Policy Type |
Access. There are no other policy types available for
an Atlas service. |
Policy Name |
255 character name that appears in the list of
policies. Roles, users, and groups also show up in the list,
so it helps if your name includes the operations or metadata
that the policy controls. |
Policy Label |
Metadata you can include in the policy definition to
help organize the policies for a given service. The same
label can be added to any number of policies for the
service. There is no limit to the number of characters in a
label, but only 28 characters display in the policy
list. |
type-category menu |
The metadata or operation type ("resources" in Ranger
terms) that the policy applies to, including:
type-category
entity-type
atlas-service
relationship-type
|
type-category option |
Choose this option to authorize actions generally
against Atlas resource types, including business metadata,
classifications, enumerations, entities, relationships,
structures. With type-category
selected, options include: |
|
Type Name |
Refine the authorization to specific types within the
named type category. For example, to give users
authorization to create Atlas Business Metadata, choose
type-category and the category
Business Metadata ; then set the Type
Name to * . For example, to authorize users to add
values to an existing enum, such as
AtlasGlossaryTermRelationshipStatus , add
this enum to the Type Name and include the permission for
"Update Type" in the Allow Condition. To allow users to
update any types within the type category, use
* .To determine the supported values,
use the Atlas UI or API to show the defined
types. |
entity-type option |
Authorizes actions against specific entity types,
individual entities, entities identified by associated
classifications, or entities identified by associated
metadata. For example, to authorize users to add
classifications or metadata to any Hive table entities,
set the entity-type to
hive_table and set additional options
to * . With
entity-type selected, options
include: |
|
Entity Classification |
Refines the list of entities in
entity-type to those associated
with a specified classification. For example, to restrict
authorization to Hive tables that were marked with some
classification that indicates their readiness for use, set
entity-type to
hive_table and include the identifying
classification name (e.g., Available ) in
Entity Classification. |
|
Entity ID |
Refines the list of entities in
entity-type to those associated
with a specified ID. When the detail page for an entity is
open in the Atlas UI, the last element of the browser URL
indicates the entity ID. |
|
Metadata types selection |
Refines the list of entities in
entity-type to those associated
with specific user-defined metadata, including:
entity-label
entity-business-metadata
none
Set label names in the type
entity-label to limit the
authorization policy to entities marked with any of those
labels. Use * to indicate any
label. Set business metadata collection names in the
type entity-business-metadata to
limit the authorization policy to entities marked with
metadata attributes from that business metadata
collection. Use * to indicate any
business metadata collections. |
atlas-service option |
Authorizes the import and export Atlas entities and
purge deleted entities through the API. This privilege
overrides specific privileges for entity-types. Typically
the users with this privilege are service users creating
entities in Atlas. |
relationship-type option |
Authorizes the creation and update of Atlas
relationships. You can identify specific relationship types
or use * to indicate any relationship type.
Typically the users with this privilege are service users
creating entities in Atlas. |
|
End1 Entity Type
End1 Entity Classification End1 Entity ID End2 Entity Type End2 Entity Classification End2 Entity ID |
Refines the relationship authorization to specific
attributes of relationships. "End1" and "End2" indicate the
entities on each side of the relationship. For example, you
could use the End1 and End2 Entity Type options to allow
modification of relationships when one side of the
relationship are Hive tables and the other side Hive
columns. |
Description |
Information that you add to help you remember the value
of this policy. The description can be up to 1000
characters. |
Audit Logging |
Enables Ranger's audit logging for this policy. There
are other options in Ranger's configuration that can
conflict with this option, but generally if you turn off
this setting, Ranger enforces the policy but does not audit
success or failed actions against the policy. |
Allow Conditions |
Choose the roles, users, and/or groups and the
permissions they can access for the resources defined in the
policy. If you need to include parts of overlapping groups,
add an exclude condition in addition to the allow condition. |
Deny Conditions |
Choose the roles, users, and/or groups and the
permissions they cannot access for the resources defined in
the policy. |