Ranger RMS Assumptions and Limitations

  • RMS for Ozone does not support the semantics that Sentry enforced for HDFS ACLs. As a result, even when ranger.plugin.ozone.mapping.hive.authorize.with.only.chained.policies is set to true, a user who accesses Ozone locations with RMS enabled must be given READ access on the bucket and volume where the Hive tables and databases are located.
  • In addition to Ozone policies, Ranger RMS authorizes access only for "key" resources, which are the database and table locations in Ozone. To access volumes and buckets, the user must have appropriate access through policies of the Ozone service configured in Ranger Admin.
  • The Ranger RMS ACL-sync feature supports a single logical HMS to evaluate Ozone/HDFS access via Hive permissions.
  • RMS ACL sync is designed to work on a specific pair of HDFS<->Hive and Ozone<->Hive Ranger services. It supports only one pair of “HDFS and Hive” services and one pair of “Ozone and Hive” services.
  • By default, all external tables are stored in HDFS. To create an external table in Ozone, provide the Ozone location in the location clause when you create the table, or configure the Hive External Warehouse Directory in HMS.
  • The default Hive Warehouse directory is configured in Hive Metastore (HMS) to store managed tables in HDFS. To store managed tables in Ozone, configure the Hive Warehouse directory or update the database managed location to an Ozone storage location. Check with the Ozone/Hive support members to learn more about creating Hive tables and databases in Ozone.
  • Metrics for RMS with Ozone are not supported in the CDP-7.1.9 release.