Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).
Create the EMR security configuration

Creating an Amazon EMR Security Configuration for Apache Ranger

Before you launch an Amazon EMR cluster integrated with Apache Ranger, create a security configuration.
Console

To create a security configuration that specifies the Amazon Ranger integration option:

- In the Amazon EMR console, select Security configurations, then Create.
- Type a Name for the security configuration. You use this name to specify the security configuration when you create a cluster.
- Under Amazon Ranger Integration, select Enable fine-grained access control managed by Apache Ranger.
- Select your IAM role for Apache Ranger to apply. For more information, see IAM roles for native integration with Apache Ranger.
- Select your IAM role for other Amazon services to apply.
- Configure the plugins to connect to the Ranger Admin server by entering the Secrets Manager ARN for the Admin server and the address.
- Select the applications to configure Ranger plugins. Enter the Secrets Manager ARN that contains the private TLS certificate for the plugin. If you do not configure Apache Spark or Apache Hive, and they are selected as an application for your cluster, the request fails.
- Set up other security configuration options as appropriate and choose Create. You must enable Kerberos authentication using the cluster-dedicated or external KDC.

You cannot currently use the console to create a security configuration that specifies the Amazon Ranger integration option in the Amazon GovCloud (US) Region. Security configuration can be done using the CLI.
CLI

To create a security configuration for Apache Ranger integration:

- Replace <ACCOUNT ID> with your Amazon account ID.
- Replace <REGION> with the Region that the resource is in.
- Specify a value for TicketLifetimeInHours to determine the period for which a Kerberos ticket issued by the KDC is valid.
- Specify the address of the Ranger Admin server for AdminServerURL.
{
    "AuthenticationConfiguration": {
        "KerberosConfiguration": {
            "Provider": "ClusterDedicatedKdc",
            "ClusterDedicatedKdcConfiguration": {
                "TicketLifetimeInHours": 24
            }
        }
    },
    "AuthorizationConfiguration": {
        "RangerConfiguration": {
            "AdminServerURL": "https://<RANGER ADMIN SERVER IP>:6182",
            "RoleForRangerPluginsARN": "arn:aws:iam::<ACCOUNT ID>:role/<RANGER PLUGIN DATA ACCESS ROLE NAME>",
            "RoleForOtherAWSServicesARN": "arn:aws:iam::<ACCOUNT ID>:role/<USER ACCESS ROLE NAME>",
            "AdminServerSecretARN": "arn:aws:secretsmanager:<REGION>:<ACCOUNT ID>:secret:<SECRET NAME THAT PROVIDES ADMIN SERVERS PUBLIC TLS CERTIFICATE WITHOUT VERSION>",
            "RangerPluginConfigurations": [
                {
                    "App": "Spark",
                    "ClientSecretARN": "arn:aws:secretsmanager:<REGION>:<ACCOUNT ID>:secret:<SECRET NAME THAT PROVIDES SPARK PLUGIN PRIVATE TLS CERTIFICATE WITHOUT VERSION>",
                    "PolicyRepositoryName": "<SPARK SERVICE NAME e.g. amazon-emr-spark>"
                },
                {
                    "App": "Hive",
                    "ClientSecretARN": "arn:aws:secretsmanager:<REGION>:<ACCOUNT ID>:secret:<SECRET NAME THAT PROVIDES HIVE PLUGIN PRIVATE TLS CERTIFICATE WITHOUT VERSION>",
                    "PolicyRepositoryName": "<HIVE SERVICE NAME e.g. Hivedev>"
                },
                {
                    "App": "EMRFS-S3",
                    "ClientSecretARN": "arn:aws:secretsmanager:<REGION>:<ACCOUNT ID>:secret:<SECRET NAME THAT PROVIDES EMRFS S3 PLUGIN PRIVATE TLS CERTIFICATE WITHOUT VERSION>",
                    "PolicyRepositoryName": "<EMRFS S3 SERVICE NAME e.g. amazon-emr-emrfs>"
                },
                {
                    "App": "Trino",
                    "ClientSecretARN": "arn:aws:secretsmanager:<REGION>:<ACCOUNT ID>:secret:<SECRET NAME THAT PROVIDES TRINO PLUGIN PRIVATE TLS CERTIFICATE WITHOUT VERSION>",
                    "PolicyRepositoryName": "<TRINO SERVICE NAME e.g. amazon-emr-trino>"
                }
            ],
            "AuditConfiguration": {
                "Destinations": {
                    "AmazonCloudWatchLogs": {
                        "CloudWatchLogGroup": "arn:aws:logs:<REGION>:<ACCOUNT ID>:log-group:<LOG GROUP NAME FOR AUDIT EVENTS>"
                    }
                }
            }
        }
    }
}
The PolicyRepositoryName values are the service names that are specified in your Apache Ranger Admin.

Create an Amazon EMR security configuration with the following command. Replace security-configuration with a name of your choice. Select this configuration by name when you create your cluster.

aws emr create-security-configuration \
    --security-configuration file://./security-configuration.json \
    --name security-configuration
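The console and CLI procedures above impose several constraints that the service only reports at request time: Kerberos must be enabled, every application on the cluster that needs a Ranger plugin (Spark and Hive) must have a plugin entry, the Secrets Manager ARNs are given without a version, and no template placeholder may be left in the file. The following pre-flight checker is an added example, not code from AWS or the Apache Ranger project; it encodes those constraints so they can be verified locally before running `aws emr create-security-configuration`. Everything in it is an assumption of this example: the ARN patterns are derived from the template above, the sample configuration values (account ID, IP address, role and secret names) are constructed, and the `cluster_apps` list stands in for the applications you will select when creating the cluster.

```python
"""Pre-flight checks for an Amazon EMR security configuration with Apache Ranger
integration. Added example, not AWS or Apache Ranger code: it checks the
constraints stated in the documentation text before the file is submitted with
`aws emr create-security-configuration`. All sample values are constructed."""
import copy
import json
import re

# ARN shapes derived from the page's template (assumption of this example).
# The partition group accepts aws, aws-cn and aws-us-gov.
IAM_ROLE_ARN = re.compile(r"^arn:aws(-cn|-us-gov)?:iam::\d{12}:role/[\w+=,.@/-]+$")
SECRET_ARN = re.compile(r"^arn:aws(-cn|-us-gov)?:secretsmanager:[a-z0-9-]+:\d{12}:secret:[^:]+$")
LOG_GROUP_ARN = re.compile(r"^arn:aws(-cn|-us-gov)?:logs:[a-z0-9-]+:\d{12}:log-group:[^:]+$")
PLACEHOLDER = re.compile(r"<[^<>]+>")  # an unfilled <...> left over from the template

KNOWN_APPS = {"Spark", "Hive", "EMRFS-S3", "Trino"}  # App values used in the template
APPS_REQUIRING_PLUGIN = {"Spark", "Hive"}            # the request fails without these


def find_placeholders(node, path="$"):
    """Yield JSON paths whose string value still contains a <PLACEHOLDER>."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from find_placeholders(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from find_placeholders(value, f"{path}[{i}]")
    elif isinstance(node, str) and PLACEHOLDER.search(node):
        yield path


def validate_security_configuration(config, cluster_apps):
    """Return a list of problems; an empty list means every check passed."""
    problems = [f"unfilled placeholder at {p}" for p in find_placeholders(config)]

    # Kerberos authentication is mandatory for Ranger integration.
    kerberos = config.get("AuthenticationConfiguration", {}).get("KerberosConfiguration")
    if not kerberos:
        problems.append("Kerberos must be enabled (cluster-dedicated or external KDC)")
    elif kerberos.get("Provider") == "ClusterDedicatedKdc":
        ttl = kerberos.get("ClusterDedicatedKdcConfiguration", {}).get("TicketLifetimeInHours")
        if not isinstance(ttl, int) or ttl <= 0:
            problems.append("TicketLifetimeInHours must be a positive integer")

    ranger = config.get("AuthorizationConfiguration", {}).get("RangerConfiguration")
    if not ranger:
        problems.append("AuthorizationConfiguration.RangerConfiguration is missing")
        return problems

    # The template addresses the Admin server over TLS (port 6182); refuse plain http.
    if not str(ranger.get("AdminServerURL", "")).startswith("https://"):
        problems.append("AdminServerURL must use https")
    for key in ("RoleForRangerPluginsARN", "RoleForOtherAWSServicesARN"):
        if not IAM_ROLE_ARN.match(str(ranger.get(key, ""))):
            problems.append(f"{key} is not an IAM role ARN")
    if not SECRET_ARN.match(str(ranger.get("AdminServerSecretARN", ""))):
        problems.append("AdminServerSecretARN is not a Secrets Manager ARN without a version")

    configured = set()
    for i, plugin in enumerate(ranger.get("RangerPluginConfigurations", [])):
        app = plugin.get("App")
        if app not in KNOWN_APPS:
            problems.append(f"RangerPluginConfigurations[{i}]: unknown App {app!r}")
        if not SECRET_ARN.match(str(plugin.get("ClientSecretARN", ""))):
            problems.append(f"RangerPluginConfigurations[{i}] ({app}): bad ClientSecretARN")
        if not plugin.get("PolicyRepositoryName"):
            problems.append(f"RangerPluginConfigurations[{i}] ({app}): PolicyRepositoryName missing")
        configured.add(app)
    for app in sorted(APPS_REQUIRING_PLUGIN & set(cluster_apps)):
        if app not in configured:
            problems.append(f"{app} is on the cluster but has no Ranger plugin configuration")

    # Audit destination is optional here; when present, the log group ARN must be well formed.
    audit = ranger.get("AuditConfiguration", {}).get("Destinations", {}).get("AmazonCloudWatchLogs")
    if audit and not LOG_GROUP_ARN.match(str(audit.get("CloudWatchLogGroup", ""))):
        problems.append("AuditConfiguration: CloudWatchLogGroup is not a log group ARN")
    return problems


def validate_file(path, cluster_apps):
    """Validate a security-configuration.json on disk."""
    with open(path) as fh:
        return validate_security_configuration(json.load(fh), cluster_apps)


def sample_configuration():
    """Constructed configuration shaped like the page's template; all values are fake."""
    secret = "arn:aws:secretsmanager:us-east-1:123456789012:secret:{}"
    return {
        "AuthenticationConfiguration": {"KerberosConfiguration": {
            "Provider": "ClusterDedicatedKdc",
            "ClusterDedicatedKdcConfiguration": {"TicketLifetimeInHours": 24}}},
        "AuthorizationConfiguration": {"RangerConfiguration": {
            "AdminServerURL": "https://10.0.0.10:6182",
            "RoleForRangerPluginsARN": "arn:aws:iam::123456789012:role/EMR-RangerPluginDataAccess",
            "RoleForOtherAWSServicesARN": "arn:aws:iam::123456789012:role/EMR-RangerUserAccess",
            "AdminServerSecretARN": secret.format("ranger-admin-public-cert"),
            "RangerPluginConfigurations": [
                {"App": "Spark", "ClientSecretARN": secret.format("spark-plugin-cert"),
                 "PolicyRepositoryName": "amazon-emr-spark"},
                {"App": "Hive", "ClientSecretARN": secret.format("hive-plugin-cert"),
                 "PolicyRepositoryName": "Hivedev"}],
            "AuditConfiguration": {"Destinations": {"AmazonCloudWatchLogs": {
                "CloudWatchLogGroup": "arn:aws:logs:us-east-1:123456789012:log-group:ranger-audit"}}}}}}


def broken_configuration():
    """Same config with the Hive plugin dropped and a placeholder left in the URL."""
    cfg = copy.deepcopy(sample_configuration())
    ranger = cfg["AuthorizationConfiguration"]["RangerConfiguration"]
    ranger["RangerPluginConfigurations"].pop(1)
    ranger["AdminServerURL"] = "http://<RANGER ADMIN SERVER IP>:6182"
    return cfg


if __name__ == "__main__":
    print("valid config:", validate_security_configuration(sample_configuration(), ["Spark", "Hive"]))
    for problem in validate_security_configuration(broken_configuration(), ["Spark", "Hive"]):
        print("-", problem)
```

Run it against the real file with `validate_file("security-configuration.json", ["Spark", "Hive"])` and pass the same application list you will give `aws emr create-cluster`; a non-empty result means the request would be rejected or the plugins would be mis-wired, so fix the file before submitting it.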
Configure Additional Security Features

To securely integrate Amazon EMR with Apache Ranger, configure the following EMR security features:

For more information, see Security in Amazon EMR.