diff --git a/content/zh-cn/blog/configguide-01/2021-09-24-config-01.md b/content/zh-cn/blog/configguide-01/2021-09-24-config-01.md
new file mode 100644
index 0000000000000000000000000000000000000000..f51144b7ef215421f70152a6188ed9eb3fa31be8
--- /dev/null
+++ b/content/zh-cn/blog/configguide-01/2021-09-24-config-01.md
@@ -0,0 +1,363 @@
++++
+
+title = "openLooKeng AA安全配置指导(一)----对接Kerberos"
+date = "2021-09-24"
+tags = ["openLooKeng", "Kerberos", "AA", " SSL", "webUI", "MIT"]
+archives = "2021-09"
+author = "senny456"
+description = "指导如何配置openLooKeng AA开启https和Kerberos,以及开启Kerberos认证后,如何访问openLooKeng webUI"
+
++++
+
+**环境信息**
+
+| Role | IP | Hostname | Hostname+domain name |
+| ------------------ | ---- | -------- | -------------------- |
+| coordinator&worker | ip1 | host1 | host1.example.com |
+| coordinator&worker | ip2 | host2 | host2.example.com |
+| worker | ip3 | host3 | host3.example.com |
+| Kerberos | ip4 | host4 | host4.example.com |
+
+### 1 开启openLooKeng节点ssl通信
+
+### 1.1 生成openLooKeng的keystore
+
+```
+keytool -genkeypair -alias openLooKeng -keyalg RSA -keystore keystore.jks -keysize 2048
+```
+
+创建所有coordinator和worker节点公用的keystore
+
+修改coordinator、worker节点的hostname为主机+域名格式,如:host1.example.com,host2.example.com,host3.example.com
+
+**创建keystore,“first and last name”选项必须填为*.域名,如\*.example.com**
+
+假设keystore密码为123456
+
+
+
+拷贝生成的keystore.jks到集群所有节点上
+
+### 1.2 所有节点编辑/etc/hosts文件,在hostname后面增加example.com部分(因为上面创建的keystore是*.example.com),如下
+
+```
+ip1 host1 host1.example.com
+ip2 host2 host2.example.com
+ip3 host3 host3.example.com
+```
+
+### 1.3 配置openLooKeng的config.properties
+
+所有节点配置:
+
+```
+node.internal-address=hostname.example.com //hostname为各节点主机名
+http-server.http.enabled=false
+http-server.https.enabled=true
+http-server.https.port=9090 //设置https端口号
+http-server.https.keystore.path=/opt/hetu/keystore.jks //keystore存放路径
+http-server.https.keystore.key=123456 //生成keystore时输入的密码
+internal-communication.https.required=true
+internal-communication.https.keystore.path=/opt/hetu/keystore.jks //keystore存放路径
+internal-communication.https.keystore.key=123456 //生成keystore时输入的密码
+```
+
+**注:**文件路径和密码根据实际修改
+
+### 1.4 验证
+
+重启openLooKeng服务,使用hetu-cli连接:
+
+```
+java -jar hetu-cli-1.4.0-SNAPSHOT-executable.jar --server https://host1.example.com:9090 --keystore-path /opt/hetu/keystore.jks --keystore-password 123456
+```
+
+### 2 开启openLooKeng的Kerberos认证
+
+### 2.1 安装Kerberos Server
+
+#### 2.1.1 安装
+
+```
+yum install -y krb5-server krb5-lib krb5-workstation
+```
+
+#### 2.1.2 修改配置文件
+
+**配置/etc/krb5.conf**
+
+```
+# Configuration snippets may be placed in this directory as well
+
+includedir /etc/krb5.conf.d/
+[logging]
+ default = FILE:/var/log/krb5libs.log
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+
+[libdefaults]
+ dns_lookup_realm = false
+ ticket_lifetime = 24h
+ renew_lifetime = 7d
+ forwardable = true
+ rdns = false
+ pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
+ default_realm = EXAMPLE.COM
+ default_ccache_name = /tmp/krb5cc_%{uid}
+
+[realms]
+ EXAMPLE.COM = {
+ kdc = host4 //kerberos服务器主机名
+ admin_server = host4
+ }
+
+[domain_realm]
+ .example.com = EXAMPLE.COM
+ example.com = EXAMPLE.COM
+```
+
+**注:**
+
+1. 修改default_realm 与[realms]中命名相同;
+2. kdc、admin_server配置为本地的hostname;
+3. 配置default_ccache_name。
+
+拷贝krb5.conf文件到openLooKeng集群所有节点上,config.properties认证配置会用到。
+
+**配置** **/var/kerberos/krb5kdc/kdc.conf**
+
+```
+[kdcdefaults]
+ kdc_ports = 88
+ kdc_tcp_ports = 88
+
+[realms]
+ EXAMPLE.COM = {
+ \#master_key_type = aes256-cts
+ acl_file = /var/kerberos/krb5kdc/kadm5.acl
+ dict_file = /usr/share/dict/words
+ admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
+ supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
+ }
+```
+
+**注:**kdc.conf中realm名与krb5.conf相同
+
+#### 2.1.3 创建数据库
+
+```
+/usr/sbin/kdb5_util create -r EXAMPLE.COM -s
+```
+
+其中需要设置管理员密码,创建完成会在/var/kerberos/krb5kdc/下面生成principal文件,若重建数据库则需先删除/var/kerberos/krb5kdc下面principal相关文件
+
+#### 2.1.4 创建管理员账号
+
+编辑/var/kerberos/krb5kdc/kadm5.acl,增加
+
+```
+*/admin@EXAMPLE.COM *
+```
+
+**注:**代表全部权限
+
+#### 2.1.5 重启kerberos服务
+
+```
+systemctl restart krb5kdc
+systemctl restart kadmin
+```
+
+### **2.2** **Kerberos client安装(client和server共部署时,不需要安装)**
+
+#### 2.2.1 安装
+
+```
+yum install krb5-workstation krb5-libs krb5-auth-dialog
+```
+
+#### 2.2.2 配置
+
+复制kerberos的server的/etc/krb5.conf到client的/etc/krb5.conf
+
+#### 2.2.3 验证客户端可以访问KDC
+
+```
+kinit admin/admin
+kadmin -p 'admin/admin' -w '123456' -s 'ip4' -q 'list_principals'
+```
+
+**注:**-w为访问密码,-s为kerberos KDC IP
+
+### 2.3 openLooKeng对接Kerberos
+
+#### 2.3.1 生成openLooKeng的keytab
+
+在装有Kerberos客户端的机器上执行下面语句(**生成服务名为HTTP,webUI访问会用到**)
+
+创建principal:
+
+```
+kadmin -p admin/admin -q "addprinc -randkey HTTP@EXAMPLE.COM"
+kadmin -p admin/admin -q "addprinc -randkey HTTP/host1@EXAMPLE.COM"
+kadmin -p admin/admin -q "addprinc -randkey HTTP/host2@EXAMPLE.COM"
+kadmin -p admin/admin -q "addprinc -randkey HTTP/host3@EXAMPLE.COM"
+```
+
+生成keytab:
+
+```
+kadmin -p admin/admin -q "ktadd -k /opt/openlookeng/lks/lk.keytab HTTP@EXAMPLE.COM"
+kadmin -p admin/admin -q "ktadd -k /opt/openlookeng/lks/lk.keytab HTTP/host1@EXAMPLE.COM"
+kadmin -p admin/admin -q "ktadd -k /opt/openlookeng/lks/lk.keytab HTTP/host2@EXAMPLE.COM"
+kadmin -p admin/admin -q "ktadd -k /opt/openlookeng/lks/lk.keytab HTTP/host3@EXAMPLE.COM"
+```
+
+**注:**openLooKeng主机名必须为小写,如host1。所有节点主机名的principal都要创建
+
+拷贝lk.keytab文件到openLooKeng集群所有节点上,config.properties认证配置会用到。
+
+#### 2.3.2 配置openLooKeng的config.properties
+
+所有节点增加:
+
+```
+http-server.authentication.type=KERBEROS
+http.server.authentication.krb5.service-name= HTTP
+http.server.authentication.krb5.keytab=/opt/openlookeng/lks/lk.keytab
+http.authentication.krb5.config=/opt/openlookeng/lks/krb5.conf
+internal-communication.kerberos.enabled=true
+```
+
+#### 2.3.4 配置openLooKeng的jvm.config
+
+所有节点增加:
+
+```
+-Dsun.security.krb5.debug=true
+-Dlog.enable-console=true
+-Djava.security.krb5.conf=/opt/openlookeng/lks/krb5.conf
+```
+
+#### 2.3.5 验证:
+
+重启openLooKeng服务,使用hetu-cli连接:
+
+```
+java -Dsun.security.krb5.debug=true -jar hetu-cli-1.4.0-SNAPSHOT-executable.jar \
+--server https://host1.example.com:9090 \
+--keystore-path /opt/hetu/keystore.jks \
+--keystore-password 123456 \
+--krb5-config-path /opt/openlookeng/lks/krb5.conf \
+--krb5-principal HTTP \
+--krb5-keytab-path /opt/openlookeng/lks/lk.keytab \
+--krb5-remote-service-name HTTP \
+--debug
+```
+
+**注:**路径、密码、principal根据实际情况修改
+
+### 3 openLooKeng(开启kerberos)浏览器访问webUI
+
+openLooKeng开启kerberos认证,采用的是ticket的认证的方式,因此不管在浏览器输什么用户名、密码都无法认证通过。
+
+**解决方法:**
+
+**配置浏览器使用ticker认证方式,不用传统的用户名、密码认证方式。**
+
+**当前对于ticket认证方式支持比较好的是firefox浏览器,以下以firefox浏览器配置为例说明如何配置ticket认证,访问开启kerberos认证的openLooKeng服务。**
+
+### 3.1 安装windows Kerberos客户端
+
+Kerberos windows客户端叫KFW,下载地址:http://web.mit.edu/kerberos/dist/index.html,默认安装即可。默认情况会安装到C:\Program Files\MIT\Kerberos 路径,同时在C:\ProgramData\MIT\Kerberos5 路径下生成kerberos的配置文件krb5.ini。
+
+### 3.2 配置kerberos客户端
+
+配置环境变量:
+
+KRB5_CONFIG ------kerberos配置文件
+
+KRB5CCNAME ------kerberos认证缓存文件路径
+
+
+
+**注:**重启系统,使配置生效
+
+### 3.3 配置浏览器
+
+在浏览器输入about:config,搜索network.negotiate,配置如下:
+
+- network.negotiate-auth.delegation-uris、network.negotiate-auth.trusted-uris为coordinator的hostname+域名,比如host1.example.com
+
+- network.negotiate-auth.gsslib 为KFW安装路径下gssapid的路径(根据浏览器是32位、64位选择对应文件)
+
+ 比如:C:\Program Files\MIT\Kerberos\bin\gssapi64.dll
+
+- network.negotiate-auth.using-native-gsslib 修改为false
+
+- network.negotiate-auth.allow-non-fqdn修改为true
+
+搜索network.auth.use-sspi ,设置为false
+
+### 3.4 配置KFW
+
+可以从KDC服务器上拷贝/etc/krb5.conf中的内容,然后写入krb5.ini文件中。
+
+**注:**需要删除或者注释掉 default_ccache_name的设置
+
+```
+[logging]
+default = FILE:/var/log/krb5libs.log
+kdc = FILE:/var/log/krb5kdc.log
+admin_server = FILE:/var/log/kadmind.log
+[libdefaults]
+dns_lookup_realm = false
+dns_lookup_kdc = false
+ticket_lifetime = 24h
+\#renew_lifetime = 7d
+forwardable = true
+default_realm = EXAMPLE.COM
+
+[realms]
+EXAMPLE.COM = {
+kdc = host4
+admin_server = host4
+}
+
+[domain_realm]
+.example.com = EXAMPLE.COM
+example.com = EXAMPLE.COM
+```
+
+### 3.5 完成认证
+
+配置完成后,使用创建的用户认证(kerberos客户端或命令行)
+
+使用Kerberos客户端:
+
+
+
+使用命令行:
+
+
+
+如果是机机用户,使用keytab认证,需要拷贝keytab文件到windows机器上,再使用命令认证
+
+
+
+**注:**
+
+1. 在C:\Windows\System32\drivers\etc\hosts中需增加KDC、coordinator节点hostname到IP的映射关系;
+2. 使用KFW的kinit,不能使用java的kinit
+
+### 3.6 登录openLooKeng WEB UI
+
+https://host1.example.com:9090
+
+
+
+
+
+**注:**
+
+1. 配置openLooKeng的config.properties中http.server.authentication.krb5.service-name 必须为HTTP;
\ No newline at end of file
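Review bot: section 2.2.3 runs `kinit admin/admin` and `kadmin -p 'admin/admin'`, but nowhere in 2.1 is the `admin/admin@EXAMPLE.COM` principal actually created; 2.1.4 only grants `*/admin@EXAMPLE.COM *` in kadm5.acl, so the verification step fails on a fresh KDC. Add a step after 2.1.4 (before the service restart in 2.1.5) that creates it, e.g. `kadmin.local -q "addprinc admin/admin"`. Two hardening points in the same hunk: the kdc.conf `supported_enctypes` list still carries `des-hmac-sha1`, `des-cbc-md5`, `des-cbc-crc` and `arcfour-hmac`, which are deprecated single-DES/RC4 types and should be dropped in favour of the AES types already listed; and 2.3.4 has every node add `-Dsun.security.krb5.debug=true` and `-Dlog.enable-console=true` to jvm.config, which is troubleshooting output (principal names, ticket details) that the text should mark as temporary rather than leave on in production. `kadmin ... -w '123456'` in 2.2.3 also puts the admin password on the command line where shell history and the process list expose it; the interactive prompt is preferable. Minor: headings jump from 2.3.2 to 2.3.4; `\#master_key_type` and `\#renew_lifetime` sit inside fenced blocks, so the backslash renders literally (drop the escape inside code fences); "ticker认证方式" in section 3 should read "ticket"; and the values for KRB5_CONFIG / KRB5CCNAME in 3.2 and the kinit commands in 3.5 are missing (presumably screenshots that did not come through), so they should be stated in text.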
diff --git a/content/zh-cn/blog/configguide-01/2021-09-24-config-01.png b/content/zh-cn/blog/configguide-01/2021-09-24-config-01.png
new file mode 100644
index 0000000000000000000000000000000000000000..12558a736117fecfdd5bd1ad879f08932e391799
Binary files /dev/null and b/content/zh-cn/blog/configguide-01/2021-09-24-config-01.png differ
diff --git a/content/zh-cn/blog/configguide-01/2021-09-24-config-03.png b/content/zh-cn/blog/configguide-01/2021-09-24-config-03.png
new file mode 100644
index 0000000000000000000000000000000000000000..5027b4b0c47bfe2bc23e7fff10cdaf1ac0d26e1f
Binary files /dev/null and b/content/zh-cn/blog/configguide-01/2021-09-24-config-03.png differ
diff --git a/content/zh-cn/blog/configguide-01/2021-09-24-config-04.png b/content/zh-cn/blog/configguide-01/2021-09-24-config-04.png
new file mode 100644
index 0000000000000000000000000000000000000000..2ab8626fddbf36f7705b8649f4c3c1a0345be1e3
Binary files /dev/null and b/content/zh-cn/blog/configguide-01/2021-09-24-config-04.png differ
diff --git a/content/zh-cn/blog/configguide-01/2021-09-24-config-05.png b/content/zh-cn/blog/configguide-01/2021-09-24-config-05.png
new file mode 100644
index 0000000000000000000000000000000000000000..cfce616635eb0cbeb6b3c942dc35a4cd7a47e458
Binary files /dev/null and b/content/zh-cn/blog/configguide-01/2021-09-24-config-05.png differ
diff --git a/content/zh-cn/blog/configguide-01/2021-09-24-config-06.png b/content/zh-cn/blog/configguide-01/2021-09-24-config-06.png
new file mode 100644
index 0000000000000000000000000000000000000000..b7f5bbf55c5894ee330b65160b8e0c0618d9ff5e
Binary files /dev/null and b/content/zh-cn/blog/configguide-01/2021-09-24-config-06.png differ
diff --git a/content/zh-cn/blog/configguide-01/2021-09-24-config-07.png b/content/zh-cn/blog/configguide-01/2021-09-24-config-07.png
new file mode 100644
index 0000000000000000000000000000000000000000..18ca08758e2c139627134425d209594296705f82
Binary files /dev/null and b/content/zh-cn/blog/configguide-01/2021-09-24-config-07.png differ
diff --git a/content/zh-cn/blog/configguide-01/2021-09-24-config-08.png b/content/zh-cn/blog/configguide-01/2021-09-24-config-08.png
new file mode 100644
index 0000000000000000000000000000000000000000..0cec21454d080c3f4c0059a2405a27dd8a273b00
Binary files /dev/null and b/content/zh-cn/blog/configguide-01/2021-09-24-config-08.png differ
diff --git a/content/zh-cn/blog/configguide-01/2021-09-24-config-09.png b/content/zh-cn/blog/configguide-01/2021-09-24-config-09.png
new file mode 100644
index 0000000000000000000000000000000000000000..a6d8876f176868cb240bdfd4dd3670690fb54f2c
Binary files /dev/null and b/content/zh-cn/blog/configguide-01/2021-09-24-config-09.png differ
diff --git a/content/zh-cn/blog/configguide-01/2021-09-24-config-10.png b/content/zh-cn/blog/configguide-01/2021-09-24-config-10.png
new file mode 100644
index 0000000000000000000000000000000000000000..e5be0667cfaacadddb89a1c759b96eb6f2eaf070
Binary files /dev/null and b/content/zh-cn/blog/configguide-01/2021-09-24-config-10.png differ
diff --git a/content/zh-cn/blog/configguide-01/2021-09-24-config-13.png b/content/zh-cn/blog/configguide-01/2021-09-24-config-13.png
new file mode 100644
index 0000000000000000000000000000000000000000..548759a79a384e1a2a139419f061549206e7cc61
Binary files /dev/null and b/content/zh-cn/blog/configguide-01/2021-09-24-config-13.png differ
diff --git a/content/zh-cn/blog/configguide-02/2021-09-24-config-02.md b/content/zh-cn/blog/configguide-02/2021-09-24-config-02.md
new file mode 100644
index 0000000000000000000000000000000000000000..6c263e1ffe2cef69027348a3f4768ca299d547fb
--- /dev/null
+++ b/content/zh-cn/blog/configguide-02/2021-09-24-config-02.md
@@ -0,0 +1,176 @@
++++
+
+title = "openLooKeng AA安全配置指导(二)----对接nginx"
+date = "2021-09-24"
+tags = ["openLooKeng", "Kerberos", "nginx"]
+archives = "2021-09"
+author = "senny456"
+description = "指导如何配置openLooKeng AA开启Kerberos后,对接nginx代理执行sql"
+
++++
+
+**环境信息**
+
+| Role | IP | Hostname | Hostname+domain name |
+| ------------------ | ---- | -------- | -------------------- |
+| coordinator&worker | ip1 | host1 | host1.example.com |
+| coordinator&worker | ip2 | host2 | host2.example.com |
+| worker | ip3 | host3 | host3.example.com |
+| Kerberos/nginx | ip4 | host4 | host4.example.com |
+
+openLooKeng AA开启Kerberos,参见[openLooKeng AA安全配置指导(一)----对接Kerberos](https://openlookeng.io/zh-cn/blog/2021/09/24/2021-09-24-config-01.html )
+
+### 1 openLooKeng(开启kerberos)对接Nginx
+
+### 1.1 Nginx安装
+
+1. 开源nginx的版本选型
+
+ 下载地址: http://openresty.org/cn/download.html
+
+ 选用openresty-1.15.8.2版本,需从nginx官网下载
+
+2. 开源nginx的依赖模块组件
+
+ nginx_upstream_check_module
+
+ 下载地址:https://github.com/yaoweibin/nginx_upstream_check_module
+
+ ngx_http_consistent_hash
+
+ 下载地址:https://github.com/replay/ngx_http_consistent_hash
+
+3. 安装步骤:
+
+ - 依赖安装:
+
+ ```
+ yum -y install gcc zlib zlib-devel pcre-devel openssl openssl-devel
+ ```
+
+ - 安装openresty
+
+ ```
+ ./configure --prefix=/usr/local/openresty/ --with-http_stub_status_module --with-luajit --without-http_redis2_module --with-http_iconv_module --with-http_ssl_module --with-stream --add-module=/opt/nginx_upstream_check_module --add-module=/opt/ngx_http_consistent_hash
+ ```
+
+ gmake
+
+ gmake install
+
+ - 添加环境变量
+
+ ```
+ vi /etc/profile
+ 添加: PATH=/usr/local/openresty/nginx/sbin:$PATH
+ source /etc/profile
+ ```
+
+4. 启动、停止、重启的命令
+
+ 启动: nginx -c /usr/local/openresty/nginx/conf/nginx.conf
+
+ 重启: nginx -s reload
+
+ 停止: nginx -s stop
+
+### 1.2 Nginx.conf 配置
+
+ [nginx.conf](nginx.conf)
+
+注意修改以下内容
+
+
+
+host1.example.com:9090为openlookeng coordinator节点的域名和端口号
+
+client.cer 是从openLooKeng的keystore中提取的证书
+
+lk.key是从openLooKeng的keystore中提取的私钥
+
+**注意:证书和私钥,nginx用户需要用权限读取**
+
+
+
+### 1.3 证书和私钥提取方式(参考)
+
+提取私钥
+
+1. 先转为pfs格式(使用openLooKeng中生成的keystore.jks)
+
+ ```
+ keytool -v -importkeystore -srckeystore keystore.jks -srcstoretype jks -srcstorepass 123456 -destkeystore lk.pfx -deststoretype pkcs12 -deststorepass 123456 -destkeypass 123456
+ ```
+
+2. 显示到界面
+
+ ```
+ openssl pkcs12 -in lk.pfx -nocerts -nodes
+ openssl pkcs12 -in lk.pfx -nocerts -nodes -out lk.key (保存到key)
+ ```
+
+3. 导出证书
+
+ ```
+ keytool -export -alias openLooKeng -keystore keystore.jks -rfc -file client.cer
+ ```
+
+### 1.4 添加nginx的keytab
+
+创建principal:
+
+```
+kadmin -p admin/admin -q "addprinc -randkey HTTP/host4@EXAMPLE.COM"
+```
+
+添加keytab:
+
+```
+kadmin -p admin/admin -q "ktadd -k /opt/openlookeng/lks/lk.keytab HTTP/host4@EXAMPLE.COM"
+```
+
+**拷贝并替换openLooKeng集群所有节点上的keytab文件**
+
+### 1.5 配置openLooKeng的config.properties
+
+coordinator节点上增加如下配置:
+
+```
+failure-detector.http-client.authentication.krb5.service-principal-pattern=${SERVICE}@host4
+query-info.http-client.authentication.krb5.service-principal-pattern=${SERVICE}@host4
+workerInfo.http-client.authentication.krb5.service-principal-pattern=${SERVICE}@host4
+memoryManager.http-client.authentication.krb5.service-principal-pattern=${SERVICE}@host4
+scheduler.http-client.authentication.krb5.service-principal-pattern=${SERVICE}@host4
+node-manager.http-client.authentication.krb5.service-principal-pattern=${SERVICE}@host4
+exchange.http-client.authentication.krb5.service-principal-pattern=${SERVICE}@host4
+event.http-client.authentication.krb5.service-principal-pattern=${SERVICE}@host4
+discovery.http-client.authentication.krb5.service-principal-pattern=${SERVICE}@host4
+http.server.authentication.krb5.principal-hostname=host4
+```
+
+worker节点上增加如下配置:
+
+```
+node-manager.http-client.authentication.krb5.service-principal-pattern=${SERVICE}@host4
+exchange.http-client.authentication.krb5.service-principal-pattern=${SERVICE}@host4
+event.http-client.authentication.krb5.service-principal-pattern=${SERVICE}@host4
+discovery.http-client.authentication.krb5.service-principal-pattern=${SERVICE}@host4
+http.server.authentication.krb5.principal-hostname=host4
+```
+
+**其中:host4为nginx节点的主机名**
+
+### 1.6 验证
+
+```
+java -jar hetu-cli-1.4.0-SNAPSHOT-executable.jar \
+--server https://host4.example.com:443 \
+--keystore-path /opt/hetu/keystore.jks \
+--keystore-password 123456 \
+--krb5-config-path /opt/openlookeng/lks/krb5.conf \
+--krb5-principal HTTP \
+--krb5-keytab-path /opt/openlookeng/lks/lk.keytab \
+--krb5-remote-service-name HTTP \
+--debug
+```
+
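Review bot: step 1.3 extracts the private key unencrypted (`openssl pkcs12 -in lk.pfx -nocerts -nodes`), and the first command in sub-step 2 dumps it to the terminal instead of a file; drop the screen-dump variant and, since 1.2 only says the nginx user "needs permission to read" the key, spell out that `lk.key` should be owned by nginx with mode 0600 because the `-nodes` output is a plaintext secret. Sub-step 1 says "pfs格式"; the format is PKCS#12 (`.pfx`), as the `-deststoretype pkcs12` in the command itself shows. In 1.4, `HTTP/host4@EXAMPLE.COM` is added to the shared `lk.keytab`, which is then copied to every cluster node, so each coordinator and worker ends up holding the proxy's service key alongside all the `HTTP/host*` keys from guide one; a sentence explaining why the `service-principal-pattern=${SERVICE}@host4` settings in 1.5 make this necessary, and that compromise of any single node then exposes every service principal, would help readers judge the trade-off. Minor: the link in the intro has a trailing space inside the URL parentheses, and the "注意修改以下内容" paragraph after 1.2 is empty where an image presumably was.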
diff --git a/content/zh-cn/blog/configguide-02/2021-09-24-config-11.png b/content/zh-cn/blog/configguide-02/2021-09-24-config-11.png
new file mode 100644
index 0000000000000000000000000000000000000000..22b9f7ac6abca03657cf6266d853e9857c7e5b63
Binary files /dev/null and b/content/zh-cn/blog/configguide-02/2021-09-24-config-11.png differ
diff --git a/content/zh-cn/blog/configguide-02/2021-09-24-config-12.png b/content/zh-cn/blog/configguide-02/2021-09-24-config-12.png
new file mode 100644
index 0000000000000000000000000000000000000000..24da7572eb041f1b13d59fc992634fbe04894d29
Binary files /dev/null and b/content/zh-cn/blog/configguide-02/2021-09-24-config-12.png differ
diff --git a/content/zh-cn/blog/configguide-02/nginx.conf b/content/zh-cn/blog/configguide-02/nginx.conf
new file mode 100644
index 0000000000000000000000000000000000000000..071f87d681b02a1bfcba1fe0374a9364368a6de2
--- /dev/null
+++ b/content/zh-cn/blog/configguide-02/nginx.conf
@@ -0,0 +1,104 @@
+user nginx; # 指定nginx的运行用户为nginx
+worker_processes 8;
+worker_cpu_affinity 00000001 00000010 00000100 00001000 00010000 00100000 01000000 10000000;
+
+error_log logs/error.log info;
+
+#pid logs/nginx.pid;
+
+worker_rlimit_nofile 65535; ## nginx进程可以打开的最大文件句柄数的上限
+events {
+ use epoll;
+ worker_connections 65240;
+}
+
+http {
+ include mime.types;
+ default_type application/octet-stream;
+ underscores_in_headers on;
+ server_tokens off;
+ ssi off;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log logs/access.log main;
+
+ autoindex off;
+ port_in_redirect off;
+
+ keepalive_timeout 125;
+ client_header_timeout 125;
+ client_body_timeout 125;
+
+ fastcgi_buffer_size 1024k;
+ fastcgi_buffers 8 1024k;
+ fastcgi_busy_buffers_size 1024k;
+
+ proxy_buffer_size 1024k;
+ proxy_buffers 32 128k;
+ proxy_busy_buffers_size 1024k;
+
+ proxy_temp_file_write_size 2048k;
+
+ client_header_buffer_size 128k;
+ large_client_header_buffers 32 64k;
+
+
+ upstream gotoaa {
+ ip_hash;
+ server host1.example.com:9090 weight=1; ##更改为coordinator的IP和端口
+ server host2.example.com:9090 weight=1; ##更改为coordinator的IP和端口, 多个可新增
+ check interval=3000 rise=2 fall=5 timeout=1000 type=http;
+
+ }
+
+
+ server {
+ listen 443 ssl default_server;
+ server_name host4.example.com;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ ## 证书和秘钥从被代理的openLooKeng集群中的keystore文件中提取
+ ssl_certificate /usr/local/openresty/nginx/ssls/148/client.cer; # 证书,路径必须是nginx用户可读取的路径
+ ssl_certificate_key /usr/local/openresty/nginx/ssls/148/lk.key; #秘钥,路径必须是nginx用户可读取的路径
+ ssl_session_timeout 5m; # 超时时间5分钟,避免攻击者建立大量无效链接或慢速攻击
+ ssl_session_cache shared:SSL:10m; #使用10M共享内存,ssl会话缓存,可以使客户端在一定时间内复用这个ssl会话,减少资源占用;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256";
+ ##ssl_ciphers ALL:!aNULL;
+ ssl_prefer_server_ciphers on; # 协商时优先使用服务器指定的加密算法
+
+ client_header_buffer_size 64k;
+ large_client_header_buffers 8 64k;
+ client_body_buffer_size 64k;
+ client_max_body_size 1m;
+
+ add_header X-XSS-Protection "1; mode=block"; #提供xss防护功能
+ add_header X-Frame-Options DENY; # 提供点击劫持防护功能
+ add_header X-Content-Type-Options nosniff; # 提供禁用浏览器的类型猜测功能
+ add_header Strict-Transport-Security " max-age=31536000; includeSubDomains "; #启用HSTS功能,强制走HTTPS
+ add_header Content-Security-Policy "default-src 'self'"; #提供对加载资源的安全控制功能
+ add_header Cache-control "no-cache, no-store, must-revalidate"; #以下三个是页面缓存控制响应头,涉及敏感数据的页面必须设置
+ add_header Pragma no-cache;
+ add_header Expires 0;
+
+ location / {
+ proxy_hide_header X-Powered-By;
+ proxy_pass https://gotoaa;
+ proxy_set_header Host $host:$server_port;
+ proxy_set_header X-Real-IP $remote_addr;
+ }
+
+
+
+
+ #error_page 404 /404.html;
+ error_page 500 502 503 504 /50x.html;
+ # location = /50x.html {
+ # root html;
+ # }
+ }
+
+}
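Review bot: `Strict-Transport-Security` is set twice in the `server` block (once right after `server_name`, again in the add_header group further down), and the second value has stray spaces inside the quotes (`" max-age=31536000; includeSubDomains "`); keep one copy, preferably the first with `always`, so responses do not carry two HSTS headers. The upstream health check uses `type=http` against `host1.example.com:9090`, but those listeners are TLS-only (guide one disables plain HTTP), so a plaintext probe cannot get a valid HTTP response; the check module's `type=ssl_hello` (or `tcp`) fits a TLS port. `ssl_certificate` and `ssl_certificate_key` point at `ssls/148/`, an environment-specific path that should be generalised or marked as a placeholder, and the comments already note the key must be readable by the nginx user, so state the expected owner/mode there. `Content-Security-Policy "default-src 'self'"` should be verified against the openLooKeng web UI that guide one expects users to reach through this proxy. Also, `error_page 500 502 503 504 /50x.html` is active while the `location = /50x.html` block is commented out, so the internal redirect to /50x.html falls into `location /` and is proxied to the upstream; either uncomment the location or drop the error_page line.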
diff --git a/content/zh-cn/blog/configguide-03/2021-09-24-config-03.md b/content/zh-cn/blog/configguide-03/2021-09-24-config-03.md
new file mode 100644
index 0000000000000000000000000000000000000000..ed193b8fdfd01ef731de352af0b8b0829cf3994d
--- /dev/null
+++ b/content/zh-cn/blog/configguide-03/2021-09-24-config-03.md
@@ -0,0 +1,400 @@
++++
+
+title = "openLooKeng AA安全配置指导(三)----对接OpenLDAP"
+date = "2021-09-24"
+tags = ["openLooKeng", "SSL", "OpenLDAP"]
+archives = "2021-09"
+author = "senny456"
+description = "指导在开启openLooKeng SSL后,如果对接OpenLDAP做用户认证"
+
++++
+
+**环境信息**
+
+| Role | IP | Hostname | Hostname+domain name |
+| ------------------ | ---- | -------- | -------------------- |
+| coordinator&worker | ip1 | host1 | host1.example.com |
+| coordinator&worker | ip2 | host2 | host2.example.com |
+| worker | ip3 | host3 | host3.example.com |
+| Kerberos/OpenLDAP | ip4 | host4 | host4.example.com |
+
+假设openLooKeng集群已配置好kerberos认证(当前对接OpenLDAP必须开启kerberos认证,参见连接:[openLooKeng AA安全配置指导(一)----对接Kerberos](https://openlookeng.io/zh-cn/blog/2021/09/24/2021-09-24-config-01.html ))
+
+### 1 OpenLDAP安装
+
+### 1.1 安装OpenLDAP
+
+```
+yum -y install openldap openldap-servers openldap-clients openldap-devel compat-openldap
+```
+
+### 1.2 初始化OpenLDAP配置
+
+```
+cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
+
+cp /usr/share/openldap-servers/slapd.ldif /root/.
+```
+
+### 1.3 修改配置文件slapd.ldif
+
+```
+###############################slapd.ldif 内容如下#####################3######
+
+#
+# See slapd-config(5) for details on configuration options.
+# This file should NOT be world readable.
+#
+dn: cn=config
+objectClass: olcGlobal
+cn: config
+olcArgsFile: /var/run/openldap/slapd.args
+olcPidFile: /var/run/openldap/slapd.pid
+# TLS settings TLS #
+olcTLSCACertificatePath: /etc/openldap/certs
+olcTLSCertificateFile: /etc/openldap/certs/ldap.crt
+olcTLSCertificateKeyFile: /etc/openldap/certs/ldap.key
+olcTLSVerifyClient: never
+# Schema settings
+dn: cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: schema
+#include: file:///etc/openldap/schema/core.ldif注意顺序.(高能预警:有坑)注意上面必须得有个空行,否则报错,随时空行就对了.
+include: file:///etc/openldap/schema/corba.ldif
+include: file:///etc/openldap/schema/core.ldif
+include: file:///etc/openldap/schema/cosine.ldif
+include: file:///etc/openldap/schema/duaconf.ldif
+include: file:///etc/openldap/schema/dyngroup.ldif
+include: file:///etc/openldap/schema/inetorgperson.ldif
+include: file:///etc/openldap/schema/java.ldif
+include: file:///etc/openldap/schema/misc.ldif
+include: file:///etc/openldap/schema/nis.ldif
+include: file:///etc/openldap/schema/openldap.ldif
+include: file:///etc/openldap/schema/ppolicy.ldif
+include: file:///etc/openldap/schema/collective.ldif
+#
+# Frontend settings
+dn: olcDatabase=frontend,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcFrontendConfig
+olcDatabase: frontend
+#
+# Configuration database
+dn: olcDatabase=config,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: config
+olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
+ n=auth" manage by * none
+#
+# Server status monitoring
+# 自定义域 cn=Manager,dc=example,dc=com (example位置,随便填,但是下面统一)
+#
+dn: olcDatabase=monitor,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: monitor
+olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
+ n=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none
+
+#
+# Backend database definitions
+dn: olcDatabase=hdb,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcHdbConfig
+olcDatabase: hdb
+olcSuffix: dc=example,dc=com
+olcRootDN: cn=Manager,dc=example,dc=com
+olcRootPW: 123456
+olcDbDirectory: /var/lib/ldap
+olcDbIndex: objectClass eq,pres
+olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
+olcDbIndex: uidNumber,gidNumber,loginShell eq,pres
+olcDbIndex: uid,memberUid eq,pres,sub
+olcDbIndex: nisMapName,nisMapEntry eq,pres,sub
+########################################end###################################
+```
+
+\#附:生成密码(可以不管这里。上面的 olcRootPW 密文可以由这个生成并替换)
+ \#slappasswd -s 123456
+ \##{SSHA}R09wEQwdZ2PzL/9fbRGhfEzW6FR17Ioi
+
+并修改对应的字段
+
+
+
+### 1.4 重新生成配置文件信息
+
+rm -rf /etc/openldap/slapd.d/* ##删除之前配置
+
+slapadd -F /etc/openldap/slapd.d -n 0 -l /root/slapd.ldif ## 生成新配置
+
+slaptest -u -F /etc/openldap/slapd.d ##测试配置
+
+
+
+授权:chown -R ldap. /etc/openldap/slapd.d/
+
+ chown -R ldap. /var/lib/ldap/
+
+重启服务:/etc/init.d/slapd restart(或者systemctl restart slapd)
+
+### 1.5 导入管理员账号信息
+
+生成root.ldif
+
+```
+dn: dc=example,dc=com
+dc: example
+objectClass: top
+objectClass: domain
+
+dn: cn=Manager,dc=example,dc=com
+objectClass: organizationalRole
+cn: Manager
+```
+
+```
+ldapadd -D "cn=Manager,dc=example,dc=com" -W -x -f root.ldif
+```
+
+\## 导入密码是:slapd.ldif中配置的123456
+
+```
+ldapsearch -h test -b "dc=example,dc=com" -D "cn=Manager,dc=example,dc=com" -W
+```
+
+\##查看是否导入成功(test是hostname,可用ip代替)
+
+### 1.6 界面端
+
+1. 使用同一局域网windows下的LdapAdmin
+
+ 1)点击start中的connect,并选择new connection。
+
+
+
+ 2)点击fetch DNs获取基础DN
+
+
+
+ 3)去掉匿名连接的√,输入用户名密码,此处密码为前面配置的123456
+
+
+
+ 点击Test connection测试是否连接成功
+
+
+
+
+
+2. 创建用户:
+
+ 1)在根目录右键new中选择orgnaizational unit…
+
+
+
+ 2)Name中填People并在People下创建用户
+
+
+
+
+
+
+
+ 3)设置用户密码
+
+
+
+
+
+### 2 openlookeng对接OpenLDAP
+
+### 2.1 修改openssl配置文件
+
+1. 复制openssl配置文件到 /tmp 下:
+
+ ```
+ cp /etc/pki/tls/openssl.cnf /tmp/openssl.cnf
+ ```
+
+2. 编辑/tmp/openssl.cnf
+
+ 此文件的格式是类似 ini 的配置文件格式,找到 **[ req ]** 段落,加上下面的配置:
+
+ ```
+ req_extensions = v3_req
+ ```
+
+
+
+ 这段配置表示在生成 CSR 文件时读取名叫 v3_req 的段落的配置信息,因此我们再在此配置文件中加入一段名为 v3_req 的配置:
+
+ ```
+ [ v3_req ]
+ # Extensions to add to a certificate request
+ basicConstraints = CA:FALSE
+ keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+ subjectAltName = @alt_names
+ ```
+
+
+
+ 这段配置中最重要的是在最后导入名为 alt_names 的配置段,因此我们还需要添加一个名为 [ alt_names ] 的配置段:
+
+ [ alt_names ]
+
+ IP = ip4
+
+ 注:ip为OpenLDAP服务器ip
+
+### 2.2 生成openldap证书
+
+```
+cd /etc/openldap/certs/
+openssl genrsa -out ldap.key 1024
+openssl req -new -key ldap.key -out ldap.csr -config /tmp/openssl.cnf
+```
+
+查看证书请求文件的内容:
+
+```
+openssl req -text -noout -in ldap.csr
+```
+
+生成签名
+
+```
+openssl x509 -req -days 3650 -in ldap.csr -signkey ldap.key -out ldap.crt -extensions v3_req -extfile /tmp/openssl.cnf
+```
+
+### 2.3 配置ldap开启ssl
+
+#### 2.3.1 编辑/root/slapd.ldif
+
+```
+olcTLSCACertificatePath: /etc/openldap/certs
+olcTLSCertificateFile: /etc/openldap/certs/ldap.crt
+olcTLSCertificateKeyFile: /etc/openldap/certs/ldap.key
+olcTLSVerifyClient: never
+```
+
+**注:配置的证书路径应与[2.2](#_生成openldap证书)步骤中生成的一致**
+
+#### 2.3.2 编辑/etc/openldap/ldap.conf
+
+```
+TLS_REQCERT allow
+TLS_CERT /etc/openldap/certs/ldap.crt
+TLS_KEY /etc/openldap/certs/ldap.key
+URI ldaps://ip4 //需修改为OpenLDAP服务器ip
+BASE dc=example,dc=com
+```
+
+#### 2.3.3 重新生成配置并重启服务
+
+service slapd stop(或者systemctl stop slapd)
+
+rm -rf /etc/openldap/slapd.d/* ##删除之前配置
+
+slapadd -F /etc/openldap/slapd.d -n 0 -l /root/slapd.ldif ## 生成新配置
+
+slaptest -u -F /etc/openldap/slapd.d ##测试配置
+
+授权:chown -R ldap. /etc/openldap/slapd.d/
+
+ chown -R ldap. /var/lib/ldap/
+
+#### 2.3.4 配置同时启动ldap和ldaps
+
+编辑/etc/sysconfig/ldap (没有就手动创建)
+
+SLAPD_LDAP=yes
+
+SLAPD_LDAPI=no
+
+SLAPD_LDAPS=yes
+
+#### 2.3.5 启动并查看是否已经成功
+
+service slapd restart(或者systemctl start slapd)
+
+netstat -tnlp |grep 389
+
+netstat -tnlp |grep 636
+
+**注:若636未启动**
+
+**vi /etc/sysconfig/slapd**
+
+**SLAPD_URLS="ldapi:/// ldap:/// ldaps:///" //配置slapd启用监听ldaps**
+
+### 2.4 导入证书
+
+在openldap和openLooKeng服务器上使用keytool导入证书 (密码:changeit)
+
+(拷贝openldap的ldap.crt证书到openLooKeng服务器)
+
+```
+keytool -import -trustcacerts -file ldap.crt -alias ldapserver -keystore /opt/jdk1.8.0_191/jre/lib/security/cacerts
+```
+
+### 2.5 配置openlookeng
+
+**新增配置**
+
+1. 配置config.properties,增加
+
+ ```
+ http-server.authentication.type=PASSWORD,KERBEROS
+ ```
+
+2. 配置jvm.config,增加
+
+ ```
+ -Djavax.net.ssl.trustStore=/opt/jdk1.8.0_191/jre/lib/security/cacerts
+ -Djavax.net.ssl.trustStorePassword=changeit
+ ```
+
+3. 增加password-authenticator.properties配置文件
+
+ ```
+ password-authenticator.name=ldap
+ ldap.url=ldaps://ip4:636
+ ldap.user-bind-pattern=cn=${USER},ou=People,dc=example,dc=com
+ ldap.cache-ttl=1s
+ ```
+
+ **注:**
+
+ **ldap.url:ldap服务器的ip和端口**
+
+ **ldap.user-bind-pattern=cn:根据为ldap上用户配置**
+
+### 2.6 重启openlookeng服务
+
+```
+./bin/launcher restart
+```
+
+### 2.7 验证
+
+**webUI:**
+
+登录https://ip1:9090/ui/login.html
+
+IP:openLooKeng coordinator节点的IP或者域名
+
+
+
+**CLI:**
+
+```
+java -jar hetu-cli-1.4.0-SNAPSHOT-executable.jar \
+--server https://ip1.example.com:9090 \
+--keystore-path /opt/hetu/keystore.jks \
+--keystore-password 123456 \
+--user lk \
+--password
+```
+
+
+
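Review bot: 2.2 generates the LDAP server key with `openssl genrsa -out ldap.key 1024` and then signs it for 3650 days; 1024-bit RSA is below current minimums (many TLS stacks and distro crypto policies refuse keys under 2048 bits), so use 2048 or larger. In the same spirit, `olcRootPW: 123456` stores the directory manager password in clear, while the note after the listing already shows `slappasswd -s 123456` producing an `{SSHA}` hash; the listing should carry the hash, not the plaintext. `TLS_REQCERT allow` in 2.3.2 lets LDAP clients proceed with an unverifiable server certificate; since 2.4 already distributes `ldap.crt` to the clients, `TLS_REQCERT demand` plus `TLS_CACERT /etc/openldap/certs/ldap.crt` is the safer setting. Consistency: 2.3.4 edits `/etc/sysconfig/ldap` while the note in 2.3.5 edits `/etc/sysconfig/slapd` (the latter is the file current RHEL/CentOS slapd units read), and the two steps should agree; the CLI check in 2.7 uses `--server https://ip1.example.com:9090`, but per the environment table the FQDN is `host1.example.com`. Minor: the front-matter description says "如果对接OpenLDAP" where "如何" is meant; `#####################3######` in the slapd.ldif listing has a stray "3"; the commented-out `include` line for core.ldif has commentary folded into it; "orgnaizational" in 1.6 should be "organizational"; and several numbered steps in 1.6 are empty where screenshots were.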
diff --git a/content/zh-cn/blog/configguide-03/2021-09-24-config-14.png b/content/zh-cn/blog/configguide-03/2021-09-24-config-14.png
new file mode 100644
index 0000000000000000000000000000000000000000..22dd4af1182d13c8cd0f52c26d5f44a483752130
Binary files /dev/null and b/content/zh-cn/blog/configguide-03/2021-09-24-config-14.png differ
diff --git a/content/zh-cn/blog/configguide-03/2021-09-24-config-15.png b/content/zh-cn/blog/configguide-03/2021-09-24-config-15.png
new file mode 100644
index 0000000000000000000000000000000000000000..baed68cdcba1bbe8b908431aede2aa504a52c839
Binary files /dev/null and b/content/zh-cn/blog/configguide-03/2021-09-24-config-15.png differ
diff --git a/content/zh-cn/blog/configguide-03/2021-09-24-config-16.png b/content/zh-cn/blog/configguide-03/2021-09-24-config-16.png
new file mode 100644
index 0000000000000000000000000000000000000000..e184d45ed620c1e9a0ce840f767e43395f37f43b
Binary files /dev/null and b/content/zh-cn/blog/configguide-03/2021-09-24-config-16.png differ
diff --git a/content/zh-cn/blog/configguide-03/2021-09-24-config-17.png b/content/zh-cn/blog/configguide-03/2021-09-24-config-17.png
new file mode 100644
index 0000000000000000000000000000000000000000..51b6c8862f6cd54acf5a825e77de3a051a9e0c68
Binary files /dev/null and b/content/zh-cn/blog/configguide-03/2021-09-24-config-17.png differ
diff --git a/content/zh-cn/blog/configguide-03/2021-09-24-config-18.png b/content/zh-cn/blog/configguide-03/2021-09-24-config-18.png
new file mode 100644
index 0000000000000000000000000000000000000000..bd9cbba8a834bc02b8fc6c4fd37676a932265c0d
Binary files /dev/null and b/content/zh-cn/blog/configguide-03/2021-09-24-config-18.png differ
diff --git a/content/zh-cn/blog/configguide-03/2021-09-24-config-19.png b/content/zh-cn/blog/configguide-03/2021-09-24-config-19.png
new file mode 100644
index 0000000000000000000000000000000000000000..52b3fc7094b1007aa02430a38ca6ec221e839cad
Binary files /dev/null and b/content/zh-cn/blog/configguide-03/2021-09-24-config-19.png differ
diff --git a/content/zh-cn/blog/configguide-03/2021-09-24-config-20.png b/content/zh-cn/blog/configguide-03/2021-09-24-config-20.png
new file mode 100644
index 0000000000000000000000000000000000000000..06684b312b8db4803858282d1440820222bda859
Binary files /dev/null and b/content/zh-cn/blog/configguide-03/2021-09-24-config-20.png differ
diff --git a/content/zh-cn/blog/configguide-03/2021-09-24-config-21.png b/content/zh-cn/blog/configguide-03/2021-09-24-config-21.png
new file mode 100644
index 0000000000000000000000000000000000000000..9b80bf70f35b9f1de5c02849eefd30a97a18d6fb
Binary files /dev/null and b/content/zh-cn/blog/configguide-03/2021-09-24-config-21.png differ
diff --git a/content/zh-cn/blog/configguide-03/2021-09-24-config-22.png b/content/zh-cn/blog/configguide-03/2021-09-24-config-22.png
new file mode 100644
index 0000000000000000000000000000000000000000..9057e1a58e3fe7125a98933c8f18f921bf968e33
Binary files /dev/null and b/content/zh-cn/blog/configguide-03/2021-09-24-config-22.png differ
diff --git a/content/zh-cn/blog/configguide-03/2021-09-24-config-23.png b/content/zh-cn/blog/configguide-03/2021-09-24-config-23.png
new file mode 100644
index 0000000000000000000000000000000000000000..ef098e4e7320480d59259ce511adc0f34d28f5d3
Binary files /dev/null and b/content/zh-cn/blog/configguide-03/2021-09-24-config-23.png differ
diff --git a/content/zh-cn/blog/configguide-03/2021-09-24-config-24.png b/content/zh-cn/blog/configguide-03/2021-09-24-config-24.png
new file mode 100644
index 0000000000000000000000000000000000000000..04733640e7654b1045e94cfe806bd78c41610dd0
Binary files /dev/null and b/content/zh-cn/blog/configguide-03/2021-09-24-config-24.png differ
diff --git a/content/zh-cn/blog/configguide-03/2021-09-24-config-25.png b/content/zh-cn/blog/configguide-03/2021-09-24-config-25.png
new file mode 100644
index 0000000000000000000000000000000000000000..240d62900b8a92cc67353773ec4872c9eea4fb05
Binary files /dev/null and b/content/zh-cn/blog/configguide-03/2021-09-24-config-25.png differ
diff --git a/content/zh-cn/blog/configguide-03/2021-09-24-config-27.png b/content/zh-cn/blog/configguide-03/2021-09-24-config-27.png
new file mode 100644
index 0000000000000000000000000000000000000000..b670d546613d430bf1e856558da5f12fb62d9143
Binary files /dev/null and b/content/zh-cn/blog/configguide-03/2021-09-24-config-27.png differ
diff --git a/content/zh-cn/blog/configguide-03/2021-09-24-config-28.png b/content/zh-cn/blog/configguide-03/2021-09-24-config-28.png
new file mode 100644
index 0000000000000000000000000000000000000000..7fdb346a08d62cb3ab9a646051bd40de6665b7ef
Binary files /dev/null and b/content/zh-cn/blog/configguide-03/2021-09-24-config-28.png differ
diff --git a/content/zh-cn/blog/configguide-03/2021-09-24-config-29.png b/content/zh-cn/blog/configguide-03/2021-09-24-config-29.png
new file mode 100644
index 0000000000000000000000000000000000000000..9194e9b768dbdb0da978b6a2cd9152763f1d9654
Binary files /dev/null and b/content/zh-cn/blog/configguide-03/2021-09-24-config-29.png differ
diff --git a/content/zh-cn/blog/configguide-04/2021-09-24-config-04.md b/content/zh-cn/blog/configguide-04/2021-09-24-config-04.md
new file mode 100644
index 0000000000000000000000000000000000000000..909b9b7688c8aef332db3cf912242d78c1af9e13
--- /dev/null
+++ b/content/zh-cn/blog/configguide-04/2021-09-24-config-04.md
@@ -0,0 +1,234 @@
++++
+
+title = "openLooKeng AA安全配置指导(四)----对接ranger"
+date = "2021-09-24"
+tags = ["openLooKeng", "ranger", "OpenLDAP"]
+archives = "2021-09"
+author = "senny456"
+description = "指导配置openLooKeng对接ranger做权限控制"
+
++++
+
+### 1 Ranger编译和部署
+
+代码路径:https://github.com/apache/ranger/tree/release-ranger-2.1.0, release-ranger-2.1.0分支。
+
+在Ranger的2.1.0版本上开发openLookeng插件,所以需要编译和部署ranger-2.1.0。
+
+### 1.1 代码编译
+
+```
+git clone https://github.com/apache/ranger.git --branch release-ranger-2.1.0
+\# 进入代码根目录
+cd ranger
+mvn clean compile package install -DskipTests
+ls target/
+\# target 目录下为所有压缩包
+```
+
+### 1.2 安装MySQL
+
+安装可参考网上教程:https://www.cnblogs.com/lzhdonald/p/12511998.html
+
+本地安装完成后,连接数据库:mysql -u root -p,新增openlookeng用户并赋予权限
+
+```
+create database ranger;
+CREATE USER 'openlookeng'@'%' IDENTIFIED BY 'openlookeng123';
+GRANT ALL ON ranger.* TO 'openlookeng'@'%';
+FLUSH PRIVILEGES;
+```
+
+### 1.3 安装Ranger Admin
+
+安装可参考官方教程:https://cwiki.apache.org/confluence/display/RANGER/Ranger+Installation+Guide
+
+```
+# 进入Ranger代码编译生成的target目录下
+tar -zxf ranger-2.1.0-admin.tar.gz
+cd ranger-2.1.0-admin/
+vi install.properties
+```
+
+install.properties修改如下部分
+
+```
+#mysql 数据库信息
+db_root_user=root
+db_root_password=xxxx
+db_host=xxx.xxx.xxx.xxx
+
+# DB UserId used for the Ranger schema
+# 提前在mysql中创建数据库和用户
+db_name=ranger
+db_user=openlookeng
+db_password=XXXXXX
+
+# 禁用审计功能
+#audit_store=solr
+```
+
+将mysql的驱动包放置到/usr/share/java/mysql-connector-java.jar。
+
+```
+CREATE USER 'openlookeng'@'%' IDENTIFIED BY 'Huawei@123';
+GRANT ALL ON ranger.* TO 'openlookeng'@'%';
+FLUSH PRIVILEGES;
+```
+
+执行./setup.sh
+
+
+
+启动Ranger Admin服务: service ranger-admin start
+
+
+
+### 1.4 检查是否成功
+
+访问Ranger控制台:http://ranger-IP:6080,默认账号密码:admin/admin,出现登录界面且登录成功,说明Ranger Admin安装成功
+
+
+
+### 2 安装Ranger openLooKeng Plugin
+
+代码路径:https://gitee.com/chen-peikun/openlookeng-ranger-plugin, master分支。
+
+按照下面操作指导进行编译和部署即可(基于Ranger的2.1.0版本)。
+
+### 2.1 代码编译
+
+```
+git clone https://gitee.com/chen-peikun/openlookeng-ranger-plugin.git
+# 进入代码根目录
+cd openlookeng-ranger-plugin
+mvn clean compile package install
+ls target/
+# target 目录下为所有压缩包
+```
+
+### 2.2 在Ranger Admin中安装Ranger openLooKeng的服务端插件
+
+```
+# 代码openlookeng-ranger-plugin根目录
+# 进入Ranger代码编译生成的target目录下
+cd target
+tar -zxf ranger-2.1.0-admin-openlookeng-plugin.tar.gz
+cd ranger-2.1.0-admin-openlookeng-plugin/
+
+# 将openlookeng目录拷贝到Ranger Admin的ranger-plugins目录下
+# 示例:Ranger Admin路径为/home/ranger-2.1.0-admin
+cp -r openlookeng /home/ranger-2.1.0-admin/ews/webapp/WEB-INF/classes/ranger-plugins/
+
+# 使用curl命令,将service-defs目录下的ranger-servicedef-openlookeng.json服务定义文件注册到Ranger Admin服务中
+# "password"是Ranger Admin的admin账户密码
+# "ranger-admin-host:port"使用对应的Ranger Admin配置的host和port
+curl -u admin:password -X POST -H "Accept: application/json" -H "Content-Type: application/json" -d @service-defs/ranger-servicedef-openlookeng.json http://ranger-admin-host:port/service/plugins/definitions
+
+# 【重启Ranger Admin服务】
+service ranger-admin restart
+```
+
+### 2.3 在Ranger控制台新增openlookengdev服务
+
+访问Ranger控制台:http://ranger-IP:6080,默认账号密码:admin/admin,新增openLooKeng服务:
+
+
+
+Username填写:**lk**, openLooKeng控制台(http://openLooKeng-IP:8080)默认使用**lk用户**进行数据查询和展示,使用**lk用户**创建服务,ranger默认会给创建服务用户全部权限。
+
+Passworld:对接openLDAP需填写;未对接openLDAP不用填写。
+
+jdbc.url填写:
+
+ 非安全openLooKeng集群:jdbc:lk://openLooKeng-IP:http-port/catalog
+
+ 安全openLooKeng集群:jdbc:lk://openLooKeng-IP:https-port/hive?SSL=true
+
+ 如果配置nginx:jdbc:lk://nginx-IP:https-port/hive?SSL=true
+
+
+
+测试连接成功,可以使用。
+
+### 2.4 在openLooKeng中安装Ranger openLooKeng的客户端插件
+
+```
+# 代码openlookeng-ranger-plugin根目录
+# 进入Ranger代码编译生成的target目录下
+cd target
+tar -zxf ranger-2.1.0-openlookeng-plugin.tar.gz
+cd ranger-2.1.0-openlookeng-plugin/
+vi install.properties
+```
+
+install.properties修改如下部分
+
+```
+# Location of Policy Manager URL
+# Example: POLICY_MGR_URL=http://policymanager.xasecure.net:6080
+POLICY_MGR_URL=ttp:///ranger-IP:6080
+
+# This is the repository name created within policy manager
+# Example: REPOSITORY_NAME=openlookengdev
+# Ranger 控制台创建的Service名
+REPOSITORY_NAME=openlookengdev
+
+#Presto component installed directory
+#COMPONENT_INSTALL_DIR_NAME=../openlookeng
+COMPONENT_INSTALL_DIR_NAME=/root/hetu-server-1.0.0-SNAPSHOT
+
+#为了简单,此处不开启审计功能
+XAAUDIT.SOLR.ENABLE=false
+
+#虽然文档中没有提及,不设置的话,enable-presto-plugin.sh脚本执行出错
+XAAUDIT.SUMMARY.ENABLE=false
+```
+
+以root用户执行脚本: ./enable-presto-plugin.sh
+
+**如果是AA环境,coordinator节点上都需要执行上面脚本**
+
+检查openLooKeng配置文件目录是否生成access-control.properties
+
+
+
+检查openLooKeng的plugin目录下是否生成ranger目录,其中jar包连接到ranger-2.1.0-openlookeng-plugin/lib
+
+
+
+重启openLookeng**
+
+进入openLookeng安装目录下的bin子目录,新建lk用户并授权,使用lk用户执行:./launcher restart
+
+### 2.5 添加权限控制,验证是否成功
+
+访问Ranger控制台:http://ranger-ip:6080,点击openlookengdev服务,进行权限控制:
+
+
+
+添加资源权限控制:
+
+
+
+show schemas/tables/columns等显示元数据信息操作,对应的catalog/schema/table/column需要授权select权限,还必须给对应Catalog/Schame(information_schema)/Table(schemata,tables,columns)/Column(*)授予select权限)
+
+**示例如下:**
+
+【配置前】test账号没有配置权限
+
+
+
+1)在Ranger上授权test访问Catalog(hive2)的use权限,**注意:管理表权限必须先设置catalog的use权限**
+
+
+
+2)在Ranger上授权test访问Catalog(hive2)/Schame(default)/Table(user)/Column(id,info_age)数据的权限
+
+【配置权限】给cc_call_center_sk,cc_call_center_id两个列访问权限
+
+
+
+【配置后】
+
+
\ No newline at end of file
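Review bot: `POLICY_MGR_URL=ttp:///ranger-IP:6080` in the install.properties fragment of section 2.4 is malformed (missing `h`, extra slash) and will stop the client plugin from reaching Ranger Admin at all; it should read `POLICY_MGR_URL=http://ranger-IP:6080`, matching the example comment two lines above it. Further points in the same file: the second `CREATE USER 'openlookeng'@'%' IDENTIFIED BY 'Huawei@123';` block after the install.properties fragment in section 1.3 repeats the user creation already done in section 1.2 with a different password, so one of the two should go and the remaining one should agree with `db_password`, and a real-looking password should not ship in the guide. The `\#` on the two comment lines in the section 1.1 fence sit inside a code block, where the backslash is not a markdown escape, so a reader pasting them gets `#: command not found`; use a plain `#` as the other fences do. Disabling audit (`#audit_store=solr`, `XAAUDIT.SOLR.ENABLE=false`, `XAAUDIT.SUMMARY.ENABLE=false`) is labelled as done for simplicity, which is fine for a dev setup, but the guide should add one sentence saying that with audit off Ranger records no access decisions and that production deployments should enable it. The empty paragraph pairs after `执行./setup.sh`, after `启动Ranger Admin服务`, and in sections 1.4, 2.3, 2.4 and 2.5 look like dropped image links, and the config-30 to config-43 PNGs added alongside this file are never referenced from it. Smaller text fixes: `Passworld` should be `Password`, `Schame` should be `Schema` (twice), the stray `**` after `重启openLookeng` should be removed, and the jdbc.url examples use `/catalog` for the non-secure URL but `/hive` for the secure ones, so name the catalog consistently.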
diff --git a/content/zh-cn/blog/configguide-04/2021-09-24-config-30.png b/content/zh-cn/blog/configguide-04/2021-09-24-config-30.png
new file mode 100644
index 0000000000000000000000000000000000000000..0f635453dc81402a260554777c3ecc73d9ee94de
Binary files /dev/null and b/content/zh-cn/blog/configguide-04/2021-09-24-config-30.png differ
diff --git a/content/zh-cn/blog/configguide-04/2021-09-24-config-31.png b/content/zh-cn/blog/configguide-04/2021-09-24-config-31.png
new file mode 100644
index 0000000000000000000000000000000000000000..35c3519c5499ebef080ef748b8a0bad414723fb5
Binary files /dev/null and b/content/zh-cn/blog/configguide-04/2021-09-24-config-31.png differ
diff --git a/content/zh-cn/blog/configguide-04/2021-09-24-config-32.png b/content/zh-cn/blog/configguide-04/2021-09-24-config-32.png
new file mode 100644
index 0000000000000000000000000000000000000000..31472bf578dbc077b4c997336da3e06cd2cec00a
Binary files /dev/null and b/content/zh-cn/blog/configguide-04/2021-09-24-config-32.png differ
diff --git a/content/zh-cn/blog/configguide-04/2021-09-24-config-33.png b/content/zh-cn/blog/configguide-04/2021-09-24-config-33.png
new file mode 100644
index 0000000000000000000000000000000000000000..81ce0dba0b9950baafd5914ff2fd2964b779344a
Binary files /dev/null and b/content/zh-cn/blog/configguide-04/2021-09-24-config-33.png differ
diff --git a/content/zh-cn/blog/configguide-04/2021-09-24-config-35.png b/content/zh-cn/blog/configguide-04/2021-09-24-config-35.png
new file mode 100644
index 0000000000000000000000000000000000000000..1b14a7331f45960ea164aee2e47d7fb825dafead
Binary files /dev/null and b/content/zh-cn/blog/configguide-04/2021-09-24-config-35.png differ
diff --git a/content/zh-cn/blog/configguide-04/2021-09-24-config-36.png b/content/zh-cn/blog/configguide-04/2021-09-24-config-36.png
new file mode 100644
index 0000000000000000000000000000000000000000..415c20cb44ed0bba19805a331d80d464ba6f2362
Binary files /dev/null and b/content/zh-cn/blog/configguide-04/2021-09-24-config-36.png differ
diff --git a/content/zh-cn/blog/configguide-04/2021-09-24-config-37.png b/content/zh-cn/blog/configguide-04/2021-09-24-config-37.png
new file mode 100644
index 0000000000000000000000000000000000000000..b2c3354d324530156b048f5fea37308edc8b6f09
Binary files /dev/null and b/content/zh-cn/blog/configguide-04/2021-09-24-config-37.png differ
diff --git a/content/zh-cn/blog/configguide-04/2021-09-24-config-38.png b/content/zh-cn/blog/configguide-04/2021-09-24-config-38.png
new file mode 100644
index 0000000000000000000000000000000000000000..9cd9787a3e700f663afd43fa7b591e550ae28967
Binary files /dev/null and b/content/zh-cn/blog/configguide-04/2021-09-24-config-38.png differ
diff --git a/content/zh-cn/blog/configguide-04/2021-09-24-config-39.png b/content/zh-cn/blog/configguide-04/2021-09-24-config-39.png
new file mode 100644
index 0000000000000000000000000000000000000000..96fbc5059c5985ef6923b9eff954086224637acb
Binary files /dev/null and b/content/zh-cn/blog/configguide-04/2021-09-24-config-39.png differ
diff --git a/content/zh-cn/blog/configguide-04/2021-09-24-config-40.png b/content/zh-cn/blog/configguide-04/2021-09-24-config-40.png
new file mode 100644
index 0000000000000000000000000000000000000000..9af0b091a4e883ac07f7681992abeb849923dac8
Binary files /dev/null and b/content/zh-cn/blog/configguide-04/2021-09-24-config-40.png differ
diff --git a/content/zh-cn/blog/configguide-04/2021-09-24-config-41.png b/content/zh-cn/blog/configguide-04/2021-09-24-config-41.png
new file mode 100644
index 0000000000000000000000000000000000000000..e3ff4964060c1f12590e2888860a5a8dc24c70cf
Binary files /dev/null and b/content/zh-cn/blog/configguide-04/2021-09-24-config-41.png differ
diff --git a/content/zh-cn/blog/configguide-04/2021-09-24-config-42.png b/content/zh-cn/blog/configguide-04/2021-09-24-config-42.png
new file mode 100644
index 0000000000000000000000000000000000000000..8998d8ca691a0f2392bffb06a3f7bba3144309da
Binary files /dev/null and b/content/zh-cn/blog/configguide-04/2021-09-24-config-42.png differ
diff --git a/content/zh-cn/blog/configguide-04/2021-09-24-config-43.png b/content/zh-cn/blog/configguide-04/2021-09-24-config-43.png
new file mode 100644
index 0000000000000000000000000000000000000000..bf157f238349b0c7968a3fd1958985eafdff15f6
Binary files /dev/null and b/content/zh-cn/blog/configguide-04/2021-09-24-config-43.png differ