Ranger special entities

Ranger in CDP has specific, internal groups and entities that affect user authorization and access to all services in CDP.

In addition to any users, group, roles and permissions that you define using Ranger, you must understand the following Ranger special entities:

"public" group
A special, internal group within Ranger that consists of all users, including future users. Membership is implicit and automatic.

The following, default policies give permissions to members of group "public":

  • all - database > public > create permission
  • default database tables columns > public > create permission
  • Information_schema database tables columns > public > select permission

You can remove “public” from these default policies to further restrict user access, based on your security requirements.

{OWNER} special entity

A special Ranger entity attached to a user based on their actions. For example, when a user "bob" creates a table, "bob" becomes the {OWNER} of that table and would get any permissions provided to {OWNER} on that table across all the policies. The following default policies have permissions for {OWNER}:

  • all - database, table, column > {OWNER} > all permissions
  • all - database, table > {OWNER} > all permissions
  • all - database, udf > {OWNER} > all permissions
  • all - database > {OWNER} > all permissions

Although not recommended, you can modify access to special entity {OWNER}, based on your security requirements. Removing the default {OWNER} permissions may require adding additional, specific policies for each object owner, which may increase your policy management operational burden.