This github repository describes how to integrate Apache Ranger with Trino.
- This integration is only supported for Trino 433 version
- Used latest Apache Ranger version (3.0.0-SNAPSHOT) which is not released yet
- Used latest Apache Ranger Trino plugin which supports Trino 433 version
- An open #PR for Apache Ranger Trino plugin raised by @shreyas-dview
- @aakashnand - his Medium article about Apache Ranger integration with Trino. Medium Link
- Elasticsearch deployment with docker compose - Article Link.
We need to install Ranger Admin
and Ranger Trino Plugin
for this integration. We can build these components from source code but it take ~1 hour to build. So I have build this components and upload on Github. You can download and use it.
I have used dview-io:trino-ranger-plugin
branch for Apache Ranger Trino plugin. This branch is not merged with master
branch yet.
git clone https://github.com/apache/ranger ranger
cd ranger && git checkout dview-io:trino-ranger-plugin
Following build will take ~1 hour to build. After successful build, you can find
ranger-3.0.0-SNAPSHOT-trino-plugin.tar.gz
file intarget
directory.
mvn clean compile package install -Pranger-jdk17 -DskipTests
Plugin build will generate trino plugin tar file in
target
directory. You can findranger-3.0.0-SNAPSHOT-trino-plugin.tar.gz
file intarget
directory.
mvn clean compile package install -Pranger-trino-plugin -DskipTests
docker compose up -d
You can access Ranger Admin UI at http://localhost:6080. Default username is admin
and password is Password123
. You can change the password in ranger/install.properties
file.
Make sure you put the service name as trino
. Otherwise, Ranger Trino plugin will not work. You can find the service name
in trino/install.properties
file with key REPOSITORY_NAME
.
If you test connection with Test Connection
button, it will fail. Because, we have not configured Ranger Trino Plugin
yet. Just click on Add
button to add the service. After adding the service, click on the Trino Docker
service we have created, you will see the following screen.
You can access Trino CLI with following command. Make sure you login with admin
user.
docker exec -it playground trino --server trino:8080 --user admin
Let's connect Trino CLI with random
user.
docker exec -it playground trino --server trino:8080 --user random
Let's create a policy for random
user. This policy will allow random
user to access pg
catalog and information_schema
schema and only pg.public.x_db_version_h
table and only id
column for table pg.public.x_db_version_h
.
First create an user random
in Ranger Admin UI.
Create an Access Control policy for random
user.
Test the Policy with random
user by connecting with trino via Trino CLI.
docker exec -it playground trino --server trino:8080 --user random
For access audit logs, we need to setup elasticsearch
with ranger. There have some compatibility issues with current elasticsearch
version (8.x.y) and ranger
and ranger-trino-plugin
. We have used 7.17.16
version of elasticsearch as ranger
uses elasticsearch version 7.10.2
.
- java.lang.NoSuchFieldError: LUCENE_8_x_y
- Java Decompiler
- Ranger Dev Mail List
- java.lang.NoClassDefFoundError: org/apache/log4j/LogManager
Made with ❤️ by nil1729