Support Questions
Find answers, ask questions, and share your expertise

How to create many ranger policies and add users to them ?

Guru

We have requirement where we have to create more that 1000+ policies, so what is the easiest way to create these?

Also how to add users to each policies ?

1 ACCEPTED SOLUTION

Accepted Solutions

Expert Contributor

The Ranger REST API is best to programmatically create users and policies.

Here's how to create users, from an article on this site:
https://community.hortonworks.com/content/supportkb/49439/how-to-use-api-curl-commands-to-create-int...

Here's how to use the Ranger REST API to create policies:

https://cwiki.apache.org/confluence/display/RANGER/REST+APIs+for+Policy+Management

Please note the sections on Creating, Updating, Deleting policies.

To create for example, send a POST request to the following endpoint with the following body. This example is pulled from the link above.

POST /service/public/api/policy

{
  "policyName": "HomePolicy",
  "resourceName": "\/home,\/apps",
  "description": "Home",
  "repositoryName": "hadoopdev",
  "repositoryType": "hdfs",
  "isEnabled": "true",
  "isRecursive": false,
  "isAuditEnabled": true,
  "permMapList": [
    {
      "userList": [
        "john",
        "andrew"
      ],
      "permList": [
        "SELECT",
        "UPDATE"
      ]
    },
    {
      "userList": [
        "hr"
      ],
      "groupList": [
        "admin"
      ],
      "permList": [
        "DROP",
        "ALTER",
        "ADMIN"
      ]
    }
  ]
}

View solution in original post

7 REPLIES 7

Expert Contributor

The Ranger REST API is best to programmatically create users and policies.

Here's how to create users, from an article on this site:
https://community.hortonworks.com/content/supportkb/49439/how-to-use-api-curl-commands-to-create-int...

Here's how to use the Ranger REST API to create policies:

https://cwiki.apache.org/confluence/display/RANGER/REST+APIs+for+Policy+Management

Please note the sections on Creating, Updating, Deleting policies.

To create for example, send a POST request to the following endpoint with the following body. This example is pulled from the link above.

POST /service/public/api/policy

{
  "policyName": "HomePolicy",
  "resourceName": "\/home,\/apps",
  "description": "Home",
  "repositoryName": "hadoopdev",
  "repositoryType": "hdfs",
  "isEnabled": "true",
  "isRecursive": false,
  "isAuditEnabled": true,
  "permMapList": [
    {
      "userList": [
        "john",
        "andrew"
      ],
      "permList": [
        "SELECT",
        "UPDATE"
      ]
    },
    {
      "userList": [
        "hr"
      ],
      "groupList": [
        "admin"
      ],
      "permList": [
        "DROP",
        "ALTER",
        "ADMIN"
      ]
    }
  ]
}

View solution in original post

Guru

@anarasimham: Thanks for your quick response. can you help me to get how to add many users to a specific policy or one user to many policy ?

Expert Contributor

Yes, you can add users to policies either through a CREATE or UPDATE as the second article above outlines. There is a parameter called 'userList' and you will be able to specify any number of users you'd like. To add one user to many policies, you will have to go one by one and add the user to each of the target policies.

Please refer to this link from above:

https://cwiki.apache.org/confluence/display/RANGER/REST+APIs+for+Policy+Management

Guru

thanks @anarasimham.

Contributor

Hi,

I have a requirement like, i need to create hive policy with two groups .one group with "ALL" permissions to some "x" user and 2nd group with "select" permission to "y" user.

 

i have created policy through REST APi with one group but with "all" permissions but how to mention 2nd group with "select" permission in same create policy command.

 

Thanks in advance!

 

 

Srini Podili

Explorer

Please use the following doc link. It documents the latest set of REST APIs supported by Ranger for policy management.

Thanks!

https://cwiki.apache.org/confluence/display/RANGER/Apache+Ranger+0.6+-+REST+APIs+for+Service+Definit...

,

Rising Star

@Saurabh: Why you want to create 1000+ policies? Can you try grouping the requirements and reduce the policies? Eg: achieve them via making user groups or DB level policies with different user permission set. Ranger API is def a solution for this but I would suggest to revisit the requirement and rule out as many duplicates as you can.

Just a suggestion, not saying your requirement is invalid!!!