Configure a resource-based policy: HDFS

How to add a new policy to an existing HDFS service.

Through configuration, Apache Ranger enables both Ranger policies and HDFS permissions to be checked for a user request. When the NameNode receives a user request, the Ranger plugin checks for policies set through the Ranger Service Manager. If there are no policies, the Ranger plugin checks for permissions set in HDFS.

We recommend that permissions be created at the Ranger Service Manager, and to have restrictive permissions at the HDFS level.

  1. On the Service Manager page, select an existing HDFS service.

    The List of Policies page appears.

  2. Click Add New Policy.
    The Create Policy page appears.

    Ranger > Create HDFS Policy page.
  3. Complete the Create Policy page as follows:
    Table 1. Policy Details
    Field Description
    Policy Name Enter a unique name for this policy. The name cannot be duplicated anywhere in the system.
    normal/override Enables you to specify an override policy. When override is selected, the access permissions in the policy override the access permissions in existing policies. This feature can be used with Add Validity Period to create temporary access policies that override existing policies.
    Resource Path Define the resource path for the policy folder/file. The default recursive setting specifies that the resource path is recursive; you can also specify a non-recursive path.
    Description (Optional) Describe the purpose of the policy.
    Audit Logging Specify whether this policy is audited. (De-select to disable auditing).
    Policy Label Specify a label for this policy. You can search reports and filter policies based on these labels.
    Add Validity Period Specify a start and end time for the policy.
    Table 2. Allow Conditions

    Label

    Description

    Select Role Specify the roles to which this policy applies.

    To designate a role as an Administrator, select the Delegate Admin check box. Administrators can edit or delete the policy, and can also create child policies based on the original policy.

    Select Group

    Specify the groups to which this policy applies.

    To designate a group as an Administrator, select the Delegate Admin check box. Administrators can edit or delete the policy, and can also create child policies based on the original policy.

    The public group contains all users, so granting access to the public group grants access to all users.

    Select User

    Specify the users to which this policy applies.

    To designate a user as an Administrator, select the Delegate Admin check box. Administrators can edit or delete the policy, and can also create child policies based on the original policy.

    Permissions Add or edit permissions: Read, Write, Execute, Select/Deselect All.
    Delegate Admin You can use Delegate Admin to assign administrator privileges to the roles, groups, or users specified in the policy. Administrators can edit or delete the policy, and can also create child policies based on the original policy.
  4. You can use the Plus (+) symbol to add additional conditions. Conditions are evaluated in the order listed in the policy. The condition at the top of the list is applied first, then the second, then the third, and so on.
  5. You can use Deny All Other Accesses to deny access to all other users, groups, and roles other than those specified in the allow conditions for the policy.
  6. Click Add.