Security Zones Example Use Cases
Four example use cases for administering security zones.
Based on the following example:
- Zone: finance
  - service: prod_hdfs; path=/finance/*, /taxes/*
  - service: prod_hive; database=finance
  - service: prod_kafka; topic=FIN_*
  - service: test_hadoop; path=/finance/*, /taxes/*
- Zone: sales
  - service: prod_hadoop; path=/sales/*
  - service: prod_hive; database=sales
  - service: prod_kafka; topic=SALES_*
Use case 1: Access HDFS path using zone policy
For example, let us access an HDFS path as the unixuser1 user from the finance zone.
- Finance zone resource:
  - Ranger Service: prod_hdfs
- Finance zone policy:
  - Resource Path: /finance/*
Now, when unixuser1 tries to create a directory under /finance, Ranger first finds the zone whose resources include /finance, then looks up that zone's policies for the user, and allows the access. The access-audit log for that operation appears in the Ranger Admin Web UI, on the Access Audit tab.
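The resolution order described above (zone first, then that zone's policies) is what makes zones a hard boundary: once a resource falls inside a zone, the unzoned default policies no longer apply to it. The following is an added example, not Ranger's own code: it models the zone definitions from this page with shell-style wildcard matching (a simplification of Ranger's path matcher), a constructed finance zone policy for unixuser1, and a constructed unzoned default policy that grants the 'public' group read access, then returns both the decision and an audit record of the kind the Access Audit tab would show.

```python
import fnmatch

# Zone definitions taken from the page: which (service, resource pattern) pairs
# belong to each zone. A request is routed to the zone whose set covers it.
ZONES = {
    "finance": {
        "prod_hdfs": ["/finance/*", "/taxes/*"],
        "prod_hive": ["finance"],        # database name
        "prod_kafka": ["FIN_*"],         # topic pattern
        "test_hadoop": ["/finance/*", "/taxes/*"],
    },
    "sales": {
        "prod_hadoop": ["/sales/*"],
        "prod_hive": ["sales"],
        "prod_kafka": ["SALES_*"],
    },
}

# Constructed policies (not from the page). The finance zone policy mirrors
# use case 1: unixuser1 may read and write under /finance/*. The unzoned
# default policy grants the 'public' group read access on every path.
ZONE_POLICIES = {
    "finance": [
        {"service": "prod_hdfs", "resource": "/finance/*",
         "users": {"unixuser1"}, "groups": set(), "accesses": {"read", "write"}},
    ],
    "sales": [],
}
DEFAULT_POLICIES = [
    {"service": "prod_hdfs", "resource": "/*",
     "users": set(), "groups": {"public"}, "accesses": {"read"}},
]


def groups_of(user):
    # Every authenticated user is a member of 'public'; no other groups are modelled.
    return {"public"}


def resolve_zone(service, resource):
    """Return the zone whose resources cover (service, resource), or None if unzoned.
    fnmatch wildcards stand in for Ranger's real resource matcher."""
    for zone, services in ZONES.items():
        for pattern in services.get(service, []):
            if fnmatch.fnmatchcase(resource, pattern):
                return zone
    return None


def authorize(service, resource, user, access):
    """Evaluate one request and return (allowed, audit_record)."""
    zone = resolve_zone(service, resource)
    # Inside a zone only that zone's policies are consulted; the default
    # policies (and their 'public' grant) do not reach zoned resources.
    policies = ZONE_POLICIES.get(zone, []) if zone else DEFAULT_POLICIES
    groups = groups_of(user)
    allowed = any(
        p["service"] == service
        and fnmatch.fnmatchcase(resource, p["resource"])
        and (user in p["users"] or groups & p["groups"])
        and access in p["accesses"]
        for p in policies
    )
    audit = {"user": user, "service": service, "resource": resource, "access": access,
             "zone": zone or "(none)", "result": "ALLOWED" if allowed else "DENIED"}
    return allowed, audit


if __name__ == "__main__":
    for req in [("prod_hdfs", "/finance/reports", "unixuser1", "write"),
                ("prod_hdfs", "/finance/reports", "unixuser2", "read"),
                ("prod_hdfs", "/sales/q1", "unixuser2", "read")]:
        print(authorize(*req)[1])
```

Note the second and third requests: unixuser2 can read /sales/q1 through the default 'public' grant because prod_hdfs has no sales zone entry, but is denied on /finance/reports even though the same default policy would match the path, because the finance zone owns that resource.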
Use case 2: Hive access policy and tag masking policy
For example, we want to manage access policies and a masking policy for taxation-related information spread across an organization's multiple finance databases.
- Zone Resource:
  - Zone Tag service: cm_tag
- Zone policy resource:
  - Tag policy
Now the Admin and the security zone admin can create access policies and masking policies for all resources associated with the tag TDS. Whenever new Hive / HBase tables are created to store taxation-related data, they associate the TDS tag with the relevant Hive / HBase column, so the zone admin's policies mask the organization's confidential data without a new resource policy per table.
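The point of the tag-based approach is that the masking rule is attached to the tag, not to a database or table, so a newly created column becomes masked the moment it is tagged. The following is an added example, not Ranger's own code: the column-to-tag mapping (standing in for what the cm_tag service would supply), the TDS masking policy, the group memberships and the masking function are all constructed.

```python
# Resource -> tags, keyed by (database, table, column). Constructed stand-in
# for the tag service the zone is associated with (cm_tag on the page).
RESOURCE_TAGS = {
    ("finance", "payroll", "tax_id"): {"TDS"},
    ("finance", "payroll", "name"): set(),
}

# Constructed tag masking policy in the finance zone: TDS-tagged values are
# shown with all but the last four characters masked, unless the caller is
# in an exempt group.
TAG_MASKING_POLICIES = [
    {"tag": "TDS", "exempt_groups": {"finance_admins"}, "mask": "show_last_4"},
]

# Constructed group memberships.
USER_GROUPS = {"alice": {"finance_admins"}, "bob": {"analysts"}}


def apply_mask(value, mask):
    """Apply a named masking transformation to a cell value."""
    if mask == "show_last_4":
        return "x" * max(len(value) - 4, 0) + value[-4:]
    raise ValueError(f"unknown mask type {mask!r}")


def masked_value(user, database, table, column, value):
    """Return the value as `user` should see it: masked if the column carries
    a tag with a masking policy the user is not exempt from, else unchanged."""
    tags = RESOURCE_TAGS.get((database, table, column), set())
    groups = USER_GROUPS.get(user, set())
    for policy in TAG_MASKING_POLICIES:
        if policy["tag"] in tags and not (groups & policy["exempt_groups"]):
            return apply_mask(value, policy["mask"])
    return value


def tag_column(database, table, column, tag):
    """What the zone admin does when a new table holding tax data appears:
    tag the column; no policy change is needed for masking to take effect."""
    RESOURCE_TAGS.setdefault((database, table, column), set()).add(tag)


if __name__ == "__main__":
    print(masked_value("bob", "finance", "payroll", "tax_id", "ABCDE1234F"))
    tag_column("finance", "contractors", "pan", "TDS")
    print(masked_value("bob", "finance", "contractors", "pan", "XYZ999"))
```

The second print shows the behaviour the use case relies on: the contractors table did not exist when the policy was written, yet bob sees its pan column masked as soon as the column is tagged TDS.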
Use case 3: Knox topologies
For example, suppose we want to manage access to a service. We can manage access to a service through its Knox topology.
- Zone Resource:
  - Ranger Service: prod_knox
- Zone deny policy resource:
  - Knox Topology: cdp-proxy-api
Without a security zone, access to webhdfs is allowed because the default policy includes the 'public' group.
Use case 4: Import and export of zone policies
We can export zone policies from stage and import them into prod.
Suppose we want production to have the same policy that exists on stage. We export the zone policy from stage; the exported JSON carries the zone name as a parameter. While importing, we map the stage zone name to the prod zone name and then import the policies.
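Before importing, it is worth checking that every exported policy lands in a prod zone that actually contains its target service; otherwise the policy fails to import or ends up outside the intended zone. The following is an added example, not Ranger code: the stage export is a constructed sample that assumes Ranger's policy model fields `service`, `zoneName`, `name` and `resources`, the stage zone and service names are constructed, and the prod zone definitions come from this page. The script rewrites the zone and service names offline and reports any mapping that is inconsistent with the prod zones.

```python
import json

# Constructed sample of a stage export (not a real Ranger export file). The
# field names zoneName, service, name and resources are assumed to follow
# Ranger's policy model; stage zone and service names are constructed.
STAGE_EXPORT = json.dumps({
    "policies": [
        {"name": "finance-hdfs-rw", "service": "stage_hdfs", "zoneName": "finance_stage",
         "resources": {"path": {"values": ["/finance/*"], "isRecursive": True}},
         "policyItems": [{"users": ["unixuser1"],
                          "accesses": [{"type": "read", "isAllowed": True},
                                       {"type": "write", "isAllowed": True}]}]},
        {"name": "finance-kafka", "service": "stage_kafka", "zoneName": "finance_stage",
         "resources": {"topic": {"values": ["FIN_*"]}},
         "policyItems": [{"groups": ["finance_apps"],
                          "accesses": [{"type": "consume", "isAllowed": True}]}]},
    ]
})

# Production zone definitions from the page: zone -> services that belong to it.
PROD_ZONES = {
    "finance": {"prod_hdfs", "prod_hive", "prod_kafka", "test_hadoop"},
    "sales": {"prod_hadoop", "prod_hive", "prod_kafka"},
}


def remap_export(export_text, zone_map, service_map, prod_zones=PROD_ZONES):
    """Rewrite zoneName and service on every exported policy.

    Returns (remapped_policies, problems). A policy is reported, and left
    unchanged, when its zone or service has no mapping; it is also reported
    when the mapped service is not part of the mapped zone in prod."""
    data = json.loads(export_text)
    policies = data.get("policies", [])
    problems = []
    for policy in policies:
        name = policy.get("name", "<unnamed>")
        old_zone = policy.get("zoneName", "")
        old_service = policy.get("service", "")
        new_zone = zone_map.get(old_zone)
        new_service = service_map.get(old_service)
        if new_zone is None:
            problems.append(f"{name}: no mapping for zone '{old_zone}'")
            continue
        if new_service is None:
            problems.append(f"{name}: no mapping for service '{old_service}'")
            continue
        if new_service not in prod_zones.get(new_zone, set()):
            problems.append(f"{name}: service '{new_service}' is not in zone '{new_zone}'")
        policy["zoneName"] = new_zone
        policy["service"] = new_service
    return policies, problems


if __name__ == "__main__":
    remapped, issues = remap_export(
        STAGE_EXPORT,
        zone_map={"finance_stage": "finance"},
        service_map={"stage_hdfs": "prod_hdfs", "stage_kafka": "prod_kafka"},
    )
    for issue in issues:
        print("PROBLEM:", issue)
    if not issues:
        print(json.dumps({"policies": remapped}, indent=2))
```

Run it against the real export before uploading: an empty problem list means every policy maps to a zone that contains its service, and the printed JSON is what goes into the import.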