Jason Fehr has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/24343 )
Change subject: IMPALA-14977: Add optional Ranger Helm resources
......................................................................

IMPALA-14977: Add optional Ranger Helm resources

Add optional Ranger deployment and service templates behind a chart flag
so policy-admin components can be deployed when needed.

Add chart validation to require auth.ranger.adminUrl when Ranger auth is
enabled against an external Ranger service.

Add ASF license headers to newly added Ranger chart templates.

Testing:
- helm lint helm/impala
- helm template impala14977-check helm/impala --set ranger.enabled=true
- helm template impala14977-ranger-valid helm/impala
  --set auth.ranger.enabled=true --set ranger.enabled=false
  --set auth.ranger.adminUrl=http://ranger.example.org:6080
- helm template impala14977-ranger-invalid helm/impala
  --set auth.ranger.enabled=true --set ranger.enabled=false
  (fails as expected)
- kubectl config current-context (k3d-impala-live)
- kubectl create namespace impala-14977-policy-live
- helm upgrade --install impala-14977-live helm/impala
  -n impala-14977-policy-live --set ranger.enabled=true
  --set auth.ranger.enabled=true
  --set auth.ranger.adminUrl=http://impala-14977-live-impala-ranger:6080
  --set persistence.accessModes[0]=ReadWriteOnce
- kubectl rollout status
  deployment/impala-14977-live-impala-{statestored,catalogd,impalad,hms,ranger}
  -n impala-14977-policy-live
- kubectl get deployment impala-14977-live-impala-impalad
  -n impala-14977-policy-live
  -o jsonpath='{.spec.template.spec.containers[0].args}'
  (contains -authorization_provider=ranger and -server_name=server1)
- kubectl apply -n impala-14977-policy-live -f - <<'EOT'
  (ranger-db postgres deployment/service)
- kubectl exec -n impala-14977-policy-live deploy/ranger-db --
  psql -U postgres -d ranger -c "DO $$ BEGIN IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname='rangeradmin') THEN CREATE ROLE rangeradmin LOGIN PASSWORD 'rangerR0cks!'; END IF; END $$;"
- kubectl rollout restart deployment/impala-14977-live-impala-ranger
  -n impala-14977-policy-live
- python3 Ranger API smoke: create Hive service server1 and Ranger user
  anubhav; apply deny policy on database/table/column '*' for anubhav
- python3 Impyla smoke against svc/impala-14977-live-impala-impalad:21050:
  create/insert/select on default.ranger_policy_test fail with
  AuthorizationException under deny policy
- python3 Ranger API update: replace deny policy with allow policy for
  anubhav on database/table/column '*'
- python3 Impyla smoke against svc/impala-14977-live-impala-impalad:21050:
  create/insert/select on default.ranger_policy_test succeed under
  allow policy

Change-Id: I34efcce101038161dfd4007ec7a64c0870e4b0b9
Assisted-by: GPT-5.3 (Cursor)
Reviewed-on: http://gerrit.cloudera.org:8080/24343
Reviewed-by: Jason Fehr <[email protected]>
Tested-by: Jason Fehr <[email protected]>
---
A helm/impala/files/ranger-hive-audit.xml
A helm/impala/files/ranger-hive-security.xml
M helm/impala/templates/catalogd-deployment.yaml
M helm/impala/templates/configmap.yaml
M helm/impala/templates/impalad-deployment.yaml
A helm/impala/templates/ranger-deployment.yaml
A helm/impala/templates/ranger-service.yaml
A helm/impala/templates/ranger-validation.yaml
M helm/impala/values.yaml
9 files changed, 217 insertions(+), 0 deletions(-)

Approvals:
  Jason Fehr: Looks good to me, approved; Verified

--
To view, visit http://gerrit.cloudera.org:8080/24343
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: I34efcce101038161dfd4007ec7a64c0870e4b0b9
Gerrit-Change-Number: 24343
Gerrit-PatchSet: 21
Gerrit-Owner: Anubhav Jindal <[email protected]>
Gerrit-Reviewer: Abhishek Rawat <[email protected]>
Gerrit-Reviewer: Anubhav Jindal <[email protected]>
Gerrit-Reviewer: Gokul Kolady <[email protected]>
Gerrit-Reviewer: Impala Public Jenkins <[email protected]>
Gerrit-Reviewer: Jason Fehr <[email protected]>
