ranger与solr&ldap&doris集成部署

原创于 2026-06-16 08:06:37 发布 · 239 阅读

5 ·

本内容遵循CC 4.0 BY-SA版权协议

GEO检测

标签

#solr #lucene

MPP
xxxxxxxx.142
xxxxxxxx.143
xxxxxxxx.144

前置环境安装
依赖环境######################################################################################################
#java -version
openjdk version “1.8.0_392”

python -V

Python 3.9.18

#which java
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.392.b08-3.el9.x86_64/jre/bin/java
设置环境变量
#vi /etc/profile
export JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.392.b08-3.el9.x86_64/jre
export PATH= $JAVA_HOME/bin:$ PATH
export CLASSPATH=.: $JAVA_HOME/lib/dt.jar:$ JAVA_HOME/lib/tools.jar
刷新
#source /etc/profile

#mysql -hxxxxmmxxxx.142 -P16603 -uroot -pxxxxmmxxxx==
CREATE DATABASE ranger DEFAULT CHARACTER SET utf8 DEFAULT COLLATE utf8_general_ci;

创建用户并设置密码
SET GLOBAL validate_password.policy = LOW;
CREATE USER ‘ranger’@‘%’ IDENTIFIED BY ‘xxxxmmxxxx’;
授予所有权限
GRANT ALL PRIVILEGES ON ranger.* TO ‘ranger’@‘%’;

update mysql.user set Grant_priv=‘Y’,Super_priv=‘Y’ where user=‘ranger’;
SELECT host,user,authentication_string,Grant_priv,Super_priv,authentication_string FROM mysql.user;
3. 刷新权限（可选，通常 GRANT 会自动刷新）
FLUSH PRIVILEGES;

mysql -hxxxxmmxxxx.142 -P16603 -uranger -pxxxxmmxxxx

LdapHA安装
######################################################################################################

cat /etc/redhat-release

Rocky Linux release 9.3 (Blue Onyx)

Ldap（主从）安装，两个主机都要root下操作
#######################Ldap主从配置#####################

安装

#yum localinstall -y openldap*
#rpm -qa | grep ldap
sssd-ldap-2.9.1-4.el9_3.x86_64
openldap-2.6.8-4.el9.0.1.x86_64
openldap-devel-2.6.8-4.el9.0.1.x86_64
openldap-servers-2.6.8-4.el9.0.1.x86_64
openldap-clients-2.6.8-4.el9.0.1.x86_64

启动（设置自启动）

systemctl start slapd
systemctl enable slapd
systemctl status slapd

#设置密码
slappasswd -h {md5} -s “xxxxmmxxxx”
{MD5}ZywcmQg9WAs07FG8qRFKMQ==

#vi set_rootpw.ldif
#################################################
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {MD5}ZywcmQg9WAs07FG8qRFKMQ==
#################################################
#ldapadd -Y EXTERNAL -H ldapi:/// -f set_rootpw.ldif

问题：additional info: modify/add: olcRootPW: no equality matching rule 解决办法：
修改modify.ldif中对应选项的"add"为"replace"即可

#添加基础配置
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

#添加domain配置
#ldapsearch -Y EXTERNAL -H ldapi:/// -b “cn=config” “olcDatabase=*” dn
dn: olcDatabase={2}mdb,cn=config ← 这才是正确的 DN

vi set_domain.ldif
###################################
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base=“gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth”
read by dn.base=“cn=admin,dc=gtk,dc=com” read by * none

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=gtk,dc=com

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=gtk,dc=com

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {MD5}ZywcmQg9WAs07FG8qRFKMQ==

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
dn=“cn=admin,dc=gtk,dc=com” write by anonymous auth by self write by * none
olcAccess: {1}to dn.base=“” by * read
olcAccess: {2}to * by dn=“cn=admin,dc=gtk,dc=com” write by * read
##########################################################
ldapmodify -Y EXTERNAL -H ldapi:/// -f set_domain.ldif

vi create_basedomain.ldif
##########################################################
dn: dc=gtk,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: Server com
dc: gtk

dn: cn=admin,dc=gtk,dc=com
objectClass: organizationalRole
cn: admin
description: Directory admin

dn: ou=People,dc=gtk,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=gtk,dc=com
objectClass: organizationalUnit
ou: Group
##########################################################
ldapadd -x -D cn=admin,dc=gtk,dc=com -wxxxxmmxxxx -f create_basedomain.ldif

#主从配置
master配置
##########################################################
vi sync_provider_addMode.ldif
###################################

create new

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
####################################
ldapadd -Y EXTERNAL -H ldapi:/// -f sync_provider_addMode.ldif

vi sync_provider.ldif
#############################

create new

dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100
###############################
ldapadd -Y EXTERNAL -H ldapi:/// -f sync_provider.ldif

slave配置
##########################################################
vi sync_consumer.ldif
##############################
dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
provider=ldap://xxxxxxxx.142:389/
bindmethod=simple
binddn=“cn=admin,dc=gtk,dc=com”
credentials=xxxxmmxxxx
searchbase=“dc=gtk,dc=com”
scope=sub
schemachecking=on
type=refreshAndPersist
retry=“30 5 300 3”
interval=00:00:05:00
################################
ldapadd -Y EXTERNAL -H ldapi:/// -f sync_consumer.ldif

其它memberof配置，两个节点都执行
#############################

vi memberof_conf.ldif
#############################
dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
objectClass: top
olcModulePath: /usr/lib64/openldap
olcModuleLoad: memberof.la
############################
ldapadd -Y EXTERNAL -H ldapi:/// -f memberof_conf.ldif

vi memberOfOverlay.ldif
#########################
dn: olcOverlay=memberof,olcDatabase={2}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: {0}memberof
########################
ldapadd -Y EXTERNAL -H ldapi:/// -f memberOfOverlay.ldif

测试，master节点执行
#############################
#创建 demo 用户

#设置密码
slappasswd -h {md5} -s “demo”
{MD5}/gHOKn+6yPr67XyYKgTiKQ==
查询当前最大 uidNumber，然后递增：
ldapsearch -x -b “dc=example,dc=com” “uidNumber=*” uidNumber | grep “^uidNumber:” | sort -n | tail -1

vi create_user_demo.ldif
#################################3
dn: uid=demo,ou=People,dc=gtk,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: demo
sn: demo
userPassword: {MD5}/gHOKn+6yPr67XyYKgTiKQ==
loginShell: /bin/bash
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/demo

dn: cn=demo,ou=Group,dc=gtk,dc=com
objectClass: posixGroup
cn: demo
gidNumber: 10001
memberUid: uid=demo,ou=People,dc=gtk,dc=com
########################################
ldapadd -x -D cn=admin,dc=gtk,dc=com -wxxxxmmxxxx -f create_user_demo.ldif

验证创建用户，两个主机验证同步

########################################
ldapsearch -x -b ‘ou=People,dc=gtk,dc=com’
ldapsearch -x
ldapsearch -H ldap://xxxxxxxx.142:389 -x -D “cn=admin,dc=gtk,dc=com” -w ‘xxxxmmxxxx’ -b “dc=gtk,dc=com” -s base

#ldap客户端部署，所有的主机执行
########################################
yum localinstall -y /home/openldap*
-rw-r–r-- 1 root root 262004 Jun 12 14:55 openldap-2.6.8-4.el9.0.1.x86_64.rpm
-rw-r–r-- 1 root root 178205 Jun 12 14:53 openldap-clients-2.6.8-4.el9.0.1.x86_64.rpm

同步命令，所有主机
########################################
authconfig --enableldap --enableldapauth --ldapserver=xxxxxxxx.142:389 --ldapbasedn=‘dc=gtk,dc=com’ --enablemkhomedir --update

非server主机，验证
########################################
ldapsearch -x -b ‘ou=People,dc=@@@,dc=com’
ldapwhoami -x -D “uid=ocdp,ou=People,dc=@@@,dc=com” -w ‘密码’
ldapsearch -x -b ‘ou=People,dc=@@@,dc=com’
ldapsearch -x

#sssd部署
########################################
yum install sssd -y
yum install authselect-compat-1.2.6-2.el9.x86_64 -y

authconfig --update --enablesssd

cat > /etc/sssd/sssd.conf << EOF

[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP
[nss]
[pam]

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldap://xxxxxxxx.142:389,ldap://xxxxxxxx.143:389
ldap_search_base = dc=gtk,dc=com

ldap禁用匿名绑定必填

ldap_default_bind_dn = cn=admin,dc=gtk,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = xxxxmmxxxx
EOF

chmod 600 /etc/sssd/sssd.conf
rm -rf /etc/sssd/conf.d/

systemctl restart sssd
systemctl enable --now sssd
systemctl status sssd

清理缓存：sss_cache -E
验证用户：id demo

SOLR安装
######################################################################################################
https://mirrors.aliyun.com/apache/solr/solr/10.0.0/?spm=a2c6h.25603864.0.0.51965cd5suq9ws
https://mirrors.aliyun.com/apache/ranger/2.8.0/?spm=a2c6h.25603864.0.0.6043362faGlrpv

tar -zxvf ranger-2.8.0-admin.tar.gz -C /data01
tar -zxvf solr-8.11.1.tgz -C /data01

编辑/data01/ranger-2.8.0-admin/contrib/solr_for_audit_setup/install.properties
#配置JAVA路径
JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.392.b08-3.el9.x86_64/jre
#审计日志保存的最大天数，默认为90天
MAX_AUDIT_RETENTION_DAYS=90
#联网下载，默认为false
SOLR_INSTALL=false
#solr线上下载路径（如果SOLR_INSTALL=true，则需要配置SOLR_DOWNLOAD_URL）
#SOLR_DOWNLOAD_URL=http://archive.apache.org/dist/lucene/solr/8.3.0/solr-8.3.0.tgz
solr安装目录
SOLR_INSTALL_FOLDER=/data01/solr-8.11.1
solr对接ranger的服务
SOLR_RANGER_HOME=/data01/solr-8.11.1/ranger_audit_server
solr连接ranger的端口
SOLR_RANGER_PORT=6083
solr部署模式
SOLR_DEPLOYMENT=standalone
solr数据存储目录
SOLR_RANGER_DATA_FOLDER=/data01/solr-8.11.1/ranger_audit_server/data
SOLR_LOG_FOLDER=/data01/solr-8.11.1/ranger_audits
solr单机部署，故为空
SOLR_ZK=

将 Solr 安装目录的所有权赋予该用户

chown -R solr:solr /data01/solr-8.11.1

初始化solr安装脚本
cd /data01/ranger-2.8.0-admin/contrib/solr_for_audit_setup/
./setup.sh
启动单机版solr
cd /data01/solr-8.11.1/ranger_audit_server/scripts/
./start_solr.sh
登陆网页查看：http://xxxxxxxx.142:6083/

mysql -hxxxxxxx.142 -P16603 -uroot -pxxxxmmxxxx==
CREATE DATABASE ranger DEFAULT CHARACTER SET utf8 DEFAULT COLLATE utf8_general_ci;

创建用户并设置密码
SET GLOBAL validate_password.policy = LOW;
CREATE USER ‘ranger’@‘%’ IDENTIFIED BY ‘xxxxmmxxxx’;
ALTER USER ‘ranger’@‘%’ IDENTIFIED WITH mysql_native_password BY ‘xxxxmmxxxx’;
FLUSH PRIVILEGES;

安装Ranger
######################################################################################################

1. 创建组 groupadd ranger

2. 创建用户 useradd -m -s /bin/bash -g ranger ranger

3. 设置密码 echo “ranger:xxxxmmxxxx” | sudo chpasswd

编辑/data01/ranger-2.8.0-admin/install.properties
setup_mode=SeparateDBA
#mysql驱动
SQL_CONNECTOR_JAR=/opt/doris/jdbc_drivers/mysql-connector-java-8.0.25.jar
#mysql的主机名和root用户的用户名密码
db_root_user=root
db_root_password=xxxxmmxxxx==
db_host=xxxxxxxx.142
db_port=16603
#ranger需要的数据库名和用户信息，需要和之前创建的信息要一一对应
db_name=ranger
db_user=ranger
db_password=xxxxmmxxxx
db_url=jdbc:mysql://xxxxxxxx.142:16603/ranger?useSSL=false&allowPublicKeyRetrieval=true
db_root_url=jdbc:mysql://xxxxxxxx.142:16603/ranger?useSSL=false&allowPublicKeyRetrieval=true
db_driver=com.mysql.cj.jdbc.Driver
#其他ranger admin需要的用户密码（最少8个字符）
rangerAdmin_password=xxxxmmxxxx
rangerTagsync_password=xxxxmmxxxx
rangerUsersync_password=xxxxmmxxxx
keyadmin_password=xxxxmmxxxx
#ranger存储审计日志的路径和url，默认为solr
audit_store=solr
audit_solr_urls=http://xxxxxxxx.142:6083/solr/ranger_audits
#策略管理器的url,rangeradmin安装在哪台机器，主机名就为对应的主机名
policymgr_external_url=http://xxxxxxxx.142:6080
#启动ranger admin进程的linux用户信息
unix_user=ranger
unix_user_pwd=xxxxmmxxxx
unix_group=ranger

初始化ranger-admin脚本

/data01/ranger-2.8.0-admin/setup.sh

/data01/ranger-2.8.0-admin/set_globals.sh

修改时区
vi /data01/ranger-2.8.0-admin/ews/ranger-admin-services.sh
-Duser.timezone=Asia/Shanghai

启动ranger-admin
ranger-admin start

登陆网页查看：http://xxxxxxxx.142:6080 admin : xxxxmmxxxx

######################################################################################################
https://mirrors.aliyun.com/apache/ranger/2.8.0/?spm=a2c6h.25603864.0.0.6043362faGlrpv
tar -zxvf ranger-2.8.0-usersync.tar.gz -C /data01

编辑/data01/ranger-2.8.0-usersync/install.properties
#rangeradmin的url
POLICY_MGR_URL =http://xxxxxxxx.142:6080
#同步间隔时间，单位(分钟)
SYNC_INTERVAL = 1
#运行此进程的linux用户
unix_user=ranger
unix_group=ranger
#rangerUserSync的用户密码，参考rangeradmin中install.properties的配置
rangerUsersync_password=xxxxmmxxxx

初始化ranger-usersync脚本
/data01/ranger-2.8.0-usersync/setup.sh

启动ranger-usersync
ranger-usersync start

登录ranger admin的web-UI界面，查看用户信息

Ranger与Ldap集成
######################################################################################################
ldapsearch -H ldap://xxxxxxxx.142:389 -x -D “cn=admin,dc=gtk,dc=com” -w ‘xxxxmmxxxx’ -b “dc=gtk,dc=com” -s base

修改设置/data01/ranger-2.8.0-usersync/install.properties
SYNC_SOURCE = ldap
SYNC_LDAP_URL = ldap://xxxxxxxx.142:389
SYNC_LDAP_BIND_DN = cn=admin,dc=gtk,dc=com
SYNC_LDAP_SEARCH_BASE = dc=gtk,dc=com
SYNC_LDAP_USER_SEARCH_BASE = ou=People,dc=gtk,dc=com
SYNC_LDAP_USER_OBJECT_CLASS = posixAccount
SYNC_GROUP_SEARCH_ENABLED=true
SYNC_GROUP_USER_MAP_SYNC_ENABLED=true
SYNC_GROUP_SEARCH_BASE=ou=Group,dc=gtk,dc=com
SYNC_GROUP_OBJECT_CLASS=posixGroup
SYNC_GROUP_MEMBER_ATTRIBUTE_NAME=memberUid

执行/data01/ranger-2.8.0-usersync/setup.sh
ranger-usersync restart

Ranger与Doris集成
######################################################################################################
Ranger安装Doris插件

1、下载 ranger-doris-plugin-3.0.0-SNAPSHOT.jar mysql-connector-java-8.0.25.jar ranger-servicedef-doris.json
2、将下载好的文件放到 Ranger 服务的 ranger-plugins/doris 目录下
mkdir /data01/ranger-2.8.0-admin/ews/webapp/WEB-INF/classes/ranger-plugins/doris
chmod -R 777 /data01/ranger-2.8.0-admin/ews/webapp/WEB-INF/classes/ranger-plugins/doris
3、重启 Ranger 服务。

4、下载 ranger-servicedef-doris.json
执行以下命令上传定义文件到 Ranger 服务：
curl -u admin:xxxxmmxxxx -X POST
-H “Accept: application/json”
-H “Content-Type: application/json”
http://xxxxxxxx.142:6080/service/plugins/definitions
-d@ranger-servicedef-doris.json

5、Ranger页面配置接入Doris源：
xxxxxxxx.121 root xxxxmmxxxx jdbc:mysql://xxxxxxxx.121:9030
xxxxxxxx.142/143/144 xxxxxxxx.96 root xxxxmmxxxx== jdbc:mysql://xxxxxxxx.96:9030

/opt/sdb/fe/conf/fe.conf
Doris与Ldap集成
######################################################################################################
在 /opt/doris/fe/conf/fe.conf 中设置认证方式：
authentication_type=ldap
在 /opt/doris/fe/conf/ldap.conf 中配置 LDAP 服务的连接信息：
ldap_authentication_enabled = true
ldap_host = xxxxxxxx.142
ldap_port = 389
ldap_admin_name = cn=admin,dc=gtk,dc=com
ldap_user_basedn = ou=people,dc=gtk,dc=com
ldap_user_filter = (&(uid={login}))
ldap_group_basedn = ou=group,dc=gtk,dc=com

启动 fe 后，使用 root 或 admin 账号登录 Doris，设置 LDAP 管理员密码：
set ldap_admin_password = password(‘xxxxmmxxxx’);

LDAP 认证要求客户端以明文方式发送密码，因此需要启用明文验证插件。
MySQL Client启用明文验证插件，设置环境变量（永久生效）
echo “export LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN=1” >> ~/.bash_profile && source ~/.bash_profile

登录时添加参数（单次生效）mysql -hxxxxxxx.121 -P9030 -uroot -pxxxxmmxxxx --enable-cleartext-plugin

mysql -hxxxxxxx.121 -P9030 -udemo -pdemo --enable-cleartext-plugin

JDBC Client需要Doris开启SSL
fe.conf 中添加 enable_ssl=true
jdbcUrl = “jdbc:mysql://xxxxxxxx.121:9030/?useSSL=true&sslMode=REQUIRED”

######################################################################################################
更改Doris配置使用Ranger权限管理

1、在 fe/conf/fe.conf 文件中配置鉴权方式为 ranger :
access_controller_type=ranger-doris
2、在所有 FE 的 conf 目录创建 ranger-doris-security.xml 文件，内容如下：

<?xml version="1.0" encoding="UTF-8"?> <?xml-stylesheet type="text/xsl" href="configuration.xsl"?> ranger.plugin.doris.policy.cache.dir /data01/ranger/cache/ ranger.plugin.doris.policy.pollIntervalMs 30000 ranger.plugin.doris.policy.rest.client.connection.timeoutMs 60000 ranger.plugin.doris.policy.rest.client.read.timeoutMs 60000 ranger.plugin.doris.policy.rest.url http://xxxxxxxx.142:6080 ranger.plugin.doris.policy.source.impl org.apache.ranger.admin.client.RangerAdminRESTClient ranger.plugin.doris.service.name WFMPP

其中需要将 ranger.plugin.doris.policy.cache.dir 和 ranger.plugin.doris.policy.rest.url 改为实际值。

3、重启集群

######################################################################################################
权限示例
在 Ldap中中创建 user1，在 Doris 与 Ranger 中均有user1.