0
votes

Architecture: Big data cluster deployed using Hortonworks Cloudbreak on Microsoft Azure, with Azure Data Lake Storage (ADLS) as storage. Users will be synced from the client's Active Directory to Azure Active Directory.

Apache Ranger will be used to provide tag-based and role-based access to data entities sitting in ADLS, but when ADLS is accessed from outside of the Hadoop environment, such as from Azure Storage Explorer, Ranger loses its control.

Question: So how do we ensure that Ranger and Azure Active Directory are in sync, so that Ranger policies can be imposed when users access ADLS from Azure Storage Explorer or the Azure Portal?

The only related reference found on the internet:

http://mail-archives.apache.org/mod_mbox/ranger-user/201803.mbox/%[email protected]%3E

1
I'm currently looking into this, but could you clarify if this is what you want? You need to sync the permissions from Apache Ranger to Azure Active Directory? This is most likely not possible. It is likely that if you wish to use Apache Ranger you'll need to utilize HDInsight from Azure per: docs.microsoft.com/en-us/azure/hdinsight/domain-joined/… Is there a reason why you can't just use Azure AD as your main RBAC/permission provider? - Frank Hu MSFT

1 Answer

0
votes

There is currently no comprehensive solution for this, as Apache Ranger (policy-based, evaluated at runtime) and ADLS (per-file assigned ACLs) are quite different, so the permissions/policies cannot simply be mapped over and synced from Apache Ranger.

The only "Secure Solution" is to completely lock out direct access to the data and cause all data access to channel through the cluster. This is effectively the same model employed with local HDFS, when the only data access model is via the cluster.

However, using this "Secure Solution" would diminish the value proposition of utilizing ADLS.

If you're interested in this feature being implemented, please submit your feedback to Azure Feedback, and if there's enough community interest the product team will plan to put it on the roadmap. https://feedback.azure.com/forums/34192--general-feedback
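
One way to check that the lock-down described in the answer above actually holds is to audit the ADLS ACLs for any principal other than the cluster's identity. This is an added example, not part of the original answer or of any Azure or Ranger tooling: it assumes ACLs are supplied as POSIX-style spec strings (the format ADLS uses), and `audit_acl`, `Finding`, the object IDs and the path are hypothetical, constructed values.

```python
from typing import NamedTuple

class Finding(NamedTuple):
    path: str
    scope: str       # "access" or "default" (inherited by new children)
    kind: str        # "user", "group" or "other"
    principal: str   # AAD object ID; "" for the owning group / other
    effective: str   # permissions after the mask is applied

def _apply_mask(perms: str, mask: str) -> str:
    return "".join(p if m != "-" else "-" for p, m in zip(perms, mask))

def audit_acl(path: str, acl_spec: str, allowed_ids: set) -> list:
    """Return ACL entries that let anyone but allowed_ids reach the data."""
    entries, masks = [], {"access": "rwx", "default": "rwx"}
    for raw in acl_spec.split(","):
        parts = raw.strip().split(":")
        scope = "access"
        if parts[0] == "default":
            scope, parts = "default", parts[1:]
        if len(parts) != 3 or len(parts[2]) != 3:
            raise ValueError(f"malformed ACL entry: {raw!r}")
        kind, principal, perms = parts
        if kind == "mask":
            masks[scope] = perms
        else:
            entries.append((scope, kind, principal, perms))
    findings = []
    for scope, kind, principal, perms in entries:
        if kind == "user" and not principal:
            continue  # owning user: identity is not in the ACL, check it separately
        # The mask caps named users, named groups and the owning group, not "other".
        eff = perms if kind == "other" else _apply_mask(perms, masks[scope])
        if eff != "---" and principal not in allowed_ids:
            findings.append(Finding(path, scope, kind, principal, eff))
    return findings

# Constructed sample data: object IDs and path are placeholders.
CLUSTER_SP = "11111111-1111-1111-1111-111111111111"
ANALYST = "22222222-2222-2222-2222-222222222222"
BI_GROUP = "33333333-3333-3333-3333-333333333333"
SAMPLE_ACL = (f"user::rwx,user:{CLUSTER_SP}:rwx,user:{ANALYST}:r-x,group::---,"
              f"group:{BI_GROUP}:rwx,mask::r-x,other::---,"
              f"default:user:{ANALYST}:r-x,default:mask::---")

if __name__ == "__main__":
    for f in audit_acl("/data/sales", SAMPLE_ACL, {CLUSTER_SP}):
        print(f)
```

On the sample, the analyst and the named group are reported with effective `r-x` (the mask strips the group's write bit), while the analyst's default entry is ignored because its mask is `---`.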