Enabling RMS for Ozone authorization

You must grant necessary permissions and update policies to access Ozone.

When Ranger is enabled in the cluster, any user other than the default admin user (om) requires the necessary Ranger permissions and policy updates to access the Ozone file system. To create a Hive external table that points to the Ozone file system, the hive user must have the required permissions in Ranger. Grant the hive user full access by updating the default all - volume, bucket, key policy in the cm_ozone service.

  1. Log in to the Ranger Admin Web UI.
    1. Go to Cloudera Manager > Clusters > Ranger > Ranger Admin Web UI.
    2. Type your username and password.
    3. Click Sign In.
    The Service Manager for Resource-based Policies page displays.
  2. In Service Manager > cm_ozone service, click Edit.
  3. In cm_ozone policies > all - volume, bucket, key policy, click Edit.
  4. In Allow Conditions, add the hive user, choose the necessary permissions, then click Save, as shown in Figure 1.
    Figure 1. Editing Ozone plugin permissions for the hive user
  5. Grant Read access to users only on the volumes and buckets where Hive tables and databases are located. (Recommended)
    1. Create a new policy in the Ozone service (cm_ozone) for the volumes and buckets where Hive tables and databases are located.
    2. In Allow Conditions, add the users, groups, and roles and give them Read permission.
    Alternatively, to grant Read access to everyone on all volumes and buckets, on the Ozone service (cm_ozone) policies page:
    1. Edit the all - volume, bucket policy.
    2. Add the public group to the group list.
    3. Give Read permission.
  6. Add the chained plugin properties to the ranger-ozone-security.xml file.
    1. Go to Cloudera Manager > Ozone > Configuration > Ozone Manager Advanced Configuration Snippet (Safety Valve) for ozone-conf/ranger-ozone-security.xml.
    2. Click +Add to add the following properties and values:
    ranger.plugin.ozone.chained.services = cm_hive
    ranger.plugin.ozone.chained.services.cm_hive.impl = org.apache.ranger.chainedplugin.ozone.hive.RangerOzoneHiveChainedPlugin
  7. Restart the Ozone service.
If everything is configured as described above, the ranger-ozone-plugin automatically communicates with RMS, downloads the Hive-Ozone mappings, and stores them in the policy-cache directory as an ozone_cm_hive_resource_mapping.json file. It also communicates with Ranger Admin and downloads the Hive policies, Hive tags, and Hive roles.

The following files are downloaded into the policy-cache directory (default configured value: /var/lib/ranger/ozone/policy-cache/) after enabling RMS for Ozone authorization:
  • ozone_cm_hive_resource_mapping.json
  • ozone_cm_hive.json
  • ozone_cm_hive_tag.json
  • ozone_cm_hive_roles.json
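An added verification script (not Cloudera's or Ranger's own tooling) that checks a rendered ranger-ozone-security.xml for the two chained-plugin properties from step 6 and reports which of the expected policy-cache files have not yet appeared after the restart. The sample XML is constructed for illustration, and the cache path is the page's default value.

```python
import os
import xml.etree.ElementTree as ET

# The two chained-plugin properties the procedure adds through the safety valve.
EXPECTED_PROPERTIES = {
    "ranger.plugin.ozone.chained.services": "cm_hive",
    "ranger.plugin.ozone.chained.services.cm_hive.impl":
        "org.apache.ranger.chainedplugin.ozone.hive.RangerOzoneHiveChainedPlugin",
}
# Files the plugin writes to the policy cache once the RMS sync works.
EXPECTED_CACHE_FILES = ("ozone_cm_hive_resource_mapping.json", "ozone_cm_hive.json",
                        "ozone_cm_hive_tag.json", "ozone_cm_hive_roles.json")

def parse_hadoop_config(xml_text):
    """Return {name: value} from a Hadoop-style <configuration> document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props

def check_chained_properties(xml_text):
    """Return (name, expected, actual) for each property that is absent or wrong."""
    props = parse_hadoop_config(xml_text)
    return [(k, v, props.get(k)) for k, v in EXPECTED_PROPERTIES.items()
            if props.get(k) != v]

def missing_cache_files(cache_dir="/var/lib/ranger/ozone/policy-cache/"):
    """Return the expected policy-cache files not present in cache_dir (page default)."""
    return [f for f in EXPECTED_CACHE_FILES
            if not os.path.isfile(os.path.join(cache_dir, f))]

# Constructed sample of the rendered ranger-ozone-security.xml, with the impl
# class name truncated so the check has a misconfiguration to report.
SAMPLE_XML = """<configuration>
  <property><name>ranger.plugin.ozone.chained.services</name><value>cm_hive</value></property>
  <property><name>ranger.plugin.ozone.chained.services.cm_hive.impl</name>
    <value>org.apache.ranger.chainedplugin.ozone.hive.RangerOzoneHiveChainedPlugi</value></property>
</configuration>"""

if __name__ == "__main__":
    for name, expected, actual in check_chained_properties(SAMPLE_XML):
        print(f"{name}: expected {expected!r}, found {actual!r}")
    for f in missing_cache_files():
        print(f"missing from policy cache: {f}")
```

Run it on the Ozone Manager host after the restart; an empty result from both checks means the properties match the procedure and the RMS sync has populated the cache.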