...
CDAP Ranger Lookup: Enables Ranger to look up CDAP entities.
CDAP Ranger Binding: Enables CDAP to use privileges in Ranger for enforcement.
CDAP Ranger Service Definition: Defines CDAP as a service and its resources in Ranger.
...
Installation
Before enabling CDAP Authorization, please read the following documentation.
...
You can use the `ranger-servicedef-cdap.json <https://github.com/cdapio/cdap-security-extn/blob/develop/cdap-ranger/cdap-ranger-lookup/src/main/resources/ranger-servicedef-cdap.json>`__ to add CDAP as a service in Ranger:
curl -u ranger-admin-user:ranger-admin-password -X POST -H "Accept: application/json" -H "Content-Type: application/json" -d @ranger-servicedef-cdap.json http://rangerhost:rangerport/service/plugins/definitions
Now go to the Ranger Admin UI and click on the + button for CDAP service.
Fill in the details of your CDAP instance.
...
4. Click on the Test Connection button to test that Ranger can successfully establish a connection with CDAP.
...
5. Now click on the Add button; this will add the CDAP service in Ranger.
...
4. Give the cdap user permission on the directory and configuration files created above
chown -R cdap:cdap /usr/local/ranger-cdap-conf/
5. Move the CDAP Ranger Binding jar to the correct directory (if needed) and give cdap permissions on it
mv /cdap-ranger-binding-0.1.0.jar /opt/cdap/master/ext/security/
chown cdap:cdap /opt/cdap/master/ext/security/cdap-ranger-binding-0.1.0.jar
6. Edit the CDAP configuration in the Ambari Admin UI and add the following in the custom cdap-site.xml section
...
To begin with, we need two Unix users with Kerberos principals and keytab files that will allow impersonating them:
...
Note that these keytabs must be readable by the cdap system account.
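
A post-install check for steps 4 and 5 and the keytab note, added here as an example and not part of the CDAP documentation: it confirms that the configuration directory and binding jar are owned by cdap and not writable by anyone else, and that a keytab is readable by cdap. Assumptions: the keytab path in the usage comment is a placeholder, ``sudo`` is available when the script is not run as cdap, and the "not accessible to others" test is an added hardening check rather than a requirement stated above.

```shell
#!/bin/sh
# Added example (not project code): audit the ownership and permissions
# set in steps 4-5 and required by the keytab note.

# audit_owned USER PATH
# Succeeds only if PATH exists, everything under it is owned by USER,
# and nothing under it is writable by group or others.
# Returns 0 = ok, 1 = finding, 2 = path missing.
audit_owned() {
    user=$1; path=$2; rc=0
    [ -e "$path" ] || { echo "MISSING: $path"; return 2; }
    bad=$(find "$path" ! -user "$user" -print)
    [ -z "$bad" ] || { printf 'not owned by %s:\n%s\n' "$user" "$bad"; rc=1; }
    # Symlinks always show mode 777, so they are skipped here.
    bad=$(find "$path" ! -type l \( -perm -020 -o -perm -002 \) -print)
    [ -z "$bad" ] || { printf 'group/world-writable:\n%s\n' "$bad"; rc=1; }
    return $rc
}

# audit_keytab USER KEYTAB
# Succeeds only if USER can read KEYTAB and "others" have neither read nor
# write access (a keytab holds the principal's long-term keys).
audit_keytab() {
    user=$1; kt=$2; rc=0
    [ -f "$kt" ] || { echo "MISSING: $kt"; return 2; }
    if [ "$user" = "$(id -un 2>/dev/null)" ] || [ "$user" = "$(id -u)" ]; then
        [ -r "$kt" ] || rc=1
    else
        # Assumption: the caller may run commands as USER through sudo.
        sudo -n -u "$user" test -r "$kt" || rc=1
    fi
    [ "$rc" -eq 0 ] || echo "not readable by $user: $kt"
    open=$(find "$kt" \( -perm -004 -o -perm -002 \) -print)
    [ -z "$open" ] || { echo "accessible to others: $kt"; rc=1; }
    return $rc
}

# Usage (as root or a sudoer). The first two paths come from the steps
# above; the keytab path is a placeholder:
#   audit_owned  cdap /usr/local/ranger-cdap-conf
#   audit_owned  cdap /opt/cdap/master/ext/security/cdap-ranger-binding-0.1.0.jar
#   audit_keytab cdap /path/to/user.keytab
```

A jar left owned by another account, for example because the ``chown`` in step 5 was run from a different working directory, shows up as a "not owned by cdap" finding.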
...