Prior to Ranger version 0.6, it was common for security admins to create per-user policies, e.g. to grant a user access to project databases (Hive) or special HDFS directories.
Initially, a policy was created for each user, so the admins ended up managing thousands of policies. HDFS policies in particular often had the user name in the path, e.g. /user/demo/USERNAME/*.
As Ranger 0.6 introduces the user variable, the security admin now only has to create one policy whose path looks like this: /user/demo/{USER}/* and assign the appropriate user permissions for the directory.
The user can immediately access and use the new HDFS directory with the user permissions enforced.
dummy_1$ hdfs dfs -copyFromLocal text.txt /user/demo/dummy_1
dummy_1$ hdfs dfs -ls /user/demo/dummy_1
Found 1 items
-rw-r--r--   3 dummy_1 hdfs      19001 2018-03-23 15:36 /user/demo/dummy_1/text.txt
With the use of user variables, security administrators can now create more dynamic policies that dramatically reduce the number of policies in the environment.
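As an added illustration (not part of the original article and not Ranger's own code), the following Python model shows how a single /user/demo/{USER} policy can stand in for one policy per user, and why the expanded path has to be matched on whole path components. The Policy class, the function names, the access names and the sample requests are hypothetical and constructed for this example.

```python
# Simplified model of {USER} policy evaluation (illustrative; not Ranger's code).
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    path: str            # resource path, may contain {USER}
    users: frozenset     # policy-item users, may contain {USER}
    accesses: frozenset  # assumed access names, e.g. read/write/execute
    recursive: bool = True

def expand(template: str, user: str) -> str:
    """Substitute the requesting user's id for the {USER} variable."""
    return template.replace("{USER}", user)

def covers(policy_path: str, requested: str, recursive: bool) -> bool:
    """Match on whole path components so /user/demo/dummy_1 never
    covers /user/demo/dummy_10."""
    base = policy_path.rstrip("/")
    req = requested.rstrip("/")
    if req == base:
        return True
    return recursive and req.startswith(base + "/")

def is_allowed(policy: Policy, user: str, path: str, access: str) -> bool:
    if access not in policy.accesses:
        return False
    if user not in {expand(u, user) for u in policy.users}:
        return False
    return covers(expand(policy.path, user), path, policy.recursive)

# The single policy that replaces the per-user policies (constructed values).
HOME_POLICY = Policy(
    path="/user/demo/{USER}",
    users=frozenset({"{USER}"}),
    accesses=frozenset({"read", "write", "execute"}),
)

def decisions():
    """Evaluate constructed sample requests against HOME_POLICY."""
    requests = [
        ("dummy_1", "/user/demo/dummy_1/text.txt", "write"),  # own directory
        ("dummy_1", "/user/demo/dummy_2/text.txt", "read"),   # another user's
        ("dummy_1", "/user/demo/dummy_10/notes", "read"),     # name-prefix case
        ("dummy_2", "/user/demo/dummy_2", "read"),            # same policy, other user
    ]
    return [is_allowed(HOME_POLICY, u, p, a) for u, p, a in requests]

if __name__ == "__main__":
    print(decisions())
```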
Did you mean version 0.7?
https://cwiki.apache.org/confluence/display/RANGER/Support+for+%24username+variable
A small correction. It's introduced in Ranger 0.7 and policies should look like this:
//HDFS
resource: path=/home/{USER}
user: {USER}
//Hive
resource: database=db_{USER}; table=*; column=*
user: {USER}
where {USER} would substitute the user id of the currently logged in user.