/trino-ranger-demo

integrating trino with apache ranger using docker

Primary LanguageDockerfileMIT LicenseMIT

Apache Ranger integration with Trino

This github repository describes how to integrate Apache Ranger with Trino.

Considerations

  • This integration is only supported for Trino 433 version
  • Used latest Apache Ranger version (3.0.0-SNAPSHOT) which is not released yet
  • Used latest Apache Ranger Trino plugin which supports Trino 433 version

Acknowledgements

Running Trino and Apache Ranger Locally

We need to install Ranger Admin and Ranger Trino Plugin for this integration. We can build these components from source code but it take ~1 hour to build. So I have build this components and upload on Github. You can download and use it.

Build from source code (JDK 17+)

I have used dview-io:trino-ranger-plugin branch for Apache Ranger Trino plugin. This branch is not merged with master branch yet.

git clone https://github.com/apache/ranger ranger
cd ranger && git checkout dview-io:trino-ranger-plugin

Following build will take ~1 hour to build. After successful build, you can find ranger-3.0.0-SNAPSHOT-trino-plugin.tar.gz file in target directory.

mvn clean compile package install -Pranger-jdk17 -DskipTests

Plugin build will generate trino plugin tar file in target directory. You can find ranger-3.0.0-SNAPSHOT-trino-plugin.tar.gz file in target directory.

mvn clean compile package install -Pranger-trino-plugin -DskipTests

Download from Github Releases

Running Ranger & Trino with Docker Compose

docker compose up -d

Check Ranger Admin UI

You can access Ranger Admin UI at http://localhost:6080. Default username is admin and password is Password123. You can change the password in ranger/install.properties file.

Rager Admin UI

Setup Trino Service in Ranger

Make sure you put the service name as trino. Otherwise, Ranger Trino plugin will not work. You can find the service name in trino/install.properties file with key REPOSITORY_NAME.

Trino Service Input

If you test connection with Test Connection button, it will fail. Because, we have not configured Ranger Trino Plugin yet. Just click on Add button to add the service. After adding the service, click on the Trino Docker service we have created, you will see the following screen.

Trino Service Running

Testing Ranger Trino Plugin with Trino CLI

You can access Trino CLI with following command. Make sure you login with admin user.

docker exec -it playground trino --server trino:8080 --user admin

Trino CLI-admin-1 Trino CLI-admin-2

Let's connect Trino CLI with random user.

docker exec -it playground trino --server trino:8080 --user random

Trino CLI-random-1

Create Ranger Access Policy for Trino

Let's create a policy for random user. This policy will allow random user to access pg catalog and information_schema schema and only pg.public.x_db_version_h table and only id column for table pg.public.x_db_version_h.

First create an user random in Ranger Admin UI.

Ranger Admin - User Create

Create an Access Control policy for random user.

Ranger Trino Policy-1 Ranger Trino Policy-2

Test the Policy with random user by connecting with trino via Trino CLI.

docker exec -it playground trino --server trino:8080 --user random

Trino-CLI-random-2

Checking Access Audit Logs in Ranger Admin UI

For access audit logs, we need to setup elasticsearch with ranger. There have some compatibility issues with current elasticsearch version (8.x.y) and ranger and ranger-trino-plugin. We have used 7.17.16 version of elasticsearch as ranger uses elasticsearch version 7.10.2.

Ranger Access Audit Logs

Troubleshooting

  1. java.lang.NoSuchFieldError: LUCENE_8_x_y
  2. Java Decompiler
  3. Ranger Dev Mail List
  4. java.lang.NoClassDefFoundError: org/apache/log4j/LogManager

Made with ❤️ by nil1729