Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Enabling and Disabling a Ranger Policy using command

Labels:
avatar
author-rank rajdip_chaudhur
Expert Contributor

Created ‎04-06-2017 03:35 PM

Hello,

We use Ranger for column filtering and data masking. Our use case is we will be ingesting data into Hive from source systems using Talend / Informatica but while executing the jobs we are getting error. What we found out that if the data masking policy on a particular table in Hive is on, data cannot be inserted. However, we can make the policy enabled once the data insert is complete.

Can you please help for guiding us on how can the Ranger Data Masking policies be disabled and enabled using an Unix command so that we can include those in the data ingestion workflow so that there ain't any manual intervention?

Looking for your guidance.

Thanks and Regards,

Rajdip

4,904 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank jsensharma author-rank
Master Mentor

Created ‎04-06-2017 03:56 PM

@rajdip chaudhuri

You can use Ranger Rest API to be invoked using simple "curl" commands in order to disable/enable various ranger policies.

1. Get the List of Policies using Rest API: http://localhost:6080/service/plugins/policies For example you want to disable the policy ID = 14 (Example "HDFS Global Allow") The do the following:

Using Ranger API get the policy data:

curl -i -u admin:admin -H "Content-Type: application/json" -X GET http://localhost:6080/service/plugins/policies/14

2. Then you get some JSON output like following:

{"id":14,"guid":"eb167192-29a5-490c-9655-8be40c2363eb","isEnabled":true,"createdBy":"Admin","updatedBy":"Admin","createTime":1473764849000,"updateTime":1473764849000,"version":1,"service":"Sandbox_hadoop","name":"HDFS Global Allow","policyType":0,"description":"This policy gives global permission for all users. Disable this to test Apache Ranger","resourceSignature":"6be1f1907223a25472365fea64a3d450","isAuditEnabled":true,"resources":{"path":{"values":["/","/*"],"isExcludes":false,"isRecursive":true}},"policyItems":[{"accesses":[{"type":"read","isAllowed":true},{"type":"write","isAllowed":true},{"type":"execute","isAllowed":true}],"users":[],"groups":["public"],"conditions":[],"delegateAdmin":true}],"denyPolicyItems":[],"allowExceptions":[],"denyExceptions":[],"dataMaskPolicyItems":[],"rowFilterPolicyItems":[]}

Notice it has ["isEnabled":true]

3. Now Paste the output to a file "/tmp/14.json", then change it to ["isEnabled":false] and then PUT the data using curl. Content of "14.json" file as following:

{"id":14,"guid":"eb167192-29a5-490c-9655-8be40c2363eb","isEnabled":false,"createdBy":"Admin","updatedBy":"Admin","createTime":1473764849000,"updateTime":1473764849000,"version":1,"service":"Sandbox_hadoop","name":"HDFS Global Allow","policyType":0,"description":"This policy gives global permission for all users. Disable this to test Apache Ranger","resourceSignature":"6be1f1907223a25472365fea64a3d450","isAuditEnabled":true,"resources":{"path":{"values":["/","/*"],"isExcludes":false,"isRecursive":true}},"policyItems":[{"accesses":[{"type":"read","isAllowed":true},{"type":"write","isAllowed":true},{"type":"execute","isAllowed":true}],"users":[],"groups":["public"],"conditions":[],"delegateAdmin":true}],"denyPolicyItems":[],"allowExceptions":[],"denyExceptions":[],"dataMaskPolicyItems":[],"rowFilterPolicyItems":[]}

4. Now run the following curl command:

curl -i -u admin:admin -H "Content-Type: application/json" -X PUT -d@/tmp/14.json  http://localhost:6080/service/plugins/policies/14

More details: https://cwiki.apache.org/confluence/display/RANGER/REST+APIs+for+Policy+Management

.

View solution in original post

3,967 Views
7 REPLIES 7

avatar
author-rank jsensharma author-rank
Master Mentor

Created ‎04-06-2017 03:56 PM

@rajdip chaudhuri

You can use Ranger Rest API to be invoked using simple "curl" commands in order to disable/enable various ranger policies.

1. Get the List of Policies using Rest API: http://localhost:6080/service/plugins/policies For example you want to disable the policy ID = 14 (Example "HDFS Global Allow") The do the following:

Using Ranger API get the policy data:

curl -i -u admin:admin -H "Content-Type: application/json" -X GET http://localhost:6080/service/plugins/policies/14

2. Then you get some JSON output like following:

{"id":14,"guid":"eb167192-29a5-490c-9655-8be40c2363eb","isEnabled":true,"createdBy":"Admin","updatedBy":"Admin","createTime":1473764849000,"updateTime":1473764849000,"version":1,"service":"Sandbox_hadoop","name":"HDFS Global Allow","policyType":0,"description":"This policy gives global permission for all users. Disable this to test Apache Ranger","resourceSignature":"6be1f1907223a25472365fea64a3d450","isAuditEnabled":true,"resources":{"path":{"values":["/","/*"],"isExcludes":false,"isRecursive":true}},"policyItems":[{"accesses":[{"type":"read","isAllowed":true},{"type":"write","isAllowed":true},{"type":"execute","isAllowed":true}],"users":[],"groups":["public"],"conditions":[],"delegateAdmin":true}],"denyPolicyItems":[],"allowExceptions":[],"denyExceptions":[],"dataMaskPolicyItems":[],"rowFilterPolicyItems":[]}

Notice it has ["isEnabled":true]

3. Now Paste the output to a file "/tmp/14.json", then change it to ["isEnabled":false] and then PUT the data using curl. Content of "14.json" file as following:

{"id":14,"guid":"eb167192-29a5-490c-9655-8be40c2363eb","isEnabled":false,"createdBy":"Admin","updatedBy":"Admin","createTime":1473764849000,"updateTime":1473764849000,"version":1,"service":"Sandbox_hadoop","name":"HDFS Global Allow","policyType":0,"description":"This policy gives global permission for all users. Disable this to test Apache Ranger","resourceSignature":"6be1f1907223a25472365fea64a3d450","isAuditEnabled":true,"resources":{"path":{"values":["/","/*"],"isExcludes":false,"isRecursive":true}},"policyItems":[{"accesses":[{"type":"read","isAllowed":true},{"type":"write","isAllowed":true},{"type":"execute","isAllowed":true}],"users":[],"groups":["public"],"conditions":[],"delegateAdmin":true}],"denyPolicyItems":[],"allowExceptions":[],"denyExceptions":[],"dataMaskPolicyItems":[],"rowFilterPolicyItems":[]}

4. Now run the following curl command:

curl -i -u admin:admin -H "Content-Type: application/json" -X PUT -d@/tmp/14.json  http://localhost:6080/service/plugins/policies/14

More details: https://cwiki.apache.org/confluence/display/RANGER/REST+APIs+for+Policy+Management

.

3,968 Views

avatar
author-rank akulkarni1 author-rank
Contributor

Created ‎04-06-2017 06:30 PM

@rajdip chaudhuri

To add to @Jay SenSharma's answer: Please use a newer and better version of REST APIs as documented here.

3,967 Views
0 Kudos

avatar
author-rank rajdip_chaudhur
Expert Contributor

Created ‎04-07-2017 07:01 AM

Hello,

Am not sure if I am missing any steps here but while executing am getting error. Have followed @Jay SenSharma comments and able to get the json output and updated the flag in json. But while uploading the JSON after changes using PUT am facing error and it is not working.

Note that the RANGER is up and can perform operations from UI, but REST API PUT is not working (may be my error). Also the ip mentioned in below command contains the RANGER service.

Need you help as we are stuck here and everytime we had to do work manually which we want to bypass.

CURL command used to PUT the changed JSON is :

curl -i -u admin:admin -H "Content-Type: application/json" -X PUT -d@/tmp/10_2.json http://xx.xx.xx.207:6080/service/plugins/policies/10

(changed the ip)

Error thrown:

HTTP/1.1 404 Not Found Server: Apache-Coyote/1.1 Set-Cookie: RANGERADMINSESSIONID=03A8D6199168A17D4C19D442E8C55617; Path=/; HttpOnly X-Frame-Options: DENY Content-Length: 0 Date: Fri, 07 Apr 2017 06:56:50 GMT

Modified JSON:

HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: RANGERADMINSESSIONID=EDCBDAFF124C9802A79BFD945662BC1A; Path=/; HttpOnly X-Frame-Options: DENY Content-Type: application/json Transfer-Encoding: chunked Date: Fri, 07 Apr 2017 07:00:49 GMT {"id":10,"guid":"c8afaae2-a4cc-4c25-b4b2-75ae9b0227eb","isEnabled":false,"createdBy":"Admin","updatedBy":"Admin","createTime":1491448221000,"updateTime":1491448221000,"version":1,"service":"TCSGEINTERNALCLUSTER_hive","name":"tcs_ge_user data masking test 2","policyType":1,"description":"tcs_ge_user data masking test 2","resourceSignature":"2cb6661609e66abfd9fbceaeac2be9d0","isAuditEnabled":true,"resources":{"database":{"values":["wells_fargo_poc"],"isExcludes":false,"isRecursive":false},"column":{"values":["card_number"],"isExcludes":false,"isRecursive":false},"table":{"values":["test_masked_2"],"isExcludes":false,"isRecursive":false}},"policyItems":[],"denyPolicyItems":[],"allowExceptions":[],"denyExceptions":[],"dataMaskPolicyItems":[{"accesses":[{"type":"select","isAllowed":true}],"users":["tcs_ge_user"],"groups":["tcs_ge_user"],"conditions":[],"delegateAdmin":false,"dataMaskInfo":{"dataMaskType":"MASK_HASH"}}],"rowFilterPolicyItems":[]}

3,967 Views
0 Kudos

avatar
author-rank jsensharma author-rank
Master Mentor

Created ‎04-07-2017 07:09 AM

@rajdip chaudhuri

I am suspecting that your JSON file "/tmp/10_2.json" has the following line as well in it which is not right ... you should remove it.

HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: RANGERADMINSESSIONID=EDCBDAFF124C9802A79BFD945662BC1A; Path=/; HttpOnly X-Frame-Options: DENY Content-Type: application/json Transfer-Encoding: chunked Date: Fri, 07 Apr 2017 07:00:49 GMT

.

Your modified JSON file "/tmp/10_2.json" should contain only the JSON data part. Looks like you have some additional data in it. (No other extra lines).

{"id":10,"guid":"c8afaae2-a4cc-4c25-b4b2-75ae9b0227eb","isEnabled":false,"createdBy":"Admin","updatedBy":"Admin","createTime":1491448221000,"updateTime":1491448221000,"version":1,"service":"TCSGEINTERNALCLUSTER_hive","name":"tcs_ge_user data masking test 2","policyType":1,"description":"tcs_ge_user data masking test 2","resourceSignature":"2cb6661609e66abfd9fbceaeac2be9d0","isAuditEnabled":true,"resources":{"database":{"values":["wells_fargo_poc"],"isExcludes":false,"isRecursive":false},"column":{"values":["card_number"],"isExcludes":false,"isRecursive":false},"table":{"values":["test_masked_2"],"isExcludes":false,"isRecursive":false}},"policyItems":[],"denyPolicyItems":[],"allowExceptions":[],"denyExceptions":[],"dataMaskPolicyItems":[{"accesses":[{"type":"select","isAllowed":true}],"users":["tcs_ge_user"],"groups":["tcs_ge_user"],"conditions":[],"delegateAdmin":false,"dataMaskInfo":{"dataMaskType":"MASK_HASH"}}],"rowFilterPolicyItems":[]}

.

3,967 Views
0 Kudos

avatar
author-rank rajdip_chaudhur
Expert Contributor

Created ‎04-07-2017 07:13 AM

Yes, you are absolutely correct. Can this part be removed somehow? Actually we are using "sed" to change the flag to false as we are trying to automate the whole process. If you can guide for removing that part then it will be of great help.

Thanks and Rajdip,

Rajdip

3,967 Views
0 Kudos

avatar
author-rank jsensharma author-rank
Master Mentor

Created ‎04-07-2017 07:21 AM

@rajdip chaudhuri

In that case please do not use "-i" option in your curl GET command and redirect the output to a file as following using "-o" option:

curl  -u admin:admin -H "Content-Type: application/json" -X GET http://xx.xx.xx.207:6080/service/plugins/policies/10  -o /tmp/10_2.json

.

So that you only get the desired data not the response metadata.

3,967 Views
0 Kudos

avatar
author-rank rajdip_chaudhur
Expert Contributor

Created ‎04-07-2017 08:01 AM

It worked. Thanks a lot. Have also accepted the best answer.

3,967 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements