Article
Prior Ranger Version 0.6 it was a common scenario that security admins created per users policies, e.g. grant a user access to project databases (hive) or special HDFS directories.
Initially, a policy was created for each user so the admins ended up to manage about thousands of policies. Especially HDFS policies often had the name in the path, e.g. /user/demo/USERNAME/ *.
As Ranger 0.6 introduces the user variable, now the security admin have only to create one policy that looks like this in the path: /user/demo/{USER}/ * and assign the appropriate user permissions for the directory.
The user can immediate access and use the new HDFS directory with enforced user permissions.
dummy_1$ hdfs dfs -copyFromLocal tst.x1 /user/demo/dummy_1 dummy_1$ hdfs dfs -ls /usr/demo/dummy_1 Found 1 items -rw-r--r-- 3 dummy_1 hdfs19001 2018-03-23 15:36 /user/demo/dummy_1/text.txt
With the use screen-shot-2018-03-23-at-165124.pngof user variables now the security administrators can create more dynamic policies that dramatically reduced the amount of policies in the environment.
Did you mean version 0.7?
https://cwiki.apache.org/confluence/display/RANGER/Support+for+%24username+variable
A small correction. It's introduced in Ranger 0.7 and policies should look like this:
//HDFS
resource: path=/home/{USER}
user: {USER}
//Hive
resource: database=db_{USER}; table=*; column=*
user: {USER}
where {USER} would substitute the user id of the currently logged in user.
Contributors
