Ranger Security Zones overview.
What is a Security Zone?
Lets you organize resource and tag-based services and policies into separate security zones. You can assign one or more administrators for each security zone. Security zone administrators can then create and update policies for their security zone.
For example, let us consider two security zones: "finance" and "sales":
- Security zone "finance" includes all content in a "finance" Hive database.
- Security zone "sales" includes all content in a "sales" Hive database.
- Sets of users and groups are designated as administrators in each security zone.
- Users are allowed to set up policies only in security zones in which they are administrators.
- Policies defined in a security zone are applicable only for resources of that zone.
- A zone can be extended to include resources from multiple services such as HDFS, Hive, HBase, Kafka, etc., allowing administrators of a zone to set up policies for resources owned by their organization across multiple services.
Zone: finance service: prod_hdfs; path=/finance/*, /taxes/* service: prod_hive; database=finance service: prod_kafka; topic=FIN_* service: test_hadoop; path=/finance/*, /taxes/* Zone: sales service: prod_hdfs; path=/sales/* service: prod_hive; database=sales service: prod_kafka; topic=SALES_*
- As shown above, resources can be specified using wildcards (FIN_*, SALES_*).
- A resource is not mappable to more than one security zone. Ranger does not allow creation of security zones that specify resources that match resources in another zone. For example, an attempt to update the "finance" zone above with the HDFS path /sales/finance/* is not be permitted, as this conflicts with the HDFS path /sales/* specified in the "sales" zone.
- A set of users and groups can be designated as administrators of a security zone. Administrators can create, update, and delete security policies for the resources in the security zone.
- A set of users and groups can be authorized to view audit logs of access to a security zone’s resources. Other users are not allowed to view access-audit logs of the security zone resources.
Security Zone Administration
- Security zones can only be created, updated, or deleted by a user with the ROLE_SYS_ADMIN role in Ranger.
- Users can view, retrieve, and update policies only in security zones in which they have administrator privileges.
How are Security Zones Used in Authorization?
When a Ranger authorization plugin authorizes a resource access request, it first determines the zone in which the accessed resource resides. If the resource matches a security zone, only the policies of that security zone are used to authorize the access. If resource does not match any security zone, the policies in the default (unnamed) security zone are used to authorize the access.
Tag-based Policies in Security Zones
In a given service, each security zone can be configured to use tag-based policies from a specific security zone in a tag-service. This enables tag-based authorization policies to be used based on the security zone of the resource.
Audit logs generated by Ranger include the name of the security zone in which the accessed resource resides. Only users who have been assigned as an Admin or Auditor for the security zone are allowed to view the audit logs.