Support Questions
Find answers, ask questions, and share your expertise

Documentation: Ranger policy json example incorrect HDFS and Hive example

The Create Policy Json request example given for HDFS and Hive seems to be incorrect. This applies to both 2.4 and 2.5 documentation.

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.3/bk_Security_Guide/content/ranger_rest_api_c...

http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.0/bk_security/content/ranger_rest_api_create_p...

1) The HDFS example request json lists "SELECT", "UPDATE" .. as permissions for hdfs resources which is wrong. HDFS resources has only "read","write","execute".. as allowed permissions.

2) The Hive example request json lists "Select", "Update"... as permissions with uppercase starting letter. This is not working. It works only when these are given in all lower case like "select", "update"...

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Documentation: Ranger policy json example incorrect HDFS and Hive example

Naveen Kumar Mahadevuni you first point is valid, example for hdfs and hive seems to be wrong ,thanks for pointing it out, our documentation team will fix it soon.

but I tried the second point you mentioned , passing uppercase starting letter in input json and it worked for me.

{
    "allowExceptions": [],
    "denyExceptions": [],
    "denyPolicyItems": [
        {
            "accesses": [
                {
                    "isAllowed": true,
                    "type": "drop"
                }
            ],
            "conditions": [],
            "delegateAdmin": true,
            "groups": [],
            "users": [
        "user1"
            ]
        }
    ],
    "description": "Policy for Service: cl1_test",
    "isAuditEnabled": true,
    "isEnabled": true,
    "name": "cl1_test-3",
    "policyItems": [
        {
            "accesses": [
                {
                    "isAllowed": true,
                    "type": "Select"
                },
                {
                    "isAllowed": true,
                    "type": "Update"
                },
                {
                    "isAllowed": true,
                    "type": "Create"
                },
                {
                    "isAllowed": true,
                    "type": "Drop"
                }
            ],
            "conditions": [],
            "delegateAdmin": true,
            "groups": ["public"],
            "users": [
            ]
        }
    ],
    "resources": {
        "database": {
            "isExcludes": false,
            "isRecursive": false,
            "values": [
                "abcd"
            ]
        },
        "table": {
            "isExcludes": false,
            "isRecursive": false,
            "values": [
                "*"
            ]
        },
        "column": {
            "isExcludes": false,
            "isRecursive": false,
            "values": [
                "*"
            ]
        }
    },
    "service": "hive_repo",
    "version": 1
}

can you please make sure you are using public v2 apis , and for time being following wiki will help you in ranger rest api calls:

https://cwiki.apache.org/confluence/display/RANGER/REST+APIs+for+Service+Definition%2C+Service+and+P...

View solution in original post

3 REPLIES 3

Re: Documentation: Ranger policy json example incorrect HDFS and Hive example

Naveen Kumar Mahadevuni you first point is valid, example for hdfs and hive seems to be wrong ,thanks for pointing it out, our documentation team will fix it soon.

but I tried the second point you mentioned , passing uppercase starting letter in input json and it worked for me.

{
    "allowExceptions": [],
    "denyExceptions": [],
    "denyPolicyItems": [
        {
            "accesses": [
                {
                    "isAllowed": true,
                    "type": "drop"
                }
            ],
            "conditions": [],
            "delegateAdmin": true,
            "groups": [],
            "users": [
        "user1"
            ]
        }
    ],
    "description": "Policy for Service: cl1_test",
    "isAuditEnabled": true,
    "isEnabled": true,
    "name": "cl1_test-3",
    "policyItems": [
        {
            "accesses": [
                {
                    "isAllowed": true,
                    "type": "Select"
                },
                {
                    "isAllowed": true,
                    "type": "Update"
                },
                {
                    "isAllowed": true,
                    "type": "Create"
                },
                {
                    "isAllowed": true,
                    "type": "Drop"
                }
            ],
            "conditions": [],
            "delegateAdmin": true,
            "groups": ["public"],
            "users": [
            ]
        }
    ],
    "resources": {
        "database": {
            "isExcludes": false,
            "isRecursive": false,
            "values": [
                "abcd"
            ]
        },
        "table": {
            "isExcludes": false,
            "isRecursive": false,
            "values": [
                "*"
            ]
        },
        "column": {
            "isExcludes": false,
            "isRecursive": false,
            "values": [
                "*"
            ]
        }
    },
    "service": "hive_repo",
    "version": 1
}

can you please make sure you are using public v2 apis , and for time being following wiki will help you in ranger rest api calls:

https://cwiki.apache.org/confluence/display/RANGER/REST+APIs+for+Service+Definition%2C+Service+and+P...

View solution in original post

Re: Documentation: Ranger policy json example incorrect HDFS and Hive example

Thanks @Deepak Sharma. We are using HDP 2.4. Documentation has no mention of v2 api.

Re: Documentation: Ranger policy json example incorrect HDFS and Hive example

Explorer

Thanks @Naveen Kumar Mahadevuni & @Deepak Sharma, we will update the docs ASAP.