Created on 10-26-2016 11:05 PM - edited 08-17-2019 08:39 AM
Our scenario for this walkthrough is as follows: we have a customer table that contains fields for Zip Code, MRN, and Blood Type. Per policy, users in the analyst group cannot access MRN and Blood Type together with Zip Code within the same query, as this would deanonymize sensitive Personal Health Information.
In order to make use of Ranger functionality to achieve this, we'll need to register a new policy condition using the Ranger API. Please see my HCC post on this topic for further details. In this case, the policy condition will have the following form (note that the itemId value is specific to your environment) within the policyConditions array of the /servicedef/name/hive resource:
{
  "itemId": 1,
  "name": "resources-accessed-together",
  "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerHiveResourcesAccessedTogetherCondition",
  "evaluatorOptions": {},
  "label": "Resources Accessed Together?",
  "description": "Resources Accessed Together?"
}
The RangerHiveResourcesAccessedTogetherCondition evaluator is included with Ranger. Once this condition is registered using the Ranger API, we can make use of it within a Deny condition for a resource-based policy in Ranger.
The policy will be associated with the zipcode field in our ww_customer table.
We then need to associate the Blood Type and MRN fields with the resources-accessed-together policy condition we registered above as Deny conditions.
Now when joe_analyst, a user in the analyst group, attempts to access these combined fields, they will be denied:
Please note that joe_analyst can query, say, Zip Code and Blood Type together, as no patient identifier like MRN is in play:
Created on 05-23-2017 11:32 AM
Hi,
I was trying to work through the example in HDP 2.5 sandbox.
I created a file named hiveService2.json with the following content.
"policyConditions": [
  {
    "itemId": 1,
    "name": "resources-accessed-together",
    "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerHiveResourcesAccessedTogetherCondition",
    "evaluatorOptions": {},
    "label": "Resources Accessed Together?",
    "description": "Resources Accessed Together?"
  }
]
Connected to the sandbox via PuTTY.
The file is placed at /root/hiveService2.json
Executed the following command from /root
curl -v -H 'Content-Type: application/json' -u admin:admin -X PUT --data @hiveService2.json http://127.0.0.1:6080/service/public/v2/api/servicedef/name/hive
I am getting the below:
* About to connect() to 127.0.0.1 port 6080 (#0)
*   Trying 127.0.0.1... connected
* Connected to 127.0.0.1 (127.0.0.1) port 6080 (#0)
* Server auth using Basic with user 'admin'
> PUT /service/public/v2/api/servicedef/name/hive HTTP/1.1
> Authorization: Basic YWRtaW46YWRtaW4=
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: 127.0.0.1:6080
> Accept: */*
> Content-Type: application/json
> Content-Length: 325
>
< HTTP/1.1 404 Not Found
< Server: Apache-Coyote/1.1
< Set-Cookie: RANGERADMINSESSIONID=4ABEDBD3646557C69F985A11BF7DDE19; Path=/; HttpOnly
< X-Frame-Options: DENY
< Content-Length: 0
< Date: Tue, 23 May 2017 11:30:40 GMT
<
* Connection #0 to host 127.0.0.1 left intact
* Closing connection #0
Could you please help me:
1) Correct the content of the file (hiveService2.json), if it is not correct.
2) Get around the 404 Not Found.
Thanks
Nikkie
Created on 05-23-2017 12:30 PM
Hi,
I think I figured it out myself.
Here is what I did
curl -u admin:admin -X GET http://127.0.0.1:6080/service/public/v2/api/servicedef/name/hive >> test.out
Opened the test.out file.
The mistake I made previously was that I sent only the policyConditions in the file. Now the full output from the GET, with the updated policyCondition, is sent back.
Updated the policyConditions section, which was blank in the response of the GET, as below (bold):
{
  "id": 3,
  "guid": "3e1afb5a-184a-4e82-9d9c-87a5cacc243c",
  "isEnabled": true,
  "createTime": 1477381370000,
  "updateTime": 1477381412000,
  "version": 2,
  "name": "hive",
  "implClass": "org.apache.ranger.services.hive.RangerServiceHive",
  "label": "Hive Server2",
  "description": "Hive Server2",
  "options": {},
  "configs": [
    { "itemId": 1, "name": "username", "type": "string", "mandatory": true, "validationRegEx": "", "validationMessage": "", "uiHint": "", "label": "Username" },
    { "itemId": 2, "name": "password", "type": "password", "mandatory": true, "validationRegEx": "", "validationMessage": "", "uiHint": "", "label": "Password" },
    { "itemId": 3, "name": "jdbc.driverClassName", "type": "string", "mandatory": true, "defaultValue": "org.apache.hive.jdbc.HiveDriver", "validationRegEx": "", "validationMessage": "", "uiHint": "" },
    { "itemId": 4, "name": "jdbc.url", "type": "string", "mandatory": true, "defaultValue": "", "validationRegEx": "", "validationMessage": "", "uiHint": "" },
    { "itemId": 5, "name": "commonNameForCertificate", "type": "string", "mandatory": false, "validationRegEx": "", "validationMessage": "", "uiHint": "", "label": "Common Name for Certificate" }
  ],
  "resources": [
    { "itemId": 1, "name": "database", "type": "string", "level": 10, "mandatory": true, "lookupSupported": true, "recursiveSupported": false, "excludesSupported": true, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": "true", "ignoreCase": "true" }, "validationRegEx": "", "validationMessage": "", "uiHint": "", "label": "Hive Database", "description": "Hive Database" },
    { "itemId": 2, "name": "table", "type": "string", "level": 20, "parent": "database", "mandatory": true, "lookupSupported": true, "recursiveSupported": false, "excludesSupported": true, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": "true", "ignoreCase": "true" }, "validationRegEx": "", "validationMessage": "", "uiHint": "", "label": "Hive Table", "description": "Hive Table" },
    { "itemId": 3, "name": "udf", "type": "string", "level": 20, "parent": "database", "mandatory": true, "lookupSupported": true, "recursiveSupported": false, "excludesSupported": true, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": "true", "ignoreCase": "true" }, "validationRegEx": "", "validationMessage": "", "uiHint": "", "label": "Hive UDF", "description": "Hive UDF" },
    { "itemId": 4, "name": "column", "type": "string", "level": 30, "parent": "table", "mandatory": true, "lookupSupported": true, "recursiveSupported": false, "excludesSupported": true, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": "true", "ignoreCase": "true" }, "validationRegEx": "", "validationMessage": "", "uiHint": "", "label": "Hive Column", "description": "Hive Column" }
  ],
  "accessTypes": [
    { "itemId": 1, "name": "select", "label": "select", "impliedGrants": [] },
    { "itemId": 2, "name": "update", "label": "update", "impliedGrants": [] },
    { "itemId": 3, "name": "create", "label": "Create", "impliedGrants": [] },
    { "itemId": 4, "name": "drop", "label": "Drop", "impliedGrants": [] },
    { "itemId": 5, "name": "alter", "label": "Alter", "impliedGrants": [] },
    { "itemId": 6, "name": "index", "label": "Index", "impliedGrants": [] },
    { "itemId": 7, "name": "lock", "label": "Lock", "impliedGrants": [] },
    { "itemId": 8, "name": "all", "label": "All", "impliedGrants": [ "select", "update", "create", "drop", "alter", "index", "lock" ] }
  ],
  "policyConditions": [
    { "itemId": 1, "name": "resources-accessed-together", "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerHiveResourcesAccessedTogetherCondition", "evaluatorOptions": {}, "label": "Resources Accessed Together?", "description": "Resources Accessed Together?" }
  ],
  "contextEnrichers": [],
  <Deleted the remaining> ] } }
Saved the file as hiveService3.json
Executed the below command.
curl -v -H 'Content-Type: application/json' -u admin:admin -X PUT --data @hiveService3.json http://127.0.0.1:6080/service/public/v2/api/servicedef/name/hive
* About to connect() to 127.0.0.1 port 6080 (#0)
*   Trying 127.0.0.1... connected
* Connected to 127.0.0.1 (127.0.0.1) port 6080 (#0)
* Server auth using Basic with user 'admin'
> PUT /service/public/v2/api/servicedef/name/hive HTTP/1.1
> Authorization: Basic YWRtaW46YWRtaW4=
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: 127.0.0.1:6080
> Accept: */*
> Content-Type: application/json
> Content-Length: 10161
> Expect: 100-continue
>
< HTTP/1.1 100 Continue
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< Set-Cookie: RANGERADMINSESSIONID=E0EA0005D86487C03AB4A3C2129E3A97; Path=/; HttpOnly
< X-Frame-Options: DENY
< Content-Type: application/json
< Transfer-Encoding: chunked
< Date: Tue, 23 May 2017 12:05:34 GMT
<
* Connection #0 to host 127.0.0.1 left intact
* Closing connection #0
It seems to be a success, as when I clicked on Add Condition in Ranger the condition ResourcesAccessedTogether came up:
I still have to proceed with the next steps. I will let you know.
Thanks
Nikkie
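Putting the article's registration step together with the GET, edit, PUT sequence Nikkie worked out above, here is an added Python example (not code from the original post, nor from Ranger itself) that fetches the full Hive service definition, appends the resources-accessed-together condition only if it is not already present, assigns the next free itemId, and PUTs the complete document back. The endpoint path and the sandbox admin:admin credentials are the ones used in the thread; the trimmed SAMPLE_SERVICEDEF is constructed for offline use.

```python
import copy
import json
import base64
import urllib.request

# Constructed, trimmed stand-in for the Hive servicedef returned by GET
# /service/public/v2/api/servicedef/name/hive (a real one carries many more keys).
SAMPLE_SERVICEDEF = {"id": 3, "name": "hive", "version": 2,
                     "policyConditions": [], "contextEnrichers": []}

# The condition from the article, without itemId: that value is assigned per environment.
CONDITION = {
    "name": "resources-accessed-together",
    "evaluator": "org.apache.ranger.plugin.conditionevaluator."
                 "RangerHiveResourcesAccessedTogetherCondition",
    "evaluatorOptions": {},
    "label": "Resources Accessed Together?",
    "description": "Resources Accessed Together?",
}


def add_policy_condition(servicedef, condition):
    """Return a copy of the full servicedef with the condition appended to
    policyConditions. Idempotent by name; itemId becomes max existing + 1."""
    updated = copy.deepcopy(servicedef)
    conditions = updated.setdefault("policyConditions", [])
    if any(c.get("name") == condition["name"] for c in conditions):
        return updated  # already registered, nothing to change
    next_id = max((c.get("itemId", 0) for c in conditions), default=0) + 1
    conditions.append(dict(condition, itemId=next_id))
    return updated


def register_condition(base_url, user, password, condition=CONDITION):
    """GET the live servicedef, merge the condition, PUT the whole document
    back (sending only the policyConditions fragment is what produced the 404 in the thread)."""
    url = base_url.rstrip("/") + "/service/public/v2/api/servicedef/name/hive"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": "Basic " + token,
               "Content-Type": "application/json"}
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as r:
        current = json.load(r)
    body = json.dumps(add_policy_condition(current, condition)).encode()
    req = urllib.request.Request(url, data=body, headers=headers, method="PUT")
    with urllib.request.urlopen(req) as r:  # raises HTTPError on a non-2xx reply
        return r.status


if __name__ == "__main__":
    print(register_condition("http://127.0.0.1:6080", "admin", "admin"))
```

After the PUT returns 200, the condition appears under Add Condition in the Ranger UI exactly as Nikkie observed; re-running the script is safe because the merge skips a condition that is already registered.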
Created on 01-25-2018 11:14 PM
Were you able to complete the rest of the steps?