Enabling RMS for Ozone authorization
You must grant necessary permissions and update policies to access Ozone.
When Ranger is enabled in the cluster, any user other than the default admin user, om, requires the necessary Ranger permissions and policy updates to access the Ozone file system. To create a Hive external table that points to the Ozone file system, the hive user must have the required permissions in Ranger. Grant the hive user all access by updating the default policy all - volume, bucket, key in the cm_ozone service.
Log in to the Ranger Admin Web UI.
- Go to .
- Type your username and password.
- Click Sign In.
The Service Manager for Resource-based Policies page displays.
- In the service, click Edit.
- In the policy, click Edit.
In Allow Conditions, add the hive user, choose the necessary permissions, then click Save.
Grant Read access to users only on volumes and buckets where Hive tables and databases are located. (Recommended)
- Create a new policy in the Ozone service (cm_ozone) for the volumes and buckets where Hive tables/databases are located.
- In Allow Conditions, add the users, groups, and roles and give Read permission.
Or else, to grant Read access to everyone on all volumes and buckets, in the Ozone service (cm_ozone) policies page:
- Edit the all - volume, bucket policy.
- Add the public group to the group list.
- Give Read permission.
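To check which of the two Read options above is in effect, the following added example (not part of the original documentation) scans policy JSON for cm_ozone policies that give Read to the public group and reports their scope. It assumes policies exported in Ranger's policy JSON model; the sample policies, the user alice, the volume vol1 and the bucket hivebucket are constructed.

```python
# Added example: find cm_ozone policies that grant Read to the public group.
# SAMPLE_POLICIES is constructed sample data in Ranger's policy JSON model.
import json

SAMPLE_POLICIES = json.loads("""
[
  {"service": "cm_ozone", "name": "all - volume, bucket", "isEnabled": true,
   "resources": {"volume": {"values": ["*"]}, "bucket": {"values": ["*"]}},
   "policyItems": [{"groups": ["public"], "users": [],
                    "accesses": [{"type": "read", "isAllowed": true}]}]},
  {"service": "cm_ozone", "name": "hive-warehouse-read", "isEnabled": true,
   "resources": {"volume": {"values": ["vol1"]},
                 "bucket": {"values": ["hivebucket"]}},
   "policyItems": [{"groups": [], "users": ["alice"],
                    "accesses": [{"type": "read", "isAllowed": true}]}]}
]
""")

def scope_of(resources):
    """Describe the volume/bucket scope; '*' in both means everything."""
    vols = resources.get("volume", {}).get("values", [])
    bkts = resources.get("bucket", {}).get("values", [])
    if "*" in vols and "*" in bkts:
        return "all volumes and buckets"
    return "volume=%s bucket=%s" % (",".join(vols), ",".join(bkts))

def public_read_grants(policies, service="cm_ozone"):
    """Return (policy name, scope) for enabled policies giving public Read."""
    findings = []
    for policy in policies:
        if policy.get("service") != service or not policy.get("isEnabled", True):
            continue  # other service, or policy disabled
        for item in policy.get("policyItems", []):
            # Assumption: the access type "all" also implies read.
            reads = any(a.get("isAllowed", True) and a.get("type") in ("read", "all")
                        for a in item.get("accesses", []))
            if reads and "public" in item.get("groups", []):
                findings.append((policy["name"], scope_of(policy.get("resources", {}))))
                break  # one finding per policy is enough
    return findings

if __name__ == "__main__":
    for name, scope in public_read_grants(SAMPLE_POLICIES):
        print("public has Read via '%s' on %s" % (name, scope))
```

A finding scoped to all volumes and buckets corresponds to the non-recommended option; a policy limited to the Hive volumes and buckets produces no finding unless it names the public group.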
Add chained properties to the ranger-ozone-security.xml file.
- Go to .
- Click +Add to add the following properties and values:
- ranger.plugin.ozone.chained.services =
- ranger.plugin.ozone.chained.services.cm_hive.impl =
- Restart the Ozone service.
The following files download into the policy-cache directory
(default configured value: /var/lib/ranger/ozone/policy-cache/)