Created on 06-27-2017 10:11 AM - edited 08-17-2019 12:23 PM
Background: When you rely completely on Ranger for authorization and want to grant each end user access only to their own resource, you have to create one policy per resource. There should be a way to configure a single policy that provides access to specific resources based on the user who is making the call.
Solution:
{USER} Support:
{USER} support solves this problem. It allows us to create a single policy in which the resource contains {USER}, e.g. /user/{USER}, and the user is also selected as {USER}. This means every user gets access to their own corresponding home directory.
Examples:
HDFS:
resource: /user/{USER}
user1 will have access to /user/user1
user2 will have access to /user/user2
Hive:
resource: database:database_{USER}
user1 will have access to database database_user1
user2 will have access to database database_user2
The resource may contain {USER} partially or fully.
The delimiter can also be customised.
Steps to configure {USER}:
1) Go to Ranger Admin and open the create policy page; in the resource field, give {USER} as input.
2) In the user field, type {USER}; {USER} will be populated in the list. Select it and add the policy.
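
The same policy expressed as a JSON body, with a small local check of which paths each user ends up with. This is an added example, not code from the article or from Ranger: the field names follow Ranger's policy JSON layout, the service name example_hadoop and the policy name are made up, and is_allowed() is a simplified model of the macro expansion, not Ranger's own matcher.

```python
import json

USER_MACRO = "{USER}"  # macro token exactly as used in the article


def build_policy(service, name, path_template, accesses):
    """Build a policy body whose resource and user are both the {USER} macro."""
    return {
        "service": service,  # assumption: name of the HDFS service defined in Ranger
        "name": name,
        "isEnabled": True,
        "resources": {"path": {"values": [path_template], "isRecursive": True}},
        "policyItems": [{
            "users": [USER_MACRO],  # every user is matched against their own name
            "accesses": [{"type": a, "isAllowed": True} for a in accesses],
        }],
    }


def expand(template, user):
    """Replace the macro with the calling user; works for partial use too."""
    return template.replace(USER_MACRO, user)


def is_allowed(policy, user, path):
    """Simplified model: expand the macro, then match whole path components."""
    res = policy["resources"]["path"]
    for template in res["values"]:
        root = expand(template, user).rstrip("/")
        if path == root:
            return True
        # Compare against root + "/" so /user/user1 does not cover /user/user10.
        if res["isRecursive"] and path.startswith(root + "/"):
            return True
    return False


def audit(policy, users, paths):
    """Return the (user, path) pairs the policy would allow in this model."""
    return [(u, p) for u in users for p in paths if is_allowed(policy, u, p)]


if __name__ == "__main__":
    policy = build_policy("example_hadoop", "home-dirs", "/user/{USER}",
                          ["read", "write", "execute"])
    print(json.dumps(policy, indent=2))
    # Constructed sample users and paths.
    print(audit(policy, ["user1", "user2"],
                ["/user/user1", "/user/user2/data", "/user/user10"]))
```

Running an audit like this against a list of real account names before enabling the policy shows whether any user name is a prefix of another one.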