Configure a resource-based storage handler policy: HadoopSQL

How to configure a policy that allows authorized users to create data tables using storage-handlers.

Ranger includes “storage-type” and “storage-url” resources in HadoopSQL Service that support only the permission “RW Storage ” permission. Ranger authorizes a user that creates or alters a table against this resource policy. A user having the required “RW Storage” permission on the resource representing the storage-type and storage-url, is allowed to create/alter the table in the respective storage.

On the Service Manager page, select HadoopSQL service.

The List of Policies HadoopSQL page appears.
note
Service_name remains cm_hive. Display name is HadoopSQL.
To create a new policy, click Add New Policy.
1. On Create Policy click storage-type as shown in the following example:
2. Complete the required* fields.
3. In Allow Conditions, select users, then add the RW Storage permission, as shown in the preceeding example.
4. Scroll to the bottom of Create Policy, then click Add.
To configure an existing policy named all - storage-type, storage-url, click Edit.

The Edit Policy page appears.

Complete the Edit Policy page as follows:

Table 1. Policy Details
Field	Description
Policy Name	Enter an appropriate policy name. This name cannot be duplicated across the system. This field is mandatory. The policy is enabled by default.
normal/override	Enables you to specify an override policy. When override is selected, the access permissions in the policy override the access permissions in existing policies. This feature can be used with Add Validity Period to create temporary access policies that override existing policies.
Policy Label	Specify a label for this policy. You can search reports and filter policies based on these labels.
storage-type	Type in the applicable storage type. * allows athorizes users to create any table in the spcified storage type..
storage url	Type in the applicable storage URL. * allows athorizes users to create any table in the spcified storage URL. Select Exclude to deny access.
Description	(Optional) Describe the purpose of the policy.
Audit Logging	Specify whether this policy is audited. (De-select to disable auditing).
Add Validity Period	Specify a start and end time for the policy.

Table 2. Allow Conditions
Label	Description
Select User	Specify the users to which this policy applies. To designate a user as an Administrator, select the Delegate Admin check box. Administrators can edit or delete the policy, and can also create child policies based on the original policy.
Permissions	Add or edit permissions: RW Storage, You can assign read and select permissions to rangerlookup user.
Delegate Admin	You can use Delegate Admin to assign administrator privileges to the roles, groups, or users specified in the policy. Administrators can edit or delete the policy, and can also create child policies based on the original policy.

Example StorageHandler Policy Definitions:

HBase StorageHandler policy:: Storage Type: hbase; Storage URL: hbase-cluster:port/hbase-table

Phoenix StorageHandler policy:: Storage Type: phoenix; Storage URL: phoenix-cluster:port/table-name

Kafka StorageHandler policy:: Storage Type: kafka; Storage URL: bootstrap-server:port/kafka-topic
JDBC StorageHandler policy:: Storage Type: jdbc:mysql; Storage URL: mysql-host:port/DBname/Table , or; Sorage URL: mysql-host:port/DBname/*
note

Policy and table definitions must be in sync regarding the port definition, even for default port numbers. For example, if port number 3306 is defined in the policy for mysql and this port number is left out from the URL as default value for the JDBC Driver, you must use the same reference as defined in the policy when creating the external table.

Using an explicit table name allows only to reference that specific table with hive.sql.table while using * allows not only to reference any tables from the database but also allows you to write a custom query against this database, for example using hive.sql.query.