Atlas in CDP uses Ranger policies to control access to the metadata managed by Atlas. Ranger policies also control access to Atlas administrative tasks.

Ranger provides authorization for access to the following metadata and operations:
- Types
  - Atlas "types" are the entity model definitions, whether provided in Atlas or added in your environment. Types include these "categories":
    - Entity
    - Classification
    - Relationship
    - Business Metadata
    - Struct
    - Enum
  - Ranger authorization allows you to configure access for users and groups to perform the following operations on types:
    - Create
    - Update
    - Delete
    - Read
  - The policies can be configured to apply to one or more types or to all types. For example, the Atlas administrator user has access to create, update, and delete all type categories (type-category *).
- Entities
  - Atlas "entities" are instances of entity types: entities represent assets and processes on your cluster. Ranger authorization allows you to configure access for users and groups to perform the following operations on entities:
    - Read
    - Create
    - Update
    - Delete
    - Read classification
    - Add classification
    - Update classification
    - Remove classification
    - Add label
    - Remove label
    - Update Business Metadata
  - Note that the classification operations are those that involve associating a classification with an entity; operations on a classification definition are controlled by authorization on the classification category of type described previously. Use the entity authorization to give a user the ability to associate an existing classification with any entity (entity-type *); use the type authorization to give a user the ability to create new classifications (type-category classification).
  - Policies for labels and business metadata work similarly to classifications: you can control whether users can add labels or business metadata to specific entity types, individual entities, or entities marked with specific classifications. For example, a default policy allows any authenticated user to update all business metadata for any entity type with any classification and on any instance of an entity (entity-type *, entity-classification *, entity-id *, entity-business-metadata *).
  - Some Atlas features, such as saved searches, are modeled as entities. You can control access to these features using entity policies. For example, a default policy allows any authenticated user to save Atlas searches (entity-type __AtlasUserProfile, __AtlasUserSavedSearch).
- Relationships
  - Atlas "relationships" describe connections between two entities, including, but not limited to, the input and output relationships that are used to build lineage graphs. Ranger authorization allows you to configure access for users and groups to perform the following operations on relationships:
    - Add relationship
    - Update relationship
    - Remove relationship
  - These operations are required to build rich models among entities and are granted to administrative users and system users. Relationships cannot be updated by users through the Atlas UI.
- Admin operations
  - Atlas administrative operations include:
    - Import entities
    - Export entities
  - These operations encompass all the privileges needed to create new entities and update existing ones. Typically, this access is granted to administrative users and system users such as RangerLookup and the Data Plane profiler user (DPProfiler).