Ranger RMS (Hive-HDFS ACL-Sync) Use Cases

This topic presents a few common use cases for Ranger RMS (Hive-HDFS ACL-Sync).

Use Case 1: RMS Hive policies control access to a table's HDFS directories

Prerequisites:

  1. Create a "Customer" Hive table under the default database.
  2. Create a "unixuser1" user.
  3. User "unixuser1" does not have any policy to allow it access to table "Customer".
  4. User "unixuser1" tries to access the Hive data through the hdfs command.

Before setting up RMS:

If HDFS ACLs allow access to the location of the "Customer" table, access will be granted to "unixuser1". The audit log will have "hadoop-acl" as the access enforcer.

After setting up RMS:

Access will not be granted to user "unixuser1". The audit log will not specify a denying policy.

Use Case 2: RMS Hive policies propagate tag-based access control on tables to HDFS directories

Prerequisites:

  1. Create a "Customer" Hive table under the default database.
  2. Create a "unixuser1" user.
  3. The tag "SPECIAL_ACCESS" is associated with the "Customer" table.
  4. A policy for the tag "SPECIAL_ACCESS" provides Hive select access to "unixuser1".
  5. User "unixuser1" tries to read the Hive data through the hdfs command.

Before setting up RMS:

If HDFS ACLs allow access to the location of the "Customer" table, access will be granted to "unixuser1". The audit log will have "hadoop-acl" as the access enforcer.

After setting up RMS:

Access will be granted by tag-based policy for "SPECIAL_ACCESS".

Use Case 3: RMS Hive policies propagate tag-based masking on tables and deny access to HDFS directories

Prerequisites:

  1. Create a "Customer" Hive table under the default database.
  2. Create a "unixuser1" user.
  3. The tag "SPECIAL_ACCESS" is associated with the "Customer" table.
  4. A policy for the tag "SPECIAL_ACCESS" provides Hive select access to "unixuser1".
  5. A masking policy for the "Customer" table is set up so that for "unixuser1" a column "SSN" is redacted.
  6. User "unixuser1" tries to read the Hive data through the hdfs command.

Before setting up RMS:

If HDFS ACLs allow access to the location of the "Customer" table, access will be granted to "unixuser1". The audit log will have "hadoop-acl" as the access enforcer.

After setting up RMS:

Access will be denied by the masking policy.

Use Case 4: RMS Hive policies take precedence over HDFS policies

Prerequisites:

  1. Create a "Customer" Hive table under the default database.
  2. Create a "unixuser1" user.
  3. User "unixuser1" has an HDFS policy allowing read access.
  4. User "unixuser1" does not have any policy to allow it access to the "Customer" table.
  5. User "unixuser1" tries to access the Hive data through the hdfs command.

Before setting up RMS:

Access will be granted by the Ranger HDFS policy.

After setting up RMS:

Access will not be granted to the "unixuser1" user. The audit log will not specify a denying policy.
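The four use cases above describe one precedence rule: once RMS maps an HDFS path to a Hive table, the Hive policies (masking, tag-based, resource) decide access to that directory, and only unmapped paths fall back to Ranger HDFS policies and then native HDFS ACLs. The following is an added toy model of that rule, not code from Ranger or RMS; it assumes a warehouse directory for the "Customer" table, uses "ranger-acl" as the enforcer label for Ranger policy decisions alongside the page's "hadoop-acl", and the policy labels in the audit records are constructed for illustration.

```python
# Toy model (added example, not Ranger RMS code) of the access decisions described
# in the four Ranger RMS use cases: a path mapped to a Hive table is decided by Hive
# policies; otherwise Ranger HDFS policies, then native HDFS ACLs, decide.
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class Audit:
    user: str
    path: str
    allowed: bool
    enforcer: str           # "hadoop-acl" (native ACL) or "ranger-acl" (Ranger policy; assumed label)
    policy: Optional[str]   # policy that decided; None when no policy was involved


@dataclass
class Policies:
    table_locations: dict = field(default_factory=dict)  # table -> HDFS directory
    table_tags: dict = field(default_factory=dict)       # table -> {tag}
    hive_select: dict = field(default_factory=dict)      # table -> {user} (Hive resource policy)
    tag_select: dict = field(default_factory=dict)       # tag -> {user} (tag-based policy)
    masking: dict = field(default_factory=dict)          # table -> {user} (masking policy applies)
    hdfs_read: dict = field(default_factory=dict)        # dir -> {user} (Ranger HDFS policy)
    hdfs_acl: dict = field(default_factory=dict)         # dir -> {user} (native HDFS ACL)


def table_for_path(p: Policies, path: str) -> Optional[str]:
    """RMS-style mapping: the longest table location that contains the path."""
    best = None
    for table, loc in p.table_locations.items():
        if path == loc or path.startswith(loc.rstrip("/") + "/"):
            if best is None or len(loc) > len(p.table_locations[best]):
                best = table
    return best


def evaluate(p: Policies, user: str, path: str, rms_enabled: bool) -> Audit:
    table = table_for_path(p, path) if rms_enabled else None
    if table is not None:
        # Hive policies take precedence for a mapped table (use case 4).
        if user in p.masking.get(table, set()):
            return Audit(user, path, False, "ranger-acl", f"masking:{table}")   # use case 3
        for tag in sorted(p.table_tags.get(table, set())):
            if user in p.tag_select.get(tag, set()):
                return Audit(user, path, True, "ranger-acl", f"tag:{tag}")      # use case 2
        if user in p.hive_select.get(table, set()):
            return Audit(user, path, True, "ranger-acl", f"hive:{table}")
        # No Hive policy grants access: denied, and no denying policy is recorded (use cases 1, 4).
        return Audit(user, path, False, "ranger-acl", None)
    # Unmapped path, or RMS not set up: Ranger HDFS policies first, then native HDFS ACLs.
    for d, users in p.hdfs_read.items():
        if path.startswith(d) and user in users:
            return Audit(user, path, True, "ranger-acl", f"hdfs:{d}")
    for d, users in p.hdfs_acl.items():
        if path.startswith(d) and user in users:
            return Audit(user, path, True, "hadoop-acl", None)
    return Audit(user, path, False, "hadoop-acl", None)


# Constructed sample data: the table directory is an assumed warehouse path.
CUSTOMER_DIR = "/warehouse/tablespace/managed/hive/customer"
DATA_FILE = CUSTOMER_DIR + "/000000_0"
USER = "unixuser1"


def use_case(n: int) -> Tuple[Audit, Audit]:
    """Return the (before RMS, after RMS) audit records for use case n above."""
    p = Policies(table_locations={"Customer": CUSTOMER_DIR},
                 hdfs_acl={CUSTOMER_DIR: {USER}})       # native ACL allows in cases 1-3
    if n in (2, 3):
        p.table_tags = {"Customer": {"SPECIAL_ACCESS"}}
        p.tag_select = {"SPECIAL_ACCESS": {USER}}
    if n == 3:
        p.masking = {"Customer": {USER}}                 # "SSN" column redacted for unixuser1
    if n == 4:
        p.hdfs_acl = {}
        p.hdfs_read = {CUSTOMER_DIR: {USER}}             # Ranger HDFS policy allows read
    return evaluate(p, USER, DATA_FILE, False), evaluate(p, USER, DATA_FILE, True)


if __name__ == "__main__":
    for n in range(1, 5):
        before, after = use_case(n)
        print(f"use case {n}: before={before.allowed}/{before.enforcer}/{before.policy} "
              f"after={after.allowed}/{after.enforcer}/{after.policy}")
```

The point to take from the model is what appears in the audit log, not just the allow/deny bit: before RMS the grant in cases 1 to 3 is attributed to "hadoop-acl" with no Ranger policy, while after RMS a denial for a mapped table carries no denying policy at all, which is the signature to look for when a user reports losing hdfs-level access to a Hive table's directory.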