Use Ranger for Trino on Kubernetes
Prerequisites
-
An ADPS cluster (2.0.0 or later) is installed and running.
-
An ADH cluster (4.2.0 or later) is installed and running.
-
Trino is installed according to the instruction.
Step 1. Create a service in Ranger
This guide describes how to create a service via Ranger REST API. Alternatively, you can create a service in the Ranger web UI.
-
Define a service in a JSON file:
ranger-trino-k8s.json
{
  "isEnabled": true,
  "type": "trino",
  "name": "trino_k8s", (1)
  "displayName": "trino_k8s",
  "description": "Service for Kubernetes Trino",
  "configs": {
    "username": "trino", (2)
    "password": "bigdata", (3)
    "ranger.plugin.audit.filters": "[{'accessResult':'DENIED','isAudited':true},{'isAudited':false,'resources':{'queryid':{'values':['*']}},'accessTypes':['execute']},{'isAudited':false,'resources':{'trinouser':{'values':['{USER}']}},'accessTypes':['impersonate']}]",
    "jdbc.driverClassName": "io.trino.jdbc.TrinoDriver",
    "jdbc.url": "jdbc:trino://10.92.42.219" (4)
  }
}
1 A name of the Trino service in Ranger. Must be unique.
2 A username for the service.
3 A password for the service.
4 A JDBC string for connecting to Trino exposed by Ingress or load balancer.
-
Push the defined service to Ranger:
$ curl -u admin:<admin_pwd> -H "Content-Type: application/json" -X POST -d @ranger-trino-k8s.json http://<ranger-admin>:6080/service/public/v2/api/service
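Before pushing the definition it is worth checking it locally: the JDBC URL scheme is easy to mistype, and the audit filters are a JSON array hidden inside a string, so a syntax error there only shows up once the plugin starts. The script below is an added example, not code from the guide or from Ranger. It embeds a constructed copy of the service JSON above, validates the fields the plugin relies on, and walks a few constructed access events through a simplified model of Ranger audit filters (assumption: filters are evaluated in order, the first match decides, and an event matched by no filter is audited) to confirm that the filters on the page suppress only query-execute and self-impersonation noise while every denied request stays in the audit log.

```python
"""Pre-flight checks for the Ranger Trino service definition from Step 1.

Added example, not code from the original guide or from Ranger. The audit-filter
walk is a simplified model (assumption: in-order evaluation, first match decides,
unmatched events are audited)."""
import json
import re

# Constructed copy of ranger-trino-k8s.json from Step 1.
SERVICE_JSON = """{
  "isEnabled": true,
  "type": "trino",
  "name": "trino_k8s",
  "displayName": "trino_k8s",
  "description": "Service for Kubernetes Trino",
  "configs": {
    "username": "trino",
    "password": "bigdata",
    "ranger.plugin.audit.filters": "[{'accessResult':'DENIED','isAudited':true},{'isAudited':false,'resources':{'queryid':{'values':['*']}},'accessTypes':['execute']},{'isAudited':false,'resources':{'trinouser':{'values':['{USER}']}},'accessTypes':['impersonate']}]",
    "jdbc.driverClassName": "io.trino.jdbc.TrinoDriver",
    "jdbc.url": "jdbc:trino://10.92.42.219"
  }
}"""

# Trino JDBC URLs look like jdbc:trino://host[:port][/catalog[/schema]].
JDBC_URL_RE = re.compile(r"^jdbc:trino://[^/:\s]+(:\d+)?(/\S*)?$")


def parse_audit_filters(raw: str) -> list[dict]:
    """The filters are a JSON array stored inside a string. Ranger tolerates the single
    quotes used on the page; normalise them before parsing (no value contains a quote)."""
    return json.loads(raw.replace("'", '"'))


def validate_service(service_json: str) -> list[str]:
    """Return the problems found in a service definition; an empty list means it is sane."""
    svc = json.loads(service_json)
    problems = []
    if svc.get("type") != "trino":
        problems.append("type must be 'trino'")
    if not svc.get("name"):
        problems.append("name is required and must be unique in Ranger")
    cfg = svc.get("configs", {})
    for key in ("username", "password", "jdbc.driverClassName", "jdbc.url"):
        if not cfg.get(key):
            problems.append(f"configs.{key} is missing")
    url = cfg.get("jdbc.url", "")
    if url and not JDBC_URL_RE.match(url):
        problems.append(f"jdbc.url {url!r} is not of the form jdbc:trino://host[:port]")
    if "ranger.plugin.audit.filters" in cfg:
        try:
            parse_audit_filters(cfg["ranger.plugin.audit.filters"])
        except ValueError as exc:
            problems.append(f"ranger.plugin.audit.filters does not parse: {exc}")
    return problems


def filter_matches(flt: dict, event: dict) -> bool:
    """Every field present in the filter must match the event (simplified model)."""
    if "accessResult" in flt and flt["accessResult"] != event["accessResult"]:
        return False
    if "accessTypes" in flt and event["accessType"] not in flt["accessTypes"]:
        return False
    for res_name, spec in flt.get("resources", {}).items():
        value = event["resources"].get(res_name)
        if value is None:  # filter is about a resource type this event does not carry
            return False
        values = [v.replace("{USER}", event["user"]) for v in spec.get("values", [])]
        if "*" not in values and value not in values:
            return False
    return True


def is_audited(filters: list[dict], event: dict) -> bool:
    """First matching filter decides; an event matched by no filter is audited."""
    for flt in filters:
        if filter_matches(flt, event):
            return bool(flt.get("isAudited", True))
    return True


# Constructed access events shaped like those the Trino plugin reports.
EVENTS = {
    "denied_select": {"user": "alice", "accessType": "select", "accessResult": "DENIED",
                      "resources": {"catalog": "hive", "schema": "sales", "table": "orders"}},
    "allowed_select": {"user": "alice", "accessType": "select", "accessResult": "ALLOWED",
                       "resources": {"catalog": "hive", "schema": "sales", "table": "orders"}},
    "query_execute": {"user": "alice", "accessType": "execute", "accessResult": "ALLOWED",
                      "resources": {"queryid": "20240101_000000_00001_abcde"}},
    "self_impersonate": {"user": "alice", "accessType": "impersonate", "accessResult": "ALLOWED",
                         "resources": {"trinouser": "alice"}},
    "other_impersonate": {"user": "alice", "accessType": "impersonate", "accessResult": "ALLOWED",
                          "resources": {"trinouser": "bob"}},
}


def audit_decisions(service_json: str = SERVICE_JSON) -> dict[str, bool]:
    """Map each constructed event to whether the configured filters keep it in the audit log."""
    cfg = json.loads(service_json)["configs"]
    filters = parse_audit_filters(cfg["ranger.plugin.audit.filters"])
    return {name: is_audited(filters, ev) for name, ev in EVENTS.items()}
```

Run `validate_service(SERVICE_JSON)` on the file you are about to POST; `audit_decisions()` shows that the denied select, the allowed select on a table and impersonation of another user are all audited, while the per-query `execute` event and a user impersonating themselves are dropped, which is the intended noise reduction. Keep the `DENIED` filter first: filters later in the array are only consulted when no earlier one matched.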
Step 2. Update Kubernetes secrets
-
Prepare a secret with Trino configuration. Your Trino configuration secret should already contain the core-site.xml key. For Ranger integration, add the following keys:
-
ranger-trino-security.xml — Ranger plugin security configuration.
ranger-trino-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <property>
    <name>ranger.plugin.trino.enable.implicit.userstore.enricher</name>
    <value>True</value>
  </property>
  <property>
    <name>ranger.plugin.trino.service.name</name>
    <value>trino_k8s</value> (1)
  </property>
  <property>
    <name>ranger.plugin.trino.policy.rest.url</name>
    <value>http://tsn-adps2-1.ru-central1.internal:6080</value> (2)
  </property>
  <property>
    <name>ranger.plugin.trino.policy.source.impl</name>
    <value>org.apache.ranger.admin.client.RangerAdminRESTClient</value>
  </property>
  <property>
    <name>ranger.plugin.trino.super.users</name>
    <value>rangerlookup</value>
  </property>
  <property>
    <name>ranger.plugin.trino.ugi.initialize</name>
    <value>True</value>
  </property>
  <property>
    <name>ranger.plugin.trino.username</name>
    <value>trino</value> (3)
  </property>
  <property>
    <name>ranger.plugin.trino.password</name>
    <value>bigdata</value> (4)
  </property>
  <property>
    <name>ranger.plugin.trino.use.rangerGroups</name>
    <value>True</value>
  </property>
  <property>
    <name>ranger.plugin.trino.use.only.rangerGroups</name>
    <value>True</value>
  </property>
</configuration>
1 A name of the Trino service in Ranger.
2 URL to Ranger Admin.
3 A username for the service.
4 A password for the service.
If Kerberos is enabled, add the following properties:
<property>
  <name>ranger.plugin.trino.ugi.keytab.file</name>
  <value>/opt/trino-server/kerberos/keytab</value>
</property>
<property>
  <name>ranger.plugin.trino.ugi.keytab.principal</name>
  <value>trino/trino-cloud.ru-central1.internal@RU-CENTRAL1.INTERNAL</value>
</property>
<property>
  <name>ranger.plugin.trino.ugi.login.type</name>
  <value>keytab</value>
</property>
If SSL is enabled, add the following property:
<property>
  <name>ranger.plugin.trino.policy.rest.ssl.config.file</name>
  <value>/opt/trino-server/etc/catalog/ranger-trino-policymgr-ssl.xml</value>
</property>
-
ranger-trino-audit.xml — Ranger audit configuration.
ranger-trino-audit.xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <property>
    <name>xasecure.audit.destination.solr</name>
    <value>true</value>
  </property>
  <property>
    <name>xasecure.audit.destination.solr.batch.filespool.dir</name>
    <value>/srv/ranger/trino_plugin/audit_solr_spool</value>
  </property>
  <property>
    <name>xasecure.audit.destination.solr.zookeepers</name>
    <value>tsn-adps2-1.ru-central1.internal:2181/Arenadata.Hadoop-3.solr.server</value> (1)
  </property>
  <property>
    <name>xasecure.audit.is.enabled</name>
    <value>True</value>
  </property>
</configuration>
1 A string for ZooKeeper connection in the <host-1>:<port-1>…<host-N>:<port-N>/Arenadata.Hadoop-<cluster_id>.solr.server format.
If Kerberos is enabled, add the following properties:
<property>
  <name>xasecure.audit.destination.solr.force.use.inmemory.jaas.config</name>
  <value>True</value>
</property>
<property>
  <name>xasecure.audit.jaas.Client.loginModuleControlFlag</name>
  <value>required</value>
</property>
<property>
  <name>xasecure.audit.jaas.Client.loginModuleName</name>
  <value>com.sun.security.auth.module.Krb5LoginModule</value>
</property>
<property>
  <name>xasecure.audit.jaas.Client.option.keyTab</name>
  <value>/opt/trino-server/kerberos/keytab</value>
</property>
<property>
  <name>xasecure.audit.jaas.Client.option.principal</name>
  <value>trino/trino-cloud.ru-central1.internal@RU-CENTRAL1.INTERNAL</value>
</property>
<property>
  <name>xasecure.audit.jaas.Client.option.serviceName</name>
  <value>solr</value>
</property>
<property>
  <name>xasecure.audit.jaas.Client.option.storeKey</name>
  <value>False</value>
</property>
<property>
  <name>xasecure.audit.jaas.Client.option.useKeyTab</name>
  <value>True</value>
</property>
<property>
  <name>xasecure.audit.jaas.Client.option.useTicketCache</name>
  <value>True</value>
</property>
-
ranger-trino-policymgr-ssl.xml — Ranger policymgr-ssl configuration (if SSL is enabled).
ranger-trino-policymgr-ssl.xml
<?xml version="1.0"?>
<configuration>
  <property>
    <name>xasecure.policymgr.clientssl.truststore</name>
    <value>/etc/ssl/truststore.jks</value> (1)
  </property>
  <property>
    <name>xasecure.policymgr.clientssl.truststore.credential.file</name>
    <value>jceks://file/opt/trino-server/etc/catalog/ranger-trino.jceks</value> (2)
  </property>
</configuration>
1 The path to a truststore.
2 The path to a file with credentials for the truststore.
-
Update the secret for Trino configuration:
$ kubectl delete secret <trino-config> -n <trino-cluster-ns>
$ kubectl create secret generic <trino-config> -n <trino-cluster-ns> --from-file=<trino-conf-folder>
where:
-
<trino-config> — name of the secret for Trino configuration.
-
<trino-cluster-ns> — namespace used by the Trino cluster.
-
<trino-conf-folder> — folder with files from which a secret is generated. If you pass file contents as string values inside values.yaml, specify the path to that file.
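The secret is recreated from a folder of files, so nothing checks that the XML inside it is consistent until the Trino pods restart against it. The script below is an added example, not part of the guide or of the Ranger plugin: it parses Hadoop-style `<configuration>` files with the standard library and applies the checks a reviewer would run on the folder before recreating the secret: the service name must match the one created in Step 1, the three Kerberos properties from Step 2 must appear together, an `https` Ranger URL needs the `policymgr-ssl` file and a plain `http` one must not reference it, and the file set must contain the keys the guide names. Which properties belong together is this example's own reading of Step 2, not a rule the plugin enforces; the embedded XML is a constructed, shortened copy of `ranger-trino-security.xml`.

```python
"""Consistency checks for the Ranger plugin XML files placed in the Trino config secret.

Added example, not part of the guide or of the Ranger plugin. Which properties must
appear together is this example's own reading of Step 2, not a rule enforced by the
plugin."""
import xml.etree.ElementTree as ET

# Constructed, shortened copy of ranger-trino-security.xml from Step 2 (no Kerberos, plain http).
SECURITY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <property><name>ranger.plugin.trino.service.name</name><value>trino_k8s</value></property>
  <property><name>ranger.plugin.trino.policy.rest.url</name><value>http://tsn-adps2-1.ru-central1.internal:6080</value></property>
  <property><name>ranger.plugin.trino.policy.source.impl</name><value>org.apache.ranger.admin.client.RangerAdminRESTClient</value></property>
  <property><name>ranger.plugin.trino.username</name><value>trino</value></property>
  <property><name>ranger.plugin.trino.password</name><value>bigdata</value></property>
</configuration>
"""

REQUIRED_KEYS = ("ranger.plugin.trino.service.name", "ranger.plugin.trino.policy.rest.url",
                 "ranger.plugin.trino.policy.source.impl", "ranger.plugin.trino.username",
                 "ranger.plugin.trino.password")
KERBEROS_KEYS = ("ranger.plugin.trino.ugi.keytab.file", "ranger.plugin.trino.ugi.keytab.principal",
                 "ranger.plugin.trino.ugi.login.type")
SSL_KEY = "ranger.plugin.trino.policy.rest.ssl.config.file"
SECRET_FILES = ("core-site.xml", "ranger-trino-security.xml", "ranger-trino-audit.xml")


def parse_hadoop_xml(text: str) -> dict[str, str]:
    """Flatten <configuration><property><name/><value/></property>... into a dict,
    rejecting nameless or duplicated properties."""
    root = ET.fromstring(text)
    if root.tag != "configuration":
        raise ValueError(f"root element is <{root.tag}>, expected <configuration>")
    props: dict[str, str] = {}
    for prop in root.findall("property"):
        name = (prop.findtext("name") or "").strip()
        if not name:
            raise ValueError("<property> without a <name>")
        if name in props:
            raise ValueError(f"duplicate property {name}")
        props[name] = (prop.findtext("value") or "").strip()
    return props


def check_security_config(props: dict[str, str], expected_service: str) -> list[str]:
    """Cross-check ranger-trino-security.xml against the service created in Step 1."""
    problems = [f"{k} is missing" for k in REQUIRED_KEYS if not props.get(k)]
    if props.get("ranger.plugin.trino.service.name") != expected_service:
        problems.append(f"service.name must be {expected_service!r} to match the Ranger service")
    url = props.get("ranger.plugin.trino.policy.rest.url", "")
    if url.startswith("https://") and SSL_KEY not in props:
        problems.append(f"policy.rest.url uses https but {SSL_KEY} is not set")
    if url.startswith("http://") and SSL_KEY in props:
        problems.append(f"{SSL_KEY} is set but policy.rest.url is plain http")
    present = [k for k in KERBEROS_KEYS if k in props]
    if present and len(present) != len(KERBEROS_KEYS):
        missing = ", ".join(sorted(set(KERBEROS_KEYS) - set(present)))
        problems.append(f"incomplete Kerberos settings, missing: {missing}")
    elif present and props["ranger.plugin.trino.ugi.login.type"] != "keytab":
        problems.append("ugi.login.type must be 'keytab' when a keytab is configured")
    return problems


def check_secret_files(files: dict[str, str], expected_service: str) -> list[str]:
    """files maps secret key (file name) to content, as kubectl create secret --from-file does."""
    problems = [f"secret is missing key {k}" for k in SECRET_FILES if k not in files]
    if "ranger-trino-security.xml" in files:
        sec = parse_hadoop_xml(files["ranger-trino-security.xml"])
        problems += check_security_config(sec, expected_service)
        if SSL_KEY in sec and "ranger-trino-policymgr-ssl.xml" not in files:
            problems.append("SSL is enabled but ranger-trino-policymgr-ssl.xml is not in the secret")
    return problems
```

To use it against a real `<trino-conf-folder>`, read each file in the folder into the `files` dict keyed by file name and call `check_secret_files(files, "trino_k8s")`; an empty list means the folder is ready for `kubectl create secret`. The Kerberos check is deliberately strict: a keytab path without a principal or login type would leave the plugin unable to authenticate to Ranger Admin, and policies would then never be refreshed.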
Step 3. Update the Trino cluster
-
Update the configuration file for the Trino cluster:
trino-cluster-values.yaml
image:
  registry: "<image_registry>"
  repository: "<image_repository>"
  tag: "<image_tag>"
  pullPolicy: Always
useRanger: true
configsSecretName: <trino-config>
worker:
  replicas: 2
  resources:
    requests:
      cpu: 500m
      memory: 1Gi
    limits:
      cpu: "2"
      memory: 4Gi
coordinator:
  replicas: 1
  resources:
    requests:
      cpu: 500m
      memory: 1Gi
    limits:
      cpu: "2"
      memory: 4Gi
The crucial parameters should already be defined for a Trino cluster to work. However, you should set useRanger to true.
-
Update the Trino cluster installation:
$ helm upgrade --install trino-cluster oci://"$PRIVATE_REGISTRY"/adc-enterprise/charts/trino-cluster --version <version> -f trino-cluster-values.yaml --namespace <trino-cluster-ns> --create-namespace
-
Delete old pods so that the Trino operator creates new ones from an updated config:
$ kubectl delete pods -n <trino-cluster-ns> -l app.kubernetes.io/instance=trino-cluster
-
Check that all the pods are in the Running state:
$ kubectl get pods -n <trino-cluster-ns>
The expected output is:
NAME                          READY   STATUS    RESTARTS   AGE
trino-cluster-coordinator-0   1/1     Running   0          47m
trino-cluster-worker-0        1/1     Running   0          47m
trino-cluster-worker-1        1/1     Running   0          47m