.0.0-SNAPSHOT.jar:target/dependency/*" testRanger
```

--------------------------------

### Install Python Requirements

Source: https://github.com/apache/ranger/blob/master/ranger-tools/src/main/python/README.md

Use pip to install the necessary requirements for running the performance tests. Ensure you are in the 'python' directory.

```bash
> pip install -r requirements.txt
```

--------------------------------

### Install Apache Ranger Python Client

Source: https://github.com/apache/ranger/blob/master/intg/src/main/python/README.md

Install the Apache Ranger Python client using pip. Install 'requests_kerberos' if Kerberos authentication is required.

```bash
> pip install apache-ranger
> pip install requests_kerberos (If using kerberos for authentication)
```

--------------------------------

### Build Ranger with Maven

Source: https://github.com/apache/ranger/blob/master/README.md

Clean and install Ranger project using Maven. Requires JDK 17 and proper JAVA_HOME/PATH setup.

```bash
mvn clean install
```

```bash
mvn eclipse:eclipse
```

--------------------------------

### Verify Java Installation

Source: https://github.com/apache/ranger/blob/master/intg/src/main/java/README.md

Use this command to verify that Java 8 is installed on your system.

```bash
java -version
java version "1.8.0_281"
Java(TM) SE Runtime Environment (build 1.8.0_281-b09)
Java HotSpot(TM) 64-Bit Server VM (build 25.281-b09, mixed mode)
```

--------------------------------

### Install MkDocs Dependencies

Source: https://github.com/apache/ranger/blob/master/mkdocs/README.md

Install all necessary Python packages for the MkDocs site from the requirements file.

```bash
pip install -r requirements.txt
```

--------------------------------

### Verify Apache Ranger Python Client Installation

Source: https://github.com/apache/ranger/blob/master/intg/src/main/python/README.md

Verify the installation of the Apache Ranger client by listing installed packages with pip.

```bash
> pip list

Package      Version
------------ ---------
apache-ranger 0.0.12
```

--------------------------------

### Apache Ranger User Management Client Example

Source: https://github.com/apache/ranger/blob/master/intg/src/main/python/README.md

This Python script demonstrates the usage of the RangerUserMgmtClient for various user and group management operations. It requires the 'apache-ranger' Python package to be installed. Ensure Ranger is running and accessible at the specified URL.

```python
# test_ranger_user_mgmt.py

from apache_ranger.client.ranger_client import *
from apache_ranger.utils import *
from apache_ranger.model.ranger_user_mgmt import *
from apache_ranger.client.ranger_user_mgmt_client import *
from datetime import datetime

##
## Step 1: create a client to connect to Apache Ranger
##
ranger_url  = 'http://localhost:6080'
ranger_auth = ('admin', 'rangerR0cks!')

# For Kerberos authentication
#
# from requests_kerberos import HTTPKerberosAuth
#
# ranger_auth = HTTPKerberosAuth()
#
# For HTTP Basic authentication
#
# ranger_auth = ('admin', 'rangerR0cks!')

ranger    = RangerClient(ranger_url, ranger_auth)
user_mgmt = RangerUserMgmtClient(ranger)

##
## Step 2: Let's call User Management APIs
##

print('\nListing users')

users = user_mgmt.find_users()

print(f' {len(users.list)} users found')

for user in users.list:
    print(f' id: {user.id}, name: {user.name}')

print('\nListing groups')

groups = user_mgmt.find_groups()

print(f' {len(groups.list)} groups found')

for group in groups.list:
    print(f' id: {group.id}, name: {group.name}')

print('\nListing group-users')

group_users = user_mgmt.find_group_users()

print(f' {len(group_users.list)} group-users found')

for group_user in group_users.list:
    print(f' id: {group_user.id}, groupId: {group_user.parentGroupId}, userId: {group_user.userId}')

now = datetime.now()

name_suffix = '-' + now.strftime('%Y%m%d-%H%M%S-%f')
user_name   = 'test-user' + name_suffix
group_name  = 'test-group' + name_suffix

user = RangerUser({
    "name": user_name,
    "firstName": user_name,
    "lastName": "user",
    "emailAddress": user_name + '@test.org',
    "password": "Welcome1",
    "userRoleList": [ "ROLE_USER" ],
    "otherAttributes": '{ "dept": "test" }'
})

print(f'\nCreating user: name={user.name}')

created_user = user_mgmt.create_user(user)

print(f' created user: {created_user}')

group = RangerGroup({
    "name": group_name,
    "otherAttributes": '{ "dept": "test" }'
})

print(f'\nCreating group: name={group.name}')

created_group = user_mgmt.create_group(group)

print(f' created group: {created_group}')

group_user = RangerGroupUser({
    "name": created_group.name,
    "parentGroupId": created_group.id,
    "userId": created_user.id
})

print(f'\nAdding user {created_user.name} to group {created_group.name}')

created_group_user = user_mgmt.create_group_user(group_user)

print(f' created group-user: {created_group_user}')

print('\nListing group-users')

group_users = user_mgmt.find_group_users()

print(f' {len(group_users.list)} group-users found')

for group_user in group_users.list:
    print(f' id: {group_user.id}, groupId: {group_user.parentGroupId}, userId: {group_user.userId}')

print(f'\nListing users for group {group.name}')

users = user_mgmt.get_users_in_group(group.name)

print(f' users: {users}')

print(f'\nListing groups for user {user.name}')

groups = user_mgmt.get_groups_for_user(user.name)

print(f' groups: {groups}')

print(f'\nDeleting group-user {created_group_user.id}')

user_mgmt.delete_group_user_by_id(created_group_user.id)

print(f'\nDeleting group {group.name}')

user_mgmt.delete_group_by_id(created_group.id, True)

print(f'\nDeleting user {user.name}')

user_mgmt.delete_user_by_id(created_user.id, True)
```

--------------------------------

### Build Ranger Documentation

Source: https://github.com/apache/ranger/blob/master/docs/README.txt

Run these commands in the root directory to build the project and generate API documentation. Ensure you run 'mvn install' first.

```bash
mvn clean install
```

```bash
mvn enunciate:docs
```

--------------------------------

### SampleApp Authorization Commands

Source: https://github.com/apache/ranger/blob/master/ranger-examples/README.txt

Example commands to trigger access authorization within the SampleApp. These commands simulate read, write, and execute requests for a given file path and user.

```bash
command> read filePath user1 userGroup1 userGroup2 userGroup3
command> write filePath user1 userGroup1 userGroup2 userGroup3
command> execute filePath user1 userGroup1 userGroup2 userGroup3
```

--------------------------------

### Apache Ranger Java Client Usage Example

Source: https://github.com/apache/ranger/blob/master/intg/src/main/java/README.md

This example demonstrates how to create a RangerClient, create a new service, create a new policy, delete a policy, and delete a service. Ensure your Ranger admin is running and accessible at the specified URL.

```java
// testRanger

import java.util.*;

import org.apache.ranger.*;
import org.apache.ranger.plugin.model.*;

public class testRanger {
    public static void main(String[] args) throws RangerServiceException {
        // create a client to connect to Apache Ranger admin
        String rangerUrl = "http://localhost:6080";
        String username  = "admin";
        String password  = "rangerR0cks!";

        /* for kerberos authentication:
           authType = "kerberos"
           username = principal
           password = path of the keytab file */

        // For SSL enabled ranger admin use SSL config file (see: ranger-examples/sample-client/conf/ssl-client.xml)
        RangerClient rangerClient = new RangerClient(rangerUrl, "simple", username, password, null);

        String serviceDefName = "hive";
        String serviceName    = "testHive";
        String policyName     = "testPolicy";

        /* Create a new Service */
        RangerService service = new RangerService();
        service.setType(serviceDefName);
        service.setName(serviceName);

        Map<String, String> config = new HashMap<>();
        config.put("username", "hive");
        config.put("password", "hive");
        config.put("jdbc.driverClassName", "org.apache.hive.jdbc.HiveDriver");
        config.put("jdbc.url", "jdbc:hive2://ranger-hadoop:10000");
        config.put("hadoop.security.authorization", "true");
        service.setConfigs(config);

        RangerService createdService = rangerClient.createService(service);
        System.out.println("New Service created with id: " + createdService.getId());

        /* Create a new Policy */
        Map<String, RangerPolicy.RangerPolicyResource> resource = new HashMap<>();
        resource.put("database", new RangerPolicy.RangerPolicyResource("test_db"));
        resource.put("table", new RangerPolicy.RangerPolicyResource("test_table"));
        resource.put("column", new RangerPolicy.RangerPolicyResource("*"));

        RangerPolicy policy = new RangerPolicy();
        policy.setService(serviceName);
        policy.setName(policyName);
        policy.setResources(resource);

        RangerPolicy createdPolicy = rangerClient.createPolicy(policy);
        System.out.println("New Policy created with id: " + createdPolicy.getId());

        /* Delete a policy */
        rangerClient.deletePolicy(serviceName, policyName);
        System.out.println("Policy with name: " + policyName + " deleted successfully");

        /* Delete a Service */
        rangerClient.deleteService(serviceName);
        System.out.println("Service with name: " + serviceName + " deleted successfully");
    }
}
```

--------------------------------

### Install sysstat on Debian/Ubuntu or RHEL/CentOS

Source: https://github.com/apache/ranger/blob/master/ranger-tools/src/main/python/README.md

Install the sysstat package on your server. This tool is used for collecting system metrics.

```bash
> sudo apt-get install sysstat
```

or

```bash
> sudo yum install sysstat
```

--------------------------------

### Start Audit Server Ingestor

Source: https://github.com/apache/ranger/blob/master/audit-server/scripts/README.md

Use this script to start the audit ingestor service. Ensure the path is correct relative to the project root.

```bash
# Start
./audit-ingestor/scripts/start-audit-ingestor.sh
```

--------------------------------

### Activate Python Virtual Environment

Source: https://github.com/apache/ranger/blob/master/mkdocs/README.md

Activate the created virtual environment before installing dependencies.

```bash
source .venv/bin/activate
```

--------------------------------

### Docker Compose: Start All Audit Server Services

Source: https://github.com/apache/ranger/blob/master/audit-server/scripts/README.md

Starts the ingestor and both dispatchers using Docker Compose.
Requires multiple compose files to be specified.

```bash
docker compose -f docker-compose.ranger.yml \
  -f docker-compose.ranger.hadoop.yml \
  -f docker-compose.ranger.kafka.yml \
  -f docker-compose.ranger-audit-server.yml up -d
```

--------------------------------

### Docker Compose: Start Only Solr Dispatcher

Source: https://github.com/apache/ranger/blob/master/audit-server/scripts/README.md

Starts only the Solr dispatcher service using Docker Compose. Requires specific compose files for Ranger core, Kafka, and the Solr dispatcher.

```bash
docker compose -f docker-compose.ranger.yml \
  -f docker-compose.ranger.kafka.yml \
  -f docker-compose.ranger-audit-dispatcher-solr.yml up -d
```

--------------------------------

### Apache Ranger Python Client Example

Source: https://github.com/apache/ranger/blob/master/intg/src/main/python/README.md

This script demonstrates the full lifecycle of creating a Ranger service and policy, then deleting them. It requires the `apache-ranger-python-client` library and a running Ranger instance.

```python
# test_ranger.py

from apache_ranger.model.ranger_service import *
from apache_ranger.client.ranger_client import *
from apache_ranger.model.ranger_policy import *

## Step 1: create a client to connect to Apache Ranger admin
ranger_url  = 'http://localhost:6080'
ranger_auth = ('admin', 'rangerR0cks!')

# For Kerberos authentication
#
# from requests_kerberos import HTTPKerberosAuth
#
# ranger_auth = HTTPKerberosAuth()

ranger = RangerClient(ranger_url, ranger_auth)

# to disable SSL certificate validation (not recommended for production use!)
#
# ranger.session.verify = False

## Step 2: Let's create a service
service = RangerService()
service.name    = 'test_hive'
service.type    = 'hive'
service.configs = {'username':'hive', 'password':'hive', 'jdbc.driverClassName': 'org.apache.hive.jdbc.HiveDriver', 'jdbc.url': 'jdbc:hive2://ranger-hadoop:10000', 'hadoop.security.authorization': 'true'}

print('Creating service: name=' + service.name)

created_service = ranger.create_service(service)

print(' created service: name=' + created_service.name + ', id=' + str(created_service.id))

## Step 3: Let's create a policy
policy = RangerPolicy()
policy.service   = service.name
policy.name      = 'test policy'
policy.resources = { 'database': RangerPolicyResource({ 'values': ['test_db'] }),
                     'table':    RangerPolicyResource({ 'values': ['test_tbl'] }),
                     'column':   RangerPolicyResource({ 'values': ['*'] }) }

allowItem1 = RangerPolicyItem()
allowItem1.users    = [ 'admin' ]
allowItem1.accesses = [ RangerPolicyItemAccess({ 'type': 'create' }),
                        RangerPolicyItemAccess({ 'type': 'alter' }) ]

denyItem1 = RangerPolicyItem()
denyItem1.users    = [ 'admin' ]
denyItem1.accesses = [ RangerPolicyItemAccess({ 'type': 'drop' }) ]

policy.policyItems     = [ allowItem1 ]
policy.denyPolicyItems = [ denyItem1 ]

print('Creating policy: name=' + policy.name)

created_policy = ranger.create_policy(policy)

print(' created policy: name=' + created_policy.name + ', id=' + str(created_policy.id))

## Step 4: Delete policy and service created above
print('Deleting policy: id=' + str(created_policy.id))

ranger.delete_policy_by_id(created_policy.id)

print(' deleted policy: id=' + str(created_policy.id))

print('Deleting service: id=' + str(created_service.id))

ranger.delete_service_by_id(created_service.id)

print(' deleted service: id=' + str(created_service.id))
```

--------------------------------

### Start All Ranger Audit Services

Source: https://github.com/apache/ranger/blob/master/audit-server/scripts/README.md

Starts the Audit Server, Solr Dispatcher, and HDFS Dispatcher
in the correct order with specified delays.

```bash
./scripts/start-all-services.sh
```

--------------------------------

### Bring up Ranger Core Services in Containers

Source: https://github.com/apache/ranger/blob/master/dev-support/ranger-docker/README.md

Use this command to start the main Ranger services (ranger, usersync, tagsync, pdp, kms) in Docker containers. Optionally, enable file-based sync for usersync by setting the ENABLE_FILE_SYNC_SOURCE environment variable.

```bash
# To enable file based sync source for usersync do:
# export ENABLE_FILE_SYNC_SOURCE=true

# valid values for RANGER_DB_TYPE: mysql/postgres/oracle

docker compose -f docker-compose.ranger.yml -f docker-compose.ranger-usersync.yml -f docker-compose.ranger-tagsync.yml -f docker-compose.ranger-pdp.yml -f docker-compose.ranger-kms.yml up -d

# Ranger Admin can be accessed at http://localhost:6080 (admin/rangerR0cks!)
```

--------------------------------

### Initialize RangerUserMgmtClient and Find Users

Source: https://github.com/apache/ranger/blob/master/intg/src/main/python/README.md

Initializes RangerUserMgmtClient using an existing RangerClient instance to manage users and groups. This example demonstrates fetching a list of users.

```python
from apache_ranger.client.ranger_client import RangerClient
from apache_ranger.client.ranger_user_mgmt_client import RangerUserMgmtClient

ranger = RangerClient("http://localhost:6080", ("admin", "rangerR0cks!"))
user_mgmt = RangerUserMgmtClient(ranger)

users = user_mgmt.find_users()
print(len(users.list))
```

--------------------------------

### Docker Compose: Start Only HDFS Dispatcher

Source: https://github.com/apache/ranger/blob/master/audit-server/scripts/README.md

Starts only the HDFS dispatcher service using Docker Compose. Requires specific compose files for Ranger core, Hadoop, Kafka, and the HDFS dispatcher.

```bash
docker compose -f docker-compose.ranger.yml \
  -f docker-compose.ranger.hadoop.yml \
  -f docker-compose.ranger.kafka.yml \
  -f docker-compose.ranger-audit-dispatcher-hdfs.yml up -d
```

--------------------------------

### Rebuild Specific Images and Start Containers

Source: https://github.com/apache/ranger/blob/master/dev-support/ranger-docker/README.md

Use this command to rebuild specified service images and restart their containers without recreating dependencies. Replace ` ` with the actual service names.

```bash
docker compose -f docker-compose.ranger.yml -f docker-compose.ranger-usersync.yml -f docker-compose.ranger-tagsync.yml -f docker-compose.ranger-kms.yml -f docker-compose.ranger-hadoop.yml -f docker-compose.ranger-hbase.yml -f docker-compose.ranger-kafka.yml -f docker-compose.ranger-hive.yml -f docker-compose.ranger-trino.yml -f docker-compose.ranger-knox.yml up -d --no-deps --force-recreate --build
```

--------------------------------

### Run Ranger in Docker

Source: https://github.com/apache/ranger/blob/master/README.md

Build and run Ranger using Docker. Ensure Docker and Docker Compose are installed and running.

```bash
./ranger_in_docker up
```

--------------------------------

### Python Ranger KMS Client Example

Source: https://github.com/apache/ranger/blob/master/intg/src/main/python/README.md

This snippet demonstrates how to use the RangerKMSClient to perform various key management operations, including creating, rolling over, encrypting, decrypting, and deleting keys. It covers status checks, metadata retrieval, and key version management.

```python
# test_ranger_kms.py

from apache_ranger.client.ranger_kms_client import RangerKMSClient
from apache_ranger.client.ranger_client import HadoopSimpleAuth
from apache_ranger.model.ranger_kms import RangerKey
import time

##
## Step 1: create a client to connect to Apache Ranger KMS
##
kms_url  = 'http://localhost:9292'
kms_auth = HadoopSimpleAuth('keyadmin')

# For Kerberos authentication
#
# from requests_kerberos import HTTPKerberosAuth
#
# kms_auth = HTTPKerberosAuth()
#
# For HTTP Basic authentication
#
# kms_auth = ('keyadmin', 'rangerR0cks!')

kms_client = RangerKMSClient(kms_url, kms_auth)

##
## Step 2: Let's call KMS APIs
##

kms_status = kms_client.kms_status()
print('kms_status():', kms_status)
print()

key_name = 'test_' + str(int(time.time() * 1000))

key = kms_client.create_key(RangerKey({'name':key_name}))
print('create_key(' + key_name + '):', key)
print()

rollover_key = kms_client.rollover_key(key_name, key.material)
print('rollover_key(' + key_name + '):', rollover_key)
print()

kms_client.invalidate_cache_for_key(key_name)
print('invalidate_cache_for_key(' + key_name + ')')
print()

key_metadata = kms_client.get_key_metadata(key_name)
print('get_key_metadata(' + key_name + '):', key_metadata)
print()

current_key = kms_client.get_current_key(key_name)
print('get_current_key(' + key_name + '):', current_key)
print()

encrypted_keys = kms_client.generate_encrypted_key(key_name, 6)
print('generate_encrypted_key(' + key_name + ', ' + str(6) + '):')
for i in range(len(encrypted_keys)):
    encrypted_key   = encrypted_keys[i]
    decrypted_key   = kms_client.decrypt_encrypted_key(key_name, encrypted_key.versionName, encrypted_key.iv, encrypted_key.encryptedKeyVersion.material)
    reencrypted_key = kms_client.reencrypt_encrypted_key(key_name, encrypted_key.versionName, encrypted_key.iv, encrypted_key.encryptedKeyVersion.material)
    print(' encrypted_keys[' + str(i) + ']: ', encrypted_key)
    print(' decrypted_key[' + str(i) + ']: ', decrypted_key)
    print(' reencrypted_key[' + str(i) + ']:', reencrypted_key)
print()

reencrypted_keys = kms_client.batch_reencrypt_encrypted_keys(key_name, encrypted_keys)
print('batch_reencrypt_encrypted_keys(' + key_name + ', ' + str(len(encrypted_keys)) + '):')
for i in range(len(reencrypted_keys)):
    print(' batch_reencrypt_encrypted_key[' + str(i) + ']:', reencrypted_keys[i])
print()

key_versions = kms_client.get_key_versions(key_name)
print('get_key_versions(' + key_name + '):', len(key_versions))
for i in range(len(key_versions)):
    print(' key_versions[' + str(i) + ']:', key_versions[i])
print()

for i in range(len(key_versions)):
    key_version = kms_client.get_key_version(key_versions[i].versionName)
    print('get_key_version(' + str(i) + '):', key_version)
print()

key_names = kms_client.get_key_names()
print('get_key_names():', len(key_names))
for i in range(len(key_names)):
    print(' key_name[' + str(i) + ']:', key_names[i])
print()

keys_metadata = kms_client.get_keys_metadata(key_names)
print('get_keys_metadata(' + str(key_names) + '):', len(keys_metadata))
for i in range(len(keys_metadata)):
    print(' key_metadata[' + str(i) + ']:', keys_metadata[i])
print()

key = kms_client.get_key(key_name)
print('get_key(' + key_name + '):', key)
print()

kms_client.delete_key(key_name)
print('delete_key(' + key_name + ')')
```

--------------------------------

### Authorize access to a single resource (path)

Source: https://github.com/apache/ranger/blob/master/authz-api/README.txt

Example of an authorization request for accessing a specific path resource. Includes user details, resource information, and requested permissions.

```json
{
  "requestId": "9198b532-a386-4464-9770-d61a8e8bc206",
  "user": {
    "name": "gary.adams",
    "groups": [ "fte", "mktg" ],
    "roles": [ "analyst" ]
  },
  "access": {
    "resource": {
      "name": "path:/warehouse/hive/mktg/visitors",
      "attributes": {
        "OWNER": "nancy.boxer"
      }
    },
    "action": "LIST",
    "permissions": [ "list" ]
  }
}
```

--------------------------------

### Example configFile for API Source

Source: https://github.com/apache/ranger/blob/master/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/README.md

This JSON configuration file is used to provide Base64-encoded secrets for retrieving a Bearer Token when accessing an external user store via API. It specifies the token URL, required headers, and parameters for the token request.

```json
{
  "tokenUrl": "https://security.mycompany.com/token.oauth2",
  "headers": [
    { "Content-Type": "application/x-www-form-urlencoded" },
    { "Accept": "application/json" }
  ],
  "params": [
    { "client_id": "my_user_name" },
    { "client_secret": "***************" },
    { "grant_type": "client_credentials" },
    { "scope": "my_project" }
  ]
}
```

--------------------------------

### Execute SampleApp with Default Authorizer

Source: https://github.com/apache/ranger/blob/master/ranger-examples/README.txt

Instructions to run the SampleApp using the default authorizer (not Ranger). Users can then enter commands to test access authorization.

```bash
cd /tmp/sampleapp
./run-sampleapp.sh
```

--------------------------------

### Navigate and Build Site

Source: https://github.com/apache/ranger/blob/master/docs/README.txt

Change directory to the documentation source and build the site. The DOC_SRC_DIR variable should be set to 'ranger/docs'.

```bash
export DOC_SRC_DIR=ranger/docs
```

```bash
cd ${DOC_SRC_DIR}
```

```bash
mvn site
```

```bash
sh fix-external-site-reference.sh
```

--------------------------------

### Prepare Deployment Directory

Source: https://github.com/apache/ranger/blob/master/docs/README.txt

Create a temporary directory for deployment and check out the Apache Ranger site from SVN.

```bash
DOC_DEPLOY_DIR=/tmp/doc_deploy_dir.$$
```

```bash
mkdir -p ${DOC_DEPLOY_DIR}
```

```bash
svn co https://svn.apache.org/repos/asf/ranger/site/trunk ranger
```

--------------------------------

### Install sshpass on macOS

Source: https://github.com/apache/ranger/blob/master/ranger-tools/src/main/python/README.md

Install sshpass on macOS using Homebrew. This utility passes the SSH password non-interactively, so the connection runs without a password prompt.

```bash
> apt-get install sshpass
# or
> brew install hudochenkov/sshpass/sshpass
```

--------------------------------

### Serve MkDocs Site Locally (Strict Mode)

Source: https://github.com/apache/ranger/blob/master/mkdocs/README.md

Run the MkDocs development server to preview the site locally. Strict mode enforces more checks.

```bash
mkdocs serve --strict
```

--------------------------------

### Set JAVA_OPTS for Ranger Installation

Source: https://github.com/apache/ranger/blob/master/README.md

Configure JAVA_OPTS environment variable with necessary JVM arguments for Ranger component installation.

```bash
JAVA_OPTS="--add-opens=java.base/java.nio=ALL-UNNAMED --add-exports=java.base/sun.net.dns=ALL-UNNAMED --add-exports=java.base/sun.net.util=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-exports=java.xml.crypto/com.sun.org.apache.xml.internal.security.utils=ALL-UNNAMED"
```

--------------------------------

### Initialize Performance Analyzer Configuration

Source: https://github.com/apache/ranger/blob/master/ranger-tools/src/main/python/README.md

Run this script for first-time usage or to reset the configuration files to their default settings.

```bash
> python3 setup_performance_analyzer.py
```

--------------------------------

### Bring up Ozone Containers with Ranger

Source: https://github.com/apache/ranger/blob/master/dev-support/ranger-docker/README.md

This command sets up the Ozone plugin for Ranger and then deploys the Ozone service in Docker containers.

```bash
./scripts/ozone/ozone-plugin-docker-setup.sh
docker compose -f docker-compose.ranger.yml -f docker-compose.ranger-ozone.yml up -d
```

--------------------------------

### Start HDFS Audit Dispatcher

Source: https://github.com/apache/ranger/blob/master/audit-server/scripts/README.md

Starts the audit dispatcher configured for HDFS. The 'hdfs' argument specifies the dispatcher type.

```bash
# Start
./audit-dispatcher/scripts/start-audit-dispatcher.sh hdfs
```

--------------------------------

### Start Solr Audit Dispatcher

Source: https://github.com/apache/ranger/blob/master/audit-server/scripts/README.md

Starts the audit dispatcher configured for Solr. The 'solr' argument specifies the dispatcher type.

```bash
# Start
./audit-dispatcher/scripts/start-audit-dispatcher.sh solr
```

--------------------------------

### Example JSON Structure

Source: https://github.com/apache/ranger/blob/master/plugin-nestedstructure/README.md

This JSON structure serves as an example for defining access policies related to nested fields and arrays.

```json
{
  "store": {
    "book": [
      {
        "category": "reference",
        "author": "Nigel Rees",
        "title": "Sayings of the Century",
        "price": 8.95
      },
      {
        "category": "fiction",
        "author": "Evelyn Waugh",
        "title": "Sword of Honour",
        "price": 12.99
      },
      {
        "category": "fiction",
        "author": "Herman Melville",
        "title": "Moby Dick",
        "isbn": "0-553-21311-3",
        "price": 8.99
      },
      {
        "category": "fiction",
        "author": "J. R. R. Tolkien",
        "title": "The Lord of the Rings",
        "isbn": "0-395-19395-8",
        "price": 22.99
      }
    ],
    "bicycle": {
      "color": "red",
      "price": 19.95
    }
  },
  "expensive": 10
}
```

--------------------------------

### Build MkDocs Site for Production

Source: https://github.com/apache/ranger/blob/master/mkdocs/README.md

Generate the static files for the MkDocs website, ready for deployment.

```bash
mkdocs build
```

--------------------------------

### Synchronize Documentation Files

Source: https://github.com/apache/ranger/blob/master/docs/README.txt

Navigate to the target directory of the built documentation and use rsync to copy files to the deployment directory. The -n flag performs a dry run to review changes.

```bash
cd ${DOC_SRC_DIR}/target
```

```bash
rsync -avcn * ${DOC_DEPLOY_DIR}/ranger
```

```bash
rsync -avc * ${DOC_DEPLOY_DIR}/ranger
```

--------------------------------

### Initialize RangerClient and Find Services

Source: https://github.com/apache/ranger/blob/master/intg/src/main/python/README.md

Initializes the RangerClient with a base URL and basic authentication, then retrieves a list of services. Ensure the Ranger Admin host and port are correctly specified.

```python
from apache_ranger.client.ranger_client import RangerClient

ranger = RangerClient("http://localhost:6080", ("admin", "rangerR0cks!"))

services = ranger.find_services()
print(len(services.list))
```

--------------------------------

### Execute SampleApp with Ranger Authorizer

Source: https://github.com/apache/ranger/blob/master/ranger-examples/README.txt

Instructions to run the SampleApp with the Ranger authorizer enabled. This demonstrates Ranger's policy enforcement for access control. Audit logs are typically found in /tmp/ranger_audit.log.

```bash
cd /tmp/sampleapp
./run-sampleapp.sh ranger-authz
```

--------------------------------

### Docker Compose: Start Only Audit Ingestor

Source: https://github.com/apache/ranger/blob/master/audit-server/scripts/README.md

Starts only the audit ingestor service using Docker Compose. Requires specific compose files for Ranger core and Kafka.

```bash
docker compose -f docker-compose.ranger.yml \
  -f docker-compose.ranger.kafka.yml \
  -f docker-compose.ranger-audit-ingestor.yml up -d
```

--------------------------------

### Run RemoteAuthzClient with Kerberos Authentication

Source: https://github.com/apache/ranger/blob/master/authz-remote/README.md

Execute the sample client with a properties file configured for Kerberos-based authentication. Ensure 'request.json' contains the authorization request body.

```bash
java -cp "lib/*" org.apache.ranger.examples.pdpclient.RemoteAuthzClient request.json ranger-authz-remote-authn-kerberos.properties
```

--------------------------------

### Example Row Filter Policy Condition

Source: https://github.com/apache/ranger/blob/master/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/README.md

This example shows how a row filter policy can be constructed using user attributes retrieved from external sources. The condition uses the USER.partner attribute, which is mapped from an external source.

```text
${{USER.partner}}.includes(partner)
```

--------------------------------

### Build Individual Audit Services with Maven

Source: https://github.com/apache/ranger/blob/master/audit-server/scripts/README.md

Navigate to the specific service directory and use Maven to clean and package the service. This is useful for building services independently.

```bash
# Build specific service
cd audit-ingestor
mvn clean package

cd ../audit-dispatcher
mvn clean package
```

--------------------------------

### Run RemoteAuthzClient with Header Authentication

Source: https://github.com/apache/ranger/blob/master/authz-remote/README.md

Execute the sample client with a properties file configured for header-based authentication. Ensure 'request.json' contains the authorization request body.

```bash
java -cp "lib/*" org.apache.ranger.examples.pdpclient.RemoteAuthzClient request.json ranger-authz-remote-authn-header.properties
```

--------------------------------

### Build Ranger Audit Server Project

Source: https://github.com/apache/ranger/blob/master/audit-server/scripts/README.md

Build the project using Maven, skipping tests. Ensure Java 8+ is installed and JAVA_HOME is set.

```bash
cd /path/to/ranger-audit-server
mvn clean package -DskipTests
```

--------------------------------

### Run RemoteAuthzClient with JWT Authentication (Environment Variable)

Source: https://github.com/apache/ranger/blob/master/authz-remote/README.md

Execute the sample client using JWT authentication sourced from an environment variable. The JWT token should be set in the environment prior to execution. 'request.json' must contain the authorization request body.

```bash
java -cp "lib/*" org.apache.ranger.examples.pdpclient.RemoteAuthzClient request.json
```

--------------------------------

### Initialize Ranger PDP Client

Source: https://github.com/apache/ranger/blob/master/intg/src/main/python/README.md

Instantiate the RangerPDPClient, specifying the PDP URL. Authentication can be configured using Kerberos or trusted-header methods.

```python
from apache_ranger.client.ranger_pdp_client import RangerPDPClient
from apache_ranger.model.ranger_authz import RangerAccessContext, RangerAccessInfo
from apache_ranger.model.ranger_authz import RangerAuthzRequest, RangerMultiAuthzRequest
from apache_ranger.model.ranger_authz import RangerResourceInfo, RangerResourcePermissionsRequest, RangerUserInfo

pdp_url = 'http://localhost:6500'

# For Kerberos authentication
#
# from requests_kerberos import HTTPKerberosAuth
#
# pdp = RangerPDPClient(pdp_url, HTTPKerberosAuth())

# For trusted-header authN with PDP (example only):
# pdp = RangerPDPClient(pdp_url, auth=None, headers={ 'X-Forwarded-User': 'hive' })
```

--------------------------------

### Run Trino Container

Source: https://github.com/apache/ranger/blob/master/mkdocs/docs/getting-started/trino-with-ranger.md

Pull the Trino Docker image and run it in a network named 'rangernw'. This command starts a Trino instance accessible on port 8080.

```shell
docker pull trinodb/trino
docker run -p 8080:8080 --name trino --network rangernw trinodb/trino
```

--------------------------------

### Authorize access to a single resource (S3)

Source: https://github.com/apache/ranger/blob/master/authz-api/README.txt

Example of an authorization request for accessing a single S3 resource. The response indicates whether the access is ALLOWED or DENIED.

```json
{
  "context": {
    "serviceName": "s3",
    "accessTime": 1755543894,
    "clientIpAddress": "172.16.45.59",
    "additionalInfo": {
      "clusterName": "cl1",
      "clusterType": "onprem"
    }
  }
}

result:
{
  "requestId": "9198b532-a386-4464-9770-d61a8e8bc206",
  "decision": "ALLOWED",
  "permissions": {
    "list": {
      "access": {
        "result": "ALLOWED",
        "policy": { "id": 1, "version": 1 }
      }
    }
  }
}
```

--------------------------------

### API List for Performance Testing

Source: https://github.com/apache/ranger/blob/master/ranger-tools/src/main/python/config/README.md

Specifies the list of Ranger APIs to be tested for performance and scalability.
Currently supports create, update, get, and delete policy operations.

```json
"api_list": [
  "create_policy",
  "update_policy_by_id",
  "get_policy_by_id",
  "delete_policy_by_id"
]
```

--------------------------------

### Bring up Audit Server Ingestor and Dispatchers

Source: https://github.com/apache/ranger/blob/master/dev-support/ranger-docker/README.md

This command starts the Ranger audit server ingestor and dispatchers. Ensure Kafka, Solr, and HDFS containers are running prior to execution.

```bash
docker compose -f docker-compose.ranger.yml -f docker-compose.ranger-hadoop.yml -f docker-compose.ranger-kafka.yml -f docker-compose.ranger-audit-server.yml up -d
```

--------------------------------

### Horizontal Alignment Example

Source: https://github.com/apache/ranger/blob/master/mkdocs/docs/project/java-code-style.md

Demonstrates permitted horizontal alignment for variable declarations. While allowed, future edits may leave it unaligned, so consistent alignment is recommended but not strictly enforced.

```java
private int x = 5; // this is fine
private String color = "blue"; // this too

private int    x     = 5;      // permitted, but future edits
private String color = "blue"; // may leave it unaligned
```
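
--------------------------------

### Added Example: Fail-Closed Handling of the Authorization Response

The S3 authorization response shown earlier on this page can be consumed fail-closed, as in this added example (not code from the Ranger project): access is granted only when the overall `decision` and each required permission's `access.result` are explicitly `ALLOWED`. The function name `evaluate`, the verdict dictionary, and the treatment of malformed or missing fields as a denial are assumptions of this example; the response shape is taken from the sample on this page.

```python
import json

# Constructed sample: the "result" body of the S3 example on this page.
SAMPLE_RESPONSE = """
{"requestId": "9198b532-a386-4464-9770-d61a8e8bc206",
 "decision": "ALLOWED",
 "permissions": {"list": {"access": {"result": "ALLOWED",
                                     "policy": {"id": 1, "version": 1}}}}}
"""


def evaluate(raw, required):
    """Fail closed: allow only when the overall decision and every
    permission named in `required` are explicitly "ALLOWED"."""
    verdict = {"allowed": False, "request_id": None, "policies": {}, "reasons": []}
    try:
        body = json.loads(raw)
    except (TypeError, ValueError):
        verdict["reasons"].append("unparseable response")
        return verdict
    if not isinstance(body, dict):
        verdict["reasons"].append("response is not a JSON object")
        return verdict
    verdict["request_id"] = body.get("requestId")
    if body.get("decision") != "ALLOWED":
        verdict["reasons"].append(f"decision={body.get('decision')!r}")
    perms = body.get("permissions")
    perms = perms if isinstance(perms, dict) else {}
    for name in required:
        entry = perms.get(name)
        access = entry.get("access") if isinstance(entry, dict) else None
        access = access if isinstance(access, dict) else {}
        if access.get("result") != "ALLOWED":
            verdict["reasons"].append(f"{name}={access.get('result')!r}")
        policy = access.get("policy")
        if isinstance(policy, dict):
            # Keep the matching policy id/version for the caller's audit log.
            verdict["policies"][name] = (policy.get("id"), policy.get("version"))
    verdict["allowed"] = not verdict["reasons"]
    return verdict


if __name__ == "__main__":
    print(evaluate(SAMPLE_RESPONSE, ["list"]))
    print(evaluate(SAMPLE_RESPONSE, ["list", "delete"]))
    print(evaluate("<html>502 Bad Gateway</html>", ["list"]))
```

A permission that is absent from the response, such as `delete` in the second call, is reported as a reason for denial rather than inherited from the overall `decision`.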