Using Ranger with Ozone

You can use Apache Ranger to secure access to your Ozone data. For Ozone to work with Ranger, you can use Cloudera Manager and enable the Ranger service instance with which you want to use Ozone.

Go to the Ozone service.
Click the Configuration tab.
Search for ranger_service.
Select the RANGER service checkbox.
Enter a Reason for Change, and then click Save Changes to save the property changes.
Restart the cluster.

Set up policies in Ranger for the users to have the right access permissions to the various Ozone objects such as buckets and volumes.

When using Ranger to provide a particular user with read/write permissions to a specific bucket, you must configure a separate policy for the user to have read access to the volume in addition to policies configured for the bucket.

For example,

user/group -> Allow Read on Volume=testvol, Bucket=testbucket1.
user/group -> Allow All (including delete on) on Volume=testvol, Bucket=testbucket1, Keys=*

To disallow users to delete volumes or buckets:

user/group -> Allow Read on Volume=testvol, Bucket=testbucket1. Deny Delete on Volume=testvol, Bucket=testbucket1
user/group -> Allow All (including delete on) on Volume=testvol, Bucket=testbucket1, Keys=*

Further, if Infra-Solr is managed by Ranger, the Ozone Manager principal (om) must have access to Infra-Solr. You can provide access to the Ozone Manager principal by adding om to the RANGER_AUDITS_COLLECTION Solr collection for cm_solr on Ranger.