Community Articles
Find and share helpful community-sourced technical articles
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.
Labels (2)
Cloudera Employee

Prior Ranger Version 0.6 it was a common scenario that security admins created per users policies, e.g. grant a user access to project databases (hive) or special HDFS directories.

Initially, a policy was created for each user so the admins ended up to manage about thousands of policies. Especially HDFS policies often had the name in the path, e.g. /user/demo/USERNAME/ *.

As Ranger 0.6 introduces the user variable, now the security admin have only to create one policy that looks like this in the path: /user/demo/{USER}/ * and assign the appropriate user permissions for the directory.

66382-screen-shot-2018-03-23-at-162452.png

The user can immediate access and use the new HDFS directory with enforced user permissions.

dummy_1$ hdfs dfs -copyFromLocal tst.x1 /user/demo/dummy_1
dummy_1$ hdfs dfs -ls /usr/demo/dummy_1
Found 1 items
-rw-r--r-- 3 dummy_1 hdfs19001 2018-03-23 15:36 /user/demo/dummy_1/text.txt

With the use screen-shot-2018-03-23-at-165124.pngof user variables now the security administrators can create more dynamic policies that dramatically reduced the amount of policies in the environment.


screen-shot-2018-03-23-at-162530.png
743 Views
Comments
Super Collaborator
New Contributor

A small correction. It's introduced in Ranger 0.7 and policies should look like this:

//HDFS
resource: path=/home/{USER}
user: {USER}

//Hive
resource: database=db_{USER}; table=*; column=*
user: {USER}

where {USER} would substitute the user id of the currently logged in user.

Don't have an account?
Coming from Hortonworks? Activate your account here
Version history
Revision #:
2 of 2
Last update:
‎08-17-2019 09:13 AM
Updated by:
 
Contributors
Top Kudoed Authors