About Ranger RMS for Ozone

In CDP 7.1.9, Ranger RMS will support authorization for Ozone storage locations. RMS for Ozone will co-exist with Hive-HDFS ACL sync and provide authorization for both HDFS and Ozone file systems.

RMS periodically connects to the Hive Metastore (HMS), pulls the following Hive metadata:
  • database-name
  • table-name
  • location
and stores it in the Ranger database. The Ranger Ozone plugin (running in the OzoneManager) has been extended with an additional RangerOzoneHiveChainedPlugin module. After RMS for Ozone authorization is enabled, this module downloads Hive policies, tags and roles from Ranger Admin, along with the resource mappings from Ranger RMS. Both Ozone policies and Hive policies then determine Ozone access.

Previously, Ranger only supported managing Hive and Ozone policies separately. Ranger Resource Mapping Server (RMS) now allows you to create a database- or table-level policy in Hive and have those permissions propagate to the Ozone storage locations of those databases and tables, including all files and directories under them. Ozone can be used alongside the existing HDFS file system as the storage for databases and tables, and RMS is the service that enables Hive-Ozone ACL sync in addition to Hive-HDFS ACL sync. (Prior to CDP 7.1.9, only Hive-HDFS ACL sync was supported.)

After the first, full-synchronization run, RMS downloads mappings for the tables and databases present in the HMS. These tables and databases can be located in either the Ozone or the HDFS file system. RMS maps each table and database to its storage location and stores the mapping in the Ranger database together with the associated service ID (cm_ozone or cm_hdfs). When ranger-ozone-plugin or ranger-hdfs-plugin requests mappings, it fetches only the mappings for its own service: ranger-ozone-plugin downloads mappings only for tables and databases whose storage location is in Ozone, and ranger-hdfs-plugin downloads mappings only for those whose storage location is in HDFS. Read access for any user to a database location is allowed through the default Hive policy for all databases. This is evaluated as the _any access type, which corresponds to the Hive command show tables. If a user has no Hive policy that allows any access to the database, access to the corresponding Ozone location of that database is denied. This access evaluation aligns with the HDFS db-level grants feature.
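To make the behavior described above concrete, the following Python model is added here; it is not Ranger's or Cloudera's code. It shows how RMS could tag each HMS location with a service ID so that each plugin fetches only its own mappings, and how a chained Hive check on the Ozone side could resolve a path to its Hive resource and apply the database-level _any rule. The HMS rows, Hive policies, host names and paths are constructed; the scheme-to-service rule and the read/write-to-Hive-access mapping are assumptions, since the page does not describe them.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed HMS metadata rows: (database-name, table-name or None for the
# database itself, location). Names, hosts and paths are made up.
HMS_METADATA = [
    ("sales", None, "ofs://ozone1/vol1/warehouse/sales.db"),
    ("sales", "orders", "ofs://ozone1/vol1/warehouse/sales.db/orders"),
    ("sales", "archive", "hdfs://nn1:8020/warehouse/sales.db/archive"),
    ("hr", None, "hdfs://nn1:8020/warehouse/hr.db"),
    ("hr", "staff", "hdfs://nn1:8020/warehouse/hr.db/staff"),
]

# Assumption: the owning service is derived from the URI scheme. The page names
# cm_ozone and cm_hdfs but does not say how RMS classifies a location.
SCHEME_TO_SERVICE = {"ofs": "cm_ozone", "o3fs": "cm_ozone", "hdfs": "cm_hdfs"}

# Constructed Hive policies. table=None means the policy covers only the
# database resource (like the default all-databases policy); "*" = every table.
HIVE_POLICIES = [
    {"database": "*", "table": None, "users": {"*"}, "accesses": {"select"}},
    {"database": "sales", "table": "orders", "users": {"alice"}, "accesses": {"select", "update"}},
    {"database": "hr", "table": "*", "users": {"bob"}, "accesses": {"select"}},
]

# Assumption: how a file-system access maps onto a Hive access type.
OZONE_TO_HIVE_ACCESS = {"read": "select", "write": "update"}


@dataclass(frozen=True)
class Mapping:
    database: str
    table: Optional[str]
    location: str
    service_id: str


def build_mappings(rows) -> List[Mapping]:
    """RMS side: tag every HMS location with the service that owns it."""
    mappings = []
    for database, table, location in rows:
        service_id = SCHEME_TO_SERVICE.get(urlparse(location).scheme)
        if service_id is None:
            continue  # storage neither plugin serves: nothing to map
        mappings.append(Mapping(database, table, location.rstrip("/"), service_id))
    return mappings


def mappings_for_service(mappings: List[Mapping], service_id: str) -> List[Mapping]:
    """Plugin side: each plugin fetches only the mappings for its own service."""
    return [m for m in mappings if m.service_id == service_id]


def resolve(mappings: List[Mapping], path: str) -> Optional[Mapping]:
    """Most specific Hive resource whose location contains `path`, or None."""
    path = path.rstrip("/")
    best = None
    for m in mappings:
        if path == m.location or path.startswith(m.location + "/"):
            if best is None or len(m.location) > len(best.location):
                best = m
    return best


def policy_grants(policy, user, database, table, access) -> bool:
    if policy["database"] not in ("*", database):
        return False
    if not policy["users"] & {"*", user}:
        return False
    if table is None:
        # Database-level check with _any semantics: any grant on the database counts.
        return bool(policy["accesses"])
    if policy["table"] is None or policy["table"] not in ("*", table):
        return False
    return access in policy["accesses"]


def chained_hive_check(mappings, policies, user, path, fs_access) -> Optional[bool]:
    """Model of the chained plugin. None: path is not Hive-managed, so only the
    storage service's own policies apply. True/False: Hive policies decided."""
    m = resolve(mappings, path)
    if m is None:
        return None
    hive_access = None if m.table is None else OZONE_TO_HIVE_ACCESS[fs_access]
    return any(policy_grants(p, user, m.database, m.table, hive_access) for p in policies)


if __name__ == "__main__":
    ozone_maps = mappings_for_service(build_mappings(HMS_METADATA), "cm_ozone")
    for user, path, access in [
        ("alice", "ofs://ozone1/vol1/warehouse/sales.db/orders/part-0", "write"),
        ("bob", "ofs://ozone1/vol1/warehouse/sales.db/orders/part-0", "read"),
        ("bob", "ofs://ozone1/vol1/warehouse/sales.db", "read"),
        ("bob", "ofs://ozone1/vol1/scratch/tmp.txt", "read"),
    ]:
        print(user, access, path, "->", chained_hive_check(ozone_maps, HIVE_POLICIES, user, path, access))
```

In this model the Ozone plugin never sees the HDFS-resident `sales.archive` table, a user with only the default all-databases grant can list the `sales.db` location but not read files under `sales.db/orders`, and a path outside any Hive location is left entirely to the Ozone policies.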