aws-samples
diff --git a/‎README.md
Lines changed: 7 additions & 3 deletions b/‎README.md
Lines changed: 7 additions & 3 deletions
diff --git a/‎aws_emr_blog_v1/cloudformation/emr-template.template
Lines changed: 27 additions & 21 deletions b/‎aws_emr_blog_v1/cloudformation/emr-template.template
Lines changed: 27 additions & 21 deletions
diff --git a/‎aws_emr_blog_v1/cloudformation/nestedstack.template
Lines changed: 29 additions & 26 deletions b/‎aws_emr_blog_v1/cloudformation/nestedstack.template
Lines changed: 29 additions & 26 deletions
@@ -7,9 +7,9 @@ It uses agents to sync policies and users, and plugins that run within the same
 
 The repo contains code tied to [AWS Big Data Blog](https://aws.amazon.com/blogs/big-data/implementing-authorization-and-auditing-using-apache-ranger-on-amazon-emr/).
 
-> **Development Status** the code has gone through unit and functional test against a **few recent versions** of Amazon EMR. 
+> **NOTE:** the code has gone through unit and functional test against a **few recent versions** of Amazon EMR. 
 > It is likely that it may not work with **all** EMR versions.
-> Plugins marked as **beta** has not been tested in production.
+> Code/plugin marked as **beta** has not been suitable for production use.
 >> Please submit Pull Request or to create an [Issue](https://github.com/aws-samples/aws-emr-apache-ranger/issues/new)
 >
 ### Deployment options: 
@@ -21,9 +21,13 @@ The repo contains code tied to [AWS Big Data Blog](https://aws.amazon.com/blogs/
 ### Compatibility/Supported plugins: 
 | Module|  Tag | Cloudformation stack | Apache Ranger Version | EMR Version | Supported Plugins|
 | -------| --- | --- | --- | --- |-------------------------------------------------------- |
-| V1 | [1.0](https://github.com/aws-samples/aws-emr-apache-ranger/tree/1.0) | [![Foo](images/launch_stack.png)](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?stackName=EMRSecurityWithRangerBlogV1&templateURL=https://s3.amazonaws.com/aws-bigdata-blog/artifacts/aws-blog-emr-ranger/1.0/cloudformation/nestedstack.template) | Apache Ranger 1.0, 2.1 | emr-5.28.1, emr-5.29.0, emr-5.30.1| Hive 2.x, Hadoop 2.x, PrestoDB 0.227/0.232 (Presto plugin needs Ranger 2.0) | 
+| V1 | [1.0](https://github.com/aws-samples/aws-emr-apache-ranger/tree/v1.0) | [![Foo](images/launch_stack.png)](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?stackName=EMRSecurityWithRangerBlogV1&templateURL=https://s3.amazonaws.com/aws-bigdata-blog/artifacts/aws-blog-emr-ranger/1.0/cloudformation/nestedstack.template) | Apache Ranger 1.0, 2.1 | emr-5.28.1, emr-5.29.0, emr-5.30.1| Hive 2.x, Hadoop 2.x, PrestoDB 0.227/0.232 (Presto plugin needs Ranger 2.0) | 
 | V1 | (work in progress) | [![Foo](images/launch_stack.png)](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?stackName=EMRSecurityWithRangerBlogV1&templateURL=https://s3.amazonaws.com/aws-bigdata-blog/artifacts/aws-blog-emr-ranger/1.1/cloudformation/nestedstack.template) | Apache Ranger 2.2 | emr-6.1.0 | Hive 3.x, Hadoop 3.x, PrestoSQL 338 OR PrestoDB 0.232 | 
 
+> WARNING: The current V1 setup does not enable strong cluster level Auth (Kerberos) for EMR. Only LDAP enabled Hue UI. V2 will support Kerberos - refer to the [roadmap](https://github.com/aws-samples/aws-emr-apache-ranger/projects/1) for details.
+### PrestoSQL Ranger plugin (EMR 6.1 & Ranger 2.2)
+Shows how the plugin can be used to enable column level access controls, column masking and row filter. Demo uses the [Presto Redshift connector](https://prestosql.io/docs/current/connector/redshift.html). The same functionality should work with other [Presto connectors](https://prestosql.io/docs/current/connector.html).
+![](images/prestosql_ranger_plugin.gif)
 Please open Git Issues if you would like to see updates/other plugin integrations. 
 ### References:
 
 
@@ -59,27 +59,40 @@ Parameters:
       - emr-5.28.0
       - emr-5.28.1
       - emr-5.29.0
-      - emr-5.30.1
+      - emr-5.30.0
+      - emr-5.31.0
+      - emr-5.32.0
+      - emr-6.1.0
     Description: Release label for the EMR cluster
     Type: String
   rangerVersion:
     Default: '2.0'
     Description: Version of the Ranger Server.
     Type: String
     AllowedValues:
-      - '0.6'
-      - '0.7'
       - '1.0'
       - '2.0'
   s3artifactsRepo:
-    Default: s3://aws-bigdata-blog/artifacts/aws-blog-emr-ranger/1.0
+    Default: aws-bigdata-blog/artifacts/aws-blog-emr-ranger
     Description: Git Repo URL for this blog.
     Type: String
+  s3artifactsRepoVersion:
+      Default: 1.0
+      Description: Current version of the code
+      Type: String
+      AllowedValues:
+        - 1.0
+        - 1.1
   InstallPrestoRangerPlugin:
     Description: Install the Ranger Presto Plugin. NOTE - This needs Ranger 2.0 and has not been tested with all versions
     Default: false
     Type: String
     AllowedValues: [true, false]
+  PrestoEngine:
+    Description: Presto Engine. PrestoSQL is only available with EMR 6.x
+    Default: Presto
+    Type: String
+    AllowedValues: [Presto, PrestoSQL]
 #  InstallSparkRangerPlugin:
 #    Description: Install the Ranger Spark Plugin. NOTE - This needs Ranger 2.0 and has not been tested with all versions
 #    Default: false
@@ -106,7 +119,7 @@ Conditions:
     - emr-5.29.0
   emr-5.30: !Equals
     - !Ref 'emrReleaseLabel'
-    - emr-5.30.1
+    - emr-5.30.0
   emr-6.0: !Equals
     - !Ref 'emrReleaseLabel'
     - emr-6.0.0
@@ -124,18 +137,15 @@ Resources:
         - Name: Hive
         - Name: Hadoop
         - Name: Hue
-        - Name: Presto
+        - Name: !Ref PrestoEngine
         - Name: Spark
         - Name: Livy
       BootstrapActions:
         - Name: Download scripts
           ScriptBootstrapAction:
-            Path: !Join
-              - ''
-              - - !Ref 's3artifactsRepo'
-                - /scripts/download-scripts.sh
+            Path: !Join ['', ['s3://', !Ref s3artifactsRepo, '/', !Ref s3artifactsRepoVersion, '/scripts/download-scripts.sh']]
             Args:
-              - !Ref 's3artifactsRepo'
+              - !Join ['', ['s3://', !Ref s3artifactsRepo]]
       Configurations:
         - Classification: hue-ini
           Configurations:
@@ -281,7 +291,8 @@ Resources:
           - /mnt/tmp/aws-blog-emr-ranger/scripts/emr-steps/install-hive-hdfs-ranger-plugin.sh
           - !Ref 'RangerHostname'
           - !Ref 'rangerVersion'
-          - !Ref 's3artifactsRepo'
+          - !Join ['', ['s3://', !Ref s3artifactsRepo]]
+          - !Ref 'emrReleaseLabel'
         Jar: s3://elasticmapreduce/libs/script-runner/script-runner.jar
         MainClass: ''
       JobFlowId: !Ref 'EMRSampleCluster'
@@ -294,10 +305,7 @@ Resources:
         Args:
           - /mnt/tmp/aws-blog-emr-ranger/scripts/emr-steps/install-hive-hdfs-ranger-policies.sh
           - !Ref 'RangerHostname'
-          - !Join
-            - ''
-            - - !Ref 's3artifactsRepo'
-              - /inputdata
+          - !Join ['', ['s3://', !Ref s3artifactsRepo, '/', !Ref s3artifactsRepoVersion, '/inputdata']]
         Jar: s3://elasticmapreduce/libs/script-runner/script-runner.jar
         MainClass: ''
       JobFlowId: !Ref 'EMRSampleCluster'
@@ -311,8 +319,9 @@ Resources:
           - /mnt/tmp/aws-blog-emr-ranger/scripts/emr-steps/install-presto-ranger-plugin.sh
           - !Ref 'RangerHostname'
           - !Ref 'rangerVersion'
-          - !Ref 's3artifactsRepo'
+          - !Join ['', ['s3://', !Ref s3artifactsRepo]]
           - !Ref 'emrReleaseLabel'
+          - !Ref 'PrestoEngine'
         Jar: s3://elasticmapreduce/libs/script-runner/script-runner.jar
         MainClass: ''
       JobFlowId: !Ref 'EMRSampleCluster'
@@ -326,10 +335,7 @@ Resources:
         Args:
           - /mnt/tmp/aws-blog-emr-ranger/scripts/emr-steps/install-presto-ranger-policies.sh
           - !Ref 'RangerHostname'
-          - !Join
-            - ''
-            - - !Ref 's3artifactsRepo'
-              - /inputdata
+          - !Join ['', ['s3://', !Ref s3artifactsRepo, '/', !Ref s3artifactsRepoVersion, '/inputdata']]
         Jar: s3://elasticmapreduce/libs/script-runner/script-runner.jar
         MainClass: ''
       JobFlowId: !Ref 'EMRSampleCluster'
 
@@ -80,17 +80,14 @@ Parameters:
     Type: String
     NoEcho: true
   rangerVersion:
-    Description: 'RangerVersion. Expected values are : 0.6,0.7,1.0,2.0. NOTE: Use Ranger 0.6 if
-      EMR version is 5.0'
+    Description: 'RangerVersion. Expected values are : 1.0,2.0'
     AllowedValues:
-      - '0.6'
-      - '0.7'
       - '1.0'
       - '2.0'
     Type: String
     Default: '2.0'
   emrReleaseLabel:
-    Description: EMR Version. Pick Ranger 0.6 if EMR version is 5.0 or higher
+    Default: emr-5.29.0
     AllowedValues:
       - emr-5.0.0
       - emr-5.4.0
@@ -101,17 +98,28 @@ Parameters:
       - emr-5.28.0
       - emr-5.28.1
       - emr-5.29.0
-      - emr-5.30.1
+      - emr-5.30.0
+      - emr-5.31.0
+      - emr-5.32.0
+      - emr-6.1.0
+    Description: Release label for the EMR cluster
     Type: String
-    Default: emr-5.29.0
-  s3artifactsRepoHttp:
-    Default: https://s3.amazonaws.com/aws-bigdata-blog/artifacts/aws-blog-emr-ranger/1.0
-    Description: HTTP location of the repo.
+  PrestoEngine:
+    Description: Presto Engine. PrestoSQL is only available with EMR 6.x
+    Default: Presto
     Type: String
+    AllowedValues: [Presto, PrestoSQL]
   s3artifactsRepo:
-    Default: s3://aws-bigdata-blog/artifacts/aws-blog-emr-ranger/1.0
+    Default: aws-bigdata-blog/artifacts/aws-blog-emr-ranger
     Description: S3 location of the repo.
     Type: String
+  s3artifactsRepoVersion:
+    Default: 1.0
+    Description: Project version
+    Type: String
+    AllowedValues:
+      - 1.0
+      - 1.1
   InstallPrestoRangerPlugin:
     Description: Install the Ranger Presto Plugin. NOTE - This needs Ranger 2.0 and has not been tested with all versions
     Default: false
@@ -123,8 +131,8 @@ Metadata:
       - Label:
           default: Artifacts repo
         Parameters:
-          - s3artifactsRepoHttp
           - s3artifactsRepo
+          - s3artifactsRepoVersion
       - Label:
           default: Network Configuration
         Parameters:
@@ -161,10 +169,7 @@ Resources:
   SimpleAD:
     Type: AWS::CloudFormation::Stack
     Properties:
-      TemplateURL: !Join
-        - ''
-        - - !Ref 's3artifactsRepoHttp'
-          - /cloudformation/simple-ad-template.template
+      TemplateURL: !Join ['', ['https://s3.amazonaws.com/', !Ref 's3artifactsRepo', '/', !Ref 's3artifactsRepoVersion', '/cloudformation/', 'simple-ad-template.template']]
       Parameters:
         VPC: !Ref 'VPC'
         Subnet1SimpleAD: !Ref 'Subnet1SimpleAD'
@@ -176,10 +181,7 @@ Resources:
     DependsOn:
       - SimpleAD
     Properties:
-      TemplateURL: !Join
-        - ''
-        - - !Ref 's3artifactsRepoHttp'
-          - /cloudformation/ranger-server.template
+      TemplateURL: !Join ['', ['https://s3.amazonaws.com/', !Ref 's3artifactsRepo', '/', !Ref 's3artifactsRepoVersion', '/cloudformation/', 'ranger-server.template']]
       Parameters:
         VPC: !Ref 'VPC'
         VPCCidrBlock: !Ref 'VPCCidrBlock'
@@ -190,20 +192,19 @@ Resources:
         myDirectoryBaseDN: !Ref 'myDirectoryBaseDN'
         myDirectoryBindUser: !Ref 'myDirectoryBindUser'
         rangerVersion: !Ref 'rangerVersion'
-        s3artifactsRepoHttp: !Ref 's3artifactsRepoHttp'
+        s3artifactsRepo: !Ref s3artifactsRepo
+        s3artifactsRepoVersion: !Ref s3artifactsRepoVersion
         myDirectoryAdminPassword: !Ref 'myDirectoryAdminPassword'
         myDirectoryBindPassword: !Ref 'myDirectoryBindPassword'
         myDirectoryDefaultUserPassword: !Ref 'myDirectoryDefaultUserPassword'
+        emrReleaseLabel: !Ref 'emrReleaseLabel'
       TimeoutInMinutes: '60'
   EMRCluster:
     Type: AWS::CloudFormation::Stack
     DependsOn:
       - RangerServer
     Properties:
-      TemplateURL: !Join
-        - ''
-        - - !Ref 's3artifactsRepoHttp'
-          - /cloudformation/emr-template.template
+      TemplateURL: !Join ['', ['https://s3.amazonaws.com/', !Ref 's3artifactsRepo', '/', !Ref 's3artifactsRepoVersion', '/cloudformation/', 'emr-template.template']]
       Parameters:
         myDirectoryBindUser: !Ref 'myDirectoryBindUser'
         myDirectoryBindPassword: !Ref 'myDirectoryBindPassword'
@@ -219,8 +220,10 @@ Resources:
         VPC: !Ref 'VPC'
         KeyName: !Ref 'KeyName'
         Subnet: !Ref 'DefaultSubnet'
-        s3artifactsRepo: !Ref 's3artifactsRepo'
+        s3artifactsRepo: !Ref s3artifactsRepo
+        s3artifactsRepoVersion: !Ref s3artifactsRepoVersion
         InstallPrestoRangerPlugin: !Ref 'InstallPrestoRangerPlugin'
+        PrestoEngine: !Ref 'PrestoEngine'
       TimeoutInMinutes: '60'
 Outputs:
   RangerServerIP: