Adding a role through Ranger
How to add a role in Ranger.
What is a Role ? A role contains a set of users, groups, or other roles. You assign a role by adding a user, group or role to it. By adding multiple roles, you create a role hierarchy in which you manage permission sets at the role level.
Benefits that
roles provide in a large environment:
Conceptually, a role functions as a collection. A group is a collection of
users. You create a role and add users to it. Then, you grant that role to a group. Roles
present an easier way to manage users and groups, based on specific access criteria. - A role may include many users or groups, all of which may be updated using a single command.
- Adding or revoking a single permission to or from a role requires a single command, which also applies to all users and groups with that role.
- Roles allow for some documentation about why a permission is granted or revoked.
A
simple example of a role hierarchy follows:
- FinReadOnly role, which gives read permission on all tables in the Finance database and is defined by a Ranger policy that grants read on database:Finance, table:* to the FinReadOnly role.
- FinWrite role, which gives write permission on all tables in the Finance database and is defined by a Ranger policy that grants write on database:Finance, table:* to the FinWrite role.
- FinReadWrite role, which role is granted both the FinRead and FinWrite roles and thereby inherits read and write permission to all tables in the Finance database.
- FinReporting group whose users require only read permission to the Finance tables. FinReporting group is added to FinReadOnly role in Ranger.
- FinDataPrep group whose users require only write permission to the Finance tables. FinDataPrep group is added to the FinWrite role in Ranger.
- FinPowerUser group whose users require read and write permission to all Finance tables. FinPowerUsers group is added to the FinReadWrite role in Ranger.
You can create a role either through Ranger, or through Hive.
To create a role through Ranger, using Ranger Admin Web UI: