Configuring Atlas Authorization using Ranger
Use the Ranger Admin UI to add or update policies to control Atlas access.
You can use Ranger policies to control user-access to Atlas metadata and to actions that users can perform in Atlas. The following policies are defined by default:
To change Ranger policies for Atlas, your user needs privileges in Ranger to change Resource Based Policies.
- Open the Ranger service that is running in the same cluster and select Atlas policies (cm_atlas).
One way to do this is to open the Ranger Admin Web UI from Cloudera Manager.
- On the List of Policies page, click Add New Policy.
- Use the Create Policy page to specify the Atlas authorization.
Ranger fields support * wildcards for single and multiple character replacement. To apply the policy to all types of a given entry, use the * wildcard.
These selections can be set to "include" the selected resources or "exclude" the selected resources. An include policy applies only to the named types. An exclude policy for the same type applies to all metadata types other than the named types.

Ranger Authorization with classifications
Currently in Atlas we have the following authorization options for using classification:

Authorization Enhancement
The enhancement authorizes who can add, remove, and update classifications for an entity. It applies even to entities that do not already carry any classification, provided that the entity type, entity ID, and the classification being applied match the specified policy.
For example, any user belonging to the user group finance_group can add the classification FINANCE_PII to any entity (whether or not the entity already has classifications associated with it) if the policy grants that access to the user or user group.
To achieve this, a new field named classification is introduced in the Ranger UI, in which the classifications to be added can be specified. Entity Classification denotes the classifications already associated with the entity.
For example:
Entity Classification - Finance_*
Access: Group: finance_group, Permission: Add/Update/Delete Classifications.
Policy Type: Access. There are no other policy types available for an Atlas service.
Policy Name: A name of up to 255 characters that appears in the list of policies. Roles, users, and groups also show up in the list, so it helps if the name includes the operations or metadata that the policy controls.
Policy Label: Metadata you can include in the policy definition to help organize the policies for a given service. The same label can be added to any number of policies for the service. There is no limit to the number of characters in a label, but only 28 characters display in the policy list.
type-category menu: The metadata or operation type ("resources" in Ranger terms) that the policy applies to, including:
type-category option: Choose this option to authorize actions generally against Atlas resource types, including business metadata, classifications, enumerations, entities, relationships, and structures.
With type-category selected, options include:
Type Name: Refines the authorization to specific types within the named type category. For example, to give users authorization to create Atlas Business Metadata, choose type-category and the category Business Metadata; then set the Type Name to *. For example, to authorize users to add values to an existing enum, such as AtlasGlossaryTermRelationshipStatus, add this enum to the Type Name and include the permission for "Update Type" in the Allow Condition. To allow users to update any types within the type category, use *.
To determine the supported values, use the Atlas UI or API to show the defined types.
entity-type option: Authorizes actions against specific entity types, individual entities, entities identified by associated classifications, or entities identified by associated metadata. For example, to authorize users to add classifications or metadata to any Hive table entities, set the entity-type to hive_table and set the additional options to *.
With entity-type selected, options include:
Entity Classification: Refines the list of entities in entity-type to those associated with a specified classification. For example, to restrict authorization to Hive tables that were marked with some classification that indicates their readiness for use, set entity-type to hive_table and include the identifying classification name (e.g., Available) in Entity Classification.
Entity ID: Refines the list of entities in entity-type to those associated with a specified ID. When the detail page for an entity is open in the Atlas UI, the last element of the browser URL is the entity ID.
classification: Authorizes who can add, remove, and update classifications for an entity. It applies even to entities that do not already carry any classification, provided that the entity-type, Entity ID, and the classification being applied match the specified policy.
Metadata types selection: Refines the list of entities in entity-type to those associated with specific user-defined metadata, including:
Set label names in the type entity-label to limit the authorization policy to entities marked with any of those labels. Use * to indicate any label.
Set business metadata collection names in the type entity-business-metadata to limit the authorization policy to entities marked with metadata attributes from that business metadata collection. Use * to indicate any business metadata collection.
atlas-service option: Authorizes importing and exporting Atlas entities and purging deleted entities through the API. This privilege overrides specific privileges for entity-types. Typically the users with this privilege are service users creating entities in Atlas.
relationship-type option: Authorizes the creation and update of Atlas relationships. You can identify specific relationship types or use * to indicate any relationship type. Typically the users with this privilege are service users creating entities in Atlas.
With relationship-type selected, the following options refine the relationship authorization to specific attributes of relationships:
End1 Entity Type
End1 Entity Classification
End1 Entity ID
End2 Entity Type
End2 Entity Classification
End2 Entity ID
"End1" and "End2" indicate the entities on each side of the relationship. For example, you could use the End1 and End2 Entity Type options to allow modification of relationships when one side of the relationship is a Hive table and the other side a Hive column.
Description: Information that you add to help you remember the purpose of this policy. The description can be up to 1000 characters.
Audit Logging: Enables Ranger's audit logging for this policy. Other options in Ranger's configuration can conflict with this setting, but generally, if you turn it off, Ranger enforces the policy but does not audit successful or failed actions against it.
Allow Conditions: Choose the roles, users, and/or groups and the permissions they are granted for the resources defined in the policy. If you need to include parts of overlapping groups, add an exclude condition in addition to the allow condition.
Deny Conditions: Choose the roles, users, and/or groups and the permissions they are denied for the resources defined in the policy.
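The following is an added Python model, not Ranger's code or its API, of how the selections described above combine when a request is evaluated: * and ? wildcards in resource fields, the include/exclude selection, the classification field that lets untagged entities qualify, and deny conditions taking precedence over allow conditions. The resource keys (entity-type, entity-classification, classification), the permission labels, the group names and the three sample policies are constructed to follow this page's vocabulary; deny-before-allow with a default of deny is an assumption of the model.

```python
"""Constructed, simplified model of Ranger-style Atlas policy evaluation.
Added illustration only: resource keys, permission labels, groups and
policies are constructed from the page's wording, not Ranger's API."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class Resource:
    """One resource selector: wildcard patterns plus the include/exclude flag.
    fnmatchcase supplies '*' (any run of characters) and '?' (one character),
    matched case-sensitively, which is all this model needs."""
    patterns: list
    exclude: bool = False

    def matches(self, values):
        # A request may carry several values (all classifications already on
        # an entity) or none at all; only the "*" pattern matches "none".
        if not values:
            hit = "*" in self.patterns
        else:
            hit = any(fnmatchcase(v, p) for v in values for p in self.patterns)
        # An exclude selection applies to everything other than the named values.
        return not hit if self.exclude else hit


@dataclass
class Policy:
    name: str
    resources: dict                              # resource key -> Resource
    allow: dict = field(default_factory=dict)    # group -> set of permissions
    deny: dict = field(default_factory=dict)     # group -> set of permissions

    def applies_to(self, request):
        # Only the resources a policy names constrain the request; a resource
        # the request does not carry counts as "no value".
        return all(res.matches(request.get(key, []))
                   for key, res in self.resources.items())


def _grants(table, groups, permission):
    return any(permission in table.get(g, set()) for g in groups)


def is_authorized(policies, request, groups, permission):
    """Deny conditions of applicable policies are checked first; otherwise any
    allow condition grants access; with no applicable allow the default is deny."""
    applicable = [p for p in policies if p.applies_to(request)]
    if any(_grants(p.deny, groups, permission) for p in applicable):
        return False
    return any(_grants(p.allow, groups, permission) for p in applicable)


def request(entity_type, existing=(), classification=None):
    """Constructed access request: the entity's type, the classifications
    already on it, and (for tagging operations) the classification being
    added, updated or removed."""
    req = {"entity-type": [entity_type], "entity-classification": list(existing)}
    if classification is not None:
        req["classification"] = [classification]
    return req


POLICIES = [
    # The text's example: finance_group may add/update/delete FINANCE_* tags on
    # hive_table entities whether or not they are tagged yet. Setting
    # entity-classification to "*" is what lets untagged entities qualify; the
    # page's "Entity Classification - Finance_*" setting would instead limit
    # the policy to entities that already carry a Finance_* tag.
    Policy(
        name="finance-classification",
        resources={
            "entity-type": Resource(["hive_table"]),
            "entity-classification": Resource(["*"]),
            "classification": Resource(["FINANCE_*"]),
        },
        allow={"finance_group": {"Add Classification", "Update Classification",
                                 "Delete Classification"}},
    ),
    # Exclude selection: analysts may read every entity type except hive_column.
    Policy(
        name="read-all-but-hive-columns",
        resources={"entity-type": Resource(["hive_column"], exclude=True)},
        allow={"analysts": {"Read Entity"}},
    ),
    # Deny condition: contractors never remove a classification, even when one
    # of their other groups is allowed to.
    Policy(
        name="contractors-no-classification-removal",
        resources={"entity-type": Resource(["*"])},
        deny={"contractors": {"Delete Classification"}},
    ),
]


if __name__ == "__main__":
    checks = [
        ("finance tags an untagged table",
         request("hive_table", classification="FINANCE_PII"),
         {"finance_group"}, "Add Classification"),
        ("finance tags a database",
         request("hive_db", classification="FINANCE_PII"),
         {"finance_group"}, "Add Classification"),
        ("analyst reads a column", request("hive_column"),
         {"analysts"}, "Read Entity"),
        ("contractor in finance removes a tag",
         request("hive_table", ["FINANCE_PII"], "FINANCE_PII"),
         {"finance_group", "contractors"}, "Delete Classification"),
    ]
    for label, req, groups, perm in checks:
        verdict = "allowed" if is_authorized(POLICIES, req, groups, perm) else "denied"
        print(f"{label}: {verdict}")
```

Run the module directly to see the four constructed checks evaluated. Two details worth noting when comparing against a real deployment: the model treats an empty set of existing classifications as matched only by a * pattern, so an Entity Classification field set to Finance_* excludes untagged entities while the separate classification field still filters on the tag being applied; and a deny condition on any applicable policy wins over every allow, so overlapping group memberships are resolved toward denial.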
- Click Add.