Member since
05-23-2016
26
Posts
11
Kudos Received
6
Solutions
My Accepted Solutions
Title | Views | Posted |
---|---|---|
1929 | 08-05-2017 10:10 PM | |
2055 | 11-02-2016 05:16 AM | |
1263 | 10-26-2016 08:43 PM | |
2463 | 07-21-2016 02:49 AM | |
2451 | 07-14-2016 02:56 PM |
08-05-2017
10:10 PM
1 Kudo
This Ranger feature provided in HDP2.6 (Ranger 0.7 and higher) for "macro substitution" supports general-purpose identification of patterns in the resource specification and replacing it during policy evaluation with other strings to derive the name of the resource.Therefore, it is an extensible scheme that is not restricted to replacement of {USER} with current user's name. While we offer {USER} and {OWNER} macros out of the box, this scheme can be customized by advanced Ranger users using interfaces provided: RangerContextEnricher, RangerAccessRequest and RangerConditionEvaluator. The {OWNER} macro is useful for databases and folders for example. To add such macros users would need to provide an implementation of RangerContextEnricher and RangerConditionEvaluator and include it in the service-definition before using this custom "macro" in any policy. For details of this feature and how it can be extended please see Apache Ranger wiki at: https://cwiki.apache.org/confluence/display/RANGER/Support+for+%24username+variable Building such extensions is for advanced Ranger users, therefore, the community has only provided the 2 most common use cases with {USER} and {OWNER} out of the box in Ranger.
... View more
03-01-2017
06:54 PM
3 Kudos
Q: How and when was Apache Ranger incubated and what is its current status in Apache? Is it a top level project (TLP)? About two years ago, Hortonworks donated the entire code base of about 440,000 lines from its XA Secure acquisition to the Apache Software Foundation (ASF) in order to help jump start Apache Ranger as an Apache Incubator project. It’s been a rewarding journey, from the first version of Apache Ranger released in November 2014, to achieving a major milestone by graduating to a top level Apache open source project. We are excited to report that recently ASF graduated Apache Ranger to a Top-Level Project (TLP) “signifying that the project's community and products have been well-governed under the ASF's meritocratic process and principles.” We, at Hortonworks, extend our hearty congratulations to the Apache Ranger community, without whom TLP status couldn’t have been achieved. This was a great community effort, representing the best of open source and the “Apache Way”! Q: Why did Hortonworks decide to open source this project? What is the vision and the overall goals of Apache Ranger project? What are the benefits to the community and users with this approach? Hortonworks made the decision to open source the source code from XA Secure acquisition because our enterprise customers need an extensible and robust open source security framework that provides comprehensive authorization, audit, and encryption/ key management capabilities for their Hadoop big data infrastructures. Our customers understand products based on open source projects innovate faster, provide better roadmap clarity and release transparency, and reduce the risk of vendor lock-in. Since those early days, our active contributor community has grown steadily since 2014 when we entered incubation to 22 as of today, with contributors who are affiliated with several large companies. The Apache Ranger community has been laser focused on building and improving a sophisticated but easy to use centralized security console. Apache Ranger enhances administrators’ productivity by enabling them to define, apply, and administer consistent policies across the Hadoop stack by providing a set of rich policy constructs along with comprehensive auditing of all access events from a compliance perspective. Q: What are some key developments in the journey to a TLP? How wide is adoption of Apache Ranger at scale across enterprises ? Do we have testimonials from Apache Ranger users, partners, and community about the project today? Apache Ranger is in its fourth release since it was first included in Hortonworks Data Platform (HDP) and is currently in production use at more than a hundred enterprises indicating the maturity, adoption, and validation of our community’s efforts. Given the evolution of Hadoop to cloud and hybrid deployments, and the need to secure data in a fine-grained manner across different deployment models, the interest in Apache Ranger comes as no surprise. Below is what some of the users have to say about the role Apache Ranger has played in protecting data at their respective organization, as expressed in the ASF press release: "As early adopters of Apache Ranger and having contributed to Apache Ranger, we have come to rely upon Apache Ranger as a key part of our security infrastructure for data," said Ferd Scheepers, Chief Information Architect at ING. "We are therefore pleased to learn that the project has now graduated to a TLP project through the efforts of the Apache community. We believe that Apache Ranger represents the best-in-class Open Source security framework for authorization, encryption management, and auditing across Hadoop ecosystem. We laud the community's efforts in building an extensible and enterprise grade architecture for Apache Ranger, and for innovative features such as tag or classification based security (built in conjunction with Apache Atlas). We congratulate the Apache Ranger community on achieving this significant milestone and are confident Apache Ranger will evolve into the de-facto standard for security stack across the Hadoop ecosystem." As noted above, in this evolution to an Apache TLP, Apache Ranger community has built industry’s first tag based security policy infrastructure for Hadoop ecosystem that provides automatic and dynamic enforcement of policies based on data classification. Furthermore, as noted in the ASF press release, Apache Ranger has added many advanced security features that provide highly sophisticated data-centric security: "As heavy users of Apache Ranger in production, we are pleased to see the project become a TLP through validation across community efforts," said Timothy R. Connor, Big Data & Advanced Analytics Manager at Sprint. "Apache Ranger has built a next generation ABAC model for authorization along with a robust data-centric open source security framework supporting advanced security capabilities such as dynamic row filtering and column masking. All of these point to Apache Ranger maturing into a robust and comprehensive security product for authorization, encryption management and auditing through the Apache community." From inception, Apache Ranger community has strongly advocated for an extensive and healthy partner ecosystem by providing easy extension points as well as comprehensive open API and interfaces for community and partners to add new systems for authorization even if they are outside of Hadoop ecosystem. As noted in the ASF release: "It's great to see Apache Ranger become a TLP," said Dominic Sartorio, Senior Vice President of Products & Development at Protegrity. "Apache Ranger's comprehensive auditing and broad authorization coverage across the Hadoop ecosystem, along with its highly scalable and extensible architecture and rich set of APIs, integrates very well with Protegrity's fine grained data protection capabilities. Our continued collaboration with the Apache Ranger community will help meet the data security requirements of the next generation of enterprise-grade production Hadoop deployments." Summary We would like to congratulate Apache Ranger community once more for achieving this historic milestone! We at Hortonworks look forward to continuing to work closely with the community and our customers to move the project forward. In the followup to this article we will highlight some of the key capabilities that the Apache Ranger community has helped build and solidify since the project started in incubation as well as the rationale and applications of those capabilities to securing big data infrastructure. For more details please refer to Hortonworks Blog on Apache Ranger TLP Interested in learning more about Apache Ranger? Check out http://ranger.apache.org/, ask questions on https://community.hortonworks.com or on dev@ranger.apache.org, or download latest stable version of Apache Ranger from https://github.com/apache/ranger/
... View more
Labels:
01-24-2017
06:48 AM
This is by design - we want only the authorized end users and apps to be able to access decrypted files. The hdfs super user is usually hadoop admins and by design we are providing this "separation of duties" where hadoop admin users who are the operators cannot see the decrypted content in TDE encrypted folders - an additional safeguard against the threat of rogue admins.
... View more
01-17-2017
06:57 AM
@Uvaraj Seerangan Please refer to this discussion on practical use for tag attributes and discussion on how to use them: https://community.hortonworks.com/questions/64496/what-is-a-real-world-example-of-using-attributes-o.html#answer-64507 In the discussion, an example was provided that leverages tag attributes for the concept of a data lease or duration in which the entity is valid. For example, we could have tags called ACTIVE_AFTER, EXPIRES_ON both of which can have an attribute effective_date. On different entities we could then set different values of the effective_date attribute once we tag them with ACTIVE_AFTER or EXPIRES_ON tags. So different entities could have different validity dates through the values set for effective_date on the entity. This can be used to manage the period during which an asset is effective. Once entities are tagged, the tags and attributes flow down to Ranger and you can write a single security policy to prevent specific groups of users from accessing all assets tagged with EXPIRES_ON after the effective_date without having to write 1 policy per entity.
... View more
01-12-2017
10:04 PM
@Dinesh Das, can you explain what is your exact use case with one or more concrete examples of what you are trying to do exactly? Your problem statement is somewhat vague.
... View more
11-02-2016
05:16 AM
1 Kudo
@Carolyn, an example that leverages tag attributes is concept of a data lease or duration in which the entity is valid. For example, we could have tags called ACTIVE_AFTER, EXPIRES_ON both of which can have an attribute effective_date. On different entities we could then set different values of the effective_date attribute once we tag them with ACTIVE_AFTER or EXPIRES_ON tags. So different entities could have different validity dates through the values set for effective_date on the entity. This can be used to manage the period during which an asset is effective. Once entities are tagged, the tags and attributes flow down to Ranger and you can write a single security policy to prevent specific groups of users from accessing all assets tagged with EXPIRES_ON after the effective_date without having to write 1 policy per entity. Hope this helps.
... View more
10-26-2016
08:43 PM
1 Kudo
Please see https://community.hortonworks.com/articles/61208/how-to-enable-deny-conditions-and-excludes-in-rang.html for detailed How-To.
... View more
10-10-2016
11:17 PM
1 Kudo
In addition to current_user() there are also other built-in udfs that you can use in the RLF conditions such as logged_in_user(), current_database() etc. . Please refer to the Hive Misc functions documentation on Apache wiki: https://cwiki.apache.org/confluence/display/Hive/LanguageManual+UDF#LanguageManualUDF-Misc.Functions
... View more
08-05-2016
04:09 AM
Please provide a screenshot of the Audit panel -> Access tab. You can check which policy is firing and allowing access for admin from the Audit screen in the Access tab. FYI, there is no separate plugin sync for tag based and resource based policies - if you have an entry for the hiveServer2 under plugin id column after you updated the policy that means all policies are synced.
... View more
07-22-2016
06:42 AM
Currently in Atlas 0.7, it is not possible to delete the tags themselves either via UI or REST API but you can delete the association between an entity and a tag. This is a feature that will be implemented in the future.
... View more