Ranger RMS (Hive-HDFS ACL-Sync) Use Cases
This topic presents a few common use cases for Ranger RMS (Hive-HDFS ACL-Sync).
Use Case 1: RMS Hive policies control access to a table's HDFS directories
Prerequisites:
- Create a "Customer" Hive table under the default database.
- Create a "unixuser1" user.
- User "unixuser1" does not have any policy to allow it access to table "Customer".
- User "unixuser1" tries to access the Hive data through the hdfs command.
Before setting up RMS:
If HDFS ACLs allow access to the location for Customer table, access will be granted to "unixuser1". The audit log will have "hadoop-acl" as the access enforcer.
After setting up RMS:
Access will not be granted to user "unixuser1". The audit log will not specify denying policy.
Use Case 2: RMS Hive policies propagate tag-based access control on tables to HDFS directories
Prerequisites:
- Create a "Customer" Hive table under the default database.
- Create a "unixuser1" user.
- The tag "SPECIAL_ACCESS" is associated with the "Customer" table.
- A policy for the tag "SPECIAL_ACCESS" provides Hive
select
access to "unixuser1". - User "unixuser1" tries to read the Hive data through the hdfs command.
Before setting up RMS:
If HDFS ACLs allow access to the location for "Customer" table, access will be granted to ‘"unixuser1". The audit log will have "hadoop-acl" as the access enforcer.
After setting up RMS:
Access will be granted by tag-based policy for "SPECIAL_ACCESS".
Use Case 3: RMS Hive policies propagate tag-based masking on tables and denies access to HDFS directories
Prerequisites:
- Create a "Customer" Hive table under the default database.
- Create a "unixuser1" user.
- The tag "SPECIAL_ACCESS" is associated with the "Customer" table.
- A policy for the tag "SPECIAL_ACCESS" provides Hive
select
access to "unixuser1". - A masking policy for the "Customer" table is set up so that for "unixuser1" a column "SSN" is redacted.
- User "unixuser1" tries to read the Hive data through the hdfs command.
Before setting up RMS:
If HDFS ACLs allow access to the location for Customer table, access will be granted to "unixuser1". The audit log will have "hadoop-acl" as the access enforcer.
After setting up RMS:
Access will be denied by the masking policy.
Use Case 4: RMS Hive policies take precedence over HDFS policies
Prerequisites:
- Create a "Customer" Hive table under the default database.
- Create a "unixuser1" user.
- User "unixuser1" has a HDFS policy allowing
read
access. - User "unixuser1" does not have any policy to allow it access to the "Customer" table.
- User "unixuser1" tries to access the Hive data through the hdfs command.
Before setting up RMS:
Access will be granted by the Ranger HDFS policy.
After setting up RMS:
Access will not be granted to the "unixuser1" user. The audit log will not specify a denying policy.