Hello Gokul Kolady, Abhishek Rawat, Jason Fehr, Impala Public Jenkins,
I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/24343
to look at the new patch set (#15).
Change subject: IMPALA-14977: Add optional Ranger Helm resources
......................................................................
IMPALA-14977: Add optional Ranger Helm resources
Add optional Ranger deployment and service templates behind a chart flag
so policy-admin components can be deployed when needed.
Add chart validation to require auth.ranger.adminUrl when Ranger auth is
enabled against an external Ranger service.
Add ASF license headers to newly added Ranger chart templates.
Testing:
- helm lint helm/impala
- helm template impala14977-check helm/impala --set ranger.enabled=true
- helm template impala14977-ranger-valid helm/impala --set
auth.ranger.enabled=true --set ranger.enabled=false --set
auth.ranger.adminUrl=http://ranger.example.org:6080
- helm template impala14977-ranger-invalid helm/impala --set
auth.ranger.enabled=true --set ranger.enabled=false (fails as expected)
- kubectl config current-context (k3d-impala-live)
- kubectl create namespace impala-14977-policy-live
- helm upgrade --install impala-14977-live helm/impala -n
impala-14977-policy-live --set ranger.enabled=true --set
auth.ranger.enabled=true --set
auth.ranger.adminUrl=http://impala-14977-live-impala-ranger:6080 --set
persistence.accessModes[0]=ReadWriteOnce
- kubectl rollout status
deployment/impala-14977-live-impala-{statestored,catalogd,impalad,hms,ranger}
-n impala-14977-policy-live
- kubectl get deployment impala-14977-live-impala-impalad -n
impala-14977-policy-live -o jsonpath='{.spec.template.spec.containers[0].args}'
(contains -authorization_provider=ranger and -server_name=server1)
- kubectl apply -n impala-14977-policy-live -f - <<'EOT' (ranger-db postgres
deployment/service)
- kubectl exec -n impala-14977-policy-live deploy/ranger-db -- psql -U postgres
-d ranger -c "DO $$ BEGIN IF NOT EXISTS (SELECT FROM pg_roles WHERE
rolname='rangeradmin') THEN CREATE ROLE rangeradmin LOGIN PASSWORD
'rangerR0cks!'; END IF; END $$;"
- kubectl rollout restart deployment/impala-14977-live-impala-ranger -n
impala-14977-policy-live
- python3 Ranger API smoke: create Hive service server1 and Ranger user
anubhav; apply deny policy on database/table/column '*' for anubhav
- python3 Impyla smoke against svc/impala-14977-live-impala-impalad:21050:
create/insert/select on default.ranger_policy_test fail with
AuthorizationException under deny policy
- python3 Ranger API update: replace deny policy with allow policy for anubhav
on database/table/column '*'
- python3 Impyla smoke against svc/impala-14977-live-impala-impalad:21050:
create/insert/select on default.ranger_policy_test succeed under allow policy
Implemented and validated manually; Cursor-assisted.
Generated-by: Cursor (GPT-5.3)
Change-Id: I34efcce101038161dfd4007ec7a64c0870e4b0b9
---
A helm/impala/files/ranger-hive-audit.xml
A helm/impala/files/ranger-hive-security.xml
M helm/impala/templates/catalogd-deployment.yaml
M helm/impala/templates/configmap.yaml
M helm/impala/templates/impalad-deployment.yaml
A helm/impala/templates/ranger-deployment.yaml
A helm/impala/templates/ranger-service.yaml
A helm/impala/templates/ranger-validation.yaml
M helm/impala/values.yaml
9 files changed, 217 insertions(+), 0 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/43/24343/15
--
To view, visit http://gerrit.cloudera.org:8080/24343
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I34efcce101038161dfd4007ec7a64c0870e4b0b9
Gerrit-Change-Number: 24343
Gerrit-PatchSet: 15
Gerrit-Owner: Anubhav Jindal <[email protected]>
Gerrit-Reviewer: Abhishek Rawat <[email protected]>
Gerrit-Reviewer: Anubhav Jindal <[email protected]>
Gerrit-Reviewer: Gokul Kolady <[email protected]>
Gerrit-Reviewer: Impala Public Jenkins <[email protected]>
Gerrit-Reviewer: Jason Fehr <[email protected]>
