You must grant necessary permissions and update policies to access Ozone.
When Ranger is enabled in the cluster, any user other than the default admin
user, om, requires the necessary Ranger permissions and policy updates to
access the Ozone file system. To create a Hive external table that points to
the Ozone file system, the hive user should have the required permissions in
Ranger. Give all accesses to the hive user by updating the default policy
all - volume, bucket, key in the cm_ozone service.
1. Log in to the Ranger Admin Web UI.
   a. Go to Cloudera Manager > Clusters > Ranger > Ranger Admin Web UI.
   b. Type your username and password.
   c. Click Sign In.
   The Service Manager for Resource-based Policies page displays.
2. In Service Manager > cm_ozone service, click Edit.
3. In cm_ozone policies > all - volume, bucket, key policy, click Edit.
4. In Allow Conditions, add the hive user, choose necessary permissions, then click Save, as shown in:
5. Grant Read access to users only on volumes and buckets where Hive tables and databases are located. (Recommended)
   a. Create a new policy in the Ozone service (cm_ozone) for the volumes and buckets where Hive tables and databases are located.
   b. In Allow Conditions, add the users, groups, and roles, and give Read permission.
   Alternatively, to grant Read access to everyone on all volumes and buckets, on the Ozone service (cm_ozone) policies page:
   a. Edit the all - volume, bucket policy.
   b. Add the public group to the group list.
   c. Give Read permission.
6. Add chained properties to the ranger-ozone-security.xml file.
   a. Go to Cloudera Manager > Ozone > Configuration > Ozone Manager Advanced Configuration Snippet (Safety Valve) for ozone-conf/ranger-ozone-security.xml.
   b. Click +Add to add the following properties and values:
If everything is correctly configured as explained above, the ranger-ozone-plugin
automatically communicates with RMS, downloads the Hive-Ozone mappings, and stores
them in the policy-cache directory as an ozone_cm_hive_resource_mapping.json
file. It also communicates with the Ranger admin and downloads Hive policies, Hive
tags, and Hive roles.
The following files download into the policy-cache
directory
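
Returning to the Read-access step above: as an added example (not Cloudera's or Ranger's own code), the following script audits cm_ozone policies for the broad option, reporting allow items that are granted to the public group or that cover all volumes and buckets. It assumes the policies are available as JSON in Ranger's policy model; the sample data, including the names vol1, hivebucket, analyst1 and etl, is constructed.

```python
import json

# Constructed sample in the shape of Ranger's policy JSON (RangerPolicy model).
# Volume, bucket, user and group names other than "public" are hypothetical.
SAMPLE_POLICIES = json.loads("""[
 {"service": "cm_ozone", "name": "hive-warehouse-read", "isEnabled": true,
  "resources": {"volume": {"values": ["vol1"]},
                "bucket": {"values": ["hivebucket"]}},
  "policyItems": [{"users": ["analyst1"], "groups": ["etl"], "roles": [],
                   "accesses": [{"type": "read", "isAllowed": true}]}]},
 {"service": "cm_ozone", "name": "all - volume, bucket", "isEnabled": true,
  "resources": {"volume": {"values": ["*"]}, "bucket": {"values": ["*"]}},
  "policyItems": [{"users": [], "groups": ["public"], "roles": [],
                   "accesses": [{"type": "read", "isAllowed": true}]}]}
]""")


def covers_everything(spec):
    """True when a resource entry matches every name (a bare "*", not excluded)."""
    return "*" in spec.get("values", []) and not spec.get("isExcludes", False)


def audit_ozone_policies(policies, service="cm_ozone"):
    """Return (policy name, reasons, accesses) for each broad allow item."""
    findings = []
    for policy in policies:
        if policy.get("service") != service or not policy.get("isEnabled", True):
            continue  # other services and disabled policies grant nothing here
        resources = policy.get("resources", {})
        unscoped = bool(resources) and all(map(covers_everything, resources.values()))
        for item in policy.get("policyItems", []):
            accesses = sorted(a["type"] for a in item.get("accesses", [])
                              if a.get("isAllowed", True))
            reasons = []
            if "public" in item.get("groups", []):
                reasons.append("granted to public group")
            if unscoped:
                reasons.append("applies to all volumes and buckets")
            if accesses and reasons:
                findings.append((policy["name"], reasons, accesses))
    return findings


if __name__ == "__main__":
    for name, reasons, accesses in audit_ozone_policies(SAMPLE_POLICIES):
        print(f"{name}: {', '.join(accesses)} -> {'; '.join(reasons)}")
```

The scoped hive-warehouse-read policy produces no finding; only the all - volume, bucket policy with the public group is reported.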