Using Ranger with Ozone
You can use Apache Ranger to secure access to your Ozone data. For Ozone to work with Ranger, you can use Cloudera Manager and enable the Ranger service instance with which you want to use Ozone.
- Go to the Ozone service.
- Click the Configuration tab.
- Search for ranger_service.
- Select the RANGER service checkbox.
- Enter a Reason for Change, and then click Save Changes to save the property changes.
- Restart the cluster.
When using Ranger to provide a particular user with read/write permissions to a specific bucket, you must configure a separate policy for the user to have read access to the volume in addition to policies configured for the bucket.
- user/group -> Allow Read on Volume=testvol, Bucket=testbucket1.
- user/group -> Allow All (including delete on) on Volume=testvol, Bucket=testbucket1, Keys=*
- user/group -> Allow Read on Volume=testvol, Bucket=testbucket1. Deny Delete on Volume=testvol, Bucket=testbucket1
- user/group -> Allow All (including delete on) on Volume=testvol, Bucket=testbucket1, Keys=*
Further, if Infra-Solr is managed by Ranger, the Ozone Manager principal
(om
) must have access to Infra-Solr. You can provide access to
the Ozone Manager principal by adding om
to the
RANGER_AUDITS_COLLECTION
Solr collection for cm_solr
on Ranger.