Background: When you rely completely on Ranger and want to configure authorization for a resource per end user, you have to create one policy for each resource. There should be a way to configure a policy that provides access to specific resources based on the user who is making the call.

Solution:

{USER} support: {USER} support solves this problem. It allows us to create a policy where the resource is configured with {USER}, e.g. /user/{USER}, and the user is also selected as {USER}. That means every user gets access to their corresponding home directory.

E.g. HDFS: resource: /user/{USER}

user1 will have access to /user/user1

user2 will have access to /user/user2

Hive: resource: database:database_{USER}

user1 will have access to database database_user1

user2 will have access to database database_user2

The resource may contain {USER} partially or fully.

The delimiter can also be customised.
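
The per-request substitution described above can be sketched as follows. This is an added example, not code from Ranger or from the original article: it is a simplified model of the evaluation, and the policy dictionaries, function names, and the whole-path-component matching rule are assumptions of the example.

```python
# Added example: simplified model of {USER} expansion, not Ranger's own evaluator.
MACRO = "{USER}"

# Constructed policies, loosely shaped like a Ranger policy (resources + policyItems).
HDFS_POLICY = {
    "resources": {"path": {"values": ["/user/{USER}"], "isRecursive": True}},
    "policyItems": [{"users": ["{USER}"],
                     "accesses": [{"type": "read"}, {"type": "write"}]}],
}
HIVE_POLICY = {
    "resources": {"database": {"values": ["database_{USER}"]}},
    "policyItems": [{"users": ["{USER}"], "accesses": [{"type": "select"}]}],
}


def expand(value, user):
    """Replace every {USER} token with the name of the requesting user."""
    return value.replace(MACRO, user)


def resource_matches(pattern, requested, recursive):
    """Exact match, or (if recursive) a match on whole path components only."""
    if requested == pattern:
        return True
    return recursive and requested.startswith(pattern.rstrip("/") + "/")


def is_allowed(policy, user, res_type, requested, access):
    """Evaluate one request against one policy after per-request expansion."""
    res = policy["resources"].get(res_type)
    if res is None:
        return False
    recursive = res.get("isRecursive", False)
    if not any(resource_matches(expand(v, user), requested, recursive)
               for v in res["values"]):
        return False
    for item in policy["policyItems"]:
        users = [expand(u, user) for u in item["users"]]
        types = [a["type"] for a in item["accesses"]]
        if user in users and access in types:
            return True
    return False


if __name__ == "__main__":
    for user, path in [("user1", "/user/user1/data.csv"),
                       ("user1", "/user/user2/data.csv"),
                       ("user1", "/user/user10")]:
        print(user, path, is_allowed(HDFS_POLICY, user, "path", path, "read"))
```

The /user/user10 case is denied in this model because matching is done on whole path components rather than on a plain string prefix.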

Steps to configure {USER}:

1) Go to Ranger Admin and open the create policy page; in the resource field, enter {USER}.


2) In the user field, type {USER}; {USER} will be populated. Select it and add the policy.


More details can be found at https://cwiki.apache.org/confluence/display/RANGER/Support+for+%24username+variable.
