Community Articles

Find and share helpful community-sourced technical articles.
Labels (2)
avatar
Cloudera Employee

Prior Ranger Version 0.6 it was a common scenario that security admins created per users policies, e.g. grant a user access to project databases (hive) or special HDFS directories.

Initially, a policy was created for each user so the admins ended up to manage about thousands of policies. Especially HDFS policies often had the name in the path, e.g. /user/demo/USERNAME/ *.

As Ranger 0.6 introduces the user variable, now the security admin have only to create one policy that looks like this in the path: /user/demo/{USER}/ * and assign the appropriate user permissions for the directory.

66382-screen-shot-2018-03-23-at-162452.png

The user can immediate access and use the new HDFS directory with enforced user permissions.

dummy_1$ hdfs dfs -copyFromLocal tst.x1 /user/demo/dummy_1
dummy_1$ hdfs dfs -ls /usr/demo/dummy_1
Found 1 items
-rw-r--r-- 3 dummy_1 hdfs19001 2018-03-23 15:36 /user/demo/dummy_1/text.txt

With the use screen-shot-2018-03-23-at-165124.pngof user variables now the security administrators can create more dynamic policies that dramatically reduced the amount of policies in the environment.


screen-shot-2018-03-23-at-162530.png
3,866 Views
Comments
avatar
Contributor

A small correction. It's introduced in Ranger 0.7 and policies should look like this:

//HDFS
resource: path=/home/{USER}
user: {USER}

//Hive
resource: database=db_{USER}; table=*; column=*
user: {USER}

where {USER} would substitute the user id of the currently logged in user.