Hortonworks.com
  • Explore
    • All Tags
    • All Questions
    • All Articles
    • All Ideas
    • All Repos
    • All SKB
    • All Users
    • All Badges
    • Leaderboard
  • Create
    • Ask a question
    • Create Article
    • Post Idea
    • Add Repo
  • Tracks
    • All Tracks
    • Community Help
    • Cloud & Operations
    • CyberSecurity
    • Data Ingestion & Streaming
    • Data Processing
    • Data Science & Advanced Analytics
    • Design & Architecture
    • Governance & Lifecycle
    • Hadoop Core
    • Sandbox & Learning
    • Security
    • Solutions
  • Login
HCC Hortonworks Community Connection
  • Home /
  • Security /
  • Home /
  • Security /
  • Apache Ranger and HDFS /
avatar image

Ranger User Variables use for HDFS policies   
  • Add/Remove external LDAP users to/from an internal group in RangerUI
  • Best Practices In HDFS Authorization with Apache Ranger
  • Configuring Ranger Policy Administration High Availability
  • Installing Apache Ranger with Ambari Postgresql

  • Export to PDF
Article by frothkoetter · Jan 26, 2018 at 02:33 PM · edited · Mar 23, 2018 at 03:52 PM
1

Article

Prior Ranger Version 0.6 it was a common scenario that security admins created per users policies, e.g. grant a user access to project databases (hive) or special HDFS directories.

Initially, a policy was created for each user so the admins ended up to manage about thousands of policies. Especially HDFS policies often had the name in the path, e.g. /user/demo/USERNAME/ *.

As Ranger 0.6 introduces the user variable, now the security admin have only to create one policy that looks like this in the path: /user/demo/{USER}/ * and assign the appropriate user permissions for the directory.

The user can immediate access and use the new HDFS directory with enforced user permissions.

dummy_1$ hdfs dfs -copyFromLocal tst.x1 /user/demo/dummy_1
dummy_1$ hdfs dfs -ls /usr/demo/dummy_1
Found 1 items
-rw-r--r-- 3 dummy_1 hdfs19001 2018-03-23 15:36 /user/demo/dummy_1/text.txt

With the use screen-shot-2018-03-23-at-165124.pngof user variables now the security administrators can create more dynamic policies that dramatically reduced the amount of policies in the environment.

thub.nodes.view.add-new-comment
How-To/TutorialHDFSHDFSRangerRangerhdfs-policieshow-to-tutorialpoliciessecurity
screen-shot-2018-03-23-at-162530.png (227.3 kB)
screen-shot-2018-03-23-at-162452.png (145.8 kB)
screen-shot-2018-03-23-at-165124.png (234.0 kB)
Add comment · Show 2 · Featured
10 |6000 characters needed characters left characters exceeded
▼
  • Viewable by all users
  • Viewable by moderators
  • Viewable by moderators and the original poster
  • Advanced visibility
Viewable by all users

Up to 5 attachments (including images) can be used with a maximum of 524.3 kB each and 1.0 MB total.

avatar image Jordan Moore · Jan 26, 2018 at 11:05 PM 0
Share

Did you mean version 0.7?

https://cwiki.apache.org/confluence/display/RANGER/Support+for+%24username+variable

avatar image Sivaprasanna · Jan 27, 2018 at 10:11 AM 0
Share

A small correction. It's introduced in Ranger 0.7 and policies should look like this:

//HDFS
resource: path=/home/{USER}
user: {USER}

//Hive
resource: database=db_{USER}; table=*; column=*
user: {USER}

where {USER} would substitute the user id of the currently logged in user.

Article

Contributors

avatar image

avatar image avatar image avatar image avatar image avatar image
avatar image avatar image avatar image avatar image avatar image
avatar image avatar image avatar image avatar image avatar image
avatar image avatar image avatar image avatar image avatar image
avatar image avatar image avatar image avatar image avatar image
avatar image avatar image avatar image avatar image avatar image
avatar image avatar image avatar image avatar image avatar image
avatar image avatar image avatar image avatar image avatar image
avatar image avatar image avatar image avatar image avatar image
avatar image avatar image avatar image avatar image avatar image
avatar image avatar image avatar image avatar image avatar image
avatar image avatar image avatar image avatar image avatar image
avatar image avatar image avatar image avatar image avatar image
avatar image avatar image avatar image avatar image

Navigation

Apache Ranger and HDFS
  • Add/Remove external LDAP users to/from an internal group in RangerUI
  • Installing Apache Ranger with Ambari Postgresql
  • Best Practices In HDFS Authorization with Apache Ranger
  • Ranger User Variables use for HDFS policies
  • Configuring Ranger Policy Administration High Availability

Related Articles

Best Practices In HDFS Authorization with Apache Ranger

Configuring Ranger Policy Administration High Availability

Installing Apache Ranger with Ambari Postgresql

Add/Remove external LDAP users to/from an internal group in RangerUI

Hive Row Level Access Restriction Using Ranger

Configure SSL between Ranger and Rager HDFS plugin with CA Signed certs

Apache Ranger and HDFS

Securing Solr Collections with Ranger + Kerberos

Apache Ranger and Yarn setup - Security

Hortonworks Secure Cluster with Isilon OneFS

This website uses cookies for analytics, personalisation and advertising. To learn more or change your cookie settings, please read our Cookie Policy. By continuing to browse, you agree to our use of cookies.

HCC Guidelines | HCC FAQs | HCC Privacy Policy | Privacy Policy | Terms of Service

© 2011-2019 Hortonworks Inc. All Rights Reserved.

Hadoop, Falcon, Atlas, Sqoop, Flume, Kafka, Pig, Hive, HBase, Accumulo, Storm, Solr, Spark, Ranger, Knox, Ambari, ZooKeeper, Oozie and the Hadoop elephant logo are trademarks of the Apache Software Foundation.

  • Anonymous
  • Login
  • Create
  • Ask a question
  • Create Article
  • Post Idea
  • Add Repo
  • Create SupportKB
  • Tracks
  • Community Help
  • Cloud & Operations
  • CyberSecurity
  • Data Ingestion & Streaming
  • Data Processing
  • Data Science & Advanced Analytics
  • Design & Architecture
  • Governance & Lifecycle
  • Hadoop Core
  • Sandbox & Learning
  • Security
  • Solutions
  • Explore
  • All Tags
  • All Questions
  • All Articles
  • All Ideas
  • All Repos
  • All SKB
  • All Users
  • Leaderboard
  • All Badges