Hi @rgarcia,
I started putting together the schema myself but never completed it. I think I have sufficiently documented what you need though. See the attachments for a description of a few of the tables. It is worth noting that there are two databases in a default installation. the ranger_audit database contains all of the audit information regarding the HDP-based repositories (e.g., who touch what HDFS file, when, and was it allowed). The ranger database contains several tables pertaining to the metadata about each repo and the policies around them. The audit information around who changed the policies and when is also stored here.
I also have couple example queries below to help understand them, specifically the ranger database which you need if you want to understand and audit how the policies themselves are changed:
The following query will gather all of the resources that the usr ‘hive’ has been explicitly allowed access to:
SELECT * FROM
(select x_resource.policy_name, x_user.user_name, x_resource.res_name, x_resource.res_cols, x_resource.res_dbs, x_resource.res_col_fams from x_resource
join x_perm_map
on x_perm_map.res_id = x_resource.id
join x_user
on x_user.id = x_perm_map.user_id) as policies
WHERE policies.user_name = 'hive’;The next will do the same for the group ‘hadoop’:
SELECT * FROM
(select x_resource.policy_name, x_group.group_name, x_resource.res_name, x_resource.res_cols, x_resource.res_dbs, x_resource.res_col_fams from x_resource
join x_perm_map
on x_perm_map.res_id = x_resource.id
join x_group
on x_group.id = x_perm_map.group_id) as policies
WHERE policies.group_name = 'hadoop';If you are looking for all users that have admin privileges somewhere within Hive, HDFS, or HBase then you can do it as follows:
SELECT * FROM
(select x_resource.policy_name, x_user.user_name, x_resource.res_name, x_perm_map.perm_type from x_resource
join x_perm_map
on x_perm_map.res_id = x_resource.id
join x_user
on x_user.id = x_perm_map.user_id) as policies
WHERE policies.perm_type=6;
