Providing Authorization with Apache Ranger

Create a Time-bound Policy

Apache Ranger policies used to be permanent once authored. As of HDP 3.0, you can create a time-bound policy, which is effective only for a specified time range. You can add a validity period to both resource-based and tag-based policies.

For example, you may want to create a time-bound policy to:
  • Restrict sensitive financial information about earnings only until the earnings release date.
  • Block a certain user for a specific time period (e.g., a compromised user account being investigated needs to be put on "hold" from accessing resources in Hadoop services).
  • Block a certain group for a specific time (e.g., excluding temporary employees from writing on resources during the holiday season).

  1. From Ranger, click Access Manager > Resource Based Policies | Tag Based Policies > <select the service> > Add New Policy.

  2. Complete the fields of the Create Policy page.
  3. Click Add Validity Period.
  4. In the Policy Validity Period dialog box, specify the Start Time, End Time, and Time Zone.

    Policy Validity Period Example
  5. If you want this policy to take precedence over all other policies during its validity period, click Override.
    A decision from this policy stops further evaluation of policies.
  6. Click Add.
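
A time-bound policy stops applying at its End Time without further action, so a temporary "hold" on an account under investigation lapses on schedule. The following is an added example, not part of the original Ranger documentation, that reviews a policy export and reports which time-bound policies are pending, active or expired at a given moment. It assumes the policy JSON field names `validitySchedules`, `startTime`, `endTime`, `timeZone` and `policyPriority` (1 meaning Override) and the `yyyy/MM/dd HH:mm:ss` time format; verify these against your Ranger version. The policy names and dates are constructed.

```python
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

TIME_FMT = "%Y/%m/%d %H:%M:%S"  # assumed Ranger format: yyyy/MM/dd HH:mm:ss


def _zone(name):
    # Assumption of this sketch: a missing time zone is read as UTC.
    return timezone.utc if name in (None, "", "UTC") else ZoneInfo(name)


def schedule_state(schedule, now):
    """Return 'pending', 'active' or 'expired' for one validity schedule."""
    tz = _zone(schedule.get("timeZone"))
    start, end = schedule.get("startTime"), schedule.get("endTime")
    # An empty start or end is treated as open-ended (assumption).
    if start and now < datetime.strptime(start, TIME_FMT).replace(tzinfo=tz):
        return "pending"
    if end and now > datetime.strptime(end, TIME_FMT).replace(tzinfo=tz):
        return "expired"
    return "active"


def audit(policies, now):
    """List each time-bound policy with its state at `now` and override flag."""
    report = []
    for p in policies:
        schedules = p.get("validitySchedules") or []
        if not schedules:
            continue  # permanent policy, nothing time-bound to review
        states = [schedule_state(s, now) for s in schedules]
        # Assumption: the policy is in effect if any one schedule is active.
        state = next(s for s in ("active", "pending", "expired") if s in states)
        report.append({"name": p["name"], "state": state,
                       "override": p.get("policyPriority", 0) == 1})
    return report


# Constructed sample, not taken from a real Ranger export.
SAMPLE = [
    {"name": "hold-compromised-user", "policyPriority": 1,
     "validitySchedules": [{"startTime": "2024/03/01 00:00:00",
                            "endTime": "2024/03/15 00:00:00", "timeZone": "UTC"}]},
    {"name": "earnings-restricted", "policyPriority": 0,
     "validitySchedules": [{"startTime": "", "endTime": "2024/04/25 16:00:00",
                            "timeZone": "America/New_York"}]},
    {"name": "permanent-read", "validitySchedules": []},
]

if __name__ == "__main__":
    for row in audit(SAMPLE, datetime(2024, 3, 20, tzinfo=timezone.utc)):
        print(row)
```

Pass `now` as a timezone-aware `datetime`; an "expired" result on an Override deny policy means the block it imposed is no longer in force.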