
After spending a whole day setting up and studying Hortonworks' Ranger, I'm reluctantly able to use it now, but I'm still very confused by its structure. I'm listing the questions below:

  1. What's the relationship between Ranger and Knox, and why does Hortonworks provide two solutions for the same position? If I want to apply them to my Hadoop cluster, what's the best practice?

  2. Why do I have to use UserSync? In other words, Ranger-Admin has the ability to talk with LDAP/AD to get users, so why does it still need UserSync? And if UserSync is going to talk with LDAP/AD as well (or a different LDAP server), what would happen? Will it impact Ranger-Admin's own LDAP/AD connection?

  3. A similar question for the plugin's audit connection: as Ranger-Admin has an audit connection, why does the plugin need its own connection to the audit database? Why don't they just push audit information to Admin, and let Admin decide where to store the information? And if they (Admin and plugin) talk to different databases, what is going to happen?

user3593261
  • (While all questions seem related to architecture, asking them one by one might offer an opportunity to outline the "impact" or "what's gonna happen" with what you have in mind, for others to address.) – B98 Mar 01 '17 at 22:38
  • I agree with @B98, it would be easier if you could ask them one at a time. I can answer #1. As listed on the Ranger website (http://ranger.apache.org/), it is used for centralized security administration and auditing, think policy enforcement. Knox, on the other hand, is a security gateway: you cannot enforce or administer policies through Knox, it is a reverse proxy that protects the internals of your cluster. Think of Knox as a gatekeeper to your Hadoop cluster (for REST and Web UIs; it can do some fancy stuff via DSL as well). Knox does support Kerberos and SSO among other things. – Sandeep More Mar 02 '17 at 02:17

1 Answer

I think I can briefly answer Q1

What's the relationship between Ranger and Knox, and why does Hortonworks provide two solutions for the same position? If I want to apply them to my Hadoop cluster, what's the best practice?

They are for different purposes. Ranger gives you fine-grained ACL control; Knox is a proxy server (gateway) that gives you a centralized web service security layer. That is to say, using Ranger, you have a central place (UI) to manage ACLs for Hadoop stack services, e.g. who can access a table in Hive; using Knox, you can put all your Hadoop services on a private network using the unsecured HTTP protocol, with the Knox server running on a gateway node (accessible from outside) that has HTTPS enabled. It gives users a central HTTP/HTTPS entry point to access web services that supports user login (some of the Hadoop stack services, e.g. Hadoop itself, don't support this yet).

Weiwei Yang