
Trino + Apache Ranger on Kubernetes

This project provides a Helm-based deployment of Trino integrated with Apache Ranger for centralized authorization, running on Kubernetes.

🔧 Features

  • Trino coordinator deployed as a StatefulSet
  • Apache Ranger integration for access control and auditing
  • Solr-based audit logging
  • MySQL-backed Ranger policy store
  • Optional TPCH connector
  • All configuration via Helm values

📌 Prerequisites

Before deploying, ensure you’ve built a custom Docker image of Apache Ranger with the required backend services like MySQL and Solr included.
Follow this detailed guide:
➡️ Building Apache Ranger from Source and Creating Custom Docker Image

📦 Repository Structure

.
├── ranger
│   ├── Chart.yaml
│   ├── files
│   │   ├── managed-schema.xml
│   │   └── solrconfig.xml
│   ├── templates
│   │   ├── mysql-configmap.yaml
│   │   ├── mysql-deployement.yaml
│   │   ├── mysql-service.yaml
│   │   ├── ranger-admin-deployment.yaml
│   │   ├── ranger-admin-service.yaml
│   │   ├── solr-configmap.yaml
│   │   ├── solr-deployment.yaml
│   │   └── solr-service.yaml
│   └── values.yaml
├── ranger-docker
│   ├── Dockerfile
│   ├── install.properties
│   └── ranger-entrypoint.sh
└── trino
    ├── Chart.yaml
    ├── templates
    │   ├── catalog-configmap.yaml
    │   ├── configmap.yaml
    │   ├── service.yaml
    │   └── StatefulSets.yaml
    └── values.yaml

🚀 Quick Start

1. Clone the repo

git clone https://github.com/karthigaiselvanm/trino-ranger-k8s.git
cd trino-ranger-k8s

2. Install dependencies

Make sure you have the following:

  • Kubernetes cluster (e.g., Minikube, kind, or EKS)
  • Helm 3.x
  • kubectl configured for your cluster

3. Deploy Ranger components

helm install ranger ./ranger --namespace ranger --create-namespace

This sets up:

  • Ranger Admin (ranger-admin)
  • Ranger DB (ranger-mysql)
  • Ranger Audit Logs (ranger-solr)

kubectl get pods -n ranger

Once all three pods are in Running status, you can verify the Ranger Admin server pod logs.

You can also log in to the Apache Ranger Admin UI at http://<ranger-admin-ip>:6080. For example, I have port-forwarded the service, so it is http://localhost:6080.


4. Deploy Trino with Helm

helm install trino ./trino --namespace ranger

A new pod trino-coordinator-0 will spin up.


🔑 Ranger Access Control

Trino is configured to use Ranger only for access control. The following files are included in the deployment:

  • access-control.properties
  • ranger-trino-security.xml
  • ranger-trino-audit.xml

Use the Ranger Admin UI to define Trino policies.

📁 Example Policy Types:

  • queryid → ExecuteQuery
  • catalog, schema, table → select, update, etc.
  • trinouser → impersonate

🔍 Audit Logging

Audit logs are sent to Ranger Solr.

<property>
  <name>xasecure.audit.solr.solr_url</name>
  <value>http://ranger-solr:8983/solr/ranger_audits</value>
</property>
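
To review denied requests outside the Ranger UI, the audit core configured above can be queried directly and summarized per user. This is an added example, not code from this repository; the service name `trino`, the sample documents, and the Solr field names (`repo`, `reqUser`, `access`, `resource`, `result`, `evtTime`, with `result` 0 meaning denied) are assumptions to check against files/managed-schema.xml.

```python
import json
from collections import Counter
from urllib.parse import urlencode
from urllib.request import urlopen

# Audit core URL from the xasecure.audit.solr.solr_url property above.
SOLR_URL = "http://ranger-solr:8983/solr/ranger_audits"

def denied_query_url(service, rows=100):
    """Solr select URL for the newest denied events of one Ranger service."""
    params = {"q": "*:*", "fq": [f'repo:"{service}"', "result:0"],
              "sort": "evtTime desc", "rows": rows, "wt": "json"}
    return f"{SOLR_URL}/select?{urlencode(params, doseq=True)}"

def summarize_denials(solr_response, threshold=3):
    """Count denials per (user, access, resource); flag users at/over threshold."""
    counts, per_user = Counter(), Counter()
    for doc in solr_response["response"]["docs"]:
        if int(doc.get("result", 1)) != 0:  # assumed: 0 = denied, 1 = allowed
            continue
        user = doc.get("reqUser", "<unknown>")
        counts[(user, doc.get("access", "?"), doc.get("resource", "?"))] += 1
        per_user[user] += 1
    flagged = sorted(u for u, n in per_user.items() if n >= threshold)
    return counts, flagged

def fetch_denials(service):
    """Live query; needs network access to Solr (in-cluster or port-forwarded)."""
    with urlopen(denied_query_url(service), timeout=10) as resp:
        return json.load(resp)

# Constructed sample in the shape of a Solr JSON response (not real audit data).
SAMPLE = {"response": {"numFound": 4, "docs": [
    {"repo": "trino", "reqUser": "trinouser", "access": "select",
     "resource": "tpch/tiny/nation", "result": 0},
    {"repo": "trino", "reqUser": "trinouser", "access": "select",
     "resource": "tpch/tiny/nation", "result": 0},
    {"repo": "trino", "reqUser": "trinouser", "access": "select",
     "resource": "tpch/tiny/orders", "result": 0},
    {"repo": "trino", "reqUser": "admin", "access": "select",
     "resource": "tpch/tiny/nation", "result": 1},
]}}

if __name__ == "__main__":
    counts, flagged = summarize_denials(SAMPLE)
    for (user, access, resource), n in counts.most_common():
        print(f"{n:3d} denied  {user}  {access}  {resource}")
    print("users at or over threshold:", flagged)
```

For live data, pass the result of `fetch_denials("<your-ranger-service-name>")` to `summarize_denials` from a pod in the ranger namespace or through a port-forward to ranger-solr.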

🧪 TPCH Connector (Optional)

To enable the TPCH connector, update your values.yaml:

catalogs:
  tpch.properties: |
    connector.name=tpch

Use the Ranger Admin UI to define Trino policies. Until you create a service for Trino, the integration is not complete.


You can test the integration using DB tools like DBeaver. Example:

[Screenshots: dbeaver-connect, admin-access]

Audit events:

[Screenshot: audit-events]

Unauthorized access:

[Screenshots: trino-user-block, trinouser-audit-block]

Add access policies for trinouser:

[Screenshot: trino-access-policies]

📘 License

Apache 2.0 License

✍️ GitHub Repo

The Helm charts and Dockerfile are in the GitHub repo.

🙌 Acknowledgements