Created 10-20-2016 04:02 PM
Hi community,
I am searching for documentation that describes how permissions to use Ranger are configured (in Ranger under Settings -> Permissions).
In detail, two questions are very relevant for me:
- What does each level of Permissions mean in detail?
- How are Users granted permissions automatically? Is there a way to change this, e.g. to stop Ranger from granting all new users permissions on "Resource Based Policies" or "Audit"?
Thanks for your kind help referencing any valuable sources or answering those questions.
Created 10-21-2016 09:56 PM
The below documentation has an explanation of how to manage permissions through Ranger --> Settings --> Permissions.
I would say this is a different level of access related grouping from the Ranger operations perspective.
To answer your questions:
- What does each level of Permissions mean in detail?
The Permissions tab option allows any user with Admin privileges to control the level of Ranger Admin UI accessibility for Ranger modules for non-admin users. For example:
You can control the Admin access in Ranger if you add/remove users from the Permissions --> Users/Groups tab.
The Resource Based Policies option will have a group of users who currently have Resource Based Policies. You can restrict access to the Resource Based Policies tab by adding/removing users. If you have Ranger admin access as the admin user as well as your own user (with admin access), please try logging in with your own user ID and removing yourself, and you will see that you won't be able to access the Resource Based Policies tab after a re-login. You can always add back your access once you log in as the admin user.
The other options are self-explanatory. Let me know if this helps.
- How are Users granted permissions automatically? Is there a way to change this, e.g. to stop Ranger from granting all new users permissions on "Resource Based Policies" or "Audit"?
Ideally, with User level privileges, you should not be able to see the Audit tab, unless admin level access is granted to the user from another admin login. The Resource Based Policies tab will be granted to every user by default, but the users won't be able to see others' policies; they will be able to see only those policies that were exclusively granted to the user through user level or group level access. Again, if you want users with User level permissions to be restricted from seeing the Resource Based Policies tab at all, you can control that from the Settings --> Permissions --> Resource Based Policies option.
Let me know if this helps.
Created 10-20-2016 04:37 PM
Please refer to the Ranger user guide for detailed information.
https://cwiki.apache.org/confluence/display/RANGER/Apache+Ranger+0.5+-+User+Guide
Hope this helps.
Created 10-20-2016 04:44 PM
Thanks, there are some insights into how to manage permissions.
Still my questions from above aren't really answered in this document.
Created 10-23-2016 12:23 AM
@Roland Simonis - Can you please vote and accept the answer if the explanation answers your question?