Saturday, December 3, 2022
HomeBig DataAllow federated governance utilizing Trino and Apache Ranger on Amazon EMR

Allow federated governance utilizing Trino and Apache Ranger on Amazon EMR

Managing knowledge by way of a central knowledge platform simplifies staffing and coaching challenges and reduces the prices. Nevertheless, it may well create scaling, possession, and accountability challenges, as a result of central groups could not perceive the precise wants of an information area, whether or not it’s due to knowledge varieties and storage, safety, knowledge catalog necessities, or particular applied sciences wanted for knowledge processing. One of many structure patterns that has emerged not too long ago to deal with this problem is the information mesh structure, which supplies possession and autonomy to particular person groups who personal the information. One of many main parts of implementing an information mesh structure lies in enabling federated governance, which incorporates centralized authorization and audits.

Apache Ranger is an open-source undertaking that gives authorization and audit capabilities for Hadoop and associated huge knowledge purposes like Apache Hive, Apache HBase, and Apache Kafka.

Trino, then again, is a extremely parallel and distributed question engine, and gives federated entry to knowledge through the use of connectors to a number of backend methods like Hive, Amazon Redshift, and Amazon OpenSearch Service. Trino acts as a single entry level to question all knowledge sources.

By combining Trino question federation options with the authorization and audit functionality of Apache Ranger, you may allow federated governance. This enables a number of purpose-built knowledge engines to operate as one, with a single centralized place to handle knowledge entry controls.

This publish shares particulars on architect this answer utilizing the brand new EMR Ranger Trino plugin on Amazon EMR 6.7.

Answer overview

Trino means that you can question knowledge in numerous sources, utilizing an in depth set of connectors. This function lets you have a single level of entry for all knowledge sources that may be queried by way of SQL.

The next diagram illustrates the high-level overview of the structure.

This structure relies on 4 main parts:

  • Home windows AD, which is liable for offering the identities of customers throughout the system. It’s primarily composed of a key distribution heart (KDC) that gives kerberos tickets to AD customers to work together with the EMR cluster, and a Light-weight Listing Entry Protocol (LDAP) server that defines the group of customers in logical constructions.
  • An Apache Ranger server, which runs on an Amazon Elastic Compute Cloud (Amazon EC2) occasion whose lifecycle is unbiased from the one of many EMR cluster. Apache Ranger consists of a Ranger admin server that shops and retrieves insurance policies in and from a MySQL database operating in Amazon Relational Database Service (Amazon RDS), a usersync server that connects to the Home windows AD LDAP server to synchronize identities to make them accessible for coverage settings, and an elective Apache Solr server to index and retailer audits.
  • An Amazon RDS for MySQL database occasion utilized by the Hive metastore to retailer metadata associated to the tables schemas, and the Apache Ranger server to retailer the entry management insurance policies.
  • An EMR cluster with the next configuration updates:
    • Apache Ranger safety configuration.
    • A neighborhood KDC that establishes a one-way belief with Home windows AD as a way to have the Kerberized EMR cluster acknowledge the consumer identities from the AD.
    • A Hue consumer interface with LDAP authentication enabled to run SQL queries on the Trino engine.
  • An Amazon CloudWatch log group to retailer all audit logs for the AWS managed Ranger plugins.
  • (Elective) Trino connectors for different execution engines like Amazon Redshift, Amazon OpenSearch Service, PostgresSQL, and others.


Earlier than getting began, it’s essential to have the next conditions. For extra info, consult with the Stipulations and Establishing your sources sections in Introducing Amazon EMR integration with Apache Ranger.

To arrange the brand new Apache Ranger Trino plugin, the next steps are required:

  1. Delete any present Presto service definitions within the Apache Ranger admin server:
    #Delete Presto Service Definition
    curl -f -u *<admin customers login>*:*_<_**_password_ **_for_** _ranger admin user_**_>_* -X DELETE -k 'https://*<RANGER SERVER ADDRESS>*:6182/service/public/v2/api/servicedef/title/presto'

  2. Obtain and add new Apache Ranger service definitions for Trino within the Apache Ranger admin server:
    curl -u *<admin customers login>*:*_<_**_password_ **_for_** _ranger admin user_**_>_* -X POST -d @ranger-servicedef-amazon-emr-trino.json 
    -H "Settle for: utility/json" 
    -H "Content material-Sort: utility/json" 
    -k 'https://*<RANGER SERVER ADDRESS>*:6182/service/public/v2/api/servicedef'

  3. Create a brand new Amazon EMR safety configuration for Apache Ranger set up to incorporate Trino coverage repository particulars. For extra info, see Create the EMR safety configuration.
  4. Optionally, if you wish to use the Hue UI to run Trino SQL, add the hue consumer to the Apache Ranger admin server. Run the next command on the Ranger admin server:
    # Observe: enter parameter Ranger host IP handle
     set -x
    cat > hueuser.json << EOF
      "title": "hue1",
      "firstName": "hue",
      "lastName": "",
      "loginId": "hue1",
      "emailAddress" : null,
      "description" : "hue consumer",
      "password" : "user1pass",
      "groupIdList": [],
      "groupNameList": [],
      "standing": 1,
      "isVisible": 1,
      "userRoleList": [ "ROLE_USER" ],
      "userSource": 0
    #add customers 
    curl -u admin:admin -v -i -s -X POST  -d @hueuser.json -H "Settle for: utility/json" -H "Content material-Sort: utility/json"  -k $RANGER_HTTP_URL/service/xusers/safe/customers

After you add the hue consumer, it’s used to impersonate SQL calls submitted by AD customers.

Warning: Impersonation function ought to all the time be used rigorously to keep away from giving any/all customers entry to excessive privileges.

This publish additionally demonstrates the capabilities of operating queries towards exterior databases, similar to Amazon Redshift and PostgresSQL utilizing Trino connectors, whereas controlling entry on the database, desk, row, and column degree utilizing the Apache Ranger insurance policies. This requires you to arrange the database engines you wish to join with. The next instance code demonstrates utilizing the Amazon Redshift connector. To arrange the connector, create the file underneath /and so on/trino/conf.dist/catalog on all Amazon EMR nodes and restart the Trino server.

  • Create the property file on all of the Amazon EMR nodes with the next code:
    # Create a brand new file
    /and so on/trino/conf.dist/catalog/

  • Replace the property file with the Amazon Redshift cluster particulars:

  • Restart the Trino server:
    # Restart Trino server 
    sudo systemctl cease trino-server.service
    sudo systemctl begin trino-server.service

  • In a manufacturing surroundings, you may automate this step utilizing the next inside your EMR Classification:
    "Classification": "trino-connector-redshift",
    "Properties": {
    "connector.title": "redshift",
    "connection-url": "jdbc:redshift://XXXXX:5439/dev",
    "connection-user": "XXXX",
    "connection-password": "XXXX"

Check your setup

On this part, we undergo an instance the place the information is distributed throughout Amazon Redshift for dimension tables and Hive for truth tables. We will use Trino to affix knowledge between these two engines.

On Amazon Redshift, let’s outline a brand new dimension desk known as Merchandise and cargo it with knowledge:

--- Setup merchandise desk in Redshift
 > create desk public.merchandise 
 (firm VARCHAR, hyperlink VARCHAR, value FLOAT, product_category VARCHAR, 
 release_date VARCHAR, sku VARCHAR);

--- Copy knowledge from S3

 > COPY public.merchandise
  FROM 's3://aws-bigdata-blog/artifacts/aws-blog-emr-ranger/knowledge/staging/merchandise/'

Then use the Hue UI to create the Hive exterior desk Orders:

(customer_id STRING, order_date STRING, value DOUBLE, sku STRING)
LOCATION 's3://aws-bigdata-blog/artifacts/aws-blog-emr-ranger/knowledge/staging/orders';

Now let’s use Trino to affix each datasets:

-- Be a part of the dimension desk in Redshift (merchandise) with the very fact desk in hive (orders), 
to get the sum of gross sales by product_category and sku
SELECT sum(orders.value) total_sales, merchandise.sku, merchandise.product_category
FROM hive.staging.orders be part of redshift.public.merchandise on orders.sku = merchandise.sku
group by merchandise.sku, merchandise.product_category restrict 10

The next screenshot reveals our outcomes.

Row filtering and column masking

Apache Ranger helps insurance policies to permit or deny entry based mostly on a number of attributes, together with consumer, group, and predefined roles, in addition to dynamic attributes like IP handle and time of entry. As well as, the mannequin helps authorization based mostly on the classification of the sources similar to like PII, FINANCE, and SENSITIVE.

One other function is the flexibility to permit customers to entry solely a subset of rows in a desk or prohibit customers to entry solely masked or redacted values of delicate knowledge. Examples of this embody the flexibility to limit customers to entry solely data of consumers situated in the identical nation the place the consumer works, or enable a consumer who’s physician to see solely data of sufferers which are related to that physician.

The next screenshots present how, through the use of Trino Ranger insurance policies, you may allow row filtering and column masking of information in Amazon Redshift tables.

The instance coverage masks the firstname column, and applies a filter situation on the town column to limit customers to view rows for a particular metropolis solely.

The next screenshot reveals our outcomes.

Dynamic row filtering utilizing consumer session context

The Trino Ranger plugin passes down Trino session knowledge like current_user() that you should utilize within the coverage definition. This may vastly simplify your row filter situations by eradicating the necessity for hardcoded values and utilizing a mapping lookup. For extra particulars on dynamic row filtering, consult with Row-level filtering and column-masking utilizing Apache Ranger insurance policies in Apache Hive.

Recognized challenge with Amazon EMR 6.7

Amazon EMR 6.7 has a recognized challenge when enabling Kerberos 1-way belief with Microsoft home windows AD. Please run this bootstrap script following these directions as a part of the cluster launch.


When utilizing this answer, bear in mind the next limitations, additional particulars could be discovered right here:

  • Non-Kerberos clusters will not be supported.
  • Audit logs will not be seen on the Apache Ranger UI, as a result of these are despatched to CloudWatch.
  • The AWS Glue Knowledge Catalog isn’t supported because the Apache Hive Metastore.
  • The combination between Amazon EMR and Apache Ranger limits the accessible purposes. For a full record, consult with Utility assist and limitations.


When you can’t log in to the EMR cluster’s node as an AD consumer, and also you get the error message Permission denied, please attempt once more.

This may occur if the SSSD service has stopped on the node you are attempting to entry. To repair this, hook up with the node utilizing the configured SSH key-pair or by making use of Session Supervisor  and run the next command.

sudo service sssd restart

When you’re unable to obtain insurance policies from Ranger admin server, and also you get the error message Error getting insurance policies with the HTTP standing code 400. This may be prompted as a result of both the certificates has expired or the Ranger coverage definition shouldn’t be arrange accurately.

To repair this, test the Ranger admin logs. If it reveals the next error, it’s seemingly that the certificates have expired.

[email protected]={1} msgDesc={Unauthorized entry - unable to get shopper certificates} messageList={[VXMessage={org.apache.ran
[email protected]={OPER_NOT_ALLOWED_FOR_ENTITY} rbKey={xa.error.oper_not_allowed_for_state} message={Operation not allowed for entity} objectId={n
ull} fieldName={null} }]} }

You have to to carry out the next steps to deal with the problem

  • Recreate the certs utilizing the script and add them to Secrets and techniques Supervisor.
  • Then replace the Ranger admin server configuration with new certificates, and restart Ranger admin service.
  • Create a brand new EMR safety configuration utilizing the brand new certificates, and re-launch EMR cluster utilizing new safety configurations.

The difficulty can be prompted attributable to a misconfigured Ranger coverage definition. The Ranger admin service coverage definition ought to belief the self-signed certificates chain. Be sure the next configuration attribute for the service definitions has the proper area title or sample to match the area title used in your EMR cluster nodes.

If the EMR cluster retains failing with the error message Terminated with errors: An inside error occurred, test the Amazon EMR major node undercover agent logs.

If it reveals the next message, the cluster is failing as a result of the desired CloudWatch log group doesn’t exist:

Exception in thread "primary" com.amazonaws.providers.logs.mannequin.ResourceNotFoundException: The required log group doesn't exist. (Service: AWSLogs; Standing Code: 400; Error Code: ResourceNotFoundException; Request ID: d9fa2ef1-17cb-4b8f-a07f-8a6aea245173; Proxy: null)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleServiceErrorResponse(
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(

A question run by way of trino-cli would possibly fail with the error Unable to acquire password from consumer. For instance:

ERROR   remote-task-callback-42 io.trino.execution.StageStateMachine    Stage 20220422_023236_00005_zn4vb.1 failed java.lang.RuntimeException: Unable to acquire password from consumer

This challenge can happen attributable to incorrect realm names within the and so on/trino/conf.dist/catalog/ file. Test the area or realm title and different Kerberos associated configs within the and so on/trino/conf.dist/catalog/ file. Optionally, additionally test the /and so on/trino/conf.dist/ and /and so on/trino/conf.dist/ information in case any config adjustments has been made.

Clear up

Clear up the sources created both manually or by the AWS CloudFormation template supplied in GitHub repo to keep away from pointless price to your AWS account. You’ll be able to delete the CloudFormation stack by deciding on the stack on the AWS CloudFormation console and selecting Delete. This motion deletes all of the sources it provisioned. When you manually up to date a template-provisioned useful resource, you could encounter some points throughout cleanup; it is advisable clear these up independently.


A knowledge mesh strategy encourages the concept of information domains the place every area staff owns their knowledge and is liable for knowledge high quality and accuracy. This attracts parallels with a microservices structure. Constructing federated knowledge governance like we present on this publish is on the core of implementing an information mesh structure. Combining the highly effective question federation capabilities of Apache Trino with the centralized authorization and audit capabilities of Apache Ranger gives an end-to-end answer to function and govern an information mesh platform.

Along with the already accessible Ranger integrations capabilities for Apache SparkSQL, Amazon S3, and Apache Hive, ranging from 6.7 launch, Amazon EMR contains plugins for Ranger Trino integrations. For extra info, consult with EMR Trino Ranger plugin.

Concerning the authors

Varun Rao Bhamidimarri is a Sr Supervisor, AWS Analytics Specialist Options Architect staff. His focus helps prospects with adoption of cloud-enabled analytics options to satisfy their enterprise necessities. Outdoors of labor, he loves spending time along with his spouse and two youngsters, keep wholesome, mediate and not too long ago picked up gardening through the lockdown.

Partha Sarathi Sahoo is an Analytics Specialist TAM – at AWS based mostly in Sydney, Australia. He brings 15+ years of expertise experience and helps Enterprise prospects optimize Analytics workloads. He has extensively labored on each on-premise and cloud Bigdata workloads together with varied ETL platform in his earlier roles. He additionally actively works on conducting proactive operational critiques across the Analytics providers like Amazon EMR, Redshift, and OpenSearch.

Anis Harfouche is a Knowledge Architect at AWS Skilled Providers. He helps prospects attaining their enterprise outcomes by designing, constructing and deploying knowledge options based mostly on AWS providers.



Please enter your comment!
Please enter your name here

Most Popular

Recent Comments